Lecture - Rabie A. Ramadan

Advanced Java Programming: Security

Agenda
- About Security
- Application Security
- Java Security from the Ground Up
- Standalone Java Application Techniques
About Security
- Common Security Threats
- Three concepts of the CIA security model
- Definition of security
Common Security Threats
- Identity interception: steal your identity and use it as their own
- Masquerading: grab your identity and use it elsewhere with the intention of perpetrating fraud
- Replay attack: capture your request and replay that request
- Data interception and manipulation: read your data (such as credit card info)
- Repudiation: deny having completed a transaction
- Denial of Service: terminate the service
Three concepts of the CIA security model (CIA Triad)
- Confidentiality: information must not be disclosed to any unauthorized person
- Integrity:
  - only authorized actions (no unauthorized data changes)
  - separation and protection of resources
  - error detection and correction (data corruption)
- Availability:
  - presence of objects or services in a usable form
  - capacity to meet service needs
  - adequate timeliness of a service
Definition of security
- Detect: detect how, when and where an intrusion has taken place
- Protect: manage people and the information system in an effective manner so as to protect against unauthorized usage
- React: react to an intrusion, ensure that the penetration does not happen again, and eliminate the vulnerability
- Recover: recover all data and programs after a breach in security
Application Security
"Not just technology; it's a process..."

System-level Security vs. Application-level Security
[Figure: the application level consists of the application code and the Java/J2EE APIs; the system level consists of the JVM and the operating system]
- Defeating system-level security may not provide attackers with appropriate access to the application-level data, logic, or methods that they seek
[Figure: an attacker has to get past system-level security and then application-level security before reaching the enterprise data]

System-level Security vs. Application-level Security (cont.)
- System-level and application-level security work together to build a secure system/application combination
- It is more efficient to push some security responsibilities up to the application level instead of handling them at the operating-system level
[Figure: the same application code and Java/J2EE APIs on top of the JVM APIs and OS of Solaris, IBM AIX and MS Windows]
Java Security from the Ground Up
- Java Language Safety Features
- Java Security Model
- Java Security Architecture
Java Language Safety Features
- Objects have access levels:
  - private: accessible only by the defining class
  - package (default): accessible by classes in the same package
  - protected: same as package, with the addition of access by any subclass
  - public: accessible by any class
- Access rules are strictly enforced
- No pointers (no access to arbitrary memory) and automatic garbage collection
- "final" methods or variables cannot be changed
- Variables MUST be initialized before use
- Array bounds are enforced
- Strict object casting rules
Java Security Enforcement
- Enforcement happens at different times:
  - Compile time enforcement
  - Class load time enforcement
  - Runtime enforcement
Compile Time Enforcement
[Figure: Java Source -> Java Compiler -> Bytecode -> Class Loader -> Bytecode Verifier -> Java Virtual Machine Runtime; this stage is the Java Compiler]
- Validate language syntax
- Enforce method and variable access rules
- Enforce variable initialization
- Enforce some casting operations
Class Load Time Enforcement
[Figure: Java Source -> Java Compiler -> Bytecode -> Class Loader -> Bytecode Verifier -> Java Virtual Machine Runtime; this stage is the Class Loader and Bytecode Verifier]
- Bytecode verification:
  - Verifies the class file format
  - Objects are accessed as the correct type
  - Final classes are not subclassed
  - Final methods are not overridden
  - Every class has a single superclass
  - Casting legality checks are in place
  - No operand stack overflows
  - All field and method accesses are legal
  - Method calls use the correct number and types of arguments
Runtime Enforcement
[Figure: Java Source -> Java Compiler -> Bytecode -> Class Loader -> Bytecode Verifier -> Java Virtual Machine Runtime; this stage is the Java Virtual Machine Runtime]
- Array bounds checking: throws ArrayIndexOutOfBoundsException
- Object casting: throws ClassCastException
- Security Manager: throws SecurityException; depends on the Access Controller
Java Security Model
- Sandbox: a strictly defined arena in which untrusted code cannot affect other system resources. It provides virtually no flexibility.

Using Java security mechanisms
- Applets are restricted to the sandbox by default:
  - Can only phone home (connect to their home server) and create pop-up windows that carry a warning banner
  - Cannot read/write/delete local files, run another program, connect to a server other than the home server, ...
- More permissions can be granted with
  - a security policy file
  - code signing

What does this code do? What happens when executing it?
- Use caution when executing applets as applications

    import java.applet.Applet;

    public class BadApplet extends Applet {
        public void init() {
            try {
                // tries to run an external program, which the sandbox forbids
                Runtime.getRuntime().exec("rmdir foo");
            } catch (Exception e) {
                System.out.println(e);
            }
        }
        public static void main(String[] args) {
            BadApplet a = new BadApplet();
            a.init();
        }
    }

1. Exception thrown if run in an applet container
2. Exception thrown if run as an application with applet security (a security manager) enabled:
    java -Djava.security.manager BadApplet
3. OK if run as a plain application:
    java BadApplet
Security Policy Files
- Consist of a sequence of grant entries.
  - Each gives some specific permissions to applets from a specific location and/or signed by a specific person
- A grant entry has the following general form:
    grant signedBy "name", codeBase "file source" {
        permission1;
        permission2;
        ...
    };
- The signedBy part is omitted if signatures are not required for this entry.
- The codeBase part is omitted if the entry applies to code from all sources.
Security Policy Files
- codeBase examples:
    // permission entry for all classes under the directory
    grant codeBase "http://www.cs.ust.hk/~liao/comp201/" { };
    // permission entry for tmp.jar
    grant codeBase "http://www.cs.ust.hk/~liao/comp201/tmp.jar" { };
    /* permission entry for tmp on the local machine */
    grant codeBase "file:C:/dir/tmp" { };
    grant codeBase "file:/C:/dir/tmp" { };
    grant codeBase "file://C:/dir/tmp" { };
- Note: forward slashes are used even on Windows
- Code signing will be discussed later.
Security Policy Files
- General form for permissions:
    permission className targetName, actionList;
- className must be fully qualified.
- Examples:
    // permission to read and write all files on the D drive
    permission java.io.FilePermission "D:\\-", "read, write";
    // permission to create pop-up windows without a warning banner
    permission java.awt.AWTPermission "showWindowWithoutWarningBanner";
    // permission to connect to any host via ports 8000-8999
    permission java.net.SocketPermission "*:8000-8999", "connect";
Security Policy Files
- Permission classes:
  - java.io.FilePermission
  - java.awt.AWTPermission
  - java.net.SocketPermission
  - java.net.NetPermission
  - java.util.PropertyPermission
  - java.lang.RuntimePermission
  - java.security.AllPermission
  - ...
- See page 712 for details
Security Policy Files
- java.io.FilePermission
  - Targets:
      file             a file
      directory        a directory
      directory/*      all files in the directory
      *                all files in the current directory
      directory/-      all files in the directory and all its subdirectories
      -                all files in the current directory and all its subdirectories
      <<ALL FILES>>    all files in the file system
    In Windows, use \\ as the file separator
  - Actions: read, write, delete, execute
Security Policy Files
- java.net.SocketPermission
  - Targets: hostRange:portRange
      hostName or IP address    a single host
      localhost or empty        the local host
      *.domainSuffix            all hosts whose domain names end with the suffix, e.g. *.com
      *                         all hosts
      :n                        a single port
      :n1-n2                    all ports in the range
  - Actions: accept, connect, listen
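Added here as an example that is not the lecture's code: when the JVM consults the policy, each granted permission is asked whether it implies the permission the running code needs, via java.security.Permission.implies(), and the sample below puts the FilePermission and SocketPermission targets from the two tables above through exactly that check (it also shows that the action list is matched, which the tables do not spell out). The class name PolicyTargetDemo, the allows() and show() helpers and the Unix-style sample paths are assumptions of this example; on Windows the same targets are written with \\ as the separator.

```java
import java.io.FilePermission;
import java.net.SocketPermission;
import java.security.Permission;

// Assumed driver class: asks each GRANTED permission whether it implies the
// permission a piece of code would NEED, which is what the policy check does.
public class PolicyTargetDemo {

    static boolean allows(Permission granted, Permission needed) {
        return granted.implies(needed);
    }

    static void show(String question, boolean answer) {
        System.out.println(question + " -> " + answer);
    }

    public static void main(String[] args) {
        // directory/* covers files directly in the directory, not in subdirectories
        Permission star = new FilePermission("/data/*", "read");
        show("/data/* read covers /data/a.txt read", allows(star, new FilePermission("/data/a.txt", "read")));
        show("/data/* read covers /data/sub/a.txt read", allows(star, new FilePermission("/data/sub/a.txt", "read")));

        // directory/- also covers every subdirectory; the action list is checked as well,
        // so an action that was never granted (delete) is refused even for a covered path
        Permission dash = new FilePermission("/data/-", "read,write");
        show("/data/- read,write covers /data/sub/a.txt write", allows(dash, new FilePermission("/data/sub/a.txt", "write")));
        show("/data/- read,write covers /data/a.txt delete", allows(dash, new FilePermission("/data/a.txt", "delete")));

        // <<ALL FILES>> matches any path in the file system
        Permission all = new FilePermission("<<ALL FILES>>", "read");
        show("<<ALL FILES>> read covers /tmp/any/file read", allows(all, new FilePermission("/tmp/any/file", "read")));

        // *:8000-8999 with connect: any host, but only that port range and that action;
        // the port and action comparisons need no name resolution, so this runs offline
        Permission sock = new SocketPermission("*:8000-8999", "connect");
        show("*:8000-8999 connect covers www.example.com:8080 connect", allows(sock, new SocketPermission("www.example.com:8080", "connect")));
        show("*:8000-8999 connect covers www.example.com:80 connect", allows(sock, new SocketPermission("www.example.com:80", "connect")));
        show("*:8000-8999 connect covers www.example.com:8080 listen", allows(sock, new SocketPermission("www.example.com:8080", "listen")));
    }
}
```

Compile and run with javac PolicyTargetDemo.java && java PolicyTargetDemo; no security manager is needed, since the sample only evaluates Permission objects directly.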
Security Policy Files
- An example policy file:
    grant codeBase "http://www.cs.ust.hk/~liao/comp201/codes/secu/awt/" {
        permission java.awt.AWTPermission "showWindowWithoutWarningBanner";
    };
    grant codeBase "http://www.cs.ust.hk/~liao/comp201/codes/secu/file/" {
        permission java.awt.AWTPermission "showWindowWithoutWarningBanner";
        permission java.io.FilePermission "<<ALL FILES>>", "read, write";
    };
    grant codeBase "http://www.cs.ust.hk/~liao/comp201/codes/secu/socket/" {
        permission java.net.SocketPermission "*", "connect";
    };
Security Policy Files
- policytool: a utility for creating policy files

Security Policy Files
- Location of the policy file on the client machine:
- Method 1: use one of the default locations
    ${user.home}/.java.policy
      on XP: C:\Documents and Settings\liao\.java.policy
    ${java.home}/lib/security/java.policy
      on my machine: C:\Program Files\j2sdk1.4.0\jre\lib\security
- Method 2: place a policy file on the internet or on the local machine, and add a link to it in the master security properties file ${java.home}/jre/lib/security/java.security, e.g.:
    policy.url.3=http://www.cs.ust.hk/~liao/comp201/codes/secu/applet.policy
  This manages the policy file at a single location; good for an intranet.
Permission Granting Examples
- AWT Permission example (check the code page):
  - Normally, pop-up windows created by applets come with warning banners.
  - However, the pop-up window created by the applet from http://www.cs.ust.hk/~liao/comp201/codes/secu/awt/ has no warning banner if one includes the following entry in the policy file:
    grant codeBase "http://www.cs.ust.hk/~liao/comp201/codes/secu/awt/" {
        permission java.awt.AWTPermission "showWindowWithoutWarningBanner";
    };

Permission Granting Examples
- File Permission example:
  - Normally, applets cannot read and write local files.
  - However, FileIOApplet from http://www.cs.ust.hk/~liao/comp201/codes/secu/file/ can read and write local files if one includes the following grant entry in the policy file:
    grant codeBase "http://www.cs.ust.hk/~liao/comp201/codes/secu/file/" {
        permission java.io.FilePermission "<<ALL FILES>>", "read,write";
        permission java.awt.AWTPermission "showWindowWithoutWarningBanner";
    };

Permission Granting Examples
- Socket Permission example:
  - Normally, applets cannot connect to a server other than their home server.
  - However, SocketApplet from http://www.cs.ust.hk/~liao/comp201/codes/secu/socket/ can connect to other http servers if one includes the following grant entry in the policy file:
    grant codeBase "http://www.cs.ust.hk/~liao/comp201/codes/secu/socket/" {
        permission java.net.SocketPermission "*", "connect";
    };
- In your paper, try to explain the contents of the following permission policy file.
Outline
- Using Java security mechanisms
  - Security policy files
  - Code signing

Public/Private Key Encryption
[Figure: public/private key exchange between Alice and Bob]
Code Signing
- Developer:
  - Generates a certificate, which contains a pair of keys, a public key and a private key.
  - Sends the public key to its users.
  - Signs applets with the private key.
- Client:
  - Gets the public key from the developer
  - Adds the public key to his/her own public key collection
  - Modifies his/her own security policy file to give more permissions to applets signed by THE developer.
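The developer/client exchange just described, as an added example that is not part of the lecture: the developer signs the applet bytes with the private key, and the client checks them with the public key received in the developer's certificate, so that any change to the bytes, or a signature made with someone else's key, is rejected. keytool and jarsigner wrap this same java.security.Signature primitive around the JAR's manifest digests. The class name CodeSigningDemo, the second key pair named mallory, and the byte string standing in for the contents of MyApplet.jar are constructed for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;

// Assumed demo class: the two roles of code signing reduced to one signature.
public class CodeSigningDemo {

    // Developer side: generate the key pair that keytool would keep in the keystore
    static KeyPair generateDeveloperKeys() throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        return kpg.generateKeyPair();
    }

    // Developer side: sign the applet bytes with the PRIVATE key
    static byte[] sign(PrivateKey priv, byte[] appletBytes) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(priv);
        s.update(appletBytes);
        return s.sign();
    }

    // Client side: check the signature with the developer's PUBLIC key (from the certificate)
    static boolean verify(PublicKey pub, byte[] appletBytes, byte[] sig) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(pub);
        s.update(appletBytes);
        return s.verify(sig);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPair liao = generateDeveloperKeys();     // the developer's keys (private key never leaves the keystore)
        KeyPair mallory = generateDeveloperKeys();  // constructed: some other party's keys

        // constructed stand-in for the bytes of MyApplet.jar
        byte[] applet = "MyApplet.class: sample bytes".getBytes(StandardCharsets.UTF_8);
        byte[] sig = sign(liao.getPrivate(), applet);

        // untouched bytes, signed by the developer: the client accepts them
        System.out.println("original, signed by liao: " + verify(liao.getPublic(), applet, sig));

        // one flipped bit in the applet invalidates the signature
        byte[] tampered = applet.clone();
        tampered[0] ^= 0x01;
        System.out.println("tampered bytes: " + verify(liao.getPublic(), tampered, sig));

        // a signature made with another private key does not verify under liao's public key
        byte[] forged = sign(mallory.getPrivate(), applet);
        System.out.println("signed with someone else's key: " + verify(liao.getPublic(), applet, forged));
    }
}
```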
Code Signing / Developer
- Java comes with the keytool program for managing a keystore, a database of keys and certificates.
- To generate a keystore liao.store and generate a pair of keys with alias liao, use the command:
    keytool -genkey -keystore liao.store -alias liao
- A dialog follows and liao.store is created.
- Keep liao.store in a safe location!
Code Signing / Developer
    Enter keystore password: 123456
    What is your first and last name?
    [Unknown]: Renlan Liao
    What is the name of your organizational unit?
    [Unknown]: Computer Science
    What is the name of your organization?
    [Unknown]: Hong Kong University of Science and Technology
    What is the name of your City or Locality?
    [Unknown]: Hong Kong
    What is the name of your State or Province?
    [Unknown]: Hong Kong
    What is the two-letter country code for this unit?
    [Unknown]: CN
    Is <CN=Renlan Liao, OU=Computer Science, O=Hong Kong University of Science and Technology, L=Hong Kong, ST=Hong Kong, C=CN> correct?
    [no]: yes
    Enter key password for <Renlan>
    (RETURN if same as keystore password):
Code Signing / Developer
- Export the public key to a certificate file and send it to the user:
    keytool -export -keystore liao.store -alias liao -file liao.cert
- What is inside?
    D:\Users\public_html\COMP201\codes\secu>keytool -printcert -file liao.cert
    Owner: CN=Renlan Liao, OU=Computer Science, O=Hong Kong University of Science and Technology, L=Hong Kong, ST=Hong Kong, C=cn
    Issuer: CN=Renlan Liao, OU=Computer Science, O=Hong Kong University of Science and Technology, L=Hong Kong, ST=Hong Kong, C=cn
    Serial number: 40a08a25
    Valid from: Tue May 11 16:09:09 GMT+08:00 2004 until: Mon Aug 09 16:09:09 GMT+08:00 2004
    Certificate fingerprints:
    MD5: A0:60:35:22:28:42:3B:18:77:12:EB:43:13:B1:D7:C6
    SHA1: 9:34:84:4C:F0:32:B5:B1:17:55:3B:0C:03:FC:87:FE:EC:69:A0:6F
Code Signing / Developer
- Sign applets:
  - Create a jar file:
    jar cvf MyApplet.jar *.class
  - Run the jarsigner tool:
    jarsigner -keystore liao.store MyApplet.jar liao
    (liao.store: the keystore containing the private key; liao: the alias of the private key)
Code Signing / Client
- Add the public key received to his/her store of public keys:
    keytool -import -keystore certs.store -alias liao -file liao.cert
- Include the location of the public key store in the policy file:
    keystore "keystoreURL", "keystoreType";
  Examples:
    keystore "file:C:\Windows\cert.store", "JKS";
    keystore "http://www.cs.ust.hk/~liao/comp201/codes/secu/certs.store", "JKS";
- JKS: the type of keystore generated by keytool
Code Signing / User
- Add signedBy "alias" to grant clauses in the policy file:
    grant signedBy "liao" {
        permission java.awt.AWTPermission "showWindowWithoutWarningBanner";
    };
- What if the client's policy file does not grant permissions to signed applets?
  - The browser will ask for permissions when loading the applet
  - Example: http://www.cs.ust.hk/~liao/comp201/codes/secu/sign2/
Security packages in Java
- Separate packages that are included as part of the JDK:
  - JCE - Java Cryptography Extension
  - JAAS - Java Authentication and Authorization Service
  - Java GSS API - Java Generic Security Services API
  - Java Certification Path API
  - JSSE - Java Secure Socket Extension
JCE
- JCE covers:
  - encryption and decryption
    - symmetric bulk encryption, such as DES, RC2, and IDEA
    - symmetric stream encryption, such as RC4
    - asymmetric encryption, such as RSA
    - password-based encryption (PBE)
  - key agreement
  - Message Authentication Code (MAC)
Java Authentication and Authorization Service (JAAS)
- JAAS can be used for two purposes:
  1. for authentication of users, to reliably and securely determine who is currently executing Java code, regardless of whether the code is running as an application, an applet, a bean, or a servlet;
  2. for authorization of users, to ensure they have the access control rights (permissions) required to do the actions performed.
- JAAS authentication is performed in a pluggable fashion. This permits Java applications to remain independent from underlying authentication technologies.
- The implementation is specified in a login configuration file.
- It is an important topic, but unfortunately I have to skip it because it needs a solid background in security.