Java security in the real world (Ryan Sciampacone)

1,095 views

Published on

Java was built from the ground up with security clearly in mind and is now the engine powering a huge number of business-critical systems. With this visibility and opportunity come attacks, and this session goes through the current state of security in Java in 2012 (including the Java 6 and 7 verifier changes) and discusses some of the attack vectors. It presents a couple of real-world examples and also talks about the real-world challenges in getting security fixes out quickly. Finally, it touches on hardware cryptography. Come learn more about the reality of security today and take away a better awareness of exactly how Java helps protect you.

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,095
On SlideShare
0
From Embeds
0
Number of Embeds
17
Actions
Shares
0
Downloads
47
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Java security in the real world (Ryan Sciampacone)

  1. 1. Ryan Sciampacone – IBM Java Runtime Lead3rd October 2012Security in the Real World © 2012 IBM Corporation
  2. 2. Important DisclaimersTHE INFORMATION CONTAINED IN THIS PRESENTATION IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY.WHILST EFFORTS WERE MADE TO VERIFY THE COMPLETENESS AND ACCURACY OF THE INFORMATION CONTAINED IN THIS PRESENTATION, IT IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED.ALL PERFORMANCE DATA INCLUDED IN THIS PRESENTATION HAVE BEEN GATHERED IN A CONTROLLED ENVIRONMENT. YOUR OWN TEST RESULTS MAY VARY BASED ON HARDWARE, SOFTWARE OR INFRASTRUCTURE DIFFERENCES.ALL DATA INCLUDED IN THIS PRESENTATION ARE MEANT TO BE USED ONLY AS A GUIDE.IN ADDITION, THE INFORMATION CONTAINED IN THIS PRESENTATION IS BASED ON IBM’S CURRENT PRODUCT PLANS AND STRATEGY, WHICH ARE SUBJECT TO CHANGE BY IBM, WITHOUT NOTICE.IBM AND ITS AFFILIATED COMPANIES SHALL NOT BE RESPONSIBLE FOR ANY DAMAGES ARISING OUT OF THE USE OF, OR OTHERWISE RELATED TO, THIS PRESENTATION OR ANY OTHER DOCUMENTATION.NOTHING CONTAINED IN THIS PRESENTATION IS INTENDED TO, OR SHALL HAVE THE EFFECT OF:- CREATING ANY WARRANT OR REPRESENTATION FROM IBM, ITS AFFILIATED COMPANIES OR ITS OR THEIR SUPPLIERS AND/OR LICENSORS2 © 2012 IBM Corporation
  3. 3. Introduction to the speaker■ Ryan Sciampacone■ 15 years experience developing and deploying Java SDKs■ Recent work focus: ■ Managed Runtime Architecture ■ Java Virtual Machine improvements ■ Multi-tenancy technology ■ Native data access and heap density ■ Footprint and performance ■ Garbage Collection ■ Scalability and pause time reduction ■ Advanced GC technology■ My contact information: – Ryan_Sciampacone@ca.ibm.com3 © 2012 IBM Corporation
  4. 4. What should you get from this talk?■ You should have a clearer picture of some of the attack vectors that have been used recently in Java and what steps were taken to address them. You should also understand the current state of security in Java, and how both Java class libraries and the JVM work hard to keep developer lives simple.4 © 2012 IBM Corporation
  5. 5. The problem with keeping anything secure■ "The only secure computer is one thats unplugged, locked in a safe, and buried 20 feet under the ground in a secret location... and Im not even too sure about that one" -- (attributed) Dennis Huges, FBI.■ Security isn’t just a padlock on a door■ A complex system will have many attack vectors■ Key is keeping the system – Stable – Performant – Secure■ All while keeping easy development accessible to developers5 © 2012 IBM Corporation
  6. 6. Security that doesn’t interfere with the system■ Java and the Java Virtual Machine provide defense in depth – Class loaders – Verification – Access Controller / Security Manager – Java Cryptography Extensions (JCE) – Java Secure Sockets Extension (JSSE) – Java Authentication and Authorization Service (JAAS) Reference: http://en.wikipedia.org/wiki/Riot_control■ Available implicit or explicitly during development / deployment■ Security is expected to be a trusted resource – It just works – It has been verified (thoroughly) by vendors■ Be aware of what isn’t secured!■ Key: Avoiding having to build (and verify!) your own security layers6 © 2012 IBM Corporation
  7. 7. Security Layers in Java■ Some things you get “for free”■ Others you use when you need them Diagram Reference: Java Security, Scott Oaks, O’Reilly Media, May 24, 2001, Second Edition, ISBN-10: 0596001576, ISBN-13: 978-05960015757 © 2012 IBM Corporation
  8. 8. Hashing Denial-of-Service Attack (CVE-2011-4858)8 © 2012 IBM Corporation
  9. 9. Hashing Denial-of-Service Attack■ String hash codes and hashing structures have been around “for ever”■ A combination of – Performance short comings – Documented / predictable behavior■ Can be used to exploit vulnerabilities in existing software■ Algorithmic Complexity Attack9 © 2012 IBM Corporation
  10. 10. Hashing Denial-of-Service Attack – How String Hashing Works■ String hashing algorithm is well known and reversible http://docs.oracle.com/javase/7/docs/api/java/lang/String.html■ Easy to construct strings that have identical hash codes == 2112 == 2031744 http://stackoverflow.com/questions/8669946/application-vulnerability-due-to-non-random-hash-functions10 © 2012 IBM Corporation
  11. 11. Hashing Denial-of-Service Attack – How Hashing Structures Work HashMap11 © 2012 IBM Corporation
  12. 12. Hashing Denial-of-Service Attack – How Hashing Structures Work HashMap Array to hold the various <key,value> pairs12 © 2012 IBM Corporation
  13. 13. Hashing Denial-of-Service Attack – How Hashing Structures Work HashMap Use the hash code for “QuantityAa” to find a location in Array to hold the various the array <key,value> pairs13 © 2012 IBM Corporation
  14. 14. Hashing Denial-of-Service Attack – How Hashing Structures Work HashMap Find the appropriate “bucket” and add the < “QuantityAa”, “1234” > entry14 © 2012 IBM Corporation
  15. 15. Hashing Denial-of-Service Attack – How Hashing Structures Work HashMap < “QuantityAa”, “1234” >15 © 2012 IBM Corporation
  16. 16. Hashing Denial-of-Service Attack – How Hashing Structures Work HashMap < “QuantityAa”, “1234” > < “QuantityBB”, “987” >16 © 2012 IBM Corporation
  17. 17. Hashing Denial-of-Service Attack – How Hashing Structures Work HashMap < “QuantityAa”, “1234” > < “QuantityBB”, “987” > Warning: Lookup / Insertion requires a string comparison!!!17 © 2012 IBM Corporation
  18. 18. Hashing Denial-of-Service Attack – How Hashing Structures Work HashMap < “QuantityAa”, “1234” > < “QuantityBB”, “987” > Warning: Lookup requires a string comparison!!!■ Keys with identical hashes will always fall into the same bucket18 © 2012 IBM Corporation
  19. 19. Hashing Denial-of-Service Attack – Strings as Keys in Hashing Structures ■ Deep buckets with malicious keys can cause serious performance issues HashMap < “AaAaAaAaAa … AaAaAa”, “1234” > < “AaAaAaAaAa … AaAaBB”, “987” > Near duplicate string with difference at the end19 © 2012 IBM Corporation
  20. 20. Hashing Denial-of-Service Attack – Result■ Websites make use of parameters as part of client / server communication■ Server is responsible for managing the parameters for the servlet – Hash structures typical way of managing these <key,value> pairs■ Issue: Long insert / lookup times for parameters that have high hash collision rate Reference: http://www.nruns.com/_downloads/advisory28122011.pdf■ Result: Web servers could be effectively “disabled” with simple requests20 © 2012 IBM Corporation
  21. 21. Hashing Denial-of-Service Attack – Current Solution■ Hashing structures now use an alternate hash code for Strings – Use alternate only at a certain capacity – Algorithm where the hash code cannot be calculated externally■ Why not modify String.hashCode()? – It’s spec! – Reliance in existing software■ NOTE: With alternate hash, iteration order is now changed! – Spec’d as “unspecified” – Doesn’t matter – code relies on this anyways – Solution can cause existing working software to fail!21 © 2012 IBM Corporation
  22. 22. Hashing Denial-of-Service Attack – Current Solution■ The JVM now supports a system property to enable at thresholds -Djdk.map.althashing.threshold=<threshold>■ Apache Tomcat property maxParameterCount to limit number of parameters22 © 2012 IBM Corporation
  23. 23. Gondvv Vulnerability (CVE-2012-4681)23 © 2012 IBM Corporation
  24. 24. Java Security Manager Bypass (Gondvv) Vulnerability■ Imagine visiting a website and your calculator application pops up ■ How did that happen? ■ Arbitrary code has been run on your machine – how compromised are you?24 © 2012 IBM Corporation
  25. 25. Java Security Manager Bypass (Gondvv) Vulnerability – Key Change■ A simple access modifier change (within a larger change) exposed a vulnerability25 © 2012 IBM Corporation
  26. 26. Java Security Manager Bypass (Gondvv) Vulnerability – Key Change■ A simple access modifier change (within a larger change) exposed a vulnerability26 © 2012 IBM Corporation
  27. 27. Java Security Manager Bypass (Gondvv) Vulnerability – Key Change■ A simple access modifier change (within a larger change) exposed a vulnerability27 © 2012 IBM Corporation
  28. 28. Java Security Manager Bypass (Gondvv) Vulnerability – Key Change■ A simple access modifier change (within a larger change) exposed a vulnerability Set the security permissions to that of the current code (privileged) in place of the callers security permissions28 © 2012 IBM Corporation
  29. 29. Java Security Manager Bypass (Gondvv) Vulnerability – Key Change■ A simple access modifier change (within a larger change) exposed a vulnerability Use reflection to acquire a Field object on the given class29 © 2012 IBM Corporation
  30. 30. Java Security Manager Bypass (Gondvv) Vulnerability – Key Change■ A simple access modifier change (within a larger change) exposed a vulnerability Set the reflect object Field usage to ignore access checks. Privileged action permitted through doPrivileged()30 © 2012 IBM Corporation
  31. 31. Java Security Manager Bypass (Gondvv) Vulnerability – In Action com.sun.beans.finder ClassFinder31 © 2012 IBM Corporation
  32. 32. Java Security Manager Bypass (Gondvv) Vulnerability – In Action com.sun.beans.finder ClassFinder findClass() sun.awt SunToolkit32 © 2012 IBM Corporation
  33. 33. Java Security Manager Bypass (Gondvv) Vulnerability – In Action com.sun.beans.finder ClassFinder java.beans findClass() Statement sun.awt “setSecurityManager()” SunToolkit AccessControlContext33 © 2012 IBM Corporation
  34. 34. Java Security Manager Bypass (Gondvv) Vulnerability – In Action com.sun.beans.finder ClassFinder java.beans findClass() Statement sun.awt “setSecurityManager()” SunToolkit getField() AccessControlContext34 © 2012 IBM Corporation
  35. 35. Java Security Manager Bypass (Gondvv) Vulnerability – In Action com.sun.beans.finder ClassFinder java.beans findClass() Statement sun.awt “setSecurityManager()” SunToolkit getField() AccessControlContext java.lang.reflect Field35 © 2012 IBM Corporation
  36. 36. Java Security Manager Bypass (Gondvv) Vulnerability – In Action com.sun.beans.finder ClassFinder java.beans findClass() Statement sun.awt “setSecurityManager()” SunToolkit getField() AccessControlContext Elevated permissions for statement set() java.lang.reflect Field36 © 2012 IBM Corporation
  37. 37. Java Security Manager Bypass (Gondvv) Vulnerability – In Action com.sun.beans.finder ClassFinder java.beans findClass() Statement sun.awt “setSecurityManager()” SunToolkit getField() AccessControlContext Elevated permissions for statement set() java.lang.reflect Field37 © 2012 IBM Corporation
  38. 38. Java Security Manager Bypass (Gondvv) Vulnerability – In Action com.sun.beans.finder ClassFinder java.beans findClass() Statement execute() Elevated permissions sun.awt “setSecurityManager()” for sandbox SunToolkit getField() AccessControlContext Elevated permissions for statement set() java.lang.reflect Field38 © 2012 IBM Corporation
  39. 39. Java Security Manager Bypass (Gondvv) Vulnerability – In Action com.sun.beans.finder ClassFinder java.beans findClass() Statement execute() Elevated permissions sun.awt “setSecurityManager()” for sandbox SunToolkit getField() AccessControlContext Elevated permissions for statement set() java.lang.reflect Field java.lang Runtime39 © 2012 IBM Corporation
  40. 40. Java Security Manager Bypass (Gondvv) Vulnerability – In Action com.sun.beans.finder ClassFinder java.beans findClass() Statement execute() Elevated permissions sun.awt “setSecurityManager()” for sandbox SunToolkit getField() AccessControlContext Elevated permissions for statement set() java.lang.reflect Field java.lang Runtime exec(“…”)40 © 2012 IBM Corporation
  41. 41. Java Security Manager Bypass (Gondvv) Vulnerability – In Action com.sun.beans.finder ClassFinder java.beans findClass() Statement execute() Elevated permissions sun.awt “setSecurityManager()” for sandbox SunToolkit getField() AccessControlContext Elevated permissions for statement set() java.lang.reflect Field java.lang Runtime exec(“…”)Ref: http://en.wikipedia.org/wiki/CastleRef: http://en.wikipedia.org/wiki/Key_(lock)41 © 2012 IBM Corporation
  42. 42. Java Security Manager Bypass (Gondvv) Vulnerability – Epilogue■ Need to be running untrusted code■ Java7 VM required – Thankfully, most systems were still running Java6■ Simple change to an access modifier■ NOTE: A fix was turned around in very short order42 © 2012 IBM Corporation
  43. 43. Invokespecial Security Fix (CVE-2012-1725)43 © 2012 IBM Corporation
  44. 44. Bytecode Verifier■ Java Language Security – Rule enforcement at compile, verification (typically load), runtime■ You want to trust that the code you are running (foreign or otherwise) is still valid – Not accessing things that it shouldn’t – Not bypassing rules that might violate the guarantee of the integrity of the JVM (or platform) as a whole■ Levels of integrity checking on a class file – Valid bytecode sequences – Arguments, local variables and intermediate values are correctly typed – Enforces access protection rules (public, private, protected, package protected)■ Big one: Accessing arbitrary memory – Casting an int to an Object and then dereferencing■ Of course, native code can’t be helped here!■ The verifier function and security has changed (and improved) over Java releases44 © 2012 IBM Corporation
  45. 45. Bytecode Verifier – Invokespecial security fix■ Verifier now enforces that either another constructor on the same class this(…) or a direct superclass is called super(…)■ May affect dynamic proxies that have previously “cheated” – Skipped creating intermediate classes static class Child extends Throwable { public Child() { 0: aload_0 1: invokespecial #8 // calls method java/lang/Object."<init>":()V // should be method java/lang/Throwable."<init>":()V 4: return } }45 © 2012 IBM Corporation
  46. 46. Bytecode Verifier – Invokespecial security fix■ Example: Bypassing important setup and security measures46 © 2012 IBM Corporation
  47. 47. Bytecode Verifier – Invokespecial security fix■ Example: Bypassing important setup and security measures Per instance ID for work and privilege purposes47 © 2012 IBM Corporation
  48. 48. Bytecode Verifier – Invokespecial security fix■ Example: Bypassing important setup and security measures Control point – privileged action if you are “blessed”48 © 2012 IBM Corporation
  49. 49. Bytecode Verifier – Invokespecial security fix■ Example: Bypassing important setup and security measures Bypassing the init!49 © 2012 IBM Corporation
  50. 50. Bytecode Verifier – Invokespecial security fix■ Example: Bypassing important setup and security measures Bypassing the init! Can’t express this in Java syntax – must be generated50 © 2012 IBM Corporation
  51. 51. Method Handles51 © 2012 IBM Corporation
  52. 52. Method Handles■ JSR 292: Supporting Dynamically Typed Languages on the JavaTM Platform – A new bytecode for custom dynamic linkage (invokedynamic) – MethodHandle (and support classes) as a “function pointer” interface for linkage■ Fast invocation of bound methods – Method handle invocation speed can be far superior to reflect methods■ A MethodHandle resembles java.lang.reflect.Method – Access checking is performed at lookup, not at every call – Conversion available from reflection side to MethodHandle types52 © 2012 IBM Corporation
  53. 53. Method Handles – Access and Security Checks Reflection MethodHandlesSecurityManager checks at lookup Yes Yes Access checks at lookup No Yes Access checks at invocation Yes No Checks at setAccessible(true) Yes N/A Anyone can invoke? No: by default Yes – by default Yes: setAccessible(true)53 © 2012 IBM Corporation
  54. 54. Method Handles – Security Where It Matters54 © 2012 IBM Corporation
  55. 55. Method Handles – A Word of Caution■ The lookup mechanism has interesting privilege characteristics – Be careful about what code has access to it55 © 2012 IBM Corporation
  56. 56. Bytecode Verification and Speed56 © 2012 IBM Corporation
  57. 57. Bytecode Verifier – StackMapTable Attribute■ Verify that jump targets agree on stack contents57 © 2012 IBM Corporation
  58. 58. Bytecode Verifier – StackMapTable Attribute■ Verify that jump targets agree on stack contents58 © 2012 IBM Corporation
  59. 59. Bytecode Verifier – StackMapTable Attribute■ Verify that jump targets agree on stack contents Complex / Interesting Points!59 © 2012 IBM Corporation
  60. 60. Bytecode Verifier – StackMapTable Attribute■ Verify that jump targets agree on stack contents Frame 1 Frame 2 Frame 3 Frame 460 © 2012 IBM Corporation
  61. 61. Bytecode Verifier – StackMapTable Attribute■ Verify that jump targets agree on stack contents Frame 1 StackMapTable Frame 2 Frame 1 Frame 2 Frame 3 Frame 3 Frame 4 Frame 4■ Typically a (slow) flow based walk■ V.50+ (Java6+) Class Files now contain basic block maps for a (fast) linear walk61 © 2012 IBM Corporation
  62. 62. Bytecode Verifier – StackMapTable Attribute■ May seem trivial but harder problems exist■ Exceptions! ■ And almost everything generates it’s own bytecodes now…62 © 2012 IBM Corporation
  63. 63. Bytecode Verifier – StackMapTable Attribute■ StackMapTable attribute speeds up verification – Provides a “proof” that the typechecking verifier checks if the stack matches.■ Requirements – Mandatory for class file v.51+ (Java7 compiled) – Optional for v.50 with fallback to old type inference verifier■ Possible speed improvement on class loading? (startup times)63 © 2012 IBM Corporation
  64. 64. Class Loaders and Spoofing64 © 2012 IBM Corporation
  65. 65. Class Loaders■ Part of the Java “Sandbox” – Offers isolation between groups of classes at level of choosing■ Programmatic way of specifying where your classes come from■ Name space■ Opportunities for data de-duplication (Shared Classes)■ Useful as part of a module system65 © 2012 IBM Corporation
  66. 66. Class Loaders – Class Spoofing■ Duplicate named classes are completely valid within a JVM – Visibility creates a namespace – Each is in fact a distinct type ClassLoader A Class Class A Parent ClassLoader A Class Class Class Class A Class A A Class A Class ClassLoader B Class Class A A Class66 © 2012 IBM Corporation
  67. 67. Class Loaders – Class Spoofing■ Prevent situations where duplicate named classes circumvent protection Boot ClassLoader ClassLoader A Class Class Class Class A Class Class A A A Class A Class A Class67 © 2012 IBM Corporation
  68. 68. Class Loaders – Class Spoofing■ Prevent situations where duplicate named classes circumvent protection Boot ClassLoader ClassLoader A Class Class Class Class A Class Class A A A Class A Class A Class68 © 2012 IBM Corporation
  69. 69. Class Loaders – Class Spoofing■ Prevent situations where duplicate named classes circumvent protection Boot ClassLoader ClassLoader A Class Class Class Class A Class Class A A A Class A Class A Class Different protection levels!69 © 2012 IBM Corporation
  70. 70. Class Loaders – Class Spoofing■ Prevent situations where duplicate named classes circumvent protection Boot ClassLoader ClassLoader A Class Class Class Class A Class Class A A A Class A Class A Class70 © 2012 IBM Corporation
  71. 71. Class Loaders – Class Spoofing■ Prevent situations where duplicate named classes circumvent protection Boot ClassLoader ClassLoader A Class Class Class Class A Class Class A A A Class A Class A Class Bad News71 © 2012 IBM Corporation
  72. 72. Class Loaders – Class SpoofingHere’s some rules to remember why this isn’t allowed…72 © 2012 IBM Corporation
  73. 73. Class Loaders – Class SpoofingHere’s some rules to remember why this isn’t allowed…To violate a constraint, the following 4 conditions must be met:■ There exists a loader L such that L has been recorded by the JVM as an initiating loader of a class C named N.■ There exists a loader L’ such that L’ has been recorded by the JVM as an initiating loader of a class C ’ named N.■ The equivalence relation defined by the (transitive closure of the) set of imposed constraints implies N L = N L’.■ C≠C’73 © 2012 IBM Corporation
  74. 74. Class Loaders – Class SpoofingHere’s some rules to remember why this isn’t allowed…To violate a constraint, the following 4 conditions must be met:■ There exists a loader L such that L has been recorded by the JVM as an initiating loader of a class C named N.■ There exists a loader L’ such that L’ has been recorded by the JVM as an initiating loader of a class C ’ named N.■ The equivalence relation defined by the (transitive closure of the) set of imposed constraints implies N L = N L’.■ C≠C’Bottom line: You are protected from this74 © 2012 IBM Corporation
  75. 75. And after all that…75 © 2012 IBM Corporation
  76. 76. So what’s being done about security?■ IBM and Oracle are working to ensure Java is (and remains) secure!■ Reporting Issues: http://www-03.ibm.com/security/secure-engineering/report.html http://www.oracle.com/us/support/assurance/reporting/index.html76 © 2012 IBM Corporation
  77. 77. Conclusion■ Java Security is defense in depth■ Trust, but Verify■ Java and JVM designed to provide security at a low cost to developers■ Many moving parts in security – Things can go wrong, but quick to resolve – Security is Hard – Rolling your own is even worse77 © 2012 IBM Corporation
  78. 78. Questions?78 © 2012 IBM Corporation
  79. 79. References■ Get Products and Technologies: – IBM Java Runtimes and SDKs: • https://www.ibm.com/developerworks/java/jdk/ – IBM Monitoring and Diagnostic Tools for Java: • https://www.ibm.com/developerworks/java/jdk/tools/■ Learn: – IBM Java InfoCenter: • http://publib.boulder.ibm.com/infocenter/java7sdk/v7r0/index.jsp■ Discuss: – IBM Java Runtimes and SDKs Forum: • http://www.ibm.com/developerworks/forums/forum.jspa?forumID=367&start=079 © 2012 IBM Corporation
  80. 80. Copyright and Trademarks© IBM Corporation 2012. All Rights Reserved.IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., and registered in many jurisdictions worldwide.Other product and service names might be trademarks of IBM or other companies.A current list of IBM trademarks is available on the Web – see the IBM “Copyright and trademark information” page at URL: www.ibm.com/legal/copytrade.shtml80 © 2012 IBM Corporation

×