170 likes | 299 Views
cs205: engineering software university of virginia fall 2006. Security in Java Real or Decaf?. (Duke suicide picture by Gary McGraw.). Project. Last problem set – final report is due last day of class Teams of 2-5: send me team requests before 11am Friday. Project Ideas.
E N D
cs205: engineering software university of virginia fall 2006 Security in Java Real or Decaf? (Duke suicide picture by Gary McGraw.)
Project • Last problem set – final report is due last day of class • Teams of 2-5: send me team requests before 11am Friday
Project Ideas • Due next Wednesday • For now, no suggestions – you can do anything you want, as long as it: • Is small enough to finish by Dec 4 • Is complex enough that a successful project will demonstrate understanding of and ability to apply key concepts in CS205 • If you are really stuck...
from Class 2... Buzzword Description “A simple, object-oriented, distributed, interpreted, robust, secure, architecture neutral, portable, high-performance, multithreaded, and dynamic language.” [Sun95]
What is a secure programming language? • Language is designed so it cannot express certain computations considered insecure. • Language is designed so that (accidental) program bugs are likely to be caught by the compiler or run-time environment instead of leading to security vulnerabilities. A few attempt to do this: PLAN, packet filters
Safe Programming Languages • Type Safety • Compiler and run-time environment ensure that bits are treated as the type they represent • Memory Safety • Compiler and run-time environment ensure that program cannot access memory outside defined storage • Control Flow Safety • Can’t jump to arbitrary addresses Is Java the first language to have them? No way! LISP had them all in 1960.
Java Safety • Type Safety • Most types checked statically • Coercions, array assignments type checked at run time • Memory Safety • No direct memory access (e.g., pointers) • Primitive array type with mandatory run-time bounds checking • Control Flow Safety • Structured control flow, no arbitrary jumps
Malicious Code Can a safe programming language protect you from malcode? • Code your servers in it to protect from buffer overflow bugs • Only allow programs from untrustworthy origins to run if the are programmed in the safe language
Safe Languages? • But how can you tell program was written in the safe language? • Get the source code and compile it (most vendors, and all malicious attackers refuse to provide source code) • Special compilation service cryptographically signs object files generated from the safe language (SPIN, [Bershad96]) • Verify object files preserve safety properties of source language (Java)
Alice User JVML malcode.java Java Source Code malcode.class JVML Object Code javac Compiler JavaVM Alice wants to know JVML code satisfies Java’s safety properties.
Does JVML satisfy Java’s safety properties? No, we’ll learn some about JVML later...
Trusted Computing Base Joe User Bytecode Verifier malcode.class JVML Object Code Java Bytecode Verifier Invalid “Okay” STOP JavaVM
Bytecode Verifier • Checks class file is formatted correctly • Checks JVML code satisfies safety properties • Simulates program execution to know types are correct, but doesn’t need to examine any instruction more than once
Verifying Safety Properties • Type safe • Stack and variable slots must store and load as same type • Memory safe • Must not attempt to pop more values from stack than are on it • Doesn’t access private fields and methods outside class implementation • Control flow safe • Jumps must be to valid addresses within function, or call/return
Running Mistyped Code > java Simple Exception in thread "main" java.lang.VerifyError: (class: Simple, method: main signature: ([Ljava/lang/String;)V) Register 0 contains wrong type
Joe User Java javac Compiler malcode.java malcode.class JVML Trusted Computing Base Java Bytecode Verifier Invalid “Okay” STOP JavaVM
Charge • Next classes: understanding byte codes and the byte code verifier • Start thinking about project ideas and teams • Send team requests by email before 11am Friday