Secure Coding in Java and .NET

© 2003 School of Computing, University of Leeds© 2003 School of Computing, University of LeedsSY32 Secure Computing, Lecture 16SY32 Secure Computing, Lecture 16

Secure Coding inSecure Coding inJava and .NETJava and .NET

Part 1: FundamentalsPart 1: Fundamentals

22SY32 Secure Computing, Lecture 16SY32 Secure Computing, Lecture 16

OutlineOutline

• Basic security features of Java and .NETBasic security features of Java and .NET

• Use of intermediate languagesUse of intermediate languages

• Validation and verification of IL codeValidation and verification of IL code

• Restricted execution environmentsRestricted execution environments

• Code signingCode signing


Basic Security FeaturesBasic Security Features

• Well-defined, standardized type systemWell-defined, standardized type system

• Strict compile-time type checkingStrict compile-time type checking

• Lack of pointer arithmeticLack of pointer arithmetic

• Garbage collectionGarbage collection

• Bounds checking of arrays, etcBounds checking of arrays, etc No buffer overruns!No buffer overruns!


Use of Intermediate LanguagesUse of Intermediate Languages

• Compilers target Compilers target intermediate languageintermediate language rather rather than native machine codethan native machine code Java Java → → bytecodebytecode C#, VB.NET, etc C#, VB.NET, etc →→ CIL ( CIL (‘‘managed codemanaged code’’))

• Intermediate code is typically JIT-compiled to Intermediate code is typically JIT-compiled to native code by a native code by a virtual machinevirtual machine (VM) (VM)

• VM can perform various security checks when VM can perform various security checks when loading, JIT-compiling or running codeloading, JIT-compiling or running code


Java BytecodeJava Bytecode

InternetInternet

Bytecode

JVM

Verifier

Class loader

Classobject

Classloader

DiskOriginal Java model

(SDK 1.0 & 1.1) Bytecode


Java BytecodeJava Bytecode

InternetInternet

Bytecode

JVM

Verifier

Class loader

Classobject

Classloader

DiskJava 2 model

(SDK 1.2 & above) Core APIbytecode

Disk

Bytecode


Class Loaders & SecurityClass Loaders & Security

• Bytecode with different origins is loaded by Bytecode with different origins is loaded by different class loader objectsdifferent class loader objects

• JVM identifies a class by name JVM identifies a class by name andand class loader class loader Prevents, e.g., hostile applet from substituting its Prevents, e.g., hostile applet from substituting its java.net.Socketjava.net.Socket class for real one class for real one

• Difficult to implement correctly; bugs found inDifficult to implement correctly; bugs found in March & May 1996March & May 1996 July 1998July 1998 November 2000November 2000


Bytecode VerificationBytecode Verification

• Verifier looks forVerifier looks for .class.class file format violations file format violations Abuse of Abuse of finalfinal modifier modifier Classes that don't have one superclassClasses that don't have one superclass Illegal data conversionsIllegal data conversions Operand stack overflow or underflowOperand stack overflow or underflow

• Field and method access checking is delayed Field and method access checking is delayed until runtime, then performed once onlyuntil runtime, then performed once only


Code Validation in .NETCode Validation in .NET

• Managed code is organized as logical units Managed code is organized as logical units called called assembliesassemblies, containing CIL instructions, , containing CIL instructions, metadata and resourcesmetadata and resources

• Validation checks thatValidation checks that Files have correct format (PE/COFF)Files have correct format (PE/COFF) Metadata are present and uncorruptedMetadata are present and uncorrupted CIL instructions are legalCIL instructions are legal


ExampleExample

.method static void Main() cil managed{ .entrypoint .maxstack 2 ldc.i4.1 add ldstr "1 + 2 = " call void [mscorlib]System.Console::Write(string) call void [mscorlib]System.Console::WriteLine(int32) ret}

ldc.i4.2

What happens when ldc.i4.2instruction is removed?


Code Verification in .NETCode Verification in .NET

• Verification checks Verification checks type safetytype safety of CIL code of CIL code

• Algorithm will reject some type-safe codeAlgorithm will reject some type-safe code

• Failure doesn't necessarily prevent executionFailure doesn't necessarily prevent execution

Type-safecode

Verifiablecode

All code


ExampleExample

• C# class C# class SecretSecret contains a private integer field contains a private integer field

• Attacker writes a class Attacker writes a class HackHack with a public integer with a public integer field, then attempts to make a field, then attempts to make a HackHack reference reference point to a point to a SecretSecret instance instance

• Bona fide compiler will refuse to compile this Bona fide compiler will refuse to compile this type confusion attack…type confusion attack…

• ……but what if attacker writes in CIL?but what if attacker writes in CIL?


class Secret {

private int data; ...}

class Hack {

public int data;

static void Main() { Secret s = new Secret(); Hack h = new Hack(); h = s; System.Console.WriteLine(h.data); }}

compiler error


.field public int32 'data'

.method static void Main() cil managed{ .entrypoint .maxstack 2 .locals init (class [Secret]Secret V_0, class Hack V_1) newobj instance void [Secret]Secret::.ctor() stloc.0 newobj instance void Hack::.ctor() stloc.1 ldloc.0 stloc.1 ldloc.1 ldfld int32 Hack::'data' call void [mscorlib]System.Console::WriteLine(int32) ret}

type confusion…

…but this code might execute, nevertheless!


ExplanationExplanation

• Assembly that fails verification may run if loaded Assembly that fails verification may run if loaded from local disk, because such code is trusted from local disk, because such code is trusted fully by defaultfully by default

• Same assembly downloaded from a web server Same assembly downloaded from a web server will normally not be executedwill normally not be executed

• Exact behaviour depends on how Exact behaviour depends on how code access code access security policysecurity policy has been configured has been configured


ProblemsProblems

• IL verification is hard to implement correctlyIL verification is hard to implement correctly

• Example: bugs in Java's bytecode verifierExample: bugs in Java's bytecode verifier March 1996March 1996 March & May 1997March & May 1997 April 1999April 1999 March 2002March 2002 January 2003January 2003


Restricted EnvironmentsRestricted Environments

• The Java sandboxThe Java sandbox

• .NET application domains.NET application domains

• .NET isolated storage.NET isolated storage


The Classic Java SandboxThe Classic Java Sandbox

• AppletsApplets from the Internet are not trusted and from the Internet are not trusted and must execute in a must execute in a sandboxsandbox Cannot run programs on client machineCannot run programs on client machine No access to local file systemNo access to local file system Network access restricted to originating siteNetwork access restricted to originating site

• Applications from local disk are implicitly trusted Applications from local disk are implicitly trusted and have full privileges of executing userand have full privileges of executing user

• Restrictive, Restrictive, ‘‘black and whiteblack and white’’ security model, security model, improved in later versionsimproved in later versions


.NET Application Domains.NET Application Domains

• Assemblies of a .NET application can be loaded Assemblies of a .NET application can be loaded into different into different application domainsapplication domains

• Application domains are isolated from each Application domains are isolated from each other, communicating only via other, communicating only via remotingremoting

• Each application domain can be programmed Each application domain can be programmed with its own code access security policywith its own code access security policy


.NET Isolated Storage.NET Isolated Storage

• Applications may need to have some persistent Applications may need to have some persistent state, but granting unrestricted access to hard state, but granting unrestricted access to hard disk is riskydisk is risky

• Isolated storageIsolated storage provides areas of disk that are provides areas of disk that are private to a given user & assemblyprivate to a given user & assembly Virtual filesystem; no way of specifying a path to Virtual filesystem; no way of specifying a path to

another store or rest of diskanother store or rest of disk Quotas can be imposed to prevent DoSQuotas can be imposed to prevent DoS


Code SigningCode Signing

• IL code can be signed digitally by someone IL code can be signed digitally by someone prepared to vouch for that codeprepared to vouch for that code

• If signature can be verified, code may be If signature can be verified, code may be regarded as trusted, and be granted greater regarded as trusted, and be granted greater privilegesprivileges

• Java supports signing of JAR filesJava supports signing of JAR files

• .NET supports signing of assemblies.NET supports signing of assemblies To guarantee integrity & uniqueness (strong naming)To guarantee integrity & uniqueness (strong naming) To identify publisher (Authenticode)To identify publisher (Authenticode)


JAR JAR

Signing ProcessSigning Process

Bytecode

Signedhash

HashBytecode

Signedhash

Signer'sprivate key


Signature Verification ProcessSignature Verification Process

JAR

Bytecode

Signedhash

Originalhash

New hash

Checksignature

Comparehashes

Signer'spublic key


SummarySummary

• Java and .NET promote greater security in Java and .NET promote greater security in development and in code executiondevelopment and in code execution

• Correctness of compiled code can be verified Correctness of compiled code can be verified before it executesbefore it executes Implementations are not perfectImplementations are not perfect Some system configuration may be requiredSome system configuration may be required

• Java and .NET restrict access that untrusted Java and .NET restrict access that untrusted code has to other code, filesystem, network, etccode has to other code, filesystem, network, etc

• Restrictions can be relaxed for signed codeRestrictions can be relaxed for signed code

Secure Coding in Java and .NET

Documents

Transcript of Secure Coding in Java and .NET