Java Security
Alexander V. Konstantinou
Columbia University
Fall 2002

October 31st, 2002   Alexander V. Konstantinou

The Java Platform (Review)
• Java Programming Language
• Java Libraries
• Java Virtual Machine (JVM)
Diagram: Java Source (.java) --compiler--> JVM Bytecode (.class) --Java VM loader--> JVM

The Java Language
• Object-oriented
  – Single inheritance, interfaces
• Strong typing
  – No pointer arithmetic/conversion
  – Array bounds checking
• Garbage collection
• Exceptions
• Threads

Java Libraries
• I/O
• Utilities & collections
• Network programming
  – Sockets, RMI, CORBA
• Security: access control, crypto, authentication
• Graphics (GUI, 2D, 3D)
• SQL, XML

The Java Virtual Machine
• Abstract computing machine
  – Stack-based
• Knows nothing about the Java language
• Specifies binary class file format
  – Class file contains VM instructions (byte-code)
• Emulated on different platforms
• Compilers exist for other languages
  – Ada, Smalltalk, Eiffel, COBOL, etc.

Java Security Features
• Strong typing
• No pointer conversion/arithmetic
• Array bounds checks
• Multiple package name scopes
• Security model & instrumentation
• Security libraries
  – Encryption, signature, SSL

Java Security Evolution
• Java 1.0
  – Applets operate in sandbox
  – All other applications trusted
• Java 1.1
  – Signed applets treated as trusted applications
• Java 1.2 (Java 2)
  – New policy-based security architecture

Applet Sandbox Security
• No file access
• No system property access
• Restricted network access
  – Can only connect to server host
  – No local host, or other network connections
• Windows opened have warning tag
• Cannot access other applet threads

What's Special About Java Security?
• Security-conscious design
• Implemented in Java !?!
  – Security components are regular Java classes
• Need to secure the Virtual Machine
  – Compiler provides "advisory" access control
• Design supports extensibility
  – Interdependent components
  – Complex dependencies (bad news)

Java Security Components
Diagram of the components: Class files (bytecode) -> ClassLoader (with the static bytecode verifier) -> Class object; Policy -> ProtectionDomain -> CodeSource (url, signer); VM Runtime -> SecurityManager checkRead() -> AccessController checkRead()

Section: Class Loader

Class Loader
• Class loaders are regular Java objects
  – Chicken & egg problem
• Primordial class-loader
  – Written in C
  – Loads system classes
• Lazy class loading
• Dynamic class loading

Class Loader (2)
• Forms Class object out of byte-array
  – File, network, dynamic compilation
• Defines namespace
• Type defined as <class, loader>
• System classes have null class-loader

Class Loader Delegation
• Class loader delegation
  – Parent-child relationship
• Control access to delegation
• SecureClassLoader
• URLClassLoader
  – Loads across network
Diagram (delegation chain): Primordial -> java.lang.ClassLoader -> java.security.SecureClassLoader -> java.net.URLClassLoader

Customized Class Loader Example

    public class MyClassLoader extends ClassLoader {
        public MyClassLoader(ClassLoader parent) {
            super(parent);
        }

        public Class loadClass(String name) {
            // Delegate to parent first
            try {
                return (super.loadClass(name));
            } catch (Throwable e) { }
            byte[] bytecode = new byte[0]; // XXX (read class file)
            return (defineClass(name, bytecode, 0, bytecode.length));
        }
    }
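The slide's loader leaves the class-file read as XXX. As an added example (not from the slides), the loader below reads .class files from a directory and relies on ClassLoader.loadClass for parent delegation, overriding findClass instead; its main also shows the "<class, loader>" rule from the previous slide: the same file loaded by two loader instances yields two distinct, incompatible types. It assumes a directory classes/ holding Foo.class that is not on the classpath, so the parent chain cannot resolve "Foo".

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example: a class loader that reads .class files from a directory.
// Parent delegation is inherited from ClassLoader.loadClass, which calls
// findClass only after findLoadedClass and the parent chain have failed.
public class DirClassLoader extends ClassLoader {
    private final Path dir;

    public DirClassLoader(Path dir, ClassLoader parent) {
        super(parent);
        this.dir = dir;
    }

    @Override
    protected Class<?> findClass(String name) throws ClassNotFoundException {
        Path file = dir.resolve(name.replace('.', '/') + ".class");
        try {
            byte[] bytecode = Files.readAllBytes(file);
            // defineClass hands the bytes to the VM, which verifies them
            // before the Class object becomes usable
            return defineClass(name, bytecode, 0, bytecode.length);
        } catch (IOException e) {
            throw new ClassNotFoundException(name, e);
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumption: ./classes/Foo.class exists and "Foo" is not on the
        // classpath, so each DirClassLoader defines its own copy of Foo.
        Path dir = Paths.get(args.length > 0 ? args[0] : "classes");
        ClassLoader parent = DirClassLoader.class.getClassLoader();

        Class<?> a = new DirClassLoader(dir, parent).loadClass("Foo");
        Class<?> b = new DirClassLoader(dir, parent).loadClass("Foo");

        // Same name, different defining loaders: two unrelated runtime types.
        // Mixing instances of a and b is exactly the type confusion the
        // "Classloader & Verifier Threats" slide warns about.
        System.out.println("same Class object?   " + (a == b));
        System.out.println("a assignable from b? " + a.isAssignableFrom(b));
        System.out.println("defining loader of a: " + a.getClassLoader());

        // A system class is resolved by delegation, so every loader shares
        // the one copy defined by the primordial (null) loader.
        Class<?> s = new DirClassLoader(dir, parent).loadClass("java.lang.String");
        System.out.println("defining loader of String: " + s.getClassLoader());
    }
}
```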

Section: Bytecode Verifier

Enforcing Type Safety
• Cornerstone of Java security
• Static type checking
  – Optimization step to reduce run-time checking
• Dynamic type checking

Bytecode Verifier
• Uses theorem prover
• Most complex Java security component
• Sun implementation is two-phase & complex
  – Difficult to formally verify
• Alternative research verifiers
  – Partially formally verified

Bytecode Theorem Prover Checks
• Pointer forging
• Class access violation
  – Private/protected fields and methods
• Object casting
• Method invocation
  – Correct number and type of arguments
  – No stack overflows
• No illegal data conversions
  – Integer to pointer

Java Assembly Example

Source:

    public class Simple {
        public static void main(String[] args) {
            java.util.Date date = new java.util.Date();
            int i = 2002;
            i++;
        }
    }

Commands:

    javac Simple.java
    D-Java -o jasmin Simple.class

Disassembly (Jasmin syntax):

    .source Simple.java
    .class public synchronized Simple
    .super java/lang/Object

    ; >> METHOD 1 <<
    .method public <init>()V
        .limit stack 1
        .limit locals 1
        .line 3
        aload_0
        invokenonvirtual java/lang/Object/<init>()V
        return
    .end method

    ; >> METHOD 2 <<
    .method public static main([Ljava/lang/String;)V
        .limit stack 2
        .limit locals 3
        .line 5
        new java/util/Date
        dup
        invokenonvirtual java/util/Date/<init>()V
        astore_1
        .line 6
        sipush 2002
        istore_2
        .line 7
        iinc 2 1
        .line 8
        return
    .end method

Java Assembly Example (2)

Modified main (the Date reference is now stored in register 2, and the lines that stored the int there are commented out):

    ; >> METHOD 2 <<
    .method public static main([Ljava/lang/String;)V
        .limit stack 2
        .limit locals 3
        .line 5
        new java/util/Date
        dup
        invokenonvirtual java/util/Date/<init>()V
        astore_2        ; was astore_1
    ;   .line 6
    ;   sipush 2002
    ;   istore_2
        .line 7
        iinc 2 1
        .line 8
        return
    .end method

Reassemble and run:

    jasmin Simple.jasmine
    java Simple
    Exception in thread "main" java.lang.VerifyError: (class: Simple, method: main signature: ([Ljava/lang/String;)V) Register 2 contains wrong type

Classloader & Verifier Threats
• Class loader reach-over
  – Bypass intended class loader
• Type-confusion
  – Use classes with the same name loaded from different class loaders interchangeably
• Exploit theorem-proving bugs
  – Multiple exploits: interface casts, etc.

Section: Protection Domains

Code Source & Protection Domains
• Permissions granted based on:
  – Code source
  – Code signer
• Policies cover sets of classes with the same source and signer
  – Set forms a "protection domain"
  – Note that this term is overloaded

CodeSource Threats
• Exploiting policies trusting code source
  – Example: browsers trust classes loaded from the file system
  – Attackers introduced class file in browser cache
  – Guessed location of cached file
  – Exploited class loader reach-over to load class from file
  – Attack class had full privileges

Section: Permissions & Policies

Permissions
• Positive permissions only
• Permissions imply other permissions
  – Example: FilePermission("<<ALL_FILES>>", "read") implies FilePermission("/tmp/foo.txt", "read")
• User defined permissions supported

Sample Permissions
• File access
  – java.io.FilePermission "/tmp/*", "read,write"
  – java.io.FilePermission "${user.home}${/}*", "read"
• System permissions
  – java.lang.RuntimePermission "getClassLoader", "";
• AWT permissions
  – java.awt.AWTPermission "accessEventQueue", "";
• Network access
  – java.net.SocketPermission "*:1024-", "connect"
  – java.net.SocketPermission "*:8080", "accept,listen"
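To make the implication rule from the "Permissions" slide concrete for the grants on the "Sample Permissions" slide, here is an added example (not from the slides) that collects those grants into a java.security.Permissions set and queries it with implies(), which is the test AccessController applies to each protection domain on the stack. It assumes a Unix-style file system, where ${/} is "/".

```java
import java.io.FilePermission;
import java.net.SocketPermission;
import java.security.Permission;
import java.security.Permissions;
import java.util.PropertyPermission;

// Added example: the "Sample Permissions" grants as a Permissions collection.
public class PermissionImplies {

    static Permissions sampleGrants() {
        Permissions granted = new Permissions();
        granted.add(new FilePermission("/tmp/*", "read,write"));
        // "${user.home}${/}*" from the policy syntax, expanded by hand here
        granted.add(new FilePermission(System.getProperty("user.home") + "/*", "read"));
        granted.add(new RuntimePermission("getClassLoader"));
        granted.add(new SocketPermission("*:1024-", "connect"));
        granted.add(new SocketPermission("*:8080", "accept,listen"));
        // grant from the "Policy Example (2)" slide
        granted.add(new PropertyPermission("user.*", "read"));
        return granted;
    }

    // implies() is the whole access decision: true means the request is
    // covered by some grant, false means it is denied (no negative grants).
    static boolean check(Permissions granted, Permission requested) {
        boolean ok = granted.implies(requested);
        System.out.println((ok ? "GRANT " : "DENY  ") + requested);
        return ok;
    }

    public static void main(String[] args) {
        Permissions granted = sampleGrants();

        // "/tmp/*" covers files directly in /tmp, not subdirectories
        // ("/tmp/-" would be needed for recursive matching)
        check(granted, new FilePermission("/tmp/foo.txt", "read"));
        check(granted, new FilePermission("/tmp/sub/foo.txt", "read"));
        check(granted, new FilePermission("/etc/passwd", "read"));

        // "*:1024-" is any host, ports 1024 through 65535, connect only
        check(granted, new SocketPermission("www.example.com:8080", "connect"));
        check(granted, new SocketPermission("www.example.com:80", "connect"));
        // listen/accept were granted for port 8080 only
        check(granted, new SocketPermission("localhost:8081", "listen"));

        // "user.*" is a name-prefix match, and the action must also be covered
        check(granted, new PropertyPermission("user.name", "read"));
        check(granted, new PropertyPermission("user.name", "write"));
        check(granted, new PropertyPermission("java.home", "read"));

        // nothing in the set implies this, so it is simply absent
        check(granted, new RuntimePermission("setSecurityManager"));
    }
}
```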

Policy
• Grant a set of permissions to classes based on
  – Source (URL)
  – Signer(s)

    grant {  // all classes
        permission java.io.FilePermission "<<ALL_FILES>>", "read";
    };

    grant codeBase "http://www.cs.columbia.edu/~akonstan/java" {
        …
    };

    keystore "/appdir/keystore.jks";

    grant signedBy "Alexander, Columbia" {
        …
    };

    grant signedBy "Alexander", codeBase "http://www..." {
        …
    };

Policy Threats
• Difficult to manage
• Sun JVM reads policy at class-load time
• No signature revocation protocol

Section: Security Manager & Access Controller

Security Manager
• Focal point of access-control
• Java 2 delegates to AccessController
• Extensible
  – Users can add their own permission classes
• checkPermission(Permission perm)
• checkPermission(Permission perm, Object context)

RMI Security Manager
• Mobile code
  – Serialized objects include codebase URL
  – Client downloads class bytecode from URL
  – Objects instantiated
Diagram: server Java VM (java.rmi.codebase="http://acme.com/code.jar") sends an object serialization stream (+ codebase) to the client Java VM; the client does HTTP GET code.jar from the HTTPd at acme.com, then instantiates the objects

Access Controller
• Static singleton instance
• Checks access to system resources
  – Based on current security policy
  – Implements stack inspection algorithm
• Marks code as privileged
  – Similar to UNIX set-uid concept
• Obtains "snapshot" of calling context
  – Used to perform out-of-context security checks

Context Access Control Algorithm
• Principle of least privilege
• Grant access iff every protection domain in the current execution context (stack) has that permission

Example stack at the time of the check (most recent frame first):

    domain        frame
    system        AccessController.checkPermission()
    system        SecurityManager.checkPermission()
    system        SecurityManager.checkRead()
    system        java.io.FileInputStream(File)
    application   com.acme.Editor.openFile(String)
    application   com.acme.Editor.actionPerformed(ActionEvent)
    system        java.awt.EventDispatchThread

Privileged Operations
• Export restricted services to unauthorized clients
• UNIX setuid concept
• Prevents further stack inspection

    Object value = AccessController.doPrivileged(new PrivilegedAction() {
        public Object run() {
            Object result = null;
            // do some privileged action
            return (result);
        }
    });

Thread Context
• New threads inherit parent thread context
• Context snapshot taken at creation time
• Context checking algorithm

Access Control Risks
• Giving code permission to install its own security manager
• Neglecting to invoke the security check
• Writing privileged objects that depend on externally modifiable state

Section: Policy example

Policy Example

    public class PolicyTest {
        public static void main(String[] args) throws Exception {
            System.out.println(System.getProperty("user.name"));
        }
    }

    java -Djava.security.manager PolicyTest
    Exception in thread "main" java.security.AccessControlException: access denied (java.util.PropertyPermission user.name read)
            at java.security.AccessControlContext.checkPermission(AccessControlContext.java:270)
            at java.security.AccessController.checkPermission(AccessController.java:401)
            at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
            at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1291)
            at java.lang.System.getProperty(System.java:572)
            at PolicyTest.main(PolicyTest.java:3)

• Read protected system property

Policy Example (2)

    grant codeBase "file:" {
        permission java.util.PropertyPermission "user.*", "read";
    };

    java -Djava.security.manager -Djava.security.policy=property-read.policy PolicyTest
    Alexander

• Policy file allows locally loaded classes to read all properties starting with "user."

Section: Writing Secure Java code

Object Security
• Class security
  – Use private fields, avoid protected, never public
  – Use final classes
• Avoid subclassing attacks (trade off with extensibility)
• Do not return references to mutable objects
  – Examples: arrays, collections
• Keep privileged code short
• Validate de-serialized data
  – Use SignedObject/SealedObject
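The "Access Control Risks" and "Object Security" slides list the mistakes; as an added example (not from the slides), here is a hypothetical config-reading service written both ways: LeakyConfigService makes its privileged read depend on a public mutable field and hands out its internal key array, while SafeConfigService is final, copies defensively, validates into a local before entering the privileged block, and keeps that block to one call. The /etc/app directory and the key field are assumptions for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

// Added example: a hypothetical service that reads files under a config
// directory on behalf of less-trusted callers, in risky and hardened form.
class LeakyConfigService {
    public Path baseDir = Paths.get("/etc/app");   // public and mutable
    private final byte[] key = new byte[32];

    public byte[] getKey() {
        return key;                                // exposes the internal array
    }

    public byte[] read(String name) {
        // The privileged block consults baseDir, which any caller may
        // reassign (e.g. to "/") between its own checks and this read.
        return AccessController.doPrivileged((PrivilegedAction<byte[]>) () -> {
            try { return Files.readAllBytes(baseDir.resolve(name)); }
            catch (IOException e) { return null; }
        });
    }
}

final class SafeConfigService {                    // final: no subclassing attacks
    private static final Path BASE_DIR = Paths.get("/etc/app").toAbsolutePath();
    private final byte[] key;

    SafeConfigService(byte[] key) {
        this.key = key.clone();                    // defensive copy in
    }

    public byte[] getKey() {
        return key.clone();                        // defensive copy out
    }

    public byte[] read(String name) throws IOException {
        // Resolve and validate into a local before any privilege is held, so
        // no externally modifiable state is read inside the privileged block.
        Path target = BASE_DIR.resolve(name).normalize();
        if (!target.startsWith(BASE_DIR)) {
            throw new SecurityException("path escapes " + BASE_DIR + ": " + name);
        }
        try {   // privileged section limited to the one call that needs it
            return AccessController.doPrivileged(
                (PrivilegedExceptionAction<byte[]>) () -> Files.readAllBytes(target));
        } catch (PrivilegedActionException e) {
            throw (IOException) e.getCause();      // only IOException is wrapped
        }
    }
}
```

On Java 17 and later AccessController and the SecurityManager are deprecated for removal, but the defensive-copy and validate-before-privilege patterns apply unchanged to any code that acts on behalf of less-trusted callers.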

History of Java Security Bugs
• DNS attack
  – Applet would be served by host whose DNS entry pointed to another address
• Denial of service attacks
  – Threads/Windows/Memory
  – Locking critical objects (e.g. classloader)
• Bytecode verifier/class-loader bugs
  – Create type confusion
  – Combine with other bug to obtain full control

Section: Java security API

Cryptography
• Java Cryptography Architecture (JCA)
  – Interface API
  – Supports different "provider" implementations
• Encryption
  – Symmetric/Asymmetric
• Authentication
  – Message digests, digital signatures

SSL

    import java.net.ServerSocket;
    import java.net.Socket;
    import javax.net.ssl.SSLServerSocketFactory;
    import javax.net.ssl.SSLSocketFactory;

    public class Secure {
        public static void main(String[] args) throws Exception {
            final ServerSocket server =
                SSLServerSocketFactory.getDefault().createServerSocket(8888);
            Thread thread = new Thread() {
                public void run() {
                    try {
                        System.out.println("Waiting for an SSL connection...");
                        Socket socket = server.accept();
                        System.out.println("Connection from " + socket.getInetAddress());
                    } catch (Throwable e) {
                        e.printStackTrace();
                    }
                    // XXX - no error handling or socket closing!
                }
            };
            thread.start();
            System.out.println("Connecting to localhost...");
            Socket socket = SSLSocketFactory.getDefault().createSocket("localhost", 8888);
        }
    }

SSL (2)

    keytool -genkey -keyalg RSA -keystore test.jks -dname "CN=Test User"
    Enter keystore password:  test123
    Enter key password for <mykey>
            (RETURN if same as keystore password):

    java -Djavax.net.ssl.trustStore=test.jks -Djavax.net.ssl.keyStore=test.jks -Djavax.net.ssl.keyStorePassword=test123 Secure
    Connecting to localhost...
    Waiting for an SSL connection...
    Connection from /127.0.0.1

References
• Java 2 Security Architecture
  – http://java.sun.com/j2se/1.4/docs/guide/security/
• Book References
  – Li Gong, Inside Java 2 Platform Security, Addison-Wesley, 1999: security architecture and rationale.
  – Jess Garms, Daniel Somerfield, Professional Java Security, Wrox Press, 2001: focus on security APIs and practical security examples.
  – Gary McGraw, Edward W. Felten, Securing Java, Wiley, 1999: general security principles as relating to Java, history of security breaches.
  – Alexander V. Konstantinou, et al., Beginning Java Networking, Wrox Press, 2001: general Java networking information.

References (2)
• Java Jasmin assembler / D-Java disassembler
  – http://mrl.nyu.edu/~meyer/jasmin/
  – http://www.cat.nyu.edu/~meyer/jvm/djava/
• Alternative language Java-VM compilers
  – http://grunge.cs.tu-berlin.de/~tolk/vmlanguages.html
• Pieter H. Hartel, Luc Moreau, Formalizing the safety of Java, the Java virtual machine, and Java Card. ACM Computing Surveys, v.33, n.4, December 2001
• Java SSL over RMI
  – http://www.cs.columbia.edu/~akonstan/rmi-ssl/