Dan Sedlacek, CTO, Systems Management Group, Sterling Software: Java Security and Encryption.


Java Security and Encryption

Java Security and Encryption

• What is the level of security provided by Java technology?

• What’s NOT provided for in Java

• How Java implements security

• How to extend Java security

Agenda

• Java Security Overview

• Applications and Applets

• Java Language Security

• Java Class Loaders

• Security Manager

• Access Controller

• Security Policies

• Authentication

• Encryption

Java Security Overview: What is Security?

• Virus Protection

• System Resource Access Control

• Authentication of Author and Data

• Data Privacy

• Encryption

• Auditing

• Orange Book (C2, B1)

Java Security Overview: What is Java Security?

• Virus Protection - Yes

• System Resource Access Control - Yes

• Authentication of Author and Data - Yes

• Data Privacy - Yes & No

• Encryption - Optional

• Auditing - Not Built-in

• Orange Book (C2, B1) - No

Applets and Applications

• Applets
  – Run under control of a browser
  – Are subject to the browser security policy

• Applications
  – Establish their own security policy
  – Default is no security manager

Applets: very restricted (browser security manager)

Applications: allowed to play (optional security manager)

How Does Java Provide Security?

• Java Language Security

• Java Class Loaders

• Digital Signatures

• Java Security Manager

• Java Access Controller

• Encryption

Java Language Security

• Class members have access levels:
  – private: accessible only by the defining class
  – package (default): accessible by classes in the same package
  – protected: same as package, plus access by any subclass
  – public: accessible by any class

Java Language Security

• Access modifiers are strictly enforced

• No pointers: no access to arbitrary memory, and memory is reclaimed by automatic garbage collection

• “final” methods cannot be overridden and “final” variables cannot be reassigned

• Variables MUST be initialized before use

• Array bounds are enforced

• Strict object casting rules

Java Language Security

• Object serialization can be a problem
  – Objects are externalized as a series of bytes
  – Data may be tampered with before the object is reconstructed

• Some solutions:
  – A class must implement java.io.Serializable before its objects can be serialized
  – Fields marked “transient” are left out of the serialized form
  – writeObject() and readObject() methods let you implement your own encryption or integrity checks
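The tamper-before-reconstruction problem and the writeObject()/readObject() remedy from the slide above, as an added example that is not part of the talk. The class name, the field layout and the embedded demo key are assumptions; a real deployment would take the key from a keystore.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example (not from the talk): a Serializable class whose custom
// writeObject()/readObject() put an HMAC over the serialized fields, so a
// byte stream tampered with before the object is reconstructed is rejected.
public class SignedRecord implements Serializable {
    private static final long serialVersionUID = 1L;

    // Assumption: demo-only key. Anyone holding this class holds the key;
    // a real deployment loads it from a keystore.
    private static final byte[] MAC_KEY =
            "demo-key-do-not-use-in-production".getBytes(StandardCharsets.UTF_8);

    private String account;
    private long balance;
    private transient String sessionToken;   // transient: never written to the stream

    public SignedRecord(String account, long balance, String sessionToken) {
        this.account = account;
        this.balance = balance;
        this.sessionToken = sessionToken;
    }

    // HMAC-SHA256 over exactly the fields that go into the stream.
    private static byte[] tag(String account, long balance) throws IOException {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(MAC_KEY, "HmacSHA256"));
            mac.update(account.getBytes(StandardCharsets.UTF_8));
            mac.update(Long.toString(balance).getBytes(StandardCharsets.UTF_8));
            return mac.doFinal();
        } catch (GeneralSecurityException e) {
            throw new IOException("HMAC unavailable", e);
        }
    }

    // ObjectOutputStream calls this instead of writing the fields itself.
    private void writeObject(ObjectOutputStream out) throws IOException {
        out.writeUTF(account);
        out.writeLong(balance);
        out.writeObject(tag(account, balance));
    }

    // ObjectInputStream calls this; verify before assigning any field so a bad
    // stream never yields a half-built object.
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        String a = in.readUTF();
        long b = in.readLong();
        byte[] t = (byte[]) in.readObject();
        if (!MessageDigest.isEqual(t, tag(a, b))) {       // constant-time comparison
            throw new InvalidObjectException("SignedRecord failed integrity check");
        }
        account = a;
        balance = b;
        sessionToken = null;                              // transient: not restored
    }

    public static byte[] serialize(SignedRecord r) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(r);
        }
        return bos.toByteArray();
    }

    public static SignedRecord deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return (SignedRecord) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] stream = serialize(new SignedRecord("alice", 100, "session-42"));   // constructed input
        SignedRecord ok = deserialize(stream);
        System.out.println("intact: " + ok.account + " " + ok.balance + " token=" + ok.sessionToken);

        // Tamper with the externalized bytes: the account name sits in the
        // stream as modified UTF-8, so overwrite its first byte in place.
        byte[] tampered = Arrays.copyOf(stream, stream.length);
        int at = indexOf(tampered, "alice".getBytes(StandardCharsets.UTF_8));
        tampered[at] = 'b';
        try {
            deserialize(tampered);
            System.out.println("tampering NOT detected");
        } catch (InvalidObjectException e) {
            System.out.println("tampering detected: " + e.getMessage());
        }
    }

    private static int indexOf(byte[] haystack, byte[] needle) {
        outer:
        for (int i = 0; i <= haystack.length - needle.length; i++) {
            for (int j = 0; j < needle.length; j++) {
                if (haystack[i + j] != needle[j]) continue outer;
            }
            return i;
        }
        return -1;
    }
}
```

Compile and run with `javac SignedRecord.java && java SignedRecord`. The MAC protects only this class's own fields: ObjectInputStream has already parsed the stream and resolved classes before readObject() runs, so an untrusted stream can still name other classes. For streams from outside the trust boundary, add a deserialization filter (`ObjectInputFilter`, Java 9 and later) on top of the per-class check.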

Java Language Security Enforcement

• Enforcement happens at different times
  – Compile time enforcement
  – Class load time enforcement
  – Runtime enforcement

• It’s easy to get around compile-time enforcement: hand-build class files for the JVM instead of using javac

• Class loader and runtime enforcement are more difficult to get around

Java Language Security: Enforcement

Figure: Java Source → Java Compiler → Bytecode → Class Loader / Bytecode Verifier → Java Virtual Machine Runtime

Java Language Security: Compile Time Enforcement



• Validate language syntax

• Enforce method and variable access rules

• Enforce variable initialization

• Enforce some casting operations

Java Language Security: Class Load Time Enforcement



• Bytecode verifier is part of the VM

• Bytecode verification
  – Verifies class file format
  – Final classes are not subclassed
  – Final methods are not overridden
  – Every class has a single superclass (except Object, of course)

Java Language SecurityClass Load Time Enforcement

• Bytecode verification (continued)
  – Verifies that casting legality checks are in place
  – No operand stack overflows or underflows
  – All field and method accesses are legal

• Bytecode verification may be delayed in some implementations

Java Language Security: Runtime Enforcement



• Array bounds checking
  – Throws ArrayIndexOutOfBoundsException

• Object casting
  – Throws ClassCastException

• Security Manager
  – Throws SecurityException
  – Depends on the Access Controller

Java Class Loaders

• Read bytecode into the JVM

• Convert into class definitions

• Works in conjunction with Security Manager and Access Controller

• Knows where the class originated

• Understands signed Jar files

• Enforces namespace rules

Java Class Loaders

• Java applications can create and use different class loaders

• Java applets use the browser-provided class loader

Java Class Loaders: Namespaces

• Used to eliminate ambiguity between classes with the same name

• The full name of a Java class is qualified by the name of its package:
  – java.lang.String
  – com.sun.java.swing.JTable

• Classes with no package statement belong to the default (unnamed) package

Java Class Loaders: Namespaces

• Classes with different CODEBASEs are loaded by different instances of the class loader

• Even if the fully qualified class names are the same, the separate loaders keep them distinct: the runtime identity of a class is the pair (class loader, class name)

• Namespaces enforce package protection: package-private access only works between classes in the same package that were loaded by the same class loader

Java Class Loaders: How They Work

• Previously loaded classes are cached

• Class loader optionally consults the Security Manager to see if the program is allowed to access the class

• Internal class loader attempts to load the class from CLASSPATH

• Class loader reads in an array of bytes

• Bytecode verification is performed

Java Class Loaders: How They Work (continued)

• A class object is constructed from the bytecodes

• Resulting class name is verified to be the requested class name

• Base classes and classes referenced by static initializers are also loaded

• Other referenced classes are loaded when the class references them

Java Class Loaders: How They Work (continued)

• An internal class loader (part of the JVM) loads the Java API classes when the VM starts up

• In 1.1 internal class loader also loads all CLASSPATH classes

• In 1.2 an instance of URLClassLoader loads classes from CLASSPATH

• Browsers load classes for applets from the applet’s CODEBASE by URL

Other Java Class Loaders

• An RMI class loader (RMIClassLoader) is similar to an applet class loader
  – Uses HTTP to load classes from a remote host

• Secure class loader associates protection domains with each class it loads
  – java.security.SecureClassLoader
  – Makes use of the access controller facilities

• URL class loader (URLClassLoader): general purpose class loader

Java Class Loaders and JAR Files

• Java Archive files, or JAR files are Zip files with some additional information

• JAR files contain many class files, and other files needed by an application

• A JAR file is fetched as a single unit, although individual classes are still defined only when the program references them

• Signed classes must be in JAR files

Java Class Loaders: Security Implications

• Class loaders are integral to Java’s security
  – Class loaders enforce namespace separation
  – Security Manager depends on the class loader to keep track of the class origin
  – Custom class loaders may be developed to handle load protocols other than HTTP, to implement class file encryption, and to implement special security policies
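The namespace and name-check behaviour from the class loader slides above, as an added example that is not part of the talk: a child-first loader that defines a class from its own .class bytes, showing that two loader instances produce two distinct runtime classes with the same name, that the JVM rejects a class whose bytecode names a different class than the one requested, and that it refuses to define anything in the java.* namespace. The class and loader names are assumptions; it needs JDK 9 or later (readAllBytes) and must be compiled with javac first so the .class resource exists on the class path.

```java
import java.io.IOException;
import java.io.InputStream;

// Added example (not from the talk). Run: javac LoaderDemo.java && java LoaderDemo
public class LoaderDemo {

    // The class we load through our own loader. Its bytes are read back from
    // the class path as a resource, so no bytecode is hand-written here.
    public static class Plugin {
        public String hello() { return "hello from " + getClass().getClassLoader(); }
    }

    // Child-first for Plugin, parent delegation for everything else (java.* etc.).
    static class IsolatingLoader extends ClassLoader {
        IsolatingLoader() { super(LoaderDemo.class.getClassLoader()); }

        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            synchronized (getClassLoadingLock(name)) {
                Class<?> c = findLoadedClass(name);          // previously loaded classes are cached
                if (c == null) {
                    c = name.equals("LoaderDemo$Plugin")
                            ? defineFromResource(name, name)
                            : super.loadClass(name, resolve);
                }
                if (resolve) resolveClass(c);
                return c;
            }
        }

        // Read the .class file for fromClass and ask the JVM to define it as asName.
        Class<?> defineFromResource(String asName, String fromClass) throws ClassNotFoundException {
            String path = fromClass.replace('.', '/') + ".class";
            try (InputStream in = getParent().getResourceAsStream(path)) {
                if (in == null) throw new ClassNotFoundException(fromClass);
                byte[] bytes = in.readAllBytes();
                return defineClass(asName, bytes, 0, bytes.length);   // verification happens here
            } catch (IOException e) {
                throw new ClassNotFoundException(fromClass, e);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        Class<?> a = new IsolatingLoader().loadClass("LoaderDemo$Plugin");
        Class<?> b = new IsolatingLoader().loadClass("LoaderDemo$Plugin");
        Object pa = a.getDeclaredConstructor().newInstance();
        System.out.println("same name:            " + a.getName().equals(b.getName()));
        System.out.println("same runtime class:   " + (a == b));
        System.out.println("b.isInstance(pa):     " + b.isInstance(pa));
        System.out.println("pa instanceof Plugin: " + (pa instanceof Plugin));
        System.out.println(a.getMethod("hello").invoke(pa));

        // Name check: the bytes say LoaderDemo$Plugin, but we ask for another name.
        try {
            new IsolatingLoader().defineFromResource("LoaderDemo$Impostor", "LoaderDemo$Plugin");
        } catch (NoClassDefFoundError e) {
            System.out.println("name mismatch rejected: " + e.getMessage());
        }
        // Namespace protection: user loaders may not define java.* classes.
        try {
            new IsolatingLoader().defineFromResource("java.lang.Plugin", "LoaderDemo$Plugin");
        } catch (SecurityException e) {
            System.out.println("java.* rejected: " + e.getMessage());
        }
    }
}
```

The first four lines of output are true, false, false and false: the name matches, but the class identity, instance checks and casts do not cross loader boundaries, which is what keeps an applet from one CODEBASE from impersonating a class of another.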

Java Security Manager

• Security Manager is the sandbox guard

• Default security manager provided by browsers to protect local system resources

• Applications have a null security manager by default

• Use the -usepolicy option to utilize the default security manager (that in turn uses the Access Controller); in the shipping 1.2 release the switch is java -Djava.security.manager, optionally with -Djava.security.policy=<policy file>

Java Security Manager

Figure: Class File → Bytecode Verification → Class Loader → Security Manager → Instantiated Object; Core Java API → Security Manager → Access Controller

Java Security Manager

• java.lang.SecurityManager

• Programs perform operations through the core Java API

• Methods are invoked by the core Java API to check if an operation is allowable

• A SecurityException is thrown if the operation is not allowable

Java Security Manager: Trusted Classes

• In general:
  – Core API classes are trusted
  – Classes that are loaded via the CLASSPATH are trusted

• Specific permissions may be granted based on signature and codebase

• Access Controller is called by the Security Manager to ascertain if a class is trust-worthy

Java Security Manager: Methods

• Protection for the Java Virtual Machine

• System resource protection
  – File system access
  – Network access
  – Printing
  – Accessing the clipboard
  – Event queue access

Java Security Manager: Methods (continued)

• Access to security related operations

• Protection against manipulating thread groups that were created by another entity

Access Controller

• Added in release 1.2

• Used by the security manager to determine security policy

• Allows security policy to be configured without writing a custom security manager

• System security file:
  – $JAVA_HOME/lib/security/java.security

• Security Manager still works with pre-version 1.2 classes

Access Controller: System Security File

• $JAVA_HOME/lib/security/java.security

    policy.provider=java.security.PolicyFile
    policy.expandProperties=true
    policy.allowSystemProperty=true
    policy.url.1=file:${java.home}/lib/security/java.policy
    policy.url.2=file:${user.home}/.java.policy

  (The shipping 1.2 release names the provider sun.security.provider.PolicyFile.)

• These policy files map code sources to sets of permissions

Access Controller: Roles

• Used by the security manager to determine access to resources

• May be used by a program to check application-specific permissions

• Used only if a security manager is being used

Access Controller: Concepts

• Code sources - Where the class comes from

• Permissions - Ability to perform an operation

• Policies - Set of permissions by code source

• Protection domains - Permissions granted to classes from a particular code source

Access Controller: Code Sources

• java.security.CodeSource

• CodeSource(URL url, PublicKey[] keys)

• public boolean equals(Object obj)

• public final URL getLocation()

• public final PublicKey[] getKeys()

• Note: the shipping 1.2 API identifies signers by certificate rather than by bare public key: CodeSource(URL url, Certificate[] certs) and getCertificates()

Access Controller: Permissions

• java.security.Permission (one permission; java.security.Permissions is the collection class)

• Permission properties:
  – Type (e.g. FilePermission)
  – Name (e.g. name of the file; supports wildcards)
  – Actions (e.g. read)

Access Controller: Permissions

• Java API permissions
  – Access controller is automatically called if a security manager is active

• Arbitrary user-defined permissions
  – Name (e.g. CorporatePayroll)
  – Actions (e.g. read)
  – Access controller must be explicitly called

Access Controller: Java API Permissions

• Java API permissions
  – FilePermission (e.g. /etc/passwd, read)
  – SocketPermission (host:port; accept, connect, listen, resolve)
  – PropertyPermission (e.g. java.version, read)
  – RuntimePermission (Runtime class operations, e.g. exit)
  – AWTPermission: access to windowing resources

Access Controller: Java API Permissions (continued)

• Java API permissions
  – NetPermission: network settings such as HTTP authentication
  – SecurityPermission: permission to use the security package
  – SerializablePermission: object serialization
  – ReflectPermission: reflection API
  – UnresolvedPermission: placeholder for a permission whose class was not available when the policy was read; resolved when the class is first loaded
  – AllPermission: superuser
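A user-defined permission of the kind the earlier Permissions slide calls "CorporatePayroll", with the explicit access-controller call that the Java API permissions above get for free, as an added example that is not part of the talk. The class names, the code-base prefix and the Policy subclass are assumptions. It runs on JDK 8 through 23 without a security manager, because AccessController.checkPermission consults the protection domains on the stack either way; JEP 486 disables Policy and the access controller in JDK 24, and JDK 17 and later print removal warnings.

```java
import java.net.URI;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.BasicPermission;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

// Added example (not from the talk). Run: javac PayrollDemo.java && java PayrollDemo
@SuppressWarnings("removal")
public class PayrollDemo {

    // Assumed permission class. BasicPermission supplies name matching and
    // "*" wildcards; the two-argument constructor is what a policy file's
    // "permission" line instantiates.
    public static final class PayrollPermission extends BasicPermission {
        public PayrollPermission(String name) { super(name); }
        public PayrollPermission(String name, String actions) { super(name, actions); }
    }

    // FilePermission and friends are checked inside the core API; a
    // user-defined permission is enforced only where the application asks.
    public static String readPayroll() {
        AccessController.checkPermission(new PayrollPermission("CorporatePayroll"));
        return "payroll data";
    }

    // Programmatic equivalent of a policy file entry
    //   grant codeBase "file:/opt/payroll/-" { permission PayrollDemo$PayrollPermission "CorporatePayroll"; };
    static final class PayrollPolicy extends Policy {
        @Override
        public boolean implies(ProtectionDomain pd, Permission p) {
            if (!(p instanceof PayrollPermission)) return true;       // demo: only payroll is restricted
            if (pd.getClassLoader() == PayrollDemo.class.getClassLoader()) return true; // the harness itself
            CodeSource cs = pd.getCodeSource();
            return cs != null && cs.getLocation() != null
                    && cs.getLocation().toExternalForm().startsWith("file:/opt/payroll/");
        }
    }

    // Call readPayroll() as if code from the given code base were on the stack.
    // doPrivileged intersects the supplied context with the caller's own domains,
    // so a domain that lacks the permission makes the check fail.
    public static String attemptFrom(String codeBase) throws Exception {
        CodeSource cs = new CodeSource(URI.create(codeBase).toURL(), (Certificate[]) null);
        ProtectionDomain pd = new ProtectionDomain(cs, null, null, null); // dynamic: consults the Policy
        AccessControlContext acc = new AccessControlContext(new ProtectionDomain[] { pd });
        try {
            return AccessController.doPrivileged((PrivilegedAction<String>) PayrollDemo::readPayroll, acc);
        } catch (AccessControlException e) {
            return "denied: " + e.getPermission();
        }
    }

    public static void main(String[] args) throws Exception {
        Policy.setPolicy(new PayrollPolicy());
        System.out.println(attemptFrom("file:/opt/payroll/app.jar"));
        System.out.println(attemptFrom("file:/tmp/download/app.jar"));
    }
}
```

The first call returns the payroll data and the second is denied. The same PayrollPermission class works unchanged with a policy file and `-Djava.security.manager`; until that class is on the class path when the policy is parsed, its grant lines show up as UnresolvedPermission entries.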

Security Policies

• java.security.Policy

• Ties code sources to permissions

• Default policy is provided in the system security file

• Methods: Permissions evaluate(CodeSource cs), void refresh()
  (in the shipping 1.2 API: PermissionCollection getPermissions(CodeSource cs), void refresh())

Default Security Policy

• Policy files specified by the system security file

• Policy files specified by the: policy.url.n entries

• General format:

    grant [signedBy <signer>] [, codeBase <code source>] {
        permission <class> [<name> [, <action list>]];
        …
        permission <class> [<name> [, <action list>]];
    };
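A policy file in the grant syntax above, as an added example that is not part of the talk. The keystore alias, the code bases, the host name and the com.example.PayrollPermission class are assumptions.

```text
// Added example: a user policy file such as ${user.home}/.java.policy.
// Signer aliases refer to certificates in this keystore.
keystore "file:${user.home}/.keystore";

// Location only: code under /opt/payroll may read the payroll directory
// and one system property, nothing else.
grant codeBase "file:/opt/payroll/-" {
    permission java.io.FilePermission "/var/payroll/-", "read";
    permission java.util.PropertyPermission "java.version", "read";
};

// Signature only: code signed by "payrollsigner", wherever it was fetched
// from, may connect back to the payroll server.
grant signedBy "payrollsigner" {
    permission java.net.SocketPermission "payroll.example.com:443", "connect,resolve";
};

// Both conditions must hold for this grant to apply.
grant signedBy "payrollsigner", codeBase "https://payroll.example.com/-" {
    permission com.example.PayrollPermission "CorporatePayroll";
};

// The "superuser" grant from the permission list. An unconditional grant of
// it switches the sandbox off for all code; do not ship this.
// grant { permission java.security.AllPermission; };
```

Activate it with `java -Djava.security.manager -Djava.security.policy=payroll.policy ...` (a single `=` adds the file to the policy.url.n files; `==` replaces them). Permission classes that are not loadable when the file is parsed are kept as UnresolvedPermission and resolved on first use, so a typo in a class name fails silently as "no permission" rather than as a parse error.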

Protection Domains

• java.security.ProtectionDomain

• public ProtectionDomain(CodeSource cs, PermissionCollection p)

• public CodeSource getCodeSource()

• public PermissionCollection getPermissions()

• public boolean implies(Permission p)

• (The slide’s Permissions type is the PermissionCollection of the shipping API; Permissions is its concrete subclass)

• Represents one “grant” entry in the file

Authentication

• It’s a wide open Internet

• System resources need to be protected from viruses and other attacks

• Need for authentication
  – Author authentication: where did the class come from?
  – Data authentication: was the class content modified?

Authentication

• The signed JAR file is the mechanism

• Enables the class loader to know who signed the class and whether it has been modified since it was signed. A signature identifies the signer’s key, not the download location; the codeBase still comes from wherever the loader fetched the JAR.

• Does NOT imply that Java should trust all signed JAR files

• Does NOT protect the privacy of the information in the JAR file - for that you need encryption

Encryption

• javax.crypto.Cipher - the encryption engine

• Perform encryption and decryption of arbitrary data

• Implements named algorithms

• Supplied by security providers

• Sun’s JCE supports DES, Triple DES (DESede), and PBEWithMD5AndDES. All three are legacy today: DES has a 56-bit key and MD5-based key derivation is weak, so new designs should use AES, preferably in an authenticated mode such as GCM.
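The Cipher engine driven by a named transformation, as an added example that is not part of the talk: one encrypt/decrypt pair that runs with the slide's DESede and with AES-GCM, carrying the IV in front of the ciphertext, and a tamper test showing what an authenticated mode adds. The class name and the layout iv || ciphertext are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.security.spec.AlgorithmParameterSpec;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;

// Added example (not from the talk). Run: javac CipherDemo.java && java CipherDemo
public class CipherDemo {
    private static final SecureRandom RNG = new SecureRandom();

    // GCM takes a 12-byte nonce plus a tag length; CBC takes one block of IV
    // (8 bytes for DESede, 16 for AES).
    private static int ivLength(String transformation, Cipher c) {
        return transformation.contains("GCM") ? 12 : c.getBlockSize();
    }

    private static AlgorithmParameterSpec params(String transformation, byte[] iv) {
        return transformation.contains("GCM") ? new GCMParameterSpec(128, iv) : new IvParameterSpec(iv);
    }

    // Output layout (assumption): iv || ciphertext.
    public static byte[] encrypt(String transformation, SecretKey key, byte[] plaintext)
            throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(transformation);
        byte[] iv = new byte[ivLength(transformation, c)];
        RNG.nextBytes(iv);                                 // fresh IV per message, never reused with a key
        c.init(Cipher.ENCRYPT_MODE, key, params(transformation, iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    public static byte[] decrypt(String transformation, SecretKey key, byte[] blob)
            throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(transformation);
        int n = ivLength(transformation, c);
        c.init(Cipher.DECRYPT_MODE, key, params(transformation, Arrays.copyOfRange(blob, 0, n)));
        return c.doFinal(blob, n, blob.length - n);
    }

    static void roundTrip(String keyAlg, int keyBits, String transformation) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance(keyAlg);
        kg.init(keyBits);
        SecretKey key = kg.generateKey();
        String msg = "payroll: alice 100";                 // constructed input
        byte[] blob = encrypt(transformation, key, msg.getBytes(StandardCharsets.UTF_8));
        boolean ok = msg.equals(new String(decrypt(transformation, key, blob), StandardCharsets.UTF_8));

        // Flip one ciphertext byte. GCM fails its tag check; CBC has no integrity
        // check and either throws a padding error or returns garbage as plaintext.
        blob[blob.length - 1] ^= 0x01;
        String tampered;
        try {
            decrypt(transformation, key, blob);
            tampered = "accepted (no integrity check)";
        } catch (AEADBadTagException e) {
            tampered = "rejected by authentication tag";
        } catch (GeneralSecurityException e) {
            tampered = "rejected only by " + e.getClass().getSimpleName();
        }
        System.out.println(transformation + ": round trip ok=" + ok + "; modified ciphertext " + tampered);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        roundTrip("DESede", 168, "DESede/CBC/PKCS5Padding");  // the slide's algorithm; legacy
        roundTrip("AES", 256, "AES/GCM/NoPadding");            // current choice
    }
}
```

Which providers and transformations are available is a runtime question (`Security.getProviders()`); both transformations here ship with the JDK's SunJCE provider. The CBC branch shows why encryption alone does not give the "data authentication" of the earlier slides: a padding error is the only thing standing between a modified ciphertext and a silently corrupted record, and padding errors themselves leak information (padding-oracle attacks), which is the reason to prefer GCM.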

Encryption

• Used internally by the class loader
  – Public and private keys
  – Message digests
  – Signed JAR files

• General purpose encryption

Encryption: Signed JAR Files

• Originator generates a digital signature
  – Produce a message digest of the content
  – Sign the digest with the private key (with RSA this is literally an encryption of the digest; with DSA, the default key type of the 1.2 keytool, the signature is a separate operation, but the check below is the same)

• Recipient
  – Use the public key to recover or verify the digest carried in the signature
  – Match the signed digest against the digest recomputed from the received content
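The originator and recipient steps above carried through in code, as an added example that is not part of the talk: digest, sign, verify, and then what an attacker who modifies the content can and cannot do. The class name, the RSA key size and the stand-in "class file" bytes are assumptions; jarsigner performs the same steps over the manifest digests of a JAR.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;

// Added example (not from the talk). Run: javac SignDemo.java && java SignDemo
public class SignDemo {

    // Message digest engine: the fixed-size fingerprint of the content.
    public static byte[] digest(byte[] data) throws GeneralSecurityException {
        return MessageDigest.getInstance("SHA-256").digest(data);
    }

    // Originator: Signature digests the content with SHA-256 and signs the
    // digest with the private key in one call.
    public static byte[] sign(PrivateKey key, byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(data);
        return s.sign();
    }

    // Recipient: recompute the digest and check it against the signature with
    // the public key. A signature made with another key is simply invalid.
    public static boolean verify(PublicKey key, byte[] data, byte[] sig) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(data);
        try {
            return s.verify(sig);
        } catch (SignatureException e) {                  // malformed signature bytes
            return false;
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair author = kpg.generateKeyPair();

        byte[] classBytes = "stand-in for a class file".getBytes(StandardCharsets.UTF_8); // constructed
        byte[] shippedDigest = digest(classBytes);
        byte[] sig = sign(author.getPrivate(), classBytes);
        System.out.println("original verifies:              " + verify(author.getPublic(), classBytes, sig));

        // Attacker modifies the class in transit.
        byte[] evil = classBytes.clone();
        evil[0] ^= 0x40;
        System.out.println("digest still matches shipped:   "
                + MessageDigest.isEqual(digest(evil), shippedDigest));
        // A digest travelling with the content can be recomputed by the attacker;
        // the signature cannot be, because it needs the author's private key.
        System.out.println("author signature still verifies: " + verify(author.getPublic(), evil, sig));
        KeyPair attacker = kpg.generateKeyPair();
        byte[] resigned = sign(attacker.getPrivate(), evil);
        System.out.println("re-signed with another key:      " + verify(author.getPublic(), evil, resigned));
    }
}
```

The first line is true and the remaining three false. The last one is the point of the "does NOT imply that Java should trust all signed JAR files" slide: a valid signature only ties content to some key; whether that key belongs to a trusted author is a policy decision (the signedBy grant and the keystore behind it).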

Encryption of Signed JAR Files

Figure: JAR file → Message Digest Engine → message digest (451350228534...) → Digital Signature Engine with the private key → digital signature (9728016828...)

Decryption of Signed JAR Files

Figure: digital signature (9728016828...) → Digital Signature Engine with the public key → message digest (451350228534...), compared with the digest recomputed from the JAR file by the Message Digest Engine

Java Security: Summary

• Java Security Features
  – Java Language Security
  – Java Class Loaders
  – Security Manager and Access Controller
  – Security Policies
  – Authentication and Encryption

• Java Security is Both Configurable and Extendable

Java Security and Encryption

Questions and Answers

Dan Sedlacek, CTO, Systems Management Group, Sterling Software

[email protected]