java jvm jre
play

Java/JVM/JRE Li Gong lgong@mozilla.com Security Seminar Series - PowerPoint PPT Presentation

Feb 09, 2024 •11 likes •271 views

Practical Implications of Java/JVM/JRE Li Gong lgong@mozilla.com Security Seminar Series Computer Lab, Cambridge, UK May 04, 2011 Disclaimers via Old Quotes Theorem -- Any problem in computer science can be solved with another level

  1. Practical Implications of Java/JVM/JRE Li Gong lgong@mozilla.com Security Seminar Series Computer Lab, Cambridge, UK May 04, 2011

  2. Disclaimers via Old Quotes • Theorem -- “Any problem in computer science can be solved with another level of indirection” *David Wheeler/Butler Lampson+ • Corollary -- “There is nothing new in computer science after 1970s” (all just rehash of old problems in new settings) [Lampson?] • Nevertheless, old tricks applied in different environments can have new practical impacts

  3. Who Do We (Secure Systems Builders) Work For? • Programmers/application developers – “Users” do not directly use the OS • So the key objective is to help the developer get what is intended with his/her code – Make the most common cases the easiest to write – Reduce risks of badly written code • Major assumption – The system “we” produce has correct behaviors

  4. Four Major Concerns for JDK 1.2 (as written in late 1996) • Usability – Suitable for a wide variety of applications • Simplicity – Easy to understand and analyze • Adequacy – Enough features before the next release • Adaptability – Do not over prescribe – Can evolve with ease

  5. How Java Code Is Run/Executed Java source code Java compiler Java bytecode Bytecode verifier Java virtual machine JVM written in C/Java Native OS

  6. How Java Code Is Run/Executed • Java source code is compiled into Java bytecode • Bytecode is fed into and interpreted by JVM/JRE • Design objectives – Only valid bytecode is run – Only intended consequences occur • Good intended behaviors are ensured by usual testing • Bad unintended behaviors must be prevented • JVM/JRE itself written in part in Java

  7. How Java Code Is Run/Executed • Java source code is compiled into Java bytecode – How do we know the source is valid Java code? – A correct compiler accepts valid Java source code and produces valid Java bytecode – Can we trust the compiler someone else uses? No? • Bytecode is fed into and interpreted by JVM/JRE – How do we ensure that we accept only valid bytecode?

  8. It’s an Input Validation Problem • F(n), n = 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 – N is completely/well structured – N has a small space – Input validation is trivial • Java bytecode – Not completely/well structured – Has a large space – Consider an extreme example H(x) where x is 128 bit arbitrary number and H() is a one-way hash function that produces 256 bit hash values. Given any y, is y valid hash? • Java is dynamically extensible – Type safety problem (think of buffer overflows)

  9. Ensuring Bytecode Validality • Static bytecode verifier • Runtime type checking • Have we covered all cases? – UW bytecode basher by Brian Bershad, Gun Sirer • Can we type check sufficiently fast during run time? – Acceptable in the absolute – Acceptable in the relative

  10. Preventing Bad Unintended Consequences • Least-privilege principle – Associate objects with protection domains, each with its own set of privileges – Calculate dynamically “active privileges” (or if a specific privilege is active) • Internal representation of privileges – java.security.permission classes, generic, extensible – The “implies” method • External declarations of privileges – Policy specification (not intended as the only solution) • Note: no requirement for MLS, info flow, etc.

  11. Critical Issues of Least Privilege • Can privilege calculations be done sufficiently fast? – Typical environments have simple permissions – Can be punted away – write your own algorithm • Protection domains retrofitted into JVM/JRE – JIT cannot combine frames from different domains and other complications – Protection domains related to class/type extensions* • Special privileged operations – Programmers must declare these explicitly

  12. Get the Book and/or Read the Docs

  13. JDK 1.2 Security Feature List (12/11/1996) • Project code named Gibraltar • Features – Authentication – Delegation – Fine-grained access control – Policy management – Audit – Secret sharing – Key generation – Storage of private keys (e.g., passwords) • Alpha (05/1997), FCS (09/1997)

  14. Other Considerations Circa 1996/7 • Export control of crypto packages – Key escrow/key recovery, RSA/Bsafe/Cylink/others, CDSA, MS CAPI – “Church of Cryptology” • Where is Java security headed – Is it just a component of the browser? More specifically the Netscape browser?

  15. Other Considerations (Cont.) • Protect against decompilation of Java bytecode – Code obfuscation – Encrypted bytecode • Control of resource consumption by applets • Java on a smartcard • Java as e-commerce platform (Java Wallet) • JavaOS (Java Station) – Security needs for a standalone OS? • Sun company wide security architecture and strategy?

  16. So Where Is the Drama? • The whole project is equally a social (and political) process, not just a tech project • Stressful – 1000~ meetings in 30 months, 300 pages of meeting notes • Fast moving -- be ready to take the single available shot • Constant onslaught of security bugs – The Friday fire drills – Microsoft was a Java licensee; but was it a good partner? • There were people who wanted to “kill” it – Sun internal (delete our workspace, override security code, resist changes to the VM, resist security audit) – Fringes inside IBM (and other places) – Netscape fight (more later)

  17. Technical Lessons Learned • Systematic is better and easier than ad hoc – Implementing least privilege in JDK 1.2 turned out to be easier and more robust than a “bolted - on” binary sandbox model in JDK 1.0/1.1 • Do not use NULL – you cannot later change the behavior of a NULL (Null ClassLoader, Null SecurityManager) • Do not overload functions – finding a class (which should be easily extensible) and defining it (which should be tightly controlled)

  18. Is Java Fail Safe? • Java cannot guarantee sequential execution, due to exceptions handling, even with Catch and Finally • What happens when machine run out of memory? What’s the defined behavior then?

  19. Alternative Ideas • Erlingsson and Schneider, Inlined Reference Monitor (IRM) – Why interesting: support for arbitrary enforceable policy – Why not in: too late in the JDK 1.2 cycle to be fully evaluated • Balfanz and Gong, multi-processing – Why: support for different security policies and properties for different processes – Why not in: too radical departure from JDK, too disruptive to existing code, not backward compatible

  20. GuardedObject • An object containing a resource (e.g., a file) and a specific guard (a permission) – The resource is accessible only if the permission is allowed • Access permission is checked at the point of resource consumption, ensuring the right check is done in the right context – Can pass objects (references) around freely – Can prepare resources before actual requests – developers do not need to know about security managers or access control checks • This is “slipped” into JDK, but not used internally, because it is alien to the familiar usage of invoking SecurityManager

  21. Observations – The Good (the practical impacts) • Java security has matured – From “what it is” to “how to utilize the features” – Did too little, too much, or just right? • Raised the bar for everyone else – Anyone designing a new language/platform must consider type safety, systems security, least privilege, etc. • Impacted thousands of programmers on their security awareness

  22. Observations – The Bad • Those companies who can afford the time and effort to improve security do not feel incented to spend the/adequate resources • Those who want to differentiate from the dominate players cannot afford the time and effort • When rarely a good/better security platform emerges, competition would not allow it to be adopted across the industry

  23. Observations – The Bad (cont.) • Many/any extensible systems (e.g., browser add-ons, iPhone apps) need the same sort of protection/security infrastructure, but they tend to be built on different technology platforms, so reuse is difficult or impossible

  24. Observations – The Ugly • A new thing (a toy widget, scripting language, etc.) starts nice and small, with limited usage scope and no security considerations • It gains good traction • The feature set keeps expanding and the toy becomes a widely adopted • Soon the “small toy” resembles a full system or programming platform, except without adequate security support

  25. 12-Month Battle with Netscape • The three battles – JFC vs Netscape’s IFC (combined into Swing) – Hotspot vs Netscape’s proposed Java VM – Java security vs Netscape Java security extensions • IBM as arbitrator – Don Neal overall IBM taskforce lead (Bob Blakely took over the lead 3 months later) – Arbitration resolution meeting 10/15/2007

  26. “ Never Forget Class Struggle! ” • Email me at lgong@mozilla.com

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

JAVA Java vs. Java Java Language Specification

JAVA Java vs. Java Java Language Specification

BR 10/05 JAVA Java vs. Java Java Language Specification http://java.sun.com/docs/books/jls/second_edition/html/j.title.doc.html Java programming language is compiled into java byte code Java Virtual Machine Specification

1.07k views • 44 slides
Multi-core in JVM/Java Concurrent programming in java Prior Java 5 Java 5 (2006)

Multi-core in JVM/Java Concurrent programming in java Prior Java 5 Java 5 (2006)

Multi-core in JVM/Java Concurrent programming in java Prior Java 5 Java 5 (2006) Java 7 (2010) Other topics Basic concurrency in Java Java Memory Model describes how threads interact through memory Single thread

812 views • 34 slides
Java Java Basics Java Program Statements Java Review Conditional statements

Java Java Basics Java Program Statements Java Review Conditional statements

Java Java Basics Java Program Statements Java Review Conditional statements Repetition statements (loops) Writing Classes in Java Selim Aksoy Class definitions Bilkent University Encapsulation and Java modifiers

346 views • 11 slides
1 Java compilation model Java bytecode format void spin () { int i; for (i = 0; i < 100;

1 Java compilation model Java bytecode format void spin () { int i; for (i = 0; i < 100;

The Java programming environment Introduction to JVM Based on material produced by Bill Venners 1 2 The Java platform The role of the virtual machime byte code generated by the Java front-end is an intermediate representation (IR)

834 views • 3 slides
TM Technology for Blu-ray and TV: Java Creating your own Blu-ray Java Discs The Blu-ray Java

TM Technology for Blu-ray and TV: Java Creating your own Blu-ray Java Discs The Blu-ray Java

TM Technology for Blu-ray and TV: Java Creating your own Blu-ray Java Discs The Blu-ray Java Authoring Team: Bill Foote, Chihiro Saito, A. Sundararajan, Jaya Hangal TS-5449 Talk Outline HD Cookbook Community Overview Target: Blu-ray

592 views • 44 slides
DTrace Topics: -> java/lang/System.arraycopy <- java/lang/System.arraycopy Java <-

DTrace Topics: -> java/lang/System.arraycopy <- java/lang/System.arraycopy Java <-

# ./jflow.d <- java/lang/Thread.sleep -> Greeting.greet -> java/io/PrintStream.println -> java/io/PrintStream.print -> java/io/PrintStream.write -> java/io/PrintStream.ensureOpen <- java/io/PrintStream.ensureOpen ->

632 views • 34 slides
Migrating to Java 9 Modules @Sander_Mak By Sander Mak Migrating to Java 9 Java 8 java -cp ..

Migrating to Java 9 Modules @Sander_Mak By Sander Mak Migrating to Java 9 Java 8 java -cp ..

Migrating to Java 9 Modules @Sander_Mak By Sander Mak Migrating to Java 9 Java 8 java -cp .. -jar myapp.jar Java 9 java -cp .. -jar myapp.jar Today's journey Running on Java 9 Java 9 modules Migrating to modules Modularising code

851 views • 45 slides
C vs Java Dalhousie University Winter 2019 Comparing C to Java Assumption: You know Java well.

C vs Java Dalhousie University Winter 2019 Comparing C to Java Assumption: You know Java well.

CSCI 2132: Software Development Norbert Zeh Faculty of Computer Science C vs Java Dalhousie University Winter 2019 Comparing C to Java Assumption: You know Java well. Focus on differences between C and Java. Arithmetic Operators Most

152 views • 14 slides
Actually, C++ and Java are much the same as C. C was designed in the 1970s. 1 Java 2 C 3

Actually, C++ and Java are much the same as C. C was designed in the 1970s. 1 Java 2 C 3

C is a high level language (HLL) Its syntax is much the same as Java and C++, but no objects. Actually, C++ and Java are much the same as C. C was designed in the 1970s. 1 Java 2 C 3 Why C ? 1. Millions of lines of code have been

377 views • 23 slides
JAVA Language Mapping Java IDL (CORBA) introduced in Version 1.2 of the Java 2 platform,

JAVA Language Mapping Java IDL (CORBA) introduced in Version 1.2 of the Java 2 platform,

BR 11/05 JAVA Language Mapping Java IDL (CORBA) introduced in Version 1.2 of the Java 2 platform, provides an interface between Java programs and distributed objects and services built using the Common Object Request Broker

355 views • 31 slides
JAVA Basics & OOP 2020/3/14 Write Once, Run Anywhere Java Virtual Machine (JVM)

JAVA Basics & OOP 2020/3/14 Write Once, Run Anywhere Java Virtual Machine (JVM)

Poly- mor- phism Abstra ction Class OOP Inheri -tance En- capsu- lation Kuan-Ting Lai JAVA Basics & OOP 2020/3/14 Write Once, Run Anywhere Java Virtual Machine (JVM) http://net-informations.com/java/intro/jvm.htm Java Overview

660 views • 44 slides
RIDING THE JET STREAMS FUAD MALIKOV | HAZELCAST JAVA 8 STREAM API WHAT IS IT? JAVA 8 PRE JAVA

RIDING THE JET STREAMS FUAD MALIKOV | HAZELCAST JAVA 8 STREAM API WHAT IS IT? JAVA 8 PRE JAVA

RIDING THE JET STREAMS FUAD MALIKOV | HAZELCAST JAVA 8 STREAM API WHAT IS IT? JAVA 8 PRE JAVA 8 HISTORIC TIMES Collections Iterators For loops If-else statements WORD COUNT CODE Pre Java 8 Stream examples Get the unique

489 views • 19 slides
The testing pyramid Maurcio F. Aniche M.F.Aniche@tudelft.nl A.java ATest.java Thats what

The testing pyramid Maurcio F. Aniche M.F.Aniche@tudelft.nl A.java ATest.java Thats what

The testing pyramid Maurcio F. Aniche M.F.Aniche@tudelft.nl A.java ATest.java Thats what we have been calling B.java BTest.java Unit Testing . C.java CTest.java Some definitions ISQTB: Searches for defects in, and verifies the

604 views • 17 slides
C++ -> Java Moving from C++ to Java Execu7ve

C++ -> Java Moving from C++ to Java Execu7ve

C++ -> Java Moving from C++ to Java Execu7ve Summary Introduces Java to a C++ programmer. Provides a roadmap for understanding advanced

798 views • 50 slides
Upgrading Past Java 9 Sounds Scary and I dont want to pay for Java Super happy with Java 8,

Upgrading Past Java 9 Sounds Scary and I dont want to pay for Java Super happy with Java 8,

Upgrading Past Java 9 Sounds Scary and I dont want to pay for Java Super happy with Java 8, Super happy with Java 8, thanks thanks Starting with Java 11, Oracle will provide JDK releases under the open source GNU General Public License

1.01k views • 71 slides
Todays topics Java Syntax and Grammars Sample Programs Upcoming More

Todays topics Java Syntax and Grammars Sample Programs Upcoming More

Todays topics Java Syntax and Grammars Sample Programs Upcoming More Java Reading Great Ideas , Chapter 2 Java! Java is a buzzword-enabled language From Sun (the developers of Java), Java is a simple,

582 views • 28 slides
Navigating Compliance in a CoreOS World Paul Querna | @pquerna CTO, ScaleFT May 10, 2016 Has

Navigating Compliance in a CoreOS World Paul Querna | @pquerna CTO, ScaleFT May 10, 2016 Has

Navigating Compliance in a CoreOS World Paul Querna | @pquerna CTO, ScaleFT May 10, 2016 Has 200+ Page Questionnaires Runs CoreOS Fun! New! Not Fun! Old! Many Standards for Many Purposes

491 views • 33 slides
Bilateral counterparty risk valuation with stochastic dynamical models and application to Credit

Bilateral counterparty risk valuation with stochastic dynamical models and application to Credit

Bilateral counterparty risk valuation with stochastic dynamical models and application to Credit Default Swaps Agostino Capponi California Institute of Technology Division of Engineering and Applied Sciences acapponi@caltech.edu Fields

1.01k views • 72 slides
a Ten-Year Retrospective Li Gong Mozilla Online Ltd. lgong@mozilla.com www.mozillaonline.com

a Ten-Year Retrospective Li Gong Mozilla Online Ltd. lgong@mozilla.com www.mozillaonline.com

Java Security: a Ten-Year Retrospective Li Gong Mozilla Online Ltd. lgong@mozilla.com www.mozillaonline.com December 10, 2009 300~ Pages of Meeting Notes 1000~ Meetings in 30 months Why Security Technologies Seldom Make Into Actual

608 views • 21 slides
High-speed cryptography Do we care about speed? Daniel J. Bernstein Almost all software is

High-speed cryptography Do we care about speed? Daniel J. Bernstein Almost all software is

1 2 High-speed cryptography Do we care about speed? Daniel J. Bernstein Almost all software is University of Illinois at Chicago & much slower than it could be. Technische Universiteit Eindhoven Is software applied to much data? with

1.17k views • 115 slides
CRUSOE: DATA MODEL FOR CYBER SITUATIONAL AWARENESS Tuesday 28 th August, 2018 Martin Husk Jana

CRUSOE: DATA MODEL FOR CYBER SITUATIONAL AWARENESS Tuesday 28 th August, 2018 Martin Husk Jana

CRUSOE: DATA MODEL FOR CYBER SITUATIONAL AWARENESS Tuesday 28 th August, 2018 Martin Husk Jana Komrkov Martin Latovika Daniel Tovark Introduction and Motivation CRUSOE Data Model Page 2 / 23 Cyber Situational Awareness

561 views • 23 slides
Tables The main purpose of an HTML table is to organize data in a two-dimensional grid. Many web

Tables The main purpose of an HTML table is to organize data in a two-dimensional grid. Many web

CS125 Spring 2014 Interim Tables The main purpose of an HTML table is to organize data in a two-dimensional grid. Many web designers have also used tables for the layout of entire web pages. This usage is now deprecated. CSS layouts are meant

959 views • 10 slides
HTML & CSS Level 1: Week 4 May 26, 2015 Instructor: Devon Persing This week CSS

HTML & CSS Level 1: Week 4 May 26, 2015 Instructor: Devon Persing This week CSS

HTML & CSS Level 1: Week 4 May 26, 2015 Instructor: Devon Persing This week CSS abbreviations Using classes and ids for styles Pseudo-selectors Backgrounds with images, opacity, and gradients Review! History designed by

1.34k views • 67 slides
Adding CSS to your HTML Lecture 3 CGS 3066 Fall 2016 September 27, 2016 Making your document

Adding CSS to your HTML Lecture 3 CGS 3066 Fall 2016 September 27, 2016 Making your document

Adding CSS to your HTML Lecture 3 CGS 3066 Fall 2016 September 27, 2016 Making your document pretty CSS is used to add presentation to the HTML document. We have seen 3 ways of adding CSS. In this lecture, we will look at different

613 views • 12 slides

More recommend