Dan Sedlacek CTO, Systems Management Group Sterling Software

Java Security and Encryption Dan Sedlacek CTO, Systems Management Group Sterling Software

Java Security and Encryption • What is the level of security provided by Java technology? • What’s NOT provided for in Java • How Java implements security • How to extend Java security

Agenda • Java Security Overview • Applications and Applets • Java Language Security • Java Class Loaders • Security Manager • Access Controller • Security Policies • Authentication • Encryption

Java Security OverviewWhat is Security? • Virus Protection • System Resource Access Control • Authentication of Author and Data • Data Privacy • Encryption • Auditing • Orange Book (C2, B1)

Java Security OverviewWhat is Java Security? • Virus Protection - Yes • System Resource Access Control - Yes • Authentication of Author and Data - Yes • Data Privacy - Yes & No • Encryption - Optional • Auditing - Not Built-in • Orange Book (C2, B1) - No

Applets and Applications • Applets • Run Under Control of a Browser • Are Subject to the Browser Security Policy • Applications • Establish their Own Security Policy • Default is No Security Manager

Applets Browser Security Manager Very Restricted

Applications Optional Security Manager Allowed to Play

How Does Java Provide Security? • Java Language Security • Java Class Loaders • Digital Signatures • Java Security Manager • Java Access Controller • Encryption

Java Language Security • Objects have access levels: • private: Accessible by defining class • package (default): Accessible by classes in the same package • protected: Same as package, with addition of access by any subclass • public: Accessible by any class

Java Language Security • Access methods are strictly adhered to • No pointers (no access to arbitrary memory and automatic garbage collection) • “final” methods or variables cannot be changed • Variables MUST be initialized before use • Array bounds are enforced • Strict object casting rules

Java Language Security • Object serialization can be a problem • Objects are externalized as series of bytes • Data may be tampered with before the object is reconstructed • Some solutions: • objects must be declared “serializable” • “private transient” disallows serialization • writeObject() and readObject() methods let you implement your own encryption

Java Language Security Enforcement • Enforcement happens at different times • Compile time enforcement • Class load time enforcement • Runtime enforcement • It’s easy to get around compile-time enforcement - build your own classes for the JVM • Class loader and runtime enforcement are more difficult to get around

Java Language SecurityEnforcement Java Source Bytecode Bytecode Verifier Java Compiler Class Loader Java Virtual Machine Runtime

Java Language SecurityCompile Time Enforcement Java Source Bytecode Bytecode Verifier Java Compiler Class Loader Java Virtual Machine Runtime

Java Language SecurityCompile Time Enforcement • Validate language syntax • Enforce method and variable access rules • Enforce variable initialization • Enforce some casting operations

Java Language SecurityClass Load Time Enforcement Java Source Bytecode Bytecode Verifier Java Compiler Class Loader Java Virtual Machine Runtime

Java Language SecurityClass Load Time Enforcement • Bytecode verifier is part of the VM • Bytecode verification • Verifies class file format • Final classes are not subclassed • Final methods are not overridden • Every class has a single superclass (except Object, of course)

Java Language SecurityClass Load Time Enforcement • Bytecode verification (continued) • Verify that casting legality checks are in place • No operand stack overflows or underflows • All field and method accesses are legal • Bytecode verification may be delayed in some implementations

Java Language SecurityRuntime Enforcement Java Source Bytecode Bytecode Verifier Java Compiler Class Loader Java Virtual Machine Runtime

Java Language SecurityRuntime Enforcement • Array bounds checking • Throws ArrayIndexOutOfBoundsException • Object casting • Throws ClassCastException • Security Manager • Throws SecurityException • Depends on the Access Controller

Java Class Loaders • Read bytecode into the JVM • Convert into class definitions • Works in conjunction with Security Manager and Access Controller • Knows where the class originated • Understands signed Jar files • Enforces namespace rules

Java Class Loaders • Java applications can create and use different class loaders • Java applets use the browser-provided class loader

Java Class LoadersNamespaces • Used to eliminate ambiguity between classes with the same name • Full name of a Java class is qualified by the name of the package: • java.lang.String • com.sun.java.swing.JTable • Default package

Java Class LoadersNamespaces • Classes with different CODEBASEs are loaded by different instances of the class loader • Even if fully qualified class names are the same, namespaces make them unique • Namespaces enforce package protection

Java Class LoadersHow they Work • Previously loaded classes are cached • Class loader optionally consults the Security Manager to see if the program is allowed to access the class • Internal class loader attempts to load the class from CLASSPATH • Class loader reads in an array of bytes • Bytecode verification is performed

Java Class LoadersHow they Work • A class object is constructed from the bytecodes • Resulting class name is verified to be the requested class name • Base classes and classes referenced by static initializers are also loaded • Other referenced classes are loaded when the class references them

Java Class LoadersHow they Work • An internal class loader (part of the JVM) loads the Java API classes when the VM starts up • In 1.1 internal class loader also loads all CLASSPATH classes • In 1.2 an instance of URLClassLoader loads classes from CLASSPATH • Browsers load classes for the applets from the applet’s CODEBASE using URL class

Other Java Class Loaders • An RMI class loader (RMIClassLoader) is similar to an applet class loader • Uses HTTP to load classes from a remote host • Secure class loader associates protection domains with each class it loads • java.security.SecureClassLoader • Makes use of the access controller facilities • URL class loader (URLClassLoader) - general purpose class loader

Java Class Loadersand JAR files • Java Archive files, or JAR files are Zip files with some additional information • JAR files contain many class files, and other files needed by an application • All classes in a JAR files are loaded at once • Signed classes must be in JAR files

Java Class LoadersSecurity Implications • Class loaders are integral to Java’s security • Class loaders enforce namespace separation • Security Manager depends on the class loader to keep track of the class origin • Custom class loaders may be developed to handle load protocols other than HTTP, to implement class file encryption, and to implement special security policies.

Java Security Manager • Security Manager is the sandbox guard • Default security manager provided by browsers to protect local system resources • Applications have a null security manager by default • Use the -usepolicy option to utilize the default security manager (that in turn uses the Access Controller)

Java Security Manager Access Controller Class File Security Manager Class Loader Bytecode Verification Instantiated Object Core Java API

Java Security Manager • java.lang.SecurityManager • Programs perform operations through the core Java API • Methods are invoked by the core Java API to check if an operation is allowable • A SecurityException is thrown if the operation is not allowable

Java Security ManagerTrusted Classes • In general: • Core API classes are trusted • Classes that are loaded via the CLASSPATH are trusted • Specific permissions may be granted based on signature and codebase • Access Controller is called by the Security Manager to ascertain if a class is trust-worthy

Java Security ManagerMethods • Protection for the Java Virtual Machine • System resource protection • File system access • Network access • Printing • Accessing the clipboard • Event queue access

Java Security ManagerMethods • Access to security related operations • Protection against manipulating thread groups that were created by another entity

Access Controller • Added in release 1.2 • Used by the security manager to determine security policy • Allows security policy to be configured without writing a custom security manager • System security file: • $JAVAHOME/lib/security/java.security • Security Manager still works with pre-version 1.2 classes

Access ControllerSystem Security File • $JAVAHOME/lib/security/java.security • policy.provider=java.security.PolicyFile • policy.expandProperties=true • policy.allowSystemProperty=true • policy.url.1=file:${java.home}/lib/security/java.policy • policy.url.2=file:${user.home}/.java.policy • These policy files map code sources to sets of permissions

Access ControllerRoles • Used by the security manager to determine access to resources • May be used by a program to check application-specific permissions • Used only if a security manager is being used

Access ControllerConcepts • Code sources - Where the class comes from • Permissions - Ability to perform an operation • Policies - Set of permissions by code source • Protection domains - Permissions granted to classes from a particular code source

Access ControllerCode Sources • java.security.CodeSource • CodeSource(URL url, PublicKey[] key[]) • public boolean equals(Object obj) • public final URL getLocation() • public final PublicKey[] getKeys()

Access ControllerPermissions • java.security.Permissions • Permission properties: • Type (e.g. FilePermission) • Name (e.g. name of the file - supports wildcards) • Actions (e.g. read)

Access ControllerPermissions • Java API permissions • Access controller is automatically called if a security manager is active • Arbitrary user-defined permissions • Name (e.g. CorporatePayroll) • Actions (e.g. read) • Access controller must be explicitly called

Access ControllerJava API Permissions • Java API permissions • FilePermission (e.g. /etc/passwd, read) • SocketPermission (IP:port, accept, connect, listen, resolve) • PropertyPermission (e.g. java.version, read) • RuntimePermission (Runtime class operations, e.g. exit) • AWTPermission - Access to windowing resources

Access ControllerJava API Permissions • Java API permissions • NetPermission - Multicast and HTTP authentication • SecurityPermission - Permission to use the security package • SerializablePermission - Object serialization • ReflectPermission - Reflection API • UnresolvedPermission - External permissions • AllPermission - Superuser

Security Policies • java.security.Policy • Ties code sources to permissions • Default policy is provided in the system security file • Methods: • Permissions evaluate(CodeSource cs) • void refresh()

Default Security Policy • Policy files specified by the system security file • Policy files specified by the: • policy.url.n entries • General format: • grant [signedBy <signer>][,codeBase <code source>] {permission <class> [<name> [, <action list>]];… permission <class> [<name> [, <action list>]];};

Protection Domains • Java.security.ProtectionDomain • public ProtectionDomain(CodeSource cs, Permissions p) • public CodeSource getCodeSource() • public Permissions getPermissions() • public boolean implies(Permission p) • Represents one “grant” entry in the file

Authentication • It’s a wide open Internet • System resources need to be protected from viruses and other attacks • Need for authentication • Author authentication • Where did the class come from • Data authentication • Was the class content modified?

Dan Sedlacek CTO, Systems Management Group Sterling Software