Java Security Model For Mobile Code

Abdo Achkar

Mobile Code

A mobile object is a “self contained piece” of executable code.

Definition: Code that can be transmitted across a network

and executed on the other end.

Mobile code is dynamically loaded and executed by standalone programs. Ex: Browsers

Advantages Of Mobile Code In Distributed Systems

Eliminates installation problems of desktop applications.

Favors portability to different platforms.

Enhances scalability of client/server applications.

Reduces software distribution costs.

Criteria For Mobile Code

Safe environment of execution

Platform independence

Life cycle control

Security

Safety features built into the JVM Type-safe reference casting Structured memory access Automatic garbage collection Array bounds checking

Safety features built into the JVM Type-safe reference casting Structured memory access

How Does Java Ensure These Criteria?

Safety features built into the JVM Safety features built into the JVM Safety features built into the JVM Safety features built into the JVM Type-safe reference casting Structured memory access Automatic garbage collection

Safety features built into the JVM Type-safe reference casting Structured memory access Automatic garbage collection Array bounds checking Checking references for null

Safety features built into the JVM Type-safe reference casting

How Does Java Ensure These Criteria? (Cont’)

The class loader architectureThe class loader architecture Primordial class loader (trusted)

The class loader architecture Primordial class loader (trusted) Class loader for other classes (non trusted)

Every namespace has its own loader

The class loader checks to make sure that the class does not declare itself to be a member of a trusted package

How Does Java Ensure These Criteria? (Cont’)

The class-file verifierThe class-file verifierChecks format and internal consistency

The class-file verifierChecks format and internal consistency

Bytecode verifier

The class-file verifierChecks format and internal consistency

Bytecode verifier•Checks that no local variable is accessed

before instantiation

The class-file verifierChecks format and internal consistency

Bytecode verifier•Checks that no local variable is accessed

before instantiation•Checks that class’ fields are assigned

values of proper type.

The class-file verifierChecks format and internal consistency

Bytecode verifier•Checks that no local variable is accessed

before instantiation•Checks that class’ fields are assigned

values of proper type.•Checks methods’ arguments number and

type

Class Verifier (cont’)

Phase two and dynamic linking Finding the class being referenced

Phase two and dynamic linking Finding the class being referenced Replacing symbolic references with direct

references (and remembering them)

The security manager Defines the limits of the “sandbox”

How Does Java Ensure These Criteria? (Cont’)

The security manager Defines the limits of the “sandbox” Is consulted for permission for every

potentially dangerous action.

The security manager Defines the limits of the “sandbox” Is consulted for permission for every potentially dangerous action. List of possible dangerous behaviors supported by security managers:

Accepting/Opening sockets Modifying/Creating threads Creating new class loaders Creating new process Loading DLLs. Deleting/reading/writing from and to a file

Advantages of using Java in mobile code

Unlike traditional software, java allows working with software that come from sources you do not fully trust.

Unlike traditional software, java allows working with software that come from sources you do not fully trust.

Java’s openness allows security holes to be identified and patched.

Unlike traditional software, java allows working with software that come from sources you do not fully trust.

Java’s openness allows security holes to be identified and patched.

Java is platform independent

Unlike traditional software, java allows working with software that come from sources you do not fully trust.

Java’s openness allows security holes to be identified and patched.

Java is platform independent Java is free

Unlike traditional software, java allows working with software that come from sources you do not fully trust.

Java’s openness allows security holes to be identified and patched.

Java is platform independent Java is free Java code is robust (otherwise the

loader/verifier would throw exceptions)

Disadvantages of Java

Slow due to all checkings it doesSlow due to all checkings it doesDoes not allow low level control of

hardware without having to call natives. (can be a security advantage)

Slow due to all checkings it doesDoes not allow low level control of hardware without

having to call natives. (can be a security advantage)Every class extends the class Object. This adds a lot

of overhead to the program.

Questions

References

http://www.javaworld.com/javaworld/jw-08-1997/jw-08-hood.html

http://www.javaworld.com/javaworld/jw-09-1997/jw-09-hood.html

http://www.javaworld.com/javaworld/jw-10-1997/jw-10-hood.html

http://www.javaworld.com/javaworld/jw-11-1997/jw-11-hood.html

http://www.cafeaulait.org/course/week13/26.html http://www.sims.berkeley.edu/academics/

courses/is206/f97/GroupC/java.html