This document discusses Java security. It covers Java's original goals of being robust and secure. It describes the Java sandbox implementation and how it protects memory, files, and network access. It discusses various aspects of the Java security model including the bytecode verifier, class loaders, security manager, access controller, JAAS, JCE, and JSSE.

1. Java Security
Ferenc Tollas
Sun Certified Developer for Java 2 Platform
Sun Certified Programmer for JSE 5.0

2. “Java is secure”

3. Agenda
● Java goals
● Java Sandbox
● Java Language Security
● Bytecode verifier
● Class loaders
● Java Security Manager
● Access Controller
● JAAS
● Java Cryptographic Extension (JCE)

4. Java goals
● Originally developed by James Gosling
● Goals:
– It should be "simple, object-oriented and familiar"
– It should be "robust and secure"
– It should be "architecture-neutral and portable"
– It should execute with "high performance"
– It should be "interpreted, threaded, and dynamic"
● JDK 1.0 : January, 1996

5. Security requirements
Safe from malevolent programs
Programs should not be allowed to harm a user's computing environment, such as
Trojan horses and harmful programs that replicate, like computer viruses.
Non−intrusive
Programs should be prevented from discovering private information on the host
computer or the host computer's network
Authenticated, Encrypted, Audited, Well-defined security specification.....
● Only the first two were within the province of Java's 1.0 default security model!
● The other requirements were added in later versions of Java
How to provide the security related requirements:
● Java Language security
● Java sandbox implementation
● Pluggable Security Extensions

6. Java Sandbox
● provide an environment where the program can play
● must be configurable by an end user or system administrator
● Protect:
– Memory
– Files
– Network
● Minimal Sandbox: program has access to the CPU, the screen, keyboard, mouse and
memory
● Default Sandbox: CPU and its own memory as well as access to the web server from
which it was loaded
● Open sandbox : the program has access to whatever resources the host machine
normally has access to
● In early versions of Java, only applets were run within a sandbox.
● In the Java 2 platform, all programs have the potential to run in a sandbox

7. Which is faster?
Java's new or C's malloc?
Response:
www.ibm.com/developerworks/java/library/j-
jtp09275/index.html

8. Anatomy of a Java application
Bytecode Verifier:Java class files follow the
rules of the Java language
Class Loader: loads all Java classes and
can set permissions for each class it loads.
Security package:
● SPI
● Message digest
● Key and certificate handling
● Digital signatures
● Encryption : JCE, JSSE
● Authentication : JAAS
Security Manager:the primary interface
between the core API and the operating system
Access Controller: allows or prevents most access
from the core API to the operating system, uses the policy files..
Debug what happens in the background: −Djava.security.debug=all/access/failure

9. What is this:
jre/lib/[arch]/client/clases.jsa

10. Elements of a sandbox
● A sandbox is composed of five elements:
– Permissions : a specific action that code can perform
● type, name and action: permission java.io.FilePermission "/tmp/foo", "read";
● every Java class carries a set of permissions that defines the activities that the
class is allowed to perform
● core Java API are always given permission to perform any action
● application can define its own permissions
– Code sources:location from which a class has been loaded.
Combination of codebases and signers(alias listed in keystore).
– Protection domains: basic concept of sandbox, it is an association
of permissions with a particular code source
DEMO

11. Elements of a sandbox
– Policy files : contains one or more entries that define
a protection domain.
● Global policy file:$JREHOME/lib/security/java.policy
● User specific: $HOME/.java.policy
● Result: union of permissions contained in the global and user policy files
● IMPORTANT: deny setting new policy file: java.security :
policy.allowSystemProperty=true
– Keystores: The certificates themselves are held in a
location (usually a file) called the keystore.
java −Djava.security.manager −Djava.security.policy=<URL>

12. Java language security
● Question: how Java operates on things that are in memory?
● Objects, primitive types has access level: public, protected,
default/package or private
● Programs cannot access arbitrary memory locations, no pointer and
casting between int and Object is illegal.
● Entities that are declared as final must not be changed.
● Variables may not be used before they are initialized->instance variables
are initialized automatically
● Array bounds must be checked on all array accesses.
● Object serialization....Mark with java.io.Serializable, and use keyword
“transient”
● These rules must be enforced! Compiler enforcement. Is it enough???

13. Bytecode verifier
● No interface, users/coders cannot interact with it
● Checks:
– The class file has the correct format
– Final classes are not subclassed, and final methods are not overridden.
– Every class (except for java.lang.Object) has a single superclass.
– There is no illegal data conversion of primitive data types (e.g., int to Object)
– There are no operand stack overflows or underflows
● Delayed bytecode verification
● Runtime verification:array bounds checking, object casting

14. Class loaders
● mechanism by which files are read into the JVM and
converted into class definitions
● Responsibility:
– The security manager is consulted to see if this
program is allowed to access the class in question
– Loads the class
– The security manager is consulted to see if this program
is allowed to create the class in question
– The appropriate protection domain is created for the class

15. Java Security Manager
● determines whether many particular operations
should be permitted or rejected
● −Djava.security.manager option installs a security
manager
● Partnership between the Ja5va API and the
application
● The SecurityException class is a subclass of the
RuntimeException
public FileInputStream(String name) throws FileNotFoundException {
SecurityManager security = System.getSecurityManager( );
if (security != null) {
security.checkRead(name);
}
try {
open(name); // open( ) is a private method of this class
} catch (IOException e) {
throw new FileNotFoundException(name);
} }

16. Access Controller
● Security Manager is based entirely on access controller
● Uses the policy file; is built on permissions, protection
domains, code sources and policies
● the access controller can do everything the security
manager can do; historic reasons
● the access controller is only available in Java 1.2
● Applications always interact with the SecurityManager

17. JAAS
● Java Authentication and Authorization Service
● enforce access controls based on who runs
the code(policy files: where code came from)
● Features:
– Single sign-on support
– Pure Java
– Pluggable Authentication Module framework fir
authentication

18. JCE
● Java Cryptographic Extension
● Features:
– Support for a wide range of standard algorithms
including RSA, DSA, AES, Triple DES, SHA,
PKCS#5, RC2, and RC4.
– Comprehensive API with support for a wide range of
cryptographic services including digital signatures,
message digests, ciphers (symmetric, asymmetric,
stream & block), message authentication codes, key
generators and key factories

19. JSSE
● Java Secure Socket Extension
● APIs and implementations for :
– Transport Layer Security (TLS),
– Secure Sockets Layer (SSL),
– Kerberos (accessible through GSS-API) and
– full support for HTTPS over SSL/TLS.

20. Questions?