Secure Java Programming

Secure Java Programming Best Practices, Tools and Techniques AKA “Don’t Be A Pwned n00b”

Introduction Today you gain L33t Haxxor Skilllz!!!!1111 • Recognize the most common and dangerous Java coding mistakes that make applications vulnerable • See L33t Exploits in action • Refactor code to take defensive measures • Review what the Java platform has to offer • Know where the online resources are • Properly label and categorize vulnerabilities

Fireside Chat time, with Uncle Scott

Agenda • Java platform security • Online Resources • Most common vulnerabilities • Leet Skillz k\/\/Iz • See Java code • Find the vulnerability • Exploit the weakness • Harden the code against haxxors • And remember, as with all Leet Skillz… • Winners get riches • Lus0rs get Pwned • So pay attention!!!

Agenda • Java platform security • Online Resources • Most common vulnerabilities • Leet Skillz k\/\/Iz

The Seven “Why’s” of Java Security • “Y” is Java Secure? (I know, kinda tacky, what can I say – I write code for a living!) • Immunity - from malware/viruses/malicious code • Privacy – sensitive data in the memory or local storage of a machine hosting a Java program is protected • Identity – The “Who” and “From Where”: • principals tied to the running of the program are known • the source of a program is known, and tampering is prevented • Secrecy – data in transit or at rest can be encrypted • History – actions that may or may not be permissible are auditable • Policy – Rules regarding what code can do, when loaded from a particular “Code Source” and run by a particular “Principal”, are enforced • Safety – Runtime adheres to strict rules

Java is Secure Because… • Security features are baked in • It provides cryptographic building blocks for message digests, key management, digital signatures, and symmetric and asymmetric encryption • “Sandbox” runtime policies based on: • From where code was loaded • By whom the code was digitally signed • What principal is running the code

Java Platform Security Review

Baked In Security • Language and Runtime Features • Type-safe language • Magic memory management and garbage collection • Automatic range-checking on arrays • Class loading is secure and bytecode is verified • Access modifiers to help you protect your classes, methods and fields

Baked In Security - Memory • Java Programs cannot see memory they don’t “own” • Applets are unable to see each other • Java byte-code verifier is key to all of this protection • Java language has “access levels” like C++ (public/package/protected/private) • But… C++ memory is WIDE OPEN • Java memory is (for the most part) NOT • I will demonstrate later on when we can break Java’s access level protection

Baked In Security – The Rules • Access modifiers are enforced • Java programs cannot access arbitrary memory locations • final variables, once initialized, may never be changed • final classes may not be extended • final members may not be overridden • Variables must be initialized before use • Array bounds are never violated • Objects cannot be arbitrarily cast

Baked In – When are Rules Enforced? • Compile Time • Classloading (“linking”) • Runtime Note: Some Java 2 runtime rules are enforced when a “SecurityManager” is present in the JVM. How and what rules are enforced is defined by a “Policy”.

Baked In – Bytecode Verifier • The Verifier can enforce these checks: • Class file has correct format • Magic Number • Minor Version • Major Version, etc… • Geek Trivia Time – Name the Magic Number and it’s history • Final classes are not subclassed • Final methods are not overridden • Every class has a single superclass • Well almost… what is the exception? • java.lang.Object • No illegal data conversion of primitive types • No illegal data conversion of objects CAFE BABE

Baked In – Bytecode Verifier Part II • LeeT Question – Can you overflow a Java thread’s stack? • Trick question! There are TWO Java stacks for each thread! • The Data Stack is loaded with method frames, which contain local variables and other data related to a method call • The Operand Stack hold the values the bytecode operates on • The Data Stack may be overflowed, Why? • Answer: Recursion • The Operand Stack is protected by the verifier against underflow and overflow

Baked In – Runtime Enforcement • Array bounds • Object Casting

Leet Skillz k\/\/Iz Bonus Question!!! • Are there exceptions to the access modifier rules? • Yes! • Exception #1: Object Serialization • Exception #2: Reflection • Exception #3: You will find out later in this presentation!

Serialization – an Exception to the Rules • Object Serialization sees your PRIVATES! • All your variables belongs to us? • Mitigation • Don’t extend java.io.Serializable • Implement readObject and writeObject as final methods that throw IOException • If serialize you must • use transient • or use java.io.Externalizeable plus Encryption

Reflection – another Exception to the Rules • Reflection, using AccessibleObject.setAccessible() • Only works if either: • No SecurityManager is running in the JVM • Or… the current SecurityManager allows access modifiers • For example, if this has been done: • System.setSecurityManager( new SecurityManager() ); • This will result when you try to bypass: Exception in thread "main" java.security.AccessControlException: access denied (java.lang.reflect.ReflectPermission suppressAccessChecks) at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264) at java.security.AccessController.checkPermission(AccessController.java:427) at java.lang.SecurityManager.checkPermission(SecurityManager.java:532) at java.lang.reflect.AccessibleObject.setAccessible(AccessibleObject.java:107) • Also see Javadocs for SecurityManager.checkMemberAccess()

Example Access Modifier Bypass via Reflection GoldMinemine=newGoldMine(); ClassproggyClass=mine.getClass(); finalField[]faFields=proggyClass.getDeclaredFields(); for(Fieldfld:faFields){ if(fld.getName().equals(PRIVATE_VARIABLE_NAME)){ try{ fld.setAccessible(true); fld.set( mine, FOOLS_GOLD ); }catch(IllegalArgumentExceptione){ System.err.printf("An IllegalArgumentException has occurred trying to set the value of [%s]%n",PRIVATE_VARIABLE_NAME); }catch(IllegalAccessExceptione){ System.err.printf("An IllegalAccessException has occurred trying to set the value of [%s]%n",PRIVATE_VARIABLE_NAME); } }

Baked In Wrap Up • The Java language and runtime environment is Chock full o’ Security • Programs cannot tamper with memory • Runtime view of memory and internal state of objects is clearly defined • This helps protects a host machine from malicious code

2. Building Blocks for Cryptography • APIs • Cryptography and public key infrastructure (PKI) • Authentication and access control interfaces • Specifically for code signing: • Message Digests • Cryptographic keys • Digital Signatures • Encryption Engines

Java 5 Security Enhancements • JSSE (Java Secure Socket Extension) enhancements • Java implementation of SLL and TLS protocols • JCE (Java Cryptography Extension) enhancements • new ciphers and algorithms • integration with SmartCards and crypto accelerator(“PKCS#11”) • API improvements • Signature Timestamp Support • PKI Enhancements • SASL Support (Simple Authentication and Security Layer) • Java Kerberos enhancements

Java 6 Security Enhancements • An XML Digital Signature implementation (JSR 105) • Smart Card API’s (JSR 268) • Additional Encryption Algorithms • Expanded options, loosened restrictions with tools • API improvements • LDAP support built in to JAAS • Support for Microsoft’s Crypto API

3. The Sandbox • SecurityManager • AccessController • Policies • Code Signing

The Java Sandbox • Typically, “Sandbox” describes the runtime environment of Java applets • True or False – Java command line applications run within a sandbox too • Answer: It Depends • java -Djava.security.manager • Or programmatically: // set a SecurityManager for the JVM System.setSecurityManager(newSecurityManager());

The Sandbox Police • Security Manager • Access Manager • Classloaders • Policies • These all work together to determine what rules to apply to what classes, and make sure the rules aren’t broken

Sandbox Police – Security Manager • The Security Manager is the original face of the sandbox police. It is called to determine what a Java program can and cannot do • File I/O • Network Access • Opening toplevel windows

Sandbox Police – Access Manager • The Access Manager was added in Java 1.2 • Allows easier and fine grained permission granting to specific classes • Security Manager has remained for backwards compatibility • Access Controller leverages these constructs: • Code Sources (URL and Keys from signed Jar if any) • Permissions (Type, Name, and Action) • Policies (1 Policy class per JVM) • Together these made Protection Domains • As of Java 1.4, the concept of a Principal was added

Sandbox Police publicclassSecurityManagerExample{ publicstaticvoidmain(String[]args){ SecurityManagersm=System.getSecurityManager(); if(sm!=null) System.out.printf("There is a SecurityManager and it is %s",sm.getClass().getCanonicalName()); else System.out.println("No SecurityManager present at first!"); Propertiesprops=System.getProperties(); System.out.println("Got System properties!"); // set a SecurityManager for the JVM System.setSecurityManager(newSecurityManager()); sm=System.getSecurityManager(); if(sm!=null) System.out.println("Now there is a SecurityManager and it is "+sm.getClass().getCanonicalName()); else System.out.println("No SecurityManager present!"); try{ props=System.getProperties(); System.out.println("Got System properties!"); }catch(Exceptione){ System.out.println("Access denied to System properties!"); e.printStackTrace();// dang it all, let's get rid of the Security Manager System.setSecurityManager(null); } } }

Open Web Application Security Project • OWASP for short, found online at http://www.owasp.org • Open Community focused on security - online resources covering web application security • Resource of interest: • Top 10 • Guide to Building Secure Web Applications • Java Project

Common Weakness Enumeration • Drawing on numerous sources, CWE is an effort to standardize how “software weaknesses” are identified • Think “latin names” for security vulnerabilities • CWE dictionary can be viewed in various ways • OWASP Top Ten Slice • Java Language List

OWASP Top Ten of 2007 • Cross Site Scripting (XSS) • Injection Flaws • Malicious File Execution • Insecure Direct Object Reference • Cross Site Request Forgery (CSRF) • Information Leakage and Improper Error Handling • Broken Authentication and Session Management • Insecure Cryptographic Storage • Insecure Communications • Failure to Restrict URL Access Cross reference to CWE Weaknesses in Top Ten List

CWE Unforgiveable Vulnerabilities • Buffer overflow using long strings of “A” characters in: • username/password during authentication • file or directory name • arguments to most common features of the product or product class • XSS using well-formed SCRIPT tags, especially in the: • username/password of an authentication routine • body, subject, title, or to/from of a message • SQL injection using ' in the: • username/password of an authentication routine • “id” or other identifier field • numeric field • Remote file inclusion from direct input such as: • include($_GET['dir'] . "/config.inc"); • Directory traversal using "../.." or "/a/b/c" in “GET” or “SEND” commands of frequently-used file sharing functionality, e.g. a GET in a web/FTP server, or a send-file command in a chat client • World-writable critical files: • Executables • Libraries • Configuration files • Direct requests of administrator scripts • Grow-your-own crypto • Authentication bypass using "authenticated=1" cookie/form field • Turtle race condition - symlink • Privilege escalation launching "help" (Windows) • Hard-coded or undocumented account/password • Unchecked length/width/height/size values passed to malloc()/calloc()

Leet Skillz k\/\/Iz • It is essential that Java professionals become one with Secure coding best practices • The following slides demonstrates “sploits” • Each is followed by review and mitigation recommendations • Let’s Pwn the Suzzor Haxxor!

Leet Skillz k\/\/Iz Sploit #1

Sploit #1 – Example A <%Stringeid=request.getParameter("eid");%> EmployeeID:<%=eid%> • http://localhost:8080/ExampleOne.jsp?eid=123 • XSS Injection • eid=<script>javascript:alert('This pop-up confirms vulnerability to Cross-Site Scripting via URL Tampering')</script>

Sploit #1 – Example B <%... Statementstmt=conn.createStatement(); ResultSetrs=stmt.executeQuery(“SELECT * FROM emp WHERE id= “ + eid ); if(rs!=null){ rs.next(); final Stringname=rs.getString("name"); } %> EmployeeName:<%=name%>

Sploit #1 – Cross Site Scripting (XSS) • CWE ID 79 • Sending user generated and/or un-validated data to a web browser is dangerous • Malicious content may be injected and stored in a database or other “trusted” source, then later executed by a victim’s browser • Malicious content might be created by an attacker then executed by a user • For example, a malicious URL might be constructed and emailed to a victim • When the victim clicks the link, the URL exploits a vulnerable web application, “reflecting” injected code back to the victim’s browser where it is executed with the context of the vulnerable web application • This last attack is known as “Reflected XSS” • Fundamental issue is that some characters in HTML are “special” in certain contexts, and can be used to introduce code that will be executed by the user’s browser • Content might be: • JavaScript • HTML • Flash • Etc…

Sploit #1 – What can you Do? Study Cert Advisory CA-2000-02 and Cert’s Understanding Malicious Content Mitigation for Web Developers Then… Get Tactical: • Explicitly set character encoding for all web pages • Identify special characters • Encode special characters in dynamic output • Filter dynamic content on in and out

Sploit #1 – Set Character Encoding <%@pagecontentType="text/html;charset=ISO-8859-1"language="java"%> <html> <head><title>ExampleOne</title></head> <body> <%Stringeid=request.getParameter("eid");%> EmployeeID:<%=eid%> </body> </html>

Sploit #1 – Encode and Filter /** * This simple pattern is used to do a search and replace below */ staticfinalPatternm_patternLessThan=Pattern.compile("<"); /** * This simple pattern is used to do a search and replace below */ staticfinalPatternm_patternGreaterThan=Pattern.compile(">"); /** * This function will cleanse a string for usage in an HTML block level element. * This is to prevent cross-site scripting - we make sure the dynamic content in * this attribute does not include any greater or less than characters. * Note that Pattern.matcher has some very minimal synchronization internally. * @param p_sElementText The text you want to cleanse * @return The cleansed text */ publicstaticStringcleanseHtmlBlockLevelElement(finalStringp_sElementText){ if(p_sElementText==null)return""; returnm_patternGreaterThan.matcher( m_patternLessThan.matcher(p_sElementText).replaceAll("<") ).replaceAll(">"); }

Sploit #1 – Encode and Filter <html> <head><title>ExampleOne</title></head> <body> <%Stringeid=request.getParameter("eid");%> EmployeeID:<%=Util.cleanseHtmlBlockLevelElement(eid)%> </body> </html> • All your boxxen belongZ to uz? • What could we do to improve the above?

Sploit #1 – There is lot’s to cleanse • You will need to cleanse more than just the above (block level elements). Watch for other forms of dynamic content such as: • HTML Attributes enclosed in double quotes • HTML Attributes enclosed in single quotes • HTML Attributes enclosed in no quotes • CDATA • Also note that XML is NOT SAFE – web service endpoints can be used in XSS attacks. • Here is a convoluted example active on Google’s widget site. • It pulls in XML, similar to a simple web service call from here. This XML is reflected back to the user.

Leet Skillz k\/\/Iz Sploit #2

Sploit #2 – Example 1 Stringhome=System.getProperty("APPHOME"); Stringlib=home+LIBNAME; java.lang.Runtime.getRuntime().load(lib);

Sploit #2 – Example 2 System.loadLibrary("library.dll");

Sploit #2 – Process Control • CWE ID 114

Secure Java Programming

Secure Java Programming

Presentation Transcript

Java Programming

“Secure” Programming

Java Programming

Java Programming

Secure programming

Java Programming

Java Programming

Java Programming

Java Programming

Secure Programming

Secure Programming

Java Programming

Java Programming

Secure Programming

Java Programming

Java Programming

Java Programming