cs205: engineering software, University of Virginia, Fall 2006

Forgiveness and Permissions

Slide 2: Program Execution
[Diagram: a reference monitor sits between the running program and the resources it tries to use: speakers, network, disk, memory, SuperSoaker 2000.]

Slide 3: Policy and Mechanism
• AccessController provides a mechanism for enforcing a security policy
  – Can insert checking code before certain operations are allowed
• A security policy determines what the checking code allows

Slide 4: Java Policy
[jre directory]\lib\security\java.policy

    // Standard extensions get all permissions by default
    grant codeBase "file:${{java.ext.dirs}}/*" {
        permission java.security.AllPermission;
    };

    // default permissions granted to all domains
    grant {
        // Allows any thread to stop itself using the java.lang.Thread.stop()
        // method that takes no argument.
        // Note that this permission is granted by default only to remain
        // backwards compatible.
        // It is strongly recommended that you either remove this permission
        // from this policy file or further restrict it to code sources
        // that you specify, because Thread.stop() is potentially unsafe.
        // See "http://java.sun.com/notes" for more information.
        permission java.lang.RuntimePermission "stopThread";

        // allows anyone to listen on un-privileged ports
        permission java.net.SocketPermission "localhost:1024-", "listen";

        // ... (also allows some standard properties to be read)
    };

Slide 5: Permissions
[Diagram: class hierarchy rooted at java.security.Permission, with subclasses AllPermission, SocketPermission and java.io.FilePermission.]

Slide 6: Better Solution?
• Impose a policy on the browser and everything running inside it
• Windows Vista will do this:
  – Browser runs at “low integrity” mode
  – Low integrity processes cannot:
    • Modify higher integrity securable objects (e.g., files, network sockets,
    • Interact with higher integrity

Slide 7: Hostile Applets
• See http://java.sun.com/sfaq/chronology.html (about 1 new vulnerability/month)
• Easy to write “annoying” applets (policy is too imprecise; no way to constrain many resource operations)
• Don’t try these at home... http://www.cigital.com/hostile-applets/index.html

Slide 8: What can go wrong?
• Java API doesn’t call right SecurityManager checks (63 calls in java.*)
  – Font loading bug, synchronization
• ClassLoader is tricked into loading external class as internal
• Policy is too weak (allows damaging behavior)
• Enforcement relies on low-level code safety properties

Slide 9: Project Team Management
• “Democracy”
  – Works fine but doesn’t scale
  – If everyone is responsible, no one is responsible
• “Hierarchy”
  – Someone is in charge: delegates work, responsible for making sure it gets done
  – Requires leadership, subordination – difficult in peer groups

Slide 10: Bytecode Verifier
[Diagram: malcode.class (JVML object code) from Alice/User enters the Trusted Computing Base, where the Java Bytecode Verifier either reports “Okay” and passes it to the JavaVM, or reports Invalid and execution STOPs.]

Slide 11: Computer Architecture
• Processor does computation
• Memory stores bits
• Input Devices (mouse, keyboard, accelerometer) get input from user and environment
• Output Devices (display, speakers) present output to user

Slide 12: Central Processing Unit (CPU)
[Image]

Slide 13: Intel 4004
• First general purpose microprocessor, 1971
• 4-bit data
• 46 instructions
  – 8-bit instructions!
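Looking back at the Java Policy, Permissions and “What can go wrong?” slides, the following is an added example (not the lecture’s code and not the real java.security API) that models the mechanism those slides describe in Python: permission objects with an implies relation, a policy that grants permissions per code base, and a check_permission that does stack inspection, so an operation is allowed only if every protection domain on the call stack is granted a permission implying the requested one. The class and function names (ProtectionDomain, domain_for, check_permission, can, open_file), the path-pattern rules and the POLICY contents are this example’s own simplifications. open_file illustrates the first “what can go wrong” item: the check only protects anything if the API entry point actually calls it.

```python
"""Model of Java-style permission checking (added example, not from the
lecture; names are simplified stand-ins for the java.security API and
the POLICY below is constructed for illustration)."""
from dataclasses import dataclass


class Permission:
    def implies(self, other: "Permission") -> bool:
        raise NotImplementedError


@dataclass(frozen=True)
class AllPermission(Permission):
    def implies(self, other):
        return True  # AllPermission implies every other permission


@dataclass(frozen=True)
class FilePermission(Permission):
    path: str           # exact path, or "dir/*" for files directly in dir
    actions: frozenset  # subset of {"read", "write", "delete"}

    def implies(self, other):
        if not isinstance(other, FilePermission):
            return False
        if self.path.endswith("/*"):
            prefix = self.path[:-1]  # keep the trailing "/"
            path_ok = (other.path.startswith(prefix)
                       and other.path != prefix
                       and "/" not in other.path[len(prefix):])
        else:
            path_ok = other.path == self.path
        return path_ok and other.actions <= self.actions


@dataclass(frozen=True)
class SocketPermission(Permission):
    host: str           # host (optionally with port range) as in java.policy
    actions: frozenset  # subset of {"connect", "listen", "accept"}

    def implies(self, other):
        return (isinstance(other, SocketPermission)
                and other.host == self.host
                and other.actions <= self.actions)


@dataclass
class ProtectionDomain:
    code_base: str
    permissions: list


# Constructed policy in the spirit of the java.policy on the slide: the
# extension directory gets everything, application code may read files
# directly under /tmp, and anything else (e.g. code loaded from the
# network) is granted nothing.
POLICY = {
    "file:/jre/lib/ext/": [AllPermission()],
    "file:/apps/": [FilePermission("/tmp/*", frozenset({"read"}))],
}


def domain_for(code_base):
    """Collect the grants whose codeBase prefix matches code_base."""
    grants = []
    for prefix, perms in POLICY.items():
        if code_base.startswith(prefix):
            grants.extend(perms)
    return ProtectionDomain(code_base, grants)


class AccessControlException(Exception):
    pass


def check_permission(call_stack, requested):
    """Stack inspection: every frame's domain must imply the request, so
    the effective rights are the intersection over the whole call stack.
    Untrusted code cannot gain rights by calling a privileged library."""
    for domain in call_stack:
        if not any(p.implies(requested) for p in domain.permissions):
            raise AccessControlException(
                f"{domain.code_base} is not granted {requested!r}")


def can(call_stack, requested):
    """Boolean form of check_permission."""
    try:
        check_permission(call_stack, requested)
        return True
    except AccessControlException:
        return False


def open_file(call_stack, path):
    """A 'system API' entry point. The check has to be called here; an
    API method that omits it is never constrained by any policy."""
    check_permission(call_stack, FilePermission(path, frozenset({"read"})))
    return f"<handle {path}>"
```

A call stack is passed explicitly as a list of protection domains (the real AccessController walks the thread’s frames itself); adding a domain with no grants anywhere on the stack is enough to turn a permitted file read into a denial, which is the property that makes stack inspection useful and also why a missing check in one API method undoes all of it.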
Slide 14: PC Motherboard
[Image: motherboard with Memory and CPU labelled. From http://www.cyberiapc.com/hardwarebeg.htm]

Slide 15: Inside the CPU
• Registers
• Loads and decodes instructions from memory
• ALU: Arithmetic Logic Unit
  – Does arithmetic
  – Can only operate on values in registers
  – Must load values from memory into registers before computing with them

Slide 16: Compiler
• Translates a program in a high-level language into machine instructions
• Calling convention
  – How are parameters passed to functions
  – How is the stack managed to return
• Register allocation
  – Figure out how to use registers efficiently

Slide 17: Compiled code for max (a, b), with source lines interleaved and the slide’s annotations on the right

    6:    int max (int a, int b) {
    00401010   push        ebp                       <- push instruction is 1 byte
    00401011   mov         ebp,esp                   <- mov instruction is 2 bytes
    00401013   sub         esp,40h                   |
    00401016   push        ebx                       | Dealing with function call:
    00401017   push        esi                       | updating stack,
    00401018   push        edi                       | moving arguments
    00401019   lea         edi,[ebp-40h]             |
    0040101C   mov         ecx,10h                   |
    00401021   mov         eax,0CCCCCCCCh            |
    00401026   rep stos    dword ptr [edi]           |
    7:        if (a > b) {
    00401028   mov         eax,dword ptr [ebp+8]
    0040102B   cmp         eax,dword ptr [ebp+0Ch]
    0040102E   jle         max+25h (00401035)
    8:            return b;
    00401030   mov         eax,dword ptr [ebp+0Ch]
    00401033   jmp         max+28h (00401038)
    9:        } else {
    10:           return a;
    00401035   mov         eax,dword ptr [ebp+8]
    00401038   pop         edi                       |
    00401039   pop         esi                       | Cleanup and return
    0040103A   pop         ebx                       |
    0040103B   mov         esp,ebp                   |
    0040103D   pop         ebp                       |
    0040103E   ret                                   |

Slide 18: Java Virtual Machine
[Image]

Slide 19: Java Ring (1998)
[Image]

Slide 20: Java Card
[Image]

Slide 21: Java Virtual Machine
• Small and simple to implement
• All VMs will run all programs the same way
• Secure

Slide 22: Implementing the JavaVM

    load class into memory
    set the instruction pointer to point to the beginning of main
    do {
        fetch the next instruction
        execute that instruction
    } while (there is more to do);

Some other issues we will talk about next week:
  Verification – need to check byte codes satisfy security policy
  Garbage collection – need to reclaim unused storage

Slide 23: Charge
• Next classes: understanding byte codes and the byte code verifier
• Project ideas due Wednesday
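As an added example (not the lecture’s code), the fetch/execute loop from the “Implementing the JavaVM” slide together with the verification step it mentions, written in Python for an invented toy stack-machine instruction set (not real JVML; the opcode names, tuple encoding, EFFECT table and function names are this example’s assumptions). verify computes the operand-stack height at every reachable instruction before anything runs and rejects code that would underflow or overflow the stack, jump outside the method, fall off its end, or reach one instruction with two different stack heights; run then executes only code that passed. MAX_CODE is a two-argument max in this toy bytecode, and UNDERFLOW_CODE is a malformed method the verifier must reject.

```python
"""Toy stack-machine VM with a verify-before-execute step (added example;
the instruction set is invented for illustration and is not JVML).

Instructions are (opcode, operand) tuples:
  ("iconst", n)      push constant n
  ("iload", i)       push local variable i
  ("iadd", None)     pop two, push their sum
  ("isub", None)     pop two, push first minus second
  ("ifle", t)        pop one, jump to index t if it is <= 0
  ("goto", t)        jump to index t
  ("ireturn", None)  pop one value and return it
"""

# Static stack effect of each opcode: (values popped, values pushed)
EFFECT = {"iconst": (0, 1), "iload": (0, 1), "iadd": (2, 1),
          "isub": (2, 1), "ifle": (1, 0), "goto": (0, 0), "ireturn": (1, 0)}


class VerifyError(Exception):
    pass


def verify(code, max_stack=16):
    """Abstract interpretation over stack heights only (no types).

    Returns {pc: stack height on entry} for every reachable instruction.
    Raises VerifyError for underflow, overflow, jumps outside the method,
    falling off the end, or two paths reaching a pc with different heights."""
    heights = {0: 0}
    worklist = [0]
    while worklist:
        pc = worklist.pop()
        if not 0 <= pc < len(code):
            raise VerifyError(f"pc {pc} outside method")
        op, arg = code[pc]
        if op not in EFFECT:
            raise VerifyError(f"unknown opcode {op!r} at {pc}")
        pops, pushes = EFFECT[op]
        h = heights[pc]
        if h < pops:
            raise VerifyError(f"stack underflow at {pc}")
        h = h - pops + pushes
        if h > max_stack:
            raise VerifyError(f"stack overflow at {pc}")
        if op == "ireturn":
            successors = []
        elif op == "goto":
            successors = [arg]
        elif op == "ifle":
            successors = [pc + 1, arg]
        else:
            successors = [pc + 1]
        for s in successors:
            if not 0 <= s < len(code):
                raise VerifyError(f"control reaches {s}, outside method")
            if s in heights and heights[s] != h:
                raise VerifyError(f"inconsistent stack height at {s}")
            if s not in heights:
                heights[s] = h
                worklist.append(s)
    return heights


def verifies(code):
    """True if verify accepts code, False if it raises VerifyError."""
    try:
        verify(code)
        return True
    except VerifyError:
        return False


def run(code, locals_):
    """The slide's loop: fetch, execute, repeat, after verification."""
    verify(code)
    stack, pc = [], 0
    while True:
        op, arg = code[pc]      # fetch the next instruction
        pc += 1
        if op == "iconst":      # execute that instruction
            stack.append(arg)
        elif op == "iload":
            stack.append(locals_[arg])
        elif op in ("iadd", "isub"):
            b, a = stack.pop(), stack.pop()
            stack.append(a + b if op == "iadd" else a - b)
        elif op == "ifle":
            if stack.pop() <= 0:
                pc = arg
        elif op == "goto":
            pc = arg
        elif op == "ireturn":
            return stack.pop()


# max(a, b) with a in local 0 and b in local 1 (constructed sample)
MAX_CODE = [
    ("iload", 0),       # 0: push a
    ("iload", 1),       # 1: push b
    ("isub", None),     # 2: a - b
    ("ifle", 6),        # 3: if a - b <= 0 goto 6 (return b)
    ("iload", 0),       # 4: push a
    ("ireturn", None),  # 5: return a
    ("iload", 1),       # 6: push b
    ("ireturn", None),  # 7: return b
]

# Malformed method: pops two values from an empty stack (constructed)
UNDERFLOW_CODE = [("iadd", None), ("ireturn", None)]

if __name__ == "__main__":
    print(run(MAX_CODE, [3, 7]), verifies(UNDERFLOW_CODE))
```

The point of checking heights statically is that run never has to test for an empty stack or a bad jump on every instruction: the verifier does that work once per method, which is the division of labour between the Bytecode Verifier slide and the fetch/execute loop.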