cs205: engineering software
university of virginia, fall 2006

Forgiveness and Permissions

[Figure "Program Execution": the Program's accesses go through a Reference Monitor before reaching the resources Monitor, Speakers, Network, Disk, Memory and the SuperSoaker 2000.]
Policy and Mechanism
• AccessController provides a mechanism for enforcing a security policy
• Can insert checking code before certain operations are allowed
• A security policy determines what the checking code allows
Java Policy
[jre directory]\lib\security\java.policy

// Standard extensions get all permissions by default
grant codeBase "file:${{java.ext.dirs}}/*" {
    permission java.security.AllPermission;
};

// default permissions granted to all domains
grant {
    // Allows any thread to stop itself using the java.lang.Thread.stop()
    // method that takes no argument.
    // Note that this permission is granted by default only to remain
    // backwards compatible.
    // It is strongly recommended that you either remove this permission
    // from this policy file or further restrict it to code sources
    // that you specify, because Thread.stop() is potentially unsafe.
    // See "http://java.sun.com/notes" for more information.
    permission java.lang.RuntimePermission "stopThread";

    // allows anyone to listen on un-privileged ports
    permission java.net.SocketPermission "localhost:1024-", "listen";

    // ... (also allows some standard properties to be read)
};
Permissions
java.security.Permission
  • AllPermission
  • SocketPermission
  • java.io.FilePermission
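The policy/mechanism split on the three slides above, as an added example (not code from the course slides): the "default permissions granted to all domains" grant block is rebuilt with the same Permission classes the policy file names, and a small check() stands in for the checking code AccessController inserts before an operation. It uses Permissions.implies() directly rather than installing a SecurityManager; the class name PolicyCheckDemo and the sample requests are assumptions.

```java
import java.io.FilePermission;
import java.net.SocketPermission;
import java.security.Permission;
import java.security.Permissions;

public class PolicyCheckDemo {
    // Policy: the "grant { ... }" block from java.policy, minus the elided
    // property-read permissions, expressed as a Permissions collection.
    static Permissions defaultGrant() {
        Permissions p = new Permissions();
        p.add(new RuntimePermission("stopThread"));
        p.add(new SocketPermission("localhost:1024-", "listen"));
        return p;
    }

    // Mechanism: the checking code run before the operation is allowed.
    // It does not decide anything itself; it only asks the policy.
    static void check(Permissions granted, Permission requested) {
        if (!granted.implies(requested)) {
            throw new SecurityException("denied: " + requested);
        }
    }

    // Convenience wrapper: true if the policy would allow the request.
    static boolean allowed(Permissions granted, Permission requested) {
        try {
            check(granted, requested);
            return true;
        } catch (SecurityException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        Permissions policy = defaultGrant();
        // Constructed sample requests, one per way a check can succeed or fail.
        Permission[] requests = {
            new SocketPermission("localhost:8080", "listen"),  // port in 1024-: allowed
            new SocketPermission("localhost:80", "listen"),    // privileged port: denied
            new SocketPermission("localhost:8080", "connect"), // action not granted: denied
            new FilePermission("/etc/passwd", "read"),         // no FilePermission at all: denied
        };
        for (Permission r : requests) {
            System.out.println((allowed(policy, r) ? "ALLOW " : "DENY  ") + r);
        }
    }
}
```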
Better Solution?
• Impose a policy on the browser and everything running inside it
• Windows Vista will do this:
  • Browser runs at “low integrity” mode
  • Low integrity processes cannot:
    • Modify higher integrity securable objects (e.g., files, network sockets,
    • Interact with higher integrity
Hostile Applets
• See http://java.sun.com/sfaq/chronology.html (about 1 new vulnerability/month)
• Easy to write “annoying” applets (policy is too imprecise; no way to constrain many resource operations)
• Don’t try these at home... http://www.cigital.com/hostile-applets/index.html
What can go wrong?
• Java API doesn’t call right SecurityManager checks (63 calls in java.*)
  • Font loading bug, synchronization
• ClassLoader is tricked into loading external class as internal
• Policy is too weak (allows damaging behavior)
• Enforcement relies on low-level code safety properties
Project Team Management
• “Democracy”
  • Works fine but doesn’t scale
  • If everyone is responsible, no one is responsible
• “Hierarchy”
  • Someone is in charge: delegates work, responsible for making sure it gets done
  • Requires leadership, subordination – difficult in peer groups
Trusted Computing Base
[Figure: user Alice supplies malcode.class (JVML object code) to the Java Bytecode Verifier; if the verifier says Invalid the result is STOP, if it says “Okay” the code runs on the JavaVM.]
Computer Architecture
• Processor does computation
• Memory stores bits
• Input Devices (mouse, keyboard, accelerometer) get input from user and environment
• Output Devices (display, speakers) present output to user
Intel 4004
• First general purpose microprocessor, 1971
• 4-bit data
• 46 instructions
• 8-bit instructions!
PC Motherboard
[Figure: photo of a PC motherboard with the Memory and CPU labelled. From http://www.cyberiapc.com/hardwarebeg.htm]
Inside the CPU
• Registers
• Loads and decodes instructions from memory
• ALU: Arithmetic Logic Unit
  • Does arithmetic
  • Can only operate on values in registers
  • Must load values from memory into registers before computing with them
Compiler
• Translates a program in a high-level language into machine instructions
• Calling convention
  • How are parameters passed to functions
  • How is the stack managed to return
• Register allocation
  • Figure out how to use registers efficiently
int max (int a, int b) {
    if (a > b) {
        return b;
    } else {
        return a;
    }
}

6:    int max (int a, int b) {
                                    [Dealing with function call: updating stack, moving arguments]
00401010   push        ebp         [push instruction is 1 byte]
00401011   mov         ebp,esp     [mov instruction is 2 bytes]
00401013   sub         esp,40h
00401016   push        ebx
00401017   push        esi
00401018   push        edi
00401019   lea         edi,[ebp-40h]
0040101C   mov         ecx,10h
00401021   mov         eax,0CCCCCCCCh
00401026   rep stos    dword ptr [edi]
7:        if (a > b) {
00401028   mov         eax,dword ptr [ebp+8]
0040102B   cmp         eax,dword ptr [ebp+0Ch]
0040102E   jle         max+25h (00401035)
8:            return b;
00401030   mov         eax,dword ptr [ebp+0Ch]
00401033   jmp         max+28h (00401038)
9:        } else {
10:           return a;
00401035   mov         eax,dword ptr [ebp+8]
                                    [Cleanup and return]
00401038   pop         edi
00401039   pop         esi
0040103A   pop         ebx
0040103B   mov         esp,ebp
0040103D   pop         ebp
0040103E   ret
Java Virtual Machine
• Small and simple to implement
• All VMs will run all programs the same way
• Secure
Implementing the JavaVM

load class into memory
set the instruction pointer to point to the beginning of main
do {
    fetch the next instruction
    execute that instruction
} while (there is more to do);

Some other issues we will talk about next week:
• Verification – need to check byte codes satisfy security policy
• Garbage collection – need to reclaim unused storage
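The fetch/execute loop above, with the verification step the slide defers to next week, as an added example (not the course's own code and not JVML): a constructed four-opcode stack machine whose run() refuses to execute any program that a one-pass verifier rejects for stack underflow, a missing PUSH operand or running off the end. The class name MiniVm, the opcode numbering and the sample programs are assumptions.

```java
import java.util.ArrayDeque;
import java.util.Deque;

public class MiniVm {
    // Constructed instruction set: one int per opcode; PUSH takes an immediate.
    static final int PUSH = 0, ADD = 1, MUL = 2, HALT = 3;

    // Verification: a static pass over the "loaded class" that tracks stack
    // depth and rejects code that could underflow, before anything executes.
    static void verify(int[] code) {
        int depth = 0, ip = 0;
        while (ip < code.length) {
            switch (code[ip]) {
                case PUSH:
                    if (ip + 1 >= code.length) throw new VerifyError("PUSH without operand at " + ip);
                    depth++; ip += 2; break;
                case ADD: case MUL:
                    if (depth < 2) throw new VerifyError("stack underflow at " + ip);
                    depth--; ip++; break;
                case HALT:
                    if (depth != 1) throw new VerifyError("HALT with stack depth " + depth);
                    return;
                default:
                    throw new VerifyError("unknown opcode " + code[ip] + " at " + ip);
            }
        }
        throw new VerifyError("code runs off the end without HALT");
    }

    // The slide's loop: set ip to the start of main, then fetch and execute
    // until there is no more to do. Only verified code reaches this loop.
    static int run(int[] code) {
        verify(code);
        Deque<Integer> stack = new ArrayDeque<>();
        int ip = 0;
        while (true) {
            int op = code[ip++];                 // fetch the next instruction
            switch (op) {                        // execute that instruction
                case PUSH: stack.push(code[ip++]); break;
                case ADD:  stack.push(stack.pop() + stack.pop()); break;
                case MUL:  stack.push(stack.pop() * stack.pop()); break;
                case HALT: return stack.pop();   // no more to do
            }
        }
    }

    public static void main(String[] args) {
        int[] good = {PUSH, 3, PUSH, 4, ADD, PUSH, 5, MUL, HALT};   // (3 + 4) * 5
        System.out.println(run(good));
        int[] bad = {ADD, HALT};                                     // pops an empty stack
        try { run(bad); } catch (VerifyError e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```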
Charge
• Next classes: understanding byte codes and the byte code verifier
• Project ideas due Wednesday