java jvm jre
play

Java/JVM/JRE Li Gong lgong@mozilla.com Security Seminar Series - PowerPoint PPT Presentation

Feb 09, 2024 •11 likes •271 views

Practical Implications of Java/JVM/JRE Li Gong lgong@mozilla.com Security Seminar Series Computer Lab, Cambridge, UK May 04, 2011 Disclaimers via Old Quotes Theorem -- Any problem in computer science can be solved with another level

  1. Practical Implications of Java/JVM/JRE Li Gong lgong@mozilla.com Security Seminar Series Computer Lab, Cambridge, UK May 04, 2011

  2. Disclaimers via Old Quotes • Theorem -- “Any problem in computer science can be solved with another level of indirection” *David Wheeler/Butler Lampson+ • Corollary -- “There is nothing new in computer science after 1970s” (all just rehash of old problems in new settings) [Lampson?] • Nevertheless, old tricks applied in different environments can have new practical impacts

  3. Who Do We (Secure Systems Builders) Work For? • Programmers/application developers – “Users” do not directly use the OS • So the key objective is to help the developer get what is intended with his/her code – Make the most common cases the easiest to write – Reduce risks of badly written code • Major assumption – The system “we” produce has correct behaviors

  4. Four Major Concerns for JDK 1.2 (as written in late 1996) • Usability – Suitable for a wide variety of applications • Simplicity – Easy to understand and analyze • Adequacy – Enough features before the next release • Adaptability – Do not over prescribe – Can evolve with ease

  5. How Java Code Is Run/Executed Java source code Java compiler Java bytecode Bytecode verifier Java virtual machine JVM written in C/Java Native OS

  6. How Java Code Is Run/Executed • Java source code is compiled into Java bytecode • Bytecode is fed into and interpreted by JVM/JRE • Design objectives – Only valid bytecode is run – Only intended consequences occur • Good intended behaviors are ensured by usual testing • Bad unintended behaviors must be prevented • JVM/JRE itself written in part in Java

  7. How Java Code Is Run/Executed • Java source code is compiled into Java bytecode – How do we know the source is valid Java code? – A correct compiler accepts valid Java source code and produces valid Java bytecode – Can we trust the compiler someone else uses? No? • Bytecode is fed into and interpreted by JVM/JRE – How do we ensure that we accept only valid bytecode?

  8. It’s an Input Validation Problem • F(n), n = 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 – N is completely/well structured – N has a small space – Input validation is trivial • Java bytecode – Not completely/well structured – Has a large space – Consider an extreme example H(x) where x is 128 bit arbitrary number and H() is a one-way hash function that produces 256 bit hash values. Given any y, is y valid hash? • Java is dynamically extensible – Type safety problem (think of buffer overflows)

  9. Ensuring Bytecode Validality • Static bytecode verifier • Runtime type checking • Have we covered all cases? – UW bytecode basher by Brian Bershad, Gun Sirer • Can we type check sufficiently fast during run time? – Acceptable in the absolute – Acceptable in the relative

  10. Preventing Bad Unintended Consequences • Least-privilege principle – Associate objects with protection domains, each with its own set of privileges – Calculate dynamically “active privileges” (or if a specific privilege is active) • Internal representation of privileges – java.security.permission classes, generic, extensible – The “implies” method • External declarations of privileges – Policy specification (not intended as the only solution) • Note: no requirement for MLS, info flow, etc.

  11. Critical Issues of Least Privilege • Can privilege calculations be done sufficiently fast? – Typical environments have simple permissions – Can be punted away – write your own algorithm • Protection domains retrofitted into JVM/JRE – JIT cannot combine frames from different domains and other complications – Protection domains related to class/type extensions* • Special privileged operations – Programmers must declare these explicitly

  12. Get the Book and/or Read the Docs

  13. JDK 1.2 Security Feature List (12/11/1996) • Project code named Gibraltar • Features – Authentication – Delegation – Fine-grained access control – Policy management – Audit – Secret sharing – Key generation – Storage of private keys (e.g., passwords) • Alpha (05/1997), FCS (09/1997)

  14. Other Considerations Circa 1996/7 • Export control of crypto packages – Key escrow/key recovery, RSA/Bsafe/Cylink/others, CDSA, MS CAPI – “Church of Cryptology” • Where is Java security headed – Is it just a component of the browser? More specifically the Netscape browser?

  15. Other Considerations (Cont.) • Protect against decompilation of Java bytecode – Code obfuscation – Encrypted bytecode • Control of resource consumption by applets • Java on a smartcard • Java as e-commerce platform (Java Wallet) • JavaOS (Java Station) – Security needs for a standalone OS? • Sun company wide security architecture and strategy?

  16. So Where Is the Drama? • The whole project is equally a social (and political) process, not just a tech project • Stressful – 1000~ meetings in 30 months, 300 pages of meeting notes • Fast moving -- be ready to take the single available shot • Constant onslaught of security bugs – The Friday fire drills – Microsoft was a Java licensee; but was it a good partner? • There were people who wanted to “kill” it – Sun internal (delete our workspace, override security code, resist changes to the VM, resist security audit) – Fringes inside IBM (and other places) – Netscape fight (more later)

  17. Technical Lessons Learned • Systematic is better and easier than ad hoc – Implementing least privilege in JDK 1.2 turned out to be easier and more robust than a “bolted - on” binary sandbox model in JDK 1.0/1.1 • Do not use NULL – you cannot later change the behavior of a NULL (Null ClassLoader, Null SecurityManager) • Do not overload functions – finding a class (which should be easily extensible) and defining it (which should be tightly controlled)

  18. Is Java Fail Safe? • Java cannot guarantee sequential execution, due to exceptions handling, even with Catch and Finally • What happens when machine run out of memory? What’s the defined behavior then?

  19. Alternative Ideas • Erlingsson and Schneider, Inlined Reference Monitor (IRM) – Why interesting: support for arbitrary enforceable policy – Why not in: too late in the JDK 1.2 cycle to be fully evaluated • Balfanz and Gong, multi-processing – Why: support for different security policies and properties for different processes – Why not in: too radical departure from JDK, too disruptive to existing code, not backward compatible

  20. GuardedObject • An object containing a resource (e.g., a file) and a specific guard (a permission) – The resource is accessible only if the permission is allowed • Access permission is checked at the point of resource consumption, ensuring the right check is done in the right context – Can pass objects (references) around freely – Can prepare resources before actual requests – developers do not need to know about security managers or access control checks • This is “slipped” into JDK, but not used internally, because it is alien to the familiar usage of invoking SecurityManager

  21. Observations – The Good (the practical impacts) • Java security has matured – From “what it is” to “how to utilize the features” – Did too little, too much, or just right? • Raised the bar for everyone else – Anyone designing a new language/platform must consider type safety, systems security, least privilege, etc. • Impacted thousands of programmers on their security awareness

  22. Observations – The Bad • Those companies who can afford the time and effort to improve security do not feel incented to spend the/adequate resources • Those who want to differentiate from the dominate players cannot afford the time and effort • When rarely a good/better security platform emerges, competition would not allow it to be adopted across the industry

  23. Observations – The Bad (cont.) • Many/any extensible systems (e.g., browser add-ons, iPhone apps) need the same sort of protection/security infrastructure, but they tend to be built on different technology platforms, so reuse is difficult or impossible

  24. Observations – The Ugly • A new thing (a toy widget, scripting language, etc.) starts nice and small, with limited usage scope and no security considerations • It gains good traction • The feature set keeps expanding and the toy becomes a widely adopted • Soon the “small toy” resembles a full system or programming platform, except without adequate security support

  25. 12-Month Battle with Netscape • The three battles – JFC vs Netscape’s IFC (combined into Swing) – Hotspot vs Netscape’s proposed Java VM – Java security vs Netscape Java security extensions • IBM as arbitrator – Don Neal overall IBM taskforce lead (Bob Blakely took over the lead 3 months later) – Arbitration resolution meeting 10/15/2007

  26. “ Never Forget Class Struggle! ” • Email me at lgong@mozilla.com

Recommend

JAVA Java vs. Java Java Language Specification

JAVA Java vs. Java Java Language Specification

BR 10/05 JAVA Java vs. Java Java Language Specification http://java.sun.com/docs/books/jls/second_edition/html/j.title.doc.html Java programming language is compiled into java byte code Java Virtual Machine Specification

1.07k views • 44 slides
Multi-core in JVM/Java Concurrent programming in java Prior Java 5 Java 5 (2006)

Multi-core in JVM/Java Concurrent programming in java Prior Java 5 Java 5 (2006)

Multi-core in JVM/Java Concurrent programming in java Prior Java 5 Java 5 (2006) Java 7 (2010) Other topics Basic concurrency in Java Java Memory Model describes how threads interact through memory Single thread

812 views • 34 slides
Java Java Basics Java Program Statements Java Review Conditional statements

Java Java Basics Java Program Statements Java Review Conditional statements

Java Java Basics Java Program Statements Java Review Conditional statements Repetition statements (loops) Writing Classes in Java Selim Aksoy Class definitions Bilkent University Encapsulation and Java modifiers

346 views • 11 slides
1 Java compilation model Java bytecode format void spin () { int i; for (i = 0; i < 100;

1 Java compilation model Java bytecode format void spin () { int i; for (i = 0; i < 100;

The Java programming environment Introduction to JVM Based on material produced by Bill Venners 1 2 The Java platform The role of the virtual machime byte code generated by the Java front-end is an intermediate representation (IR)

834 views • 3 slides
TM Technology for Blu-ray and TV: Java Creating your own Blu-ray Java Discs The Blu-ray Java

TM Technology for Blu-ray and TV: Java Creating your own Blu-ray Java Discs The Blu-ray Java

TM Technology for Blu-ray and TV: Java Creating your own Blu-ray Java Discs The Blu-ray Java Authoring Team: Bill Foote, Chihiro Saito, A. Sundararajan, Jaya Hangal TS-5449 Talk Outline HD Cookbook Community Overview Target: Blu-ray

592 views • 44 slides
DTrace Topics: -> java/lang/System.arraycopy <- java/lang/System.arraycopy Java <-

DTrace Topics: -> java/lang/System.arraycopy <- java/lang/System.arraycopy Java <-

# ./jflow.d <- java/lang/Thread.sleep -> Greeting.greet -> java/io/PrintStream.println -> java/io/PrintStream.print -> java/io/PrintStream.write -> java/io/PrintStream.ensureOpen <- java/io/PrintStream.ensureOpen ->

632 views • 34 slides
Migrating to Java 9 Modules @Sander_Mak By Sander Mak Migrating to Java 9 Java 8 java -cp ..

Migrating to Java 9 Modules @Sander_Mak By Sander Mak Migrating to Java 9 Java 8 java -cp ..

Migrating to Java 9 Modules @Sander_Mak By Sander Mak Migrating to Java 9 Java 8 java -cp .. -jar myapp.jar Java 9 java -cp .. -jar myapp.jar Today's journey Running on Java 9 Java 9 modules Migrating to modules Modularising code

851 views • 45 slides
C vs Java Dalhousie University Winter 2019 Comparing C to Java Assumption: You know Java well.

C vs Java Dalhousie University Winter 2019 Comparing C to Java Assumption: You know Java well.

CSCI 2132: Software Development Norbert Zeh Faculty of Computer Science C vs Java Dalhousie University Winter 2019 Comparing C to Java Assumption: You know Java well. Focus on differences between C and Java. Arithmetic Operators Most

152 views • 14 slides
Actually, C++ and Java are much the same as C. C was designed in the 1970s. 1 Java 2 C 3

Actually, C++ and Java are much the same as C. C was designed in the 1970s. 1 Java 2 C 3

C is a high level language (HLL) Its syntax is much the same as Java and C++, but no objects. Actually, C++ and Java are much the same as C. C was designed in the 1970s. 1 Java 2 C 3 Why C ? 1. Millions of lines of code have been

377 views • 23 slides
JAVA Language Mapping Java IDL (CORBA) introduced in Version 1.2 of the Java 2 platform,

JAVA Language Mapping Java IDL (CORBA) introduced in Version 1.2 of the Java 2 platform,

BR 11/05 JAVA Language Mapping Java IDL (CORBA) introduced in Version 1.2 of the Java 2 platform, provides an interface between Java programs and distributed objects and services built using the Common Object Request Broker

355 views • 31 slides
JAVA Basics & OOP 2020/3/14 Write Once, Run Anywhere Java Virtual Machine (JVM)

JAVA Basics & OOP 2020/3/14 Write Once, Run Anywhere Java Virtual Machine (JVM)

Poly- mor- phism Abstra ction Class OOP Inheri -tance En- capsu- lation Kuan-Ting Lai JAVA Basics & OOP 2020/3/14 Write Once, Run Anywhere Java Virtual Machine (JVM) http://net-informations.com/java/intro/jvm.htm Java Overview

660 views • 44 slides
RIDING THE JET STREAMS FUAD MALIKOV | HAZELCAST JAVA 8 STREAM API WHAT IS IT? JAVA 8 PRE JAVA

RIDING THE JET STREAMS FUAD MALIKOV | HAZELCAST JAVA 8 STREAM API WHAT IS IT? JAVA 8 PRE JAVA

RIDING THE JET STREAMS FUAD MALIKOV | HAZELCAST JAVA 8 STREAM API WHAT IS IT? JAVA 8 PRE JAVA 8 HISTORIC TIMES Collections Iterators For loops If-else statements WORD COUNT CODE Pre Java 8 Stream examples Get the unique

489 views • 19 slides
The testing pyramid Maurcio F. Aniche M.F.Aniche@tudelft.nl A.java ATest.java Thats what

The testing pyramid Maurcio F. Aniche M.F.Aniche@tudelft.nl A.java ATest.java Thats what

The testing pyramid Maurcio F. Aniche M.F.Aniche@tudelft.nl A.java ATest.java Thats what we have been calling B.java BTest.java Unit Testing . C.java CTest.java Some definitions ISQTB: Searches for defects in, and verifies the

604 views • 17 slides
C++ -> Java Moving from C++ to Java Execu7ve

C++ -> Java Moving from C++ to Java Execu7ve

C++ -> Java Moving from C++ to Java Execu7ve Summary Introduces Java to a C++ programmer. Provides a roadmap for understanding advanced

798 views • 50 slides
Upgrading Past Java 9 Sounds Scary and I dont want to pay for Java Super happy with Java 8,

Upgrading Past Java 9 Sounds Scary and I dont want to pay for Java Super happy with Java 8,

Upgrading Past Java 9 Sounds Scary and I dont want to pay for Java Super happy with Java 8, Super happy with Java 8, thanks thanks Starting with Java 11, Oracle will provide JDK releases under the open source GNU General Public License

1.01k views • 71 slides
Todays topics Java Syntax and Grammars Sample Programs Upcoming More

Todays topics Java Syntax and Grammars Sample Programs Upcoming More

Todays topics Java Syntax and Grammars Sample Programs Upcoming More Java Reading Great Ideas , Chapter 2 Java! Java is a buzzword-enabled language From Sun (the developers of Java), Java is a simple,

582 views • 28 slides
Introduction to Java Brief history of Java Sample Java Program Compiling &

Introduction to Java Brief history of Java Sample Java Program Compiling &

Introduction to Java Brief history of Java Sample Java Program Compiling & Executing Reading: => Section 1.1 1 Introduction to Java History Invented in 1991 - Sun Microsystems, Inc (James Gosling). Sun

593 views • 12 slides
Java SE 9 and the Application Server Kevin Sutter MicroProfile and Java EE Architect

Java SE 9 and the Application Server Kevin Sutter MicroProfile and Java EE Architect

InterConnect EclipseCon Europe 2017 2017 Java SE 9 and the Application Server Kevin Sutter MicroProfile and Java EE Architect @kwsutter 1 Java SE 9 Standalone 2 10/30/17 Java 9 Standard Features JSR 379: Java SE 9 Release

468 views • 32 slides
Java I/O For the next couple of classes we will be Java I/O talking about Java I/O Last

Java I/O For the next couple of classes we will be Java I/O talking about Java I/O Last

Java I/O For the next couple of classes we will be Java I/O talking about Java I/O Last class: basics and low level I/O This class: wrappers and high level I/O Reading, Writing, and stuff Pt II All Java I/O classes

251 views • 8 slides
e Java Memory Model . Jesper qvist . . . e Java Environment . . . 2 . . e Java

e Java Memory Model . Jesper qvist . . . e Java Environment . . . 2 . . e Java

. e Java Memory Model . Jesper qvist . . . e Java Environment . . . 2 . . e Java Environment . . . 3 . . Java Execution . Possible reordering due to Compiler, JVM, or CPU! Plus visibility problems due to CPU caches! .

473 views • 21 slides
How Java works The java compiler takes a .java file and generates a .class file The .class

How Java works The java compiler takes a .java file and generates a .class file The .class

How Java works The java compiler takes a .java file and generates a .class file The .class file contains Java bytecodes, the assembler language for Java programs Bytecodes are executed in a JVM (java virtual machine), the valid

426 views • 8 slides
Professional Java Projects CS1331 Professional Java Projects You know the basics of Java. Today

Professional Java Projects CS1331 Professional Java Projects You know the basics of Java. Today

Professional Java Projects CS1331 Professional Java Projects You know the basics of Java. Today youll learn the basic elements of professional Java projects, including the classpath, separating source and compiler output, project

388 views • 10 slides
OpenJDK The Future of Open Source Java on GNU/Linux Dalibor Topi Java F/OSS Ambassador

OpenJDK The Future of Open Source Java on GNU/Linux Dalibor Topi Java F/OSS Ambassador

OpenJDK The Future of Open Source Java on GNU/Linux Dalibor Topi Java F/OSS Ambassador Blog aggregated on http://planetjdk.org Java Implementations Become Open Source Java ME, Java SE, and Java EE 2 Why now? Java is everywhere

660 views • 39 slides
Java 8 in Anger Trisha Gee Developer & Technical Advocate, JetBrains java.lang and

Java 8 in Anger Trisha Gee Developer & Technical Advocate, JetBrains java.lang and

#QConNewYork Java 8 in Anger Trisha Gee Developer & Technical Advocate, JetBrains java.lang and java.util Packages Parallel Array Sorting Standard Encoding and Decoding Base64 Java 8 has many new features Unsigned Arithmetic

324 views • 31 slides

More recommend