Lecture 18: Java™ Decaffeinated CS551: Security and Privacy University of Virginia Computer Science David Evans http://www.cs.virginia.edu/~evans Menu • SSL Challenge Question • Java • Voting 27 July 2016 University of Virginia CS 551 2 SSL Challenge Question Are there skeletons in VeriSign’s closet? 27 July 2016 University of Virginia CS 551 3 Secure Socket Layer (SSL) 141 Sextillion years; Not going any where for awhile; grab a snickers SSL Background • Two Kinds of SSL – Low Encryption (40-bit; 1.1x1012 possible keys) – High Encryption (128-bit; 3.8x1038 possible keys) • SSL is a transport level technology for authentication and data encryption between a web server and a Web server (example). • Applied at the socket interface from the application to the network software. Data Link Header Internet Transport Application Header Header Header Plaintext Data being sent Cipher Text SSL Handshake Server Client • Tell me who you are; • Here are the protocols I support. • For your ID, I know who you are and have your public key; • Here is a secret key I created with your protocols encrypted with your key • Here is my Digital ID to prove who I am; • Here is the protocols I have decided we should use. • Here is a copy of everything we’ve said encrypted with our secret key. • Here is a copy of everything we’ve said encrypted with our secret key. SSL Data Exchange Time to Break Specific Keys Years Key length (bits) 40 1995 2000 2005 68 hours 8.6 minutes 56 7.4 weeks 6.5 days 1.07 minutes 19 hours 64 36.7 years 4.6 years 6.9 months 128 6.7x1017 millennia 8.4x1016 millennia 1.1x1016 millennia [Erkomaa, 1998] Brute Force Attacks Remarks DES Challenge #1 DES Challenge Final DES Challenge on 128-bit Single Computer Small Network VeriSigns Assumption Total Key Space Number of Seconds Number of Years Search Space (keys/sec) Key size (bit) 7.50E+09 56 7.20576E+16 9607679.205 0.30 9.10E+11 56 7.20576E+16 79184.16927 **22 hours 2.45E+11 128 3.40282E+38 1.38891E+27 4.404E+19 650000 128 3.40282E+38 5.23511E+32 1.66E+25 1.00E+06 128 3.40282E+38 3.40282E+32 1.08E+25 76,400,000 128 3.40282E+38 4.45396E+30 1.412E+23 Target: 1.41E+23 27 July 2016 University of Virginia CS 551 8 VeriSign’s Claim N u m b e r o f Ye a rs 1E +27 1E +24 1E +21 Ye ars 1E +18 1E +15 N um b e r o f Ye a rs 1E +12 1E +09 100000 0 1000 1 650000 1000000 76400000 Se arch Sp ace Sp e e d 2 .4 5 E + 1 1 Moore’s Law 18 months C racking 128-bit K eys 1 .0 0 0 E + 2 0 N u m b er o f Years to C rack 1 .0 0 0 E + 1 8 1 .0 0 0 E + 1 6 1 .0 0 0 E + 1 4 1 .0 0 0 E + 1 2 1 .0 0 0 E + 1 0 1 .0 0 0 E + 0 8 1 .0 0 0 E + 0 6 1 .0 0 0 E + 0 4 1 .0 0 0 E + 0 2 1 .0 0 0 E + 0 0 1998 2000 2002 2004 2006 2008 2010 2012 2014 2016 Ye a r C o ns e rva tive E s tim a te B o ld E s tim a te M o o re 's L a w 2018 General Timeline Not to scale CS-551 Class (1.25 hours) Total Human Lifetime Universe Lifetime 0 1010 1019 1020 1023 Quintillion years Sextillion years VeriSign’s Assumptions • Hackers or key breakers have computers that are extremely slow. • We are using the processing speed of computers that were built in the 1980’s era. • Distributed networks and special hardware are not authorized for key breaking schemes. • We are not increasing our processing power every 18-24 months (based on Moore’s Law). 27 July 2016 University of Virginia CS 551 13 Java Security Real or Decaf? 27 July 2016 University of Virginia CS 551 14 Java A. B. C. D. E. Island in Indonesia A Programming Language (Java) A Portable Low-Level Language (JVML) A Platform (JavaVM) A successful marketing strategy – JavaScript is not related to Java or Java F. So you can have more time to work on your projects G. All of the above 27 July 2016 University of Virginia CS 551 15 Java : Programming Language “A simple, object-oriented, distributed, interpreted, robust, secure, architecture neutral, portable, high-performance, multithreaded, and dynamic language.” [Sun95] 27 July 2016 University of Virginia CS 551 16 What is a secure language? 1. Language is designed so it cannot express certain computations considered insecure. A few attempts to do this: PLAN, packet filters 2. Language is designed so that (accidental) program bugs are likely to be caught by the compiler or runtime environment instead of leading to security vulnerabilities. 27 July 2016 University of Virginia CS 551 17 Safe Programming Languages • Type Safety – Compiler and run-time environment ensure that bits are treated as the type they represent • Memory Safety – Compiler and run-time environment ensure that program cannot access memory outside defined storage • Control Flow Safety – Can’t jump to arbitrary addresses Which of these does C++ have? Not a new idea: LISP had these in 1960! 27 July 2016 University of Virginia CS 551 18 Java Safety • Type Safety – Most types checked statically – Coercions, array assignments type checked at run time • Memory Safety – No direct memory access (e.g., pointers) – Primitive array type with mandatory run-time bounds checking • Control Flow Safety – Structured control flow, no arbitrary jumps 27 July 2016 University of Virginia CS 551 19 Malicious Code Can a safe programming language protect you from malcode? 1. Code your servers in it to protect from buffer overflow bugs 2. Only allow programs from untrustworthy origins to run if the are programmed in the safe language 27 July 2016 University of Virginia CS 551 20 Safe Languages? • But how can you tell program was written in the safe language? – Get the source code and compile it (most vendors, and all malicious attackers refuse to provide source code) – Special compilation service signs object files generated from the safe language (SPIN, [Bershad96]) – Verify object files preserve safety properties of source language (Java) 27 July 2016 University of Virginia CS 551 21 JVML malcode.java Java Source Code javac Compiler malcode.class JVML Object Code JavaVM Joe User 27 July 2016 Joe wants to know JVML code satisfies Java’s safety properties. University of Virginia CS 551 22 Does JVML satisfy Java’s safety properties? iconst_2 istore_0 aload_0 arraylength push integer constant 2 on stack store top of stack in variable 0 as int load object reference from variable 0 replace array on top of stack with its length No! This code violates Java’s type rules. 27 July 2016 University of Virginia CS 551 23 malcode.class JVML Object Code Bytecode Verifier Trusted Computing Base Java Bytecode Verifier Invalid “Okay” STOP JavaVM Joe User 27 July 2016 University of Virginia CS 551 24 Bytecode Verifier • Checks JVML code satisfies Java’s safety properties • Type safe – stack and variable slots must store and load as same type • Memory safe (guaranteed by instruction set) • Control flow safe: jumps must be within function, or call/return 27 July 2016 University of Virginia CS 551 25 Are Java Bytecode Verifiers Complicated? • ~700 rules to enforce, JVML specification is (not all clearly specified) • Emin Gün Sirer found > 100 bugs in commercial bytecode verifiers (using automatic test generation) – At least 15 of them were security vulnerabilities • JVML includes jsr instruction (jump to subroutine), can be called with different types in variables and on stack 27 July 2016 University of Virginia CS 551 26 Java malcode.java javac Compiler malcode.class JVML Trusted Computing Base Java Bytecode Verifier Invalid “Okay” STOP JavaVM Joe User 27 July 2016 University of Virginia CS 551 27 JavaVM • Virtual machine – interpreter for JVML programs • Has complete access to host machine • Bytecode verifier ensures some safety properties, JavaVM must ensure rest: – Type safety of run-time casts, array assignments – Memory safety: array bounds checking – Resource use policy 27 July 2016 University of Virginia CS 551 28 JavaVM Policy Enforcment [JDK 1.0 – JDK 1.1] From java.io.File: public boolean delete() { SecurityManager security = System.getSecurityManager(); if (security != null) { security.checkDelete(path); } if (isDirectory()) return rmdir0(); else return delete0(); } 27 July 2016 University of Virginia CS 551 29 java.lang.SecurityManager /** Throws a SecurityException if the calling thread is not allowed to delete the specified file. This method is invoked for the current security manager by the delete method of class File. */ (Some other comments deleted.) public void checkDelete(String file) { throw new SecurityException(); } 27 July 2016 University of Virginia CS 551 30 Security Manager • Reference monitor – How well does it satisfy the requirements? • Complete mediation • Can stop execution/prevent action • Limited effect on execution until policy violation • User/host application creates a subclass of SecurityManager to define a policy 27 July 2016 University of Virginia CS 551 31 HotJava’s Policy (JDK 1.1.7) public class AppletSecurity extends SecurityManager { ... public synchronized void checkDelete(String file) { checkWrite(file); } ... } 27 July 2016 University of Virginia CS 551 32 AppletSecurity.checkWrite (some exception handling code removed) public synchronized void checkWrite(String file) { if (inApplet()) { if (!initACL) initializeACLs(); String realPath = (new File(file)).getCanonicalPath(); for (int i = writeACL.length ; i-- > 0 ;) { if (realPath.startsWith(writeACL[i])) return; } throw new AppletSecurityException ("checkwrite", file, realPath); } } Note: no checking if not inApplet! Very important this does the right thing. 27 July 2016 University of Virginia CS 551 33 inApplet boolean inApplet() { return inClassLoader(); } Inherited from java.lang.SecurityManager: protected boolean inClassLoader() { return currentClassLoader() != null; } 27 July 2016 University of Virginia CS 551 34 currentClassLoader /** Returns an object describing the most recent class loader executing on the stack. Returns the class loader of the most recent occurrence on the stack of a method from a class defined using a class loader; returns null if there is no occurrence on the stack of a method from a class defined using a class loader. */ protected native ClassLoader currentClassLoader(); 27 July 2016 University of Virginia CS 551 35 Recap • java.io.File.delete calls before deleting • HotJava overrides SecurityManager with AppletSecurity to set policy • AppletSecurity.checkDelete calls SecurityManager.checkDelete AppletSecurity.checkWrite • AppletSecurity.checkWrite checks if any method on stack has a ClassLoader • If not no checks; if it does, checks ACL list 27 July 2016 University of Virginia CS 551 36 JDK 1.0 Trust Model • When JavaVM loads a class from the CLASSPATH, it has no associated ClassLoader (can do anything) • When JavaVM loads a class from elsewhere (e.g., the web), it has an associated ClassLoader 27 July 2016 University of Virginia CS 551 37 JDK Evolution • JDK 1.1: Signed classes from elsewhere and have no associated ClassLoader • JDK 1.2: – Different classes can have different policies based on ClassLoader – Explict enable/disable/check privileges – SecurityManager is now AccessController 27 July 2016 University of Virginia CS 551 38 What can go wrong? • Java API doesn’t call right SecurityManager checks (63 calls in java.*) – Font loading bug, synchronization • ClassLoader is tricked into loading external class as internal • Bug in Bytecode Verifier can be exploited to circumvent SecurityManager • Policy is too weak and allows damaging behavior 27 July 2016 University of Virginia CS 551 39 Hostile Applets • See http://java.sun.com/sfaq/chronology.html (about 1 new vulnerability/month) • Easy to write “annoying” applets (policy is too imprecise; no way to constrain many resource operations) • http://www.cigital.com/hostileapplets/index.html 27 July 2016 University of Virginia CS 551 40 Voting 27 July 2016 University of Virginia CS 551 41 VA Absentee Voting: Ballot 1. Print out form from state web site 2. Fill in name and address, sign by voter and a witness 3. Mail to local election official 4. Local election official mails ballot to voter’s address (presumably: checks voter is registered, verifies address, marks on election rolls) 27 July 2016 University of Virginia CS 551 42 VA Absentee Voting 1. Open Envelope A in presence of witness (do not open without witness present) 2. Borrow No. 2 pencil and mark ballot. 3. Place ballot in Envelope B and seal. Do not put anything else in that envelope. 4. Fill in identification and sign Envelope B. Witness signs Envelope B. 5. Place Envelope B in return envelope preaddressed to Secretary of the Electoral Board. Mail or hand deliver in person. 27 July 2016 University of Virginia CS 551 43 Voting Challenges • (50 points) Explain why VA absentee ballot protocol uses Envelope A and requires voter to open it in presence of a witness • (50 points) Devise a good absentee voting protocol (better than my baseline) • (200 points) Exploit vulnerabilities in electoral protocols so Harry Browne or Ralph Nader wins election – Remember getting me arrested is -10000 points! 27 July 2016 University of Virginia CS 551 44 Charge • Tomorrow: Vote – Pay attention to security protocols: who are you trusting? – Don’t get arrested, but think about how a malicious person might defeat the system • Next time – Guest Lecture: Chenxi Wang 27 July 2016 University of Virginia CS 551 45