Java Applet Security
Diana Dong
CS 265
Spring 2004

The Problem
- Millions of users download Java applets every day, sometimes without prior approval from the user.
- How to ensure malicious applets will not wreak havoc on the local machine?

Sandbox Idea
- A place where Java applet code can be executed, but no areas outside of the sandbox can be accessed by the applet.
- Removes the responsibility of checking applet source from the user.
- Ensures execution of a malicious applet will not do damage to the local machine.

Sandbox cont'd
Sandbox prohibits:
- File system access
- Network access
- Creation of processes
- Process access

4 Major Components of the Sandbox
- Java Virtual Machine (JVM) built-in features
- Class loader
- Class file verifier
- Security manager

JVM Built-in Features
- Type-safe reference casting
- Structured memory access (no pointers)
- Automatic garbage collection (can't explicitly free allocated memory)
- Array bounds checking

Class Loader
- Responsible for importing the binary data that defines the running program's classes and interfaces.
- Two types of class loaders: the primordial class loader and class loader objects.

Class Loader cont'd
- The primordial class loader loads trusted classes, such as the Java API. Classes that are loaded this way become part of the JVM.
- Class loader objects are untrusted objects loaded into the JVM and instantiated like any other object.

Class Loader cont'd
How does it protect?
- Prevents malicious code from interfering with benevolent code through namespaces. Each class is loaded into its loader's own namespace and has no access to classes outside of that namespace.
- It guards the borders of the trusted class libraries.
- Customizable.

Class Verifier
- Checks the integrity of the class file to ensure no illegal bytecodes have been added.
- Uses a built-in theorem prover to check integrity.

Class Verifier: 4 passes
1. The class file is read into the interpreter and the basic format of the class file is checked.
2. Additional verification of the class file without looking at the bytecodes.
3. Bytecode verification of each method.
4. Additional bytecode verification at runtime.

Security Manager
- Defines which requests are allowed or disallowed through methods which can be overridden.
- Works hand-in-hand with the class loader to define the boundaries of the sandbox, i.e. what is allowed or disallowed.

Other Methods
- ActiveX uses code signing and digital signatures. Verified signatures from a trusted source imply a reliable ActiveX control.
- Java too offers digital signatures in addition to the

Questions?
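The namespace separation the "Class Loader cont'd" slides describe can be observed directly: two class loader objects that each define a class from the same bytes produce two unrelated runtime types, and neither can be cast to the application's own copy. The program below is an added example, not part of the original slides; the names NamespaceDemo, IsolatingLoader and Plugin are constructed for the illustration, and it assumes Java 9 or later (for readAllBytes) with the compiled class files on the class path.

```java
import java.io.IOException;
import java.io.InputStream;

/*
 * Added example, not from the original slides: two class loader objects each
 * define a class from the same bytes, and the JVM treats the results as two
 * unrelated types. Names (NamespaceDemo, IsolatingLoader, Plugin) are
 * constructed for this illustration. Requires Java 9+ for readAllBytes().
 */
public class NamespaceDemo {

    /** Stand-in for untrusted applet code; deliberately references nothing outside itself. */
    public static final class Plugin {
        public int answer() { return 42; }
    }

    static final String PLUGIN_NAME = "NamespaceDemo$Plugin";

    /**
     * A class loader object whose only parent is the primordial (bootstrap)
     * loader, so it cannot see application classes; it defines Plugin in its
     * own namespace from the bytes it was given.
     */
    static final class IsolatingLoader extends ClassLoader {
        private final byte[] pluginBytes;

        IsolatingLoader(byte[] pluginBytes) {
            super(null);                      // null parent: delegate only to the bootstrap loader
            this.pluginBytes = pluginBytes;
        }

        @Override
        protected Class<?> findClass(String name) throws ClassNotFoundException {
            if (PLUGIN_NAME.equals(name)) {
                return defineClass(name, pluginBytes, 0, pluginBytes.length);
            }
            throw new ClassNotFoundException(name);   // nothing else is visible in this namespace
        }
    }

    /** Reads Plugin's class file from the class path so it can be re-defined by other loaders. */
    static byte[] pluginBytes() throws IOException {
        try (InputStream in = NamespaceDemo.class.getResourceAsStream(PLUGIN_NAME + ".class")) {
            if (in == null) throw new IOException("class file for " + PLUGIN_NAME + " not found");
            return in.readAllBytes();
        }
    }

    /** True when an instance defined by another loader can be cast to the application's Plugin type. */
    static boolean castsToApplicationPlugin(Object fromOtherLoader) {
        try {
            Plugin p = (Plugin) fromOtherLoader;
            return p != null;
        } catch (ClassCastException e) {
            return false;                     // different namespace: the cast is refused
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] bytes = pluginBytes();
        Class<?> a = new IsolatingLoader(bytes).loadClass(PLUGIN_NAME);
        Class<?> b = new IsolatingLoader(bytes).loadClass(PLUGIN_NAME);
        Object pluginA = a.getDeclaredConstructor().newInstance();

        System.out.println("same fully qualified name: " + a.getName().equals(b.getName()));
        System.out.println("same runtime type:         " + (a == b));
        System.out.println("b accepts a's instance:    " + b.isInstance(pluginA));
        System.out.println("castable to app Plugin:    " + castsToApplicationPlugin(pluginA));
        // The code still runs through reflection: loader isolation controls type
        // identity and visibility, not whether the bytecode executes at all.
        System.out.println("answer() via reflection:   " + a.getMethod("answer").invoke(pluginA));
    }
}
```

Compile and run it as `javac NamespaceDemo.java && java NamespaceDemo`. The two Class objects share a name but are distinct, `isInstance` and the cast both fail, which is the namespace boundary the slides refer to; the reflective call shows why the loader alone is not the sandbox and why the security manager is still needed.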
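The "Security Manager" slide says the sandbox's boundary is defined by overridable check methods. As an added example (not from the original slides), the program below installs a SecurityManager subclass whose overrides enforce the prohibitions listed on the "Sandbox cont'd" slide: file system access, network access and process creation. The class and method names (AppletSandboxDemo, AppletSandbox, the *Blocked helpers) are constructed for this illustration; it assumes a JDK where a security manager can still be installed (Java 8 to 17 work as-is; Java 18 and later need the JVM started with -Djava.security.manager=allow, and recent releases have removed the API entirely).

```java
import java.io.FileReader;
import java.io.IOException;
import java.net.Socket;
import java.security.Permission;

/*
 * Added example, not from the original slides: a minimal SecurityManager that
 * refuses the operations the sandbox prohibits. Names are constructed for the
 * illustration. Works on JDK 8-17; on JDK 18+ start the JVM with
 * -Djava.security.manager=allow.
 */
public class AppletSandboxDemo {

    /** Permits everything except the operations an applet must not perform. */
    static final class AppletSandbox extends SecurityManager {

        // Default-allow here so the demo stays self-contained; a production
        // sandbox would consult the policy instead. The sandbox decisions are
        // made only in the overridden hooks below.
        @Override public void checkPermission(Permission perm) { }
        @Override public void checkPermission(Permission perm, Object context) { }

        // File system access: reads, writes and deletes are all refused.
        @Override public void checkRead(String file)   { deny("file read of " + file); }
        @Override public void checkWrite(String file)  { deny("file write of " + file); }
        @Override public void checkDelete(String file) { deny("file delete of " + file); }

        // Network access: outbound connections and listening sockets are refused.
        @Override public void checkConnect(String host, int port) { deny("connect to " + host + ":" + port); }
        @Override public void checkListen(int port)               { deny("listen on port " + port); }
        @Override public void checkAccept(String host, int port)  { deny("accept from " + host + ":" + port); }

        // Process creation is refused.
        @Override public void checkExec(String cmd) { deny("exec of " + cmd); }

        private static void deny(String what) {
            throw new SecurityException("sandbox: " + what + " denied");
        }
    }

    /** FileReader calls checkRead before opening anything, so no file is touched. */
    static boolean fileReadBlocked() {
        try (FileReader r = new FileReader("/etc/hosts")) {
            return false;                         // the read went ahead: not sandboxed
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
            return true;                          // vetoed by the manager
        } catch (IOException e) {
            return false;                         // got past the check, failed for another reason
        }
    }

    /** Socket.connect calls checkConnect before any packet leaves the host (192.0.2.1 is a documentation address). */
    static boolean connectBlocked() {
        try (Socket s = new Socket("192.0.2.1", 80)) {
            return false;
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
            return true;
        } catch (IOException e) {
            return false;
        }
    }

    /** ProcessBuilder.start calls checkExec before forking; the command need not exist. */
    static boolean execBlocked() {
        try {
            Process p = new ProcessBuilder("ls").start();
            p.destroy();
            return false;
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
            return true;
        } catch (IOException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Both demo classes are already loaded at this point; after the manager is
        // installed, checkRead would also veto loading further classes from disk.
        System.setSecurityManager(new AppletSandbox());
        System.out.println("file read blocked: " + fileReadBlocked());
        System.out.println("connect blocked:   " + connectBlocked());
        System.out.println("exec blocked:      " + execBlocked());
    }
}
```

Each helper performs the operation through the ordinary JDK API and reports whether the manager's hook vetoed it, which is how an applet would experience the sandbox. The overrides ignore the calling context on purpose so the effect is easy to see; the real connection to the class loader described on the slides comes from a manager that denies these operations only when untrusted (applet-loaded) classes are on the call stack, which is what the default implementation's permission and policy checks provide.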