CMSC 838Y
Class Paper Presentation
Prashant Lamba
Mechanisms for Secure Modular Programming in Java
1. Lujo Bauer
2. Andrew W. Appel
3. Edward W. Felten
Theme of the Paper
- To provide a new module system for Java that remedies the deficiencies of the Java package system.
- To emphasize the need for a module system, rather than relying on object-oriented features alone, for structuring software.
Deficiencies in the Java Package System
- Limited ability to control access to the package's member classes
- No explicit interfaces
- No support for multiple views of a module
- Problems with dynamic linking
Solution to the Problem
- An ML-style hierarchical module system that provides
  - explicit export interfaces
  - multiple views of a module
- More control over the external modules against which the code is linked
Module System
A module consists of its source files plus a module description file. The description file has three parts:
- Export interface
- Membership list
- Import statements
Example module description:

  Export interface   Membership list   Import interface
  Access             Access.java       Tree   ../Tree/
  AccessList         AccessList.java   Temp   ../Temp/
  Codegen            Codegen.java      Assem  ../Assem/
  Frame              Frame.java        Util   ../Util/
  Proc               Proc.java

Codegen.java (the imported module names Tree and Assem are used as qualifiers in the source):

  abstract class Codegen {
      Frame frame;
      abstract Assem.InstrList codegen(Tree.Stm stm);
  }
Fixing Java Packages
- Export interfaces
  - Explicit export interfaces; the Java package system lacks this feature.
- Membership list
  - Because a Java package has no membership list, any class that declares the package name joins it, so malicious code can become part of a trusted application's package.
Fixing Java Packages
Attack scenario in the Java package system: a package consists of Class1.java, Class2.java, Class3.java and Class4.java. An attacker adds a further file, "Malicious Code class.java", that declares the same package; nothing in the package system can refuse it, so the malicious class becomes a member with the same package-level access as the legitimate classes.
Fixing Java Packages
Hierarchical scalability and multiple interfaces
- Multiple views of a module are possible.
- Example: module M can have two views V1 and V2, giving access to classes A, B, C and to classes A, D respectively.
Multiple views of module M0, which exports A, B, C and D:
- Module M1 imports M0.A, M0.B, M0.C
- Module M2 imports M0.A, M0.D
Fixing Java Packages
Name-space management
- Java packages are named, so naming merely lifts the clash problem to the package level.
- Example: two different libraries can each define a class called Util.Parser, and the two clash.
Solution:
- The module system assigns names via import statements: a module refers to an external module by a local name chosen in its own import statement, so two external modules that happen to share a name can be imported under different local names.
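The membership check, the export interface, the per-importer view of a module and the import-statement naming described above, as an added example in Python that models the semantics of a module description; this is not the paper's implementation (which works inside a Java class loader), and the module paths, class names and the two libraries net/Util and text/Util are constructed for the demonstration:

```python
from dataclasses import dataclass
from typing import Optional


class LinkError(Exception):
    """Raised when a load or a reference violates a module description."""


@dataclass(frozen=True)
class Import:
    path: str                          # where the external module lives (hypothetical paths)
    view: Optional[frozenset] = None   # exported classes this importer sees; None = all of them


@dataclass
class ModuleDescription:
    path: str          # module location, used as its actual (unique) name
    members: frozenset  # membership list: the only classes allowed to belong to the module
    exports: frozenset  # export interface: members visible to importers
    imports: dict       # local symbolic name -> Import


class Linker:
    def __init__(self, descriptions):
        self.modules = {d.path: d for d in descriptions}
        for d in descriptions:                       # a module may only export its own members
            if not d.exports <= d.members:
                raise LinkError(f"{d.path} exports non-members {sorted(d.exports - d.members)}")

    def admit(self, module_path, class_name):
        """Membership check: a class file joins a module only if the description lists it.
        This is what stops a stray malicious class from becoming a member of a trusted module."""
        if class_name not in self.modules[module_path].members:
            raise LinkError(f"{class_name} is not a member of {module_path}")
        return f"{module_path}/{class_name}"

    def resolve(self, module_path, symbolic_ref):
        """Map a reference as written in module_path's source ('Tree.Stm', 'Frame') to the actual class."""
        module = self.modules[module_path]
        local, _, cls = symbolic_ref.partition(".")
        if not cls:                                  # unqualified: a class of this module
            return self.admit(module_path, local)
        if local not in module.imports:              # names come only from import statements
            raise LinkError(f"{module_path} has no import named {local}")
        imp = module.imports[local]
        target = self.modules.get(imp.path)
        if target is None:
            raise LinkError(f"{module_path} imports missing module {imp.path}")
        if cls not in target.exports:                # export interface check
            raise LinkError(f"{imp.path} does not export {cls}")
        if imp.view is not None and cls not in imp.view:   # the importer's view of the module
            raise LinkError(f"{module_path} sees {imp.path} without {cls}")
        return f"{imp.path}/{cls}"


def rejected(linker, module_path, symbolic_ref):
    """True if the linker refuses the reference (exercises the negative cases)."""
    try:
        linker.resolve(module_path, symbolic_ref)
        return False
    except LinkError:
        return True


# Constructed module descriptions: the Codegen module of the slides, an M0 with two views,
# and two unrelated libraries that both contain a Util module with a Parser class.
CG = frozenset({"Access", "AccessList", "Codegen", "Frame", "Proc"})
LINKER = Linker([
    ModuleDescription("compiler/Codegen", CG, CG,
                      {"Tree": Import("compiler/Tree"), "Temp": Import("compiler/Temp"),
                       "Assem": Import("compiler/Assem"), "Util": Import("compiler/Util")}),
    ModuleDescription("compiler/Tree", frozenset({"Stm", "Exp"}), frozenset({"Stm", "Exp"}), {}),
    ModuleDescription("compiler/Temp", frozenset({"Temp", "Label"}), frozenset({"Temp", "Label"}), {}),
    ModuleDescription("compiler/Assem", frozenset({"Instr", "InstrList"}), frozenset({"InstrList"}), {}),
    ModuleDescription("compiler/Util", frozenset({"BoolList"}), frozenset({"BoolList"}), {}),
    ModuleDescription("M0", frozenset("ABCD"), frozenset("ABCD"), {}),
    ModuleDescription("M1", frozenset({"Main"}), frozenset(), {"M0": Import("M0", frozenset("ABC"))}),
    ModuleDescription("M2", frozenset({"Main"}), frozenset(), {"M0": Import("M0", frozenset("AD"))}),
    ModuleDescription("net/Util", frozenset({"Parser"}), frozenset({"Parser"}), {}),
    ModuleDescription("text/Util", frozenset({"Parser"}), frozenset({"Parser"}), {}),
    ModuleDescription("App", frozenset({"Main"}), frozenset(),
                      {"NetUtil": Import("net/Util"), "TextUtil": Import("text/Util")}),
])

if __name__ == "__main__":
    print(LINKER.resolve("compiler/Codegen", "Tree.Stm"))              # compiler/Tree/Stm
    print(rejected(LINKER, "compiler/Codegen", "Assem.Instr"))         # True: a member, but not exported
    print(rejected(LINKER, "M1", "M0.D"), rejected(LINKER, "M2", "M0.D"))   # True False
```

The resolved strings are the "actual names" that the class loader would substitute for the symbolic ones: App's two Parser classes resolve to different modules even though both were written as Util.Parser in their own libraries, and M1 and M2 each see only the part of M0 their import statement names.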
Secure Linking
- Java uses type checking for secure dynamic linking.
  - Problem: type checking only guarantees that programs and libraries agree on the types they are using; it says nothing about behaviour.
- Java uses code signatures when a system must trust the behaviour of a particular executable.
  - Problem: a signature identifies who vouched for the code, but still tells us nothing about the properties of the code.
Solution:
- Allow the programmer to require certain properties of the modules on which his code depends.
- The properties the system supports are keywords describing the behaviour of the code.
- The system cryptographically hashes the triple <byte code, module description, property name>, so a property assertion is bound to exactly one version of the module and its description.
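The property requirement above, as an added example that is not the paper's code: a certifier vouches for a property of a module by authenticating the hash of <byte code, module description, property name>, and the linker refuses to link unless every property the importer requires is covered by a valid certificate for exactly that byte code and description. The certificate format, the property keywords, the placeholder class file and description text are constructed for the demonstration, and an HMAC under a key shared with the loader stands in for the public-key signature a real deployment would use.

```python
import hashlib
import hmac
from dataclasses import dataclass


def framed(*parts):
    """Length-prefix each component so <byte code, module description, property name> hashes
    unambiguously: moving a byte from one component to the next changes the digest."""
    out = b""
    for part in parts:
        data = part.encode() if isinstance(part, str) else part
        out += len(data).to_bytes(4, "big") + data
    return out


def triple_digest(bytecode, description, prop):
    return hashlib.sha256(framed(bytecode, description, prop)).digest()


@dataclass(frozen=True)
class Certificate:
    prop: str       # property keyword the certifier vouches for, e.g. "no-file-access"
    digest: bytes   # triple_digest of the exact module the assertion applies to
    tag: bytes      # certifier's authenticator over the digest


class Certifier:
    """Trusted party that asserts a property of a module.  Assumption for this example: an HMAC
    under a key shared with the loader replaces the public-key signature a deployment would use."""
    def __init__(self, key):
        self.key = key

    def certify(self, bytecode, description, prop):
        digest = triple_digest(bytecode, description, prop)
        return Certificate(prop, digest, hmac.new(self.key, digest, "sha256").digest())

    def verify(self, cert):
        expected = hmac.new(self.key, cert.digest, "sha256").digest()
        return hmac.compare_digest(cert.tag, expected)


def unmet_properties(bytecode, description, required, certs, certifier):
    """Required properties that no valid certificate grants to exactly this (byte code,
    description) pair.  Linking should proceed only when the result is empty."""
    missing = set(required)
    for cert in certs:
        if cert.prop not in missing or not certifier.verify(cert):
            continue
        if hmac.compare_digest(cert.digest, triple_digest(bytecode, description, cert.prop)):
            missing.discard(cert.prop)
    return missing


# Constructed inputs: a placeholder class file, a made-up description text and a demo key.
BYTECODE = b"\xca\xfe\xba\xbe\x00\x00\x00\x31" + b"\x00" * 16
DESCRIPTION = b"module Net { export Client; members Client; import IO from ../IO; }"
CERTIFIER = Certifier(b"constructed-demo-key-not-for-real-use")
CERT = CERTIFIER.certify(BYTECODE, DESCRIPTION, "no-file-access")


def link_ok(bytecode, description, required, certs=(CERT,)):
    """True if module `bytecode`/`description` may be linked given the importer's requirements."""
    return not unmet_properties(bytecode, description, required, certs, CERTIFIER)


if __name__ == "__main__":
    print(link_ok(BYTECODE, DESCRIPTION, {"no-file-access"}))            # True
    print(link_ok(BYTECODE + b"\x90", DESCRIPTION, {"no-file-access"}))  # False: byte code changed
```

Because the description is part of the hashed triple, changing a single import statement invalidates the certificate just as patching the byte code does, and a certificate for one property never satisfies a requirement for a different keyword.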
Implementation
Java source -> Java compiler -> byte code -> class loader -> JVM
The class loader reads the module description file and applies a sequence of transforms (Trf 1, Trf 2, Trf 3; Trf = transform) to the byte code before the JVM sees it.
Execution in the Virtual Machine
- Dynamic linking in the JVM is managed by the class loader.
- A request to load a class may be permitted on the basis of the class's digital signature.
- The class loader of the system described here uses the module description file to set up the appropriate environment.

Class Loader manipulation leads to security
problems and Type system can be broken
– New JVM have stricter namespace
management policies.
» Machine verifies the encoded name of the
class(returned by load Class request) with which
load class is invoked.
20
Problem:
In our module system the identifiers used for class names bear little resemblance to the actual package names they refer to, so a class returned under its symbolic name would fail the JVM's name check.
Solution:
Rewrite the byte code, replacing each symbolic name with the actual name before handing the class to the JVM.
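The rewriting step above, as an added example that is not the paper's code: a Python function that walks a class file's constant pool and replaces symbolic module prefixes in class names and in method/field descriptors with actual package paths, copying the rest of the file through untouched (constant-pool indices do not move when Utf8 entries change length). The mapping Tree -> compiler/tree, Assem -> compiler/assem is hypothetical, and the sample class file is a constructed minimal constant pool for the slides' Codegen class rather than javac output.

```python
import re
import struct

CONSTANT_Utf8, CONSTANT_Class, CONSTANT_Long, CONSTANT_Double = 1, 7, 5, 6
# Payload size of the fixed-size constant-pool entry kinds (JVM class-file format, section 4.4).
FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
              15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def parse_constant_pool(data):
    """Return (entries, offset of the first byte after the pool).  entries[0] is None,
    entries[i] is (tag, payload), and the slot after a Long/Double is None, as in the JVM."""
    count = struct.unpack_from(">H", data, 8)[0]
    entries, pos, i = [None], 10, 1
    while i < count:
        tag = data[pos]
        if tag == CONSTANT_Utf8:
            n = struct.unpack_from(">H", data, pos + 1)[0]
            entries.append((tag, data[pos + 3:pos + 3 + n]))
            pos += 3 + n
        else:
            size = FIXED_SIZE[tag]
            entries.append((tag, data[pos + 1:pos + 1 + size]))
            pos += 1 + size
        if tag in (CONSTANT_Long, CONSTANT_Double):    # these occupy two slots
            entries.append(None)
            i += 1
        i += 1
    return entries, pos


def serialize_constant_pool(entries):
    out = bytearray(struct.pack(">H", len(entries)))   # constant_pool_count counts slot 0 too
    for entry in entries:
        if entry is not None:
            tag, payload = entry
            out.append(tag)
            if tag == CONSTANT_Utf8:
                out += struct.pack(">H", len(payload))
            out += payload
    return bytes(out)


def rewrite_class_file(data, name_map):
    """Replace symbolic module prefixes (e.g. 'Tree/') with actual package paths in every
    CONSTANT_Class name and in every 'L<sym>/...;' object type inside a descriptor."""
    entries, tail = parse_constant_pool(data)
    class_names_at = {struct.unpack_from(">H", e[1])[0]
                      for e in entries if e is not None and e[0] == CONSTANT_Class}
    pattern = re.compile(rb"L(" + b"|".join(re.escape(s.encode()) for s in name_map) + rb")/")
    rewritten = []
    for idx, entry in enumerate(entries):
        if entry is None or entry[0] != CONSTANT_Utf8:
            rewritten.append(entry)
            continue
        text = entry[1]
        if idx in class_names_at:                        # a class name: whole-prefix match only
            sym, sep, rest = text.partition(b"/")
            if sep and sym.decode() in name_map:
                text = name_map[sym.decode()].encode() + b"/" + rest
        else:                                            # descriptors (string literals could match too)
            text = pattern.sub(lambda m: b"L" + name_map[m.group(1).decode()].encode() + b"/", text)
        rewritten.append((CONSTANT_Utf8, text))
    return data[:8] + serialize_constant_pool(rewritten) + data[tail:]


def class_names(data):
    entries, _ = parse_constant_pool(data)
    return sorted(entries[struct.unpack_from(">H", e[1])[0]][1].decode()
                  for e in entries if e is not None and e[0] == CONSTANT_Class)


def build_sample_class():
    """Constructed minimal class file for the slides' Codegen class (not javac output): a
    constant pool followed by a placeholder body with zero fields, methods and attributes."""
    utf8 = lambda s: (CONSTANT_Utf8, s.encode())
    cls = lambda i: (CONSTANT_Class, struct.pack(">H", i))
    pool = [None,
            cls(2), utf8("Codegen"),                                 # 1, 2
            cls(4), utf8("Tree/Stm"),                                # 3, 4
            cls(6), utf8("Assem/InstrList"),                         # 5, 6
            utf8("codegen"), utf8("(LTree/Stm;)LAssem/InstrList;"),  # 7, 8
            utf8("frame"), utf8("LFrame;"),                          # 9, 10 (Frame is local, not renamed)
            (CONSTANT_Long, b"\x00" * 8), None,                      # 11 (+ unusable slot 12)
            (12, struct.pack(">HH", 7, 8)),                          # 13 NameAndType codegen:(...)
            (10, struct.pack(">HH", 1, 13))]                         # 14 Methodref Codegen.codegen
    body = struct.pack(">HHHHHHH", 0x0421, 1, 0, 0, 0, 0, 0)   # flags, this, super, four zero counts
    return b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, 49) + serialize_constant_pool(pool) + body


NAME_MAP = {"Tree": "compiler/tree", "Assem": "compiler/assem"}   # hypothetical actual packages

if __name__ == "__main__":
    print(class_names(rewrite_class_file(build_sample_class(), NAME_MAP)))
```

Only the Utf8 entries change; the header, the entry order and the body after the pool are preserved byte for byte, which is what makes the transformed class acceptable to a JVM that checks the returned class's name against the one it asked for.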
Future Work
- Support for the Reflection API
- Dynamic linking is an area that deserves more study.