UMD CMSC 433 - Understanding Java

This preview shows page 1-2-3-4-25-26-27-51-52-53-54 out of 54 pages.


651, Understanding Java Security Permissions – A Practical Approach

Understanding Java™ 2 Platform Security Permissions—A Practical Approach
Larry Koved
Marco Pistoia
Aaron Kershenbaum
Java Security Team
IBM T.J. Watson Research Center

Overall Presentation Goal
Learn about the authorization features in the Java™ 2 Platform, Standard Edition (J2SE™) security model
Specifically, focus on the permission/authorization model and the Permission API
See a prototype tool which demonstrates an automated technique for determining which Permissions are required by a Java technology-based program

Learning Objectives
• As a result of this presentation, you will be able to:
  – Understand the Java 2 Platform Permission/Authorization Model
  – Define “grant” statements for authorizing code to perform restricted operations
  – Use the Java 2 Permission API
  – Understand the concept of privileged code and when/how to use it

Speaker’s Qualifications
• Dr. Aaron Kershenbaum is a Research Staff Member at IBM Research, and former Professor at Polytechnic University in New York. His current focus is security for the Java platform.
• Mr. Larry Koved is a Research Staff Member at IBM Research. He co-leads IBM’s security team for the Java platform.
• Mr. Marco Pistoia is an Advisory Software Engineer at IBM Research, working on security for the Java platform. He has co-authored several books on Java technology, including “Java™ 2 Network Security”.

Agenda
• Why Java™ Platform Security?
• Java 2 Platform Authorization Model
• Scenario I and II
• Permission API
• Demo

Security for the Java™ Platform (“Java Security”): The Benefits!
[Figure labels: Browser, Applet, Internet]
Java security assists in preventing the following types of attacks

Attack Name: Description
Impersonation: A program masquerades as the real user of the system
Denial of service: A program uses system resources without authorization
Privacy invasion: A program gets read access and steals sensitive information
System modification: A program gets read/write access and makes changes to the system

Java 2 Platform, Authorization
• Resource Protection
• SecurityManager
• Security Policy
• CodeSource
• ProtectionDomain
• SecureClassLoader
• Run-time access controls

Access to Protected External Resources
• All protected external system resources, including native libraries, are accessible only via trusted code
[Figure: Composition of a Java application environment. Labels: APP1, APP2, APP3, Trusted Code, File, Print, AWT, Net, ...]

Operation of the Security Manager
• The installed Security Manager is only active on request
• It checks a Permission only when it is called by other system functions
[Figure labels: your.program (untrusted name space), Socket(), java.net.Socket (trusted name space), checkConnect(), SecurityManager, checkPermission(), Return... Or... SecurityException]

Default SecurityManager Controls
[Figure labels, controlled areas: Network, Thread, File System, Operating System, JVM, Packages and Classes, Security]
[Figure labels, permission classes: SocketPermission, RuntimePermission, FilePermission, AWTPermission, PropertyPermission, SecurityPermission]

The Concept of CodeSource
• Combination of a set of signers (certificates) and a CodeBase URL
• It is the basis for many authorization decisions
• By default, the Java 2 architecture uses a policy file to associate permissions with CodeSources
[Figure labels: CodeSource, Code Base URL, Certificate 1 ... Certificate N]

The Concept of ProtectionDomain
• A ProtectionDomain is an aggregation of a CodeSource and Permissions granted to the CodeSource by the Policy in effect
• Each class loaded into the VM via a ClassLoader is assigned to a ProtectionDomain as determined by the Policy
• Classes signed by the same keys and from the same URL are placed in the same ProtectionDomain
• Classes that have the same Permissions but are from different CodeSources belong to different ProtectionDomains
[Figure labels: Protection Domain, CodeSource, Permission 1 ... Permission M]

Function of SecureClassLoader
• SecureClassLoader assigns the appropriate ProtectionDomain to each loaded class
  1. SecureClassLoader creates the CodeSource for the class
  2. The CodeSource is used to locate, or instantiate, the ProtectionDomain for the class
  3. SecureClassLoader assists the VM in loading other classes
  4. These classes are also assigned the appropriate ProtectionDomain based on their CodeSource
[Figure labels: Class A, Policy, ProtectionDomain, SecureClassLoader]

The Fine-Grained Access Control Model of the Java 2 Platform
• Ability to grant specific permissions to a particular piece of code about accessing specific resources on the client, depending on the signer of the code and/or the location from which the code was loaded
[Figure labels: Local/remote, signed/unsigned; JVM; Resources; Domain A; Domain B; Domain C; Sandbox; Policy]

What a Policy File Looks Like
• The default Policy implementation is a flat file consisting of a number of grant entries
• Each entry describes the permissions granted to a particular CodeSource
• Each grant entry may contain one or more permissions

    grant signedBy "mykey", codeBase "file:/application/*" {
        permission java.lang.RuntimePermission "queuePrintJob";
        permission java.io.FilePermission "${user.home}${/}.profile", "read";
    };

System and Application Domains
[Figure labels: System Domain, Application Domain, Restricted, Granted AllPermission, Primordial Class Loader, Checked by class file
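
The CodeSource, ProtectionDomain and policy-file slides above, modelled directly with the java.security classes. This is an added example, not code from the original presentation: the class name DomainDemo, the path /home/alice/.profile and both JAR locations are constructed, and the signedBy clause is left out so the CodeSources are unsigned.

```java
import java.io.FilePermission;
import java.net.URI;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

public class DomainDemo {
    // An unsigned CodeSource: a code base URL and no signer certificates.
    static CodeSource source(String codeBase) throws Exception {
        return new CodeSource(URI.create(codeBase).toURL(), (Certificate[]) null);
    }

    // A ProtectionDomain aggregates a CodeSource with the Permissions granted to it.
    // The two-argument constructor binds the permissions statically (no Policy lookup).
    static ProtectionDomain domain(String codeBase, Permission... granted) throws Exception {
        Permissions perms = new Permissions();
        for (Permission p : granted) {
            perms.add(p);
        }
        return new ProtectionDomain(source(codeBase), perms);
    }

    public static void main(String[] args) throws Exception {
        // Constructed path standing in for "${user.home}${/}.profile".
        Permission read = new FilePermission("/home/alice/.profile", "read");
        Permission write = new FilePermission("/home/alice/.profile", "write");
        Permission print = new RuntimePermission("queuePrintJob");

        // Same permissions, different code bases (both JAR locations are constructed).
        ProtectionDomain app = domain("file:/application/app.jar", read, print);
        ProtectionDomain other = domain("file:/downloads/other.jar", read, print);

        // Which code would the grant entry's codeBase "file:/application/*" cover?
        CodeSource grantEntry = source("file:/application/*");
        System.out.println("grant covers app.jar:   " + grantEntry.implies(app.getCodeSource()));
        System.out.println("grant covers other.jar: " + grantEntry.implies(other.getCodeSource()));

        // Only what was granted is implied; "write" never appeared in the grant.
        System.out.println("app may read profile:   " + app.implies(read));
        System.out.println("app may write profile:  " + app.implies(write));
        System.out.println("app may queue print:    " + app.implies(print));

        // Equal permission sets do not merge domains: the CodeSources still differ.
        System.out.println("same CodeSource:        "
                + app.getCodeSource().equals(other.getCodeSource()));
    }
}
```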

