cs205: engineering software
university of virginia
fall 2006
Security in Java
Real or Decaf?
(Duke suicide picture by Gary McGraw.)
Project
• Last problem set – final report is due last day of class
• Teams of 2-5: send me team requests before 11am Friday
Project Ideas
• Due next Wednesday
• For now, no suggestions – you can do anything you want, as long as it:
– Is small enough to finish by Dec 4
– Is complex enough that a successful project will demonstrate understanding of and ability to apply key concepts in CS205
• If you are really stuck...
from Class 2...
Buzzword Description
“A simple, object-oriented, distributed, interpreted, robust, secure, architecture neutral, portable, high-performance, multithreaded, and dynamic language.” [Sun95]
What is a secure programming language?
1. Language is designed so it cannot express certain computations considered insecure.
A few attempt to do this: PLAN, packet filters
2. Language is designed so that (accidental) program bugs are likely to be caught by the compiler or run-time environment instead of leading to security vulnerabilities.
Safe Programming Languages
• Type Safety
– Compiler and run-time environment ensure that bits are treated as the type they represent
• Memory Safety
– Compiler and run-time environment ensure that program cannot access memory outside defined storage
• Control Flow Safety
– Can’t jump to arbitrary addresses
Is Java the first language to have them? No way! LISP had them all in 1960.
Java Safety
• Type Safety
– Most types checked statically
– Coercions, array assignments type
checked at run time
• Memory Safety
– No direct memory access (e.g., pointers)
– Primitive array type with mandatory runtime bounds checking
• Control Flow Safety
– Structured control flow, no arbitrary jumps
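Added example (not from the slides): three programs that javac accepts but that would violate type or memory safety if they ran unchecked. Each one is stopped by a run-time check in the JVM instead of corrupting memory: the array store check (Java arrays are covariant, so an Object[] may really be an Integer[]), the checkcast on a downcast, and the mandatory bounds check on every array access. Class and method names are my own.

```java
// Added example: the run-time checks behind Java's safety properties.
// Each method does something the static type checker cannot rule out and
// returns true only if the JVM caught it at run time.
public class RuntimeChecks {

    // Array store check: Integer[] is assignable to Object[], so javac accepts
    // storing a String through the Object[] view; the JVM checks the element
    // type on every array store (aastore) and refuses.
    static boolean arrayStoreIsChecked() {
        Object[] objs = new Integer[2];
        try {
            objs[0] = "not an Integer";   // compiles, rejected at run time
            return false;
        } catch (ArrayStoreException e) {
            return true;
        }
    }

    // Coercion check: a downcast compiles, but checkcast verifies the
    // object's dynamic type before the bits are treated as a String.
    static boolean downcastIsChecked() {
        Object o = Integer.valueOf(42);
        try {
            String s = (String) o;        // compiles, rejected at run time
            return s.isEmpty();           // never reached
        } catch (ClassCastException e) {
            return true;
        }
    }

    // Bounds check: index == length is the classic off-by-one that overwrites
    // the neighbouring memory in C; in Java the access itself is refused.
    static boolean boundsAreChecked() {
        int[] buf = new int[4];
        try {
            buf[4] = 1;
            return false;
        } catch (ArrayIndexOutOfBoundsException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        System.out.println("array store checked: " + arrayStoreIsChecked());
        System.out.println("downcast checked:    " + downcastIsChecked());
        System.out.println("bounds checked:      " + boundsAreChecked());
    }
}
```

All three checks are performed by the JVM, not by the Java compiler, which is why the next slides ask what guarantees them when the class file did not come from javac at all.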
Malicious Code
Can a safe programming language protect you from malcode?
1. Code your servers in it to protect from buffer overflow bugs
2. Only allow programs from untrustworthy origins to run if they are programmed in the safe language
Safe Languages?
• But how can you tell a program was written in the safe language?
– Get the source code and compile it (most vendors, and all malicious attackers, refuse to provide source code)
– Special compilation service cryptographically signs object files generated from the safe language (SPIN, [Bershad96])
– Verify object files preserve safety properties of source language (Java)
JVML
[Diagram: malcode.java (Java source code) → javac compiler → malcode.class (JVML object code) → JavaVM → Alice]
User Alice wants to know the JVML code satisfies Java’s safety properties.
Does JVML satisfy Java’s safety properties?
No. We’ll learn more about JVML later...
Bytecode Verifier
[Diagram: malcode.class (JVML object code) → Java Bytecode Verifier, inside the Trusted Computing Base → “Okay” → JavaVM → Joe User; Invalid → STOP]
Bytecode Verifier
• Checks class file is formatted correctly
• Checks JVML code satisfies safety properties
– Simulates program execution abstractly, tracking the type (not the value) in every stack and local slot, so it can check types are consistent without examining any instruction more than once per possible entry state
Verifying Safety Properties
• Type safe
– Stack and variable slots must store and load as same type
• Memory safe
– Must not attempt to pop more values from stack than are on it
– Doesn’t access private fields and methods outside class implementation
• Control flow safe
– Jumps must be to valid addresses within function, or call/return
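Added example (not from the slides, and not Sun’s verifier): a toy verifier for a small JVML-like instruction set that shows how the simulation on the Bytecode Verifier slide checks the properties listed on this one. It never executes the code; it tracks only the type held by each operand-stack slot and each local-variable slot. The first control transfer to reach an instruction fixes that instruction’s entry state, and every later transfer must carry an identical state, so each instruction is examined once. It rejects stack/local type mismatches, popping from an empty stack, overflowing the stack, and jumps or fall-throughs that leave the method. The instruction names, the two-type universe (INT, REF) and the class names are my simplifications; access control for private members is not modelled.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added example: toy type-tracking verifier for a JVML-like subset.
public class ToyVerifier {
    enum T { INT, REF }                        // the only value types in the toy

    static final class State {                 // abstract machine state
        final List<T> stack; final T[] locals; // locals[i] == null means "unset"
        State(List<T> stack, T[] locals) { this.stack = stack; this.locals = locals; }
        State copy() { return new State(new ArrayList<>(stack), locals.clone()); }
        boolean same(State o) { return stack.equals(o.stack) && Arrays.equals(locals, o.locals); }
    }

    static final class ToyVerifyError extends RuntimeException {
        ToyVerifyError(int pc, String msg) { super("pc " + pc + ": " + msg); }
    }

    // code[i] is one instruction ("iload 0", "goto 3", ...); argTypes are the
    // method's parameter types, which occupy the first local slots.
    static void verify(String[] code, T[] argTypes, int nLocals, int maxStack) {
        State[] entry = new State[code.length];    // entry state per pc, fixed on first arrival
        List<Integer> work = new ArrayList<>();
        arrive(entry, work, 0, new State(new ArrayList<>(), Arrays.copyOf(argTypes, nLocals)), -1);
        while (!work.isEmpty()) {
            int pc = work.remove(work.size() - 1);
            State s = entry[pc].copy();
            String[] ins = code[pc].split(" ");
            int arg = ins.length > 1 ? Integer.parseInt(ins[1]) : -1;
            switch (ins[0]) {
                case "iconst":  push(s, T.INT, maxStack, pc); break;
                case "aconst":  push(s, T.REF, maxStack, pc); break;
                case "iload":   push(s, load(s, arg, T.INT, pc), maxStack, pc); break;
                case "aload":   push(s, load(s, arg, T.REF, pc), maxStack, pc); break;
                case "istore":  s.locals[slot(s, arg, pc)] = pop(s, T.INT, pc); break;
                case "astore":  s.locals[slot(s, arg, pc)] = pop(s, T.REF, pc); break;
                case "iadd":    pop(s, T.INT, pc); pop(s, T.INT, pc); push(s, T.INT, maxStack, pc); break;
                case "pop":     pop(s, null, pc); break;
                case "ifeq":    pop(s, T.INT, pc); arrive(entry, work, arg, s, pc); break;
                case "goto":    arrive(entry, work, arg, s, pc); continue;
                case "ireturn": pop(s, T.INT, pc); continue;
                case "areturn": pop(s, T.REF, pc); continue;
                case "return":  continue;
                default: throw new ToyVerifyError(pc, "unknown instruction " + ins[0]);
            }
            arrive(entry, work, pc + 1, s, pc);        // fall through to the next instruction
        }
    }

    // Control-flow safety: the target must lie inside the method, and the state
    // carried there must match the state fixed when the target was first reached.
    static void arrive(State[] entry, List<Integer> work, int target, State s, int from) {
        if (target < 0 || target >= entry.length)
            throw new ToyVerifyError(from, "control transfer to pc " + target + " outside method");
        if (entry[target] == null) { entry[target] = s.copy(); work.add(target); }
        else if (!entry[target].same(s))
            throw new ToyVerifyError(from, "inconsistent stack/locals on entry to pc " + target);
    }

    static void push(State s, T t, int maxStack, int pc) {
        if (s.stack.size() >= maxStack) throw new ToyVerifyError(pc, "operand stack overflow");
        s.stack.add(t);
    }

    static T pop(State s, T expected, int pc) {        // expected == null: any type
        if (s.stack.isEmpty()) throw new ToyVerifyError(pc, "pop from empty stack");
        T t = s.stack.remove(s.stack.size() - 1);
        if (expected != null && t != expected)
            throw new ToyVerifyError(pc, "expected " + expected + " on stack, found " + t);
        return t;
    }

    static int slot(State s, int i, int pc) {
        if (i < 0 || i >= s.locals.length) throw new ToyVerifyError(pc, "local slot " + i + " out of range");
        return i;
    }

    static T load(State s, int i, T expected, int pc) {   // the slide's "Register 0 contains wrong type"
        T t = s.locals[slot(s, i, pc)];
        if (t != expected) throw new ToyVerifyError(pc, "local slot " + i + " contains wrong type: " + t);
        return t;
    }

    static String check(String[] code, T... argTypes) {
        try { verify(code, argTypes, 2, 2); return "Okay"; }
        catch (ToyVerifyError e) { return "Invalid: " + e.getMessage(); }
    }

    public static void main(String[] args) {
        // int f(int a) { return a == 0 ? 1 : a; }  -- well typed on both paths
        System.out.println(check(new String[] {"iload 0", "ifeq 4", "iload 0", "ireturn", "iconst", "ireturn"}, T.INT));
        System.out.println(check(new String[] {"iload 0", "ireturn"}, T.REF));   // reference loaded as int
        System.out.println(check(new String[] {"iadd", "ireturn"}));             // pops from empty stack
        System.out.println(check(new String[] {"goto 7"}));                      // jump outside method
        System.out.println(check(new String[] {"iconst", "ifeq 3", "iconst", "return"})); // stack depth differs at pc 3
        System.out.println(check(new String[] {"iconst"}));                      // falls off the end
    }
}
```

The first program prints Okay; each of the others prints Invalid with the offending pc and reason. Only the method’s own code is examined, and the verdict does not depend on any input value, which is what lets the real verifier run once at class-load time rather than on every execution.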
Running Mistyped Code
> java Simple
Exception in thread "main" java.lang.VerifyError: (class: Simple, method: main signature: ([Ljava/lang/String;)V) Register 0 contains wrong type
[Diagram: malcode.java (Java) → javac compiler → malcode.class (JVML) → Java Bytecode Verifier, inside the Trusted Computing Base → “Okay” → JavaVM → Joe User; Invalid → STOP]
Charge
• Next classes: understanding byte codes and the byte code verifier
• Start thinking about project ideas and teams
• Send team requests by email before 11am Friday