Dr. Waitak Wong

About This Presentation

Title:

Dr. Waitak Wong

Description:

package (default): Accessible by classes in the same package ... tools for creating and managing security keys and certificates. 47. Java Security Architecture ... – PowerPoint PPT presentation

Number of Views:32

Avg rating:3.0/5.0

Slides: 160

Provided by: waita

Category:

more less

Transcript and Presenter's Notes

Title: Dr. Waitak Wong

1
Java J2EE Application Security

Dr. Waitak Wong
Department of Information Management
Chung Hua University, Hsinchu, Taiwan

2
Today's Agenda

About Security
Application Security
Java Security from the Ground Up
Standalone Java Application Techniques
Hacking Java Client-Sever Application
Java Network Applications RMI

3
Today's Agenda (cont.)

Exploiting Java Web Tier Components
Web Services Security
Enterprise Java Beans Security

4
About Security

Common Security Threats
Three concepts of CIA security model
Definition of security

5
Common Security Threats

Identity interception
Steal your identity and use it as their own
Masquerading
Grab your identity and use it elsewhere with the
intention of perpetrating fraud
Replay attack
Capture your request and replay that request
Data interception and manipulation
Read your data (such as credit card info)

6
Common Security Threats

Repudiation
Deny your/his completed transaction
Denial of Service
Terminate the service

7
Three concepts of CIA security model

Confidentiality
information must not be disclosed to any
unauthorized person
Integrity
authorized actions (unauthorized data changes)
separation and protection for resources
error detection and correction (data corruption)
Availability
presence of objects or service in a usable form
capacity to meet service needs
adequate timeliness of a service

8
Definition of security

Deter
Generate a feasible and believable deterrence
Detect
Detect how, when and where intrusion has taken
place
Protect
Manage people and the Information System in an
effective manner so as to protect against
unauthorized usage

9
Definition of security

React
react to an intrusion
ensure that penetration does not happen again.
vulnerability is eliminated
Recover
recover all data and programs from a breach in
security

10
Application Security - Not just technology
its a process -

System-level Security Vs.
Application-level Security

11
System-level Security Vs. Application-level
Security

Defeating System-level security may not provide
attackers with appropriate access to the
application-level data, logic, or methods that
they seek

Application-level Security
System-level security
Enterprise Data
Attacker
12
System-level Security Vs. Application-level
Security (cont.)

Work together to build a secure
system/application combination

System-level security
Application-level Security
Enterprise Data
Attacker
Attacker
13
System-level Security Vs. Application-level
Security (cont.)

It is more efficient to push some security
responsibilities up to the application level
instead of handling them at the operating-system
level

14
Java Security from the Ground Up

Java Language Safety Features
Java Security Model
Java Security Architecture

15
Java Language Safety Features

Objects have access levels
private Accessible by defining class
package (default) Accessible by classes in the
same package
protected Same as package, with addition of
access by any subclass
public Accessible by any class

16
Java Language Safety Features

Access methods are strictly adhered to
No pointers (no access to arbitrary memory and
automatic garbage collection)
final methods or variables cannot be changed
Variables MUST be initialized before use
Array bounds are enforced
Strict object casting rules

17
Java Security Enforcement
18
Java Security Enforcement

Enforcement happens at different times
Compile time enforcement
Class load time enforcement
Runtime enforcement

19
Compile Time Enforcement
20
Compile Time Enforcement

Validate language syntax
Enforce method and variable access rules
Enforce variable initialization
Enforce some casting operations

21
Class Load Time Enforcement
22
Class Load Time Enforcement

Bytecode verification
Verifies class file format
Accesses objects as correct type
Final classes are not subclassed
Final methods are not overridden
Every class has a single superclass Verify that
casting legality checks are in place

23
Class Load Time Enforcement

No operand stack overflows or underflows
All field and method accesses are legal
Method calls use correct number types of
arguments

24
Runtime Enforcement
25
Runtime Enforcement

Array bounds checking
Throws ArrayIndexOutOfBoundsException
Object casting
Throws ClassCastException
Security Manager
Throws SecurityException
Depends on the Access Controller

26
Java Security Model
27
Java Security Model
Sandbox a strictly defined arena where they
cannot affect other system resources. It
provides virtually no flexibility.
28
Java Security Model (cont.)
29
Components work with Sandbox

Class loader
first link in the security chain
enforces the name space hierarchy
Byte code verification
checks that there are violations like stack
overflows, name space violations, illegal data
type casts, etc.
Security manager
It enforces the boundary of the sandbox

30
Java Security Model (cont.)
JDK 1.1 security model
Applets either received unlimited access or were
confined to the sandbox there was no option for
selective access to resources.
31
Java Security Model (cont.)
32
Java Security Model (cont.)
33
Java Security Model (cont.)
34
Java Security Model (cont.)
35
Java Security Model (cont.)
36
Java Security Model (cont.)
37
Java Security Model (cont.)
38
Java Security Model (cont.)
Introduces the concept of a ProtectionDomain,
which permits a highly flexible security policy
decoupled from its implementation
39
Java Security Model (cont.)
40
Java Security Model (cont.)
41
Java Security Model (cont.)
42
Java Security Model (cont.)
43
Java Security Model (cont.)
44
Java Security Model (cont.)
45
Java Security Model (cont.)
46
Java Security Architecture

The J2SE 1.3 introduced
policy-based access control
X.509 v3 implementation of certificate interfaces
tools for creating and managing security keys and
certificates

47
Java Security Architecture

J2SE 1.4 continued by adding
Java Authentication and Authorization Service
(JAAS)
Java Cryptography Extension (JCE)
Java Secure Socket Extension (JSSE)
Features for Kerberos communication

48
Java Security Architecture Road Map
1
5
7
4
6
2
3
49
Java Security Architecture
50
Java Cryptographic Architecture
51
Java Cryptographic Architecture (cont.)
52
JCE Architecture

Extension to JCA
Framework for multiple CSPs
Sun distributes a JCE provider
Designed for export
Provide a framework for encryption and
decryption, key generation, key agreement, and
Message Authentication Code (MAC).
Encryption allows symmetric, asymmetric, block,
and stream ciphers, with addition support for
secure streams and sealed objects.

53
JCA JCE
54
JCE v1.2.1
55
JCE v1.2.1

Unapproved providers cannot plug-in
Providers unusable without framework
Crypto strength is configured in jurisdiction
policy files

56
JCA JCE
57
JCA JCE (cont.)
58
JCA JCE (cont.)
59
JAAS Architecture

Provides a Java security API to perform
authentication and authorization security service
for Java application
JAAS is designed to be pluggable.
Pluggable authentication
User-based authorization
Fine-grained access control capabilities
Framework for single sign-on

60
JAAS Architecture (cont.)
61
JAAS Architecture (cont.)
62
JAAS Architecture (cont.)
63
JAAS Architecture (cont.)
64
JAAS Architecture v1.0
65
JAAS Architecture v1.0 (cont.)
66
Java Secure Sockets Extension

Provides Secure Socket Layer (SSL) connections
over TCP/IP sockets.

67
Java Secure Sockets Extension (cont.)

JSSE is a set of Java packages that enables
secure Internet communications.
Standard socket APIs for SSL and TLS
Transport level Authentication, Integrity, and
Privacy
Supports standard cipher suites
Includes https URL handler

68
JSSE v1.0.1
69
J2SE v1.4 "Merlin" Security

CertPath API
GSSAPI Java Bindings
Public Key Cryptography Standards (PKCS)

70
J2SE v1.4 "Merlin" Cert Path

Validation of Certification Paths
Building of Certification Paths
Creation of Certification Paths
Retrieval of certs/CRLs

71
J2SE v1.4 "Merlin" Cert Path
72
J2SE v1.4 "Merlin" Cert Path
SPI (service provider interface) layer
73
J2SE v1.4 "Merlin" Kerberos

Network Authentication System
Internet Standard (RFC 1510)
Access via JAAS, JGSS, maybe JSSE

74
J2SE v1.4 "Merlin" Kerberos Features

Single Sign-on in a Kerberized environment
Credential cache integrates with platform
Kerberos
Interoperate with Solaris 8 software, Windows
2000, and MIT distributions

75
J2SE v1.4 "Merlin" Kerberos
76
J2SE v1.4 "Merlin" PKCS

De-facto standards widely used today
Evolved to cover technologies from encryption to
smartcards
Utilizes public key technology

77
J2SE v1.4 "Merlin" PKCS (cont.)
78
Road Map Security

End-to-end security
Integrated Security Services
Evolve with standards
Further performance improvements

79
Standalone Java Application SecurityTechniques

Encryption and secure digesting of sensitive data
using JCE
Logging and auditing using the Java Logging API

80
Encryption and secure digesting of sensitive
data using JCE
- ,??!???(??)???????-ltgt?-

Defeat a casual unauthorized read or write
attempt
Adding salt to the data
Generating a secret key
Encrypt the data
Data verification with message digests

81
Encryption and secure digesting of sensitive
data using JCE (cont.)
Encrypt
Digesting
Data
Encoding
Account Balance 12345 300.3 54321
1000.52
Account Encrypted Balance Message
Digest 12345 R/cT9Xhe44QwZEo5yruroGmJOLlj
QTI vMY6nlyuZcFsdHWphVmPxAu1V3o 54321
RIerr4ua0qatf/TYzVVMHpzARJJvQL4
Pc9XQrnvtR7MD9I4KcsjN3xat0
82
Logging and auditing using the Java Logging API

Modification of data by an unauthorized user with
an authorized users credentials
Log security-related messages and direct the log
messages to a file, a database, a network socket,
or even the console

83
Logging and auditing using the Java Logging API
(cont.)

Decide what to log
Successful and unsuccessful login attempt
Logouts and application shutdowns
Successfully accessing functionality
Unsuccessfully attempting to access any
functionality
Severe application exceptions that could affect
the integrity of application data or functionality

84
Hacking Java Client/Server Application

Attacking a client-server application (network)
is easier than attacking a standalone application
(physical access)
A two-tier application can be attacked
Outside of the application Attack the database
server
The network Attack the data as it transits
Application itself Attack the client side

85
Attack the database server

Application-level Database credential
Using application userid and pwd database
credentials
No way to track the attacker (semi-anonymous)

86
Attack the database server (cont.)

JDBC Data Sources with JNDI authentication and
embedded credential
Hiding the Database
Authenticate a particular users access to the
Data Source with that users credentials.

87
Attack the database server (cont.)

User-level Database passwords and JCE for
encryption
Encrypt sensitive data, write it to database, and
generate a message digest for each data record.
User-level database passwords and Stored
Procedures or callable statements for access
control
No users or application can directly access the
application tables

88
Attack the data as it transits

Packet sniffing
Solution
Secure the Database connection

89
Packet Sniffing Mysql Login Packet
90
Packet Sniffing Mysql Request Packet
91
Packet sniffing Mysql Response Packet
92
Secure the Database connection

Use a secure JDBC driver
Use a secure SSL tunnel
Use JSSE to implement an SSL Tunneling Client and
Server
Use JCE to encrypt the data at the Application
Level

93
Use JSSE to implement an SSL Tunneling Client and
Server
94
Attack the client side

Applets and WebStart applications, where remote
class loading is a necessity
Attackers might succeed in placing unwanted or
dangerous files on our client.

Remote code
Client codes that need remote class loading
Remote code
95
Attack the client side (cont.)

Solution
Securing JAR files
Specify the classpath on the command line
Protecting Applet-based client

96
Securing JAR files

JAR file a mechanism for distributing
application code in an encapsulated form
Jar signer To associate a digital signature
with a JAR file, and to later verify the
signature vs. an entry in keystore
Sealing package within a JAR file
Notify JVM that the packages contained in the JAR
file are atomic.

Remark keystore a physical repository for the
digital certificates that are used to verify that
a file was sent by the entity you expected
97
Specify the classpath on the command line

Dont rely on the CLASSPATH environment variable,
because that opens a door for attackers to insert
their own classes
A good practice to always specify your
applications classpath on the command line in a
read only startup script.

98
Protecting Applet-based client

Type confusion attack attacker would develop
bycode that could confuse as to the type of the
object at a particular memory location
Took advantage of flaws (failure to stop illegal
class casting or accessing an objects private
instance variables) in the bytecode verifiers
embedded in particular VMs.

99
Protecting Applet-based client (cont.)

Problem flaws in an underlying VM
Solution Use the Java Plug-in
When the browser sees a special tag embedded in
an HTML page indicating that a Java applet is
presented, it ignores the browsers built-in VM
and invokes the Java Plug-in, which uses Suns
JRE
With Java Plug-in, applets will run with the
default Java Security manager.

100
Protecting WebStart-based Client

Java WebStart ?? Java Network Launching Protocol
(JNLP) and API
Combine the benefits of applet-based deployment
with the benefits of standalone applications (no
need for a web browser or applet container)
WebStart code is loaded remotely ? it is
vulnerable to well known hacking technique such
as Server spoofing, class replacement, and
tricking unknowledgable users into granting
wide-ranging system access.

101
Protecting WebStart-based Client (cont.)

Solution
Regulated via the SignedBy attribute in
javaws.policy file or the system policy file
Two additional security settings defined in the
JNLP file for the application AllPermissions
attribute and the J2EE-Client attribute.
Including the JNLP files in the signed JAR file

102
Java Network Applications RMI

The Dangers of RMI
Unauthorized Use of Server Side Functions
Loading class and jar files remotely

103
The Dangers of RMI

RMI makes all method calls across network in
plain text without any authentication.
Information could be read in transit by a packet
sniffer

104
The Dangers of RMI (cont.)

Solution
Selective encryption
Encrypting the Account number and Balance
Encrypted communication channel
Using SSL connection between Client and Server

105
Unauthorized Use of Server Side Functions

Solution
Alter the remote methods so that the server can
verify the users identity
Authenticated communication channel
Create an authenticated socket class
Create a socket factory so that RMI can use the
new socket

106
Loading class and jar files remotely

RMI allows the class and JAR files to be loaded
from a remote location for application
distribution
Hackers could modify the JAR code and convince
the users to run it. Then they could control the
system.
Solution
Alter the remote methods so that the server can
verify the users identity

107
Exploiting Java Web Tier Components

A Java web application utilizes several
technologies
JSP and Servlets
Static HTML content
The Tomcat web container / web server

108
Exploiting Java Web Tier Components (cont.)

System-level security is extremely important for
any web application
You can apply the following security measures to
the web application
Passing servlet parameters in the URL instead of
in the HTTP header
Configuring certain servlets to deny HTTP GET
request

109
Exploiting Java Web Tier Components (cont.)

Implementing a solid web application exception
handling
Overriding container defaults for directory
listing and servlet invocation
Implementing a form-based authentication scheme
Resist session stealing attacks
Implementing and requiring HTTPS via SSL to be
used for all browsers to container connection

110
Exploiting Java Web Tier Components (cont.)
111
Exploiting Java Web Tier Components (cont.)
112
Web Services Security

Web Services
Web Service Technologies
Quick Comparison Related Technologies
The Java Web Services Developer Pack
Web Services Application Vulnerabilities
Securing Web Services Application
Web Services Security Scheme

113
Web Services

The ability to publish, discover, or invoke a set
of services in a platform-independent manner,
using XML and standard, web-based protocols for
transport.

114
Web Services Technologies

Simple Object Access Protocol (SOAP)
Provide a platform neutral, XML-based mechanism
to request services
Web Services Description Language (WSDL)
The interface description of the service

115
Web Services Technologies (cont.)

Universal Description Discovery and Integration
(UDDI)
The naming service, where service providers can
advertise their services to prospective clients

116
Quick Comparison to Related Technologies
Function CORBA JAVA RMI Web Services
Naming Service COSNaming rmiregistry UDDI
Interface Description IDL extends java.rmi.Remote WSDL
Wire Protocol IIOP JRMP or JMI-IIOP SOAP
117
The Java Web Services Developer Pack

Java technologies for web services
JAXM
A Java Interface to generate SOAP messages
JAX-RPC
An interface on top of JAXM provides RMI-like
interface to web services

118
The Java Web Services Developer Pack (cont.)

JAXR
Java access to UDDI-based registries
A Host for Web Services Endpoints
A reference implementation using servlets running
on Jakarta Tomcat

119
Web Services Application Vulnerabilities

The transport data is viewable or changeable with
a common text editor
The WSDL metadata to invoke the service is
usually available to the general public
Propagation of security identity or credentials
between the client and service is not standard
and can be quite problematic, especially in a
workflow-based architecture

120
Watching SOAP Request and Response with tcpmon
121
Securing Web Services Application

Securing the client/server connection
Connecting web services via secure tunneling over
SSL
Authentication with web services
Implementing declarative authorization for web
services
Implementing programmatic authorization for web
services

122
Securing Web Services Application (cont.)

Confidentiality and integrity of payload
information
Propagation of credential information

123
Securing the client/server connection

Use SSL/TLS for All Non-public Web Service Ports
J2EE provides an option for all communication
with the application to use SSL/TLS or not

124
(No Transcript)
125
(No Transcript)
126
(No Transcript)
127
(No Transcript)
128
XML Key Management Spec.
129
XML Key Management Spec.
130
XML Key Management Spec.
131
eXtensible Access Control
132
Security Assertion Markup Language
133
Security Assertion Markup Language
134
(No Transcript)
135
(No Transcript)
136
Enterprise Java Beans Security
137
J2EE Security Architecture

Covers both web-tier and EJB-tiers.
At Web-tier, the access control is performed
against each web resource which is represented in
the form of an URL
At EJB-tier, the access control can be applied
against each business method of a bean.
The container can enforce access control based on
roles defined in the web-tier and EJB-tier.

138
J2EE Security Architecture

A security role represents a grouping of
principals and is associated with permissions, or
authorization within the application.
A principal is assigned a role, and a role is
granted permission to execute specific methods.
User credentials are represented in the form of
Principal objects. The Principal objects are
created from the actual user identity information
that was entered by user.

139
(No Transcript)
140
(No Transcript)
141
(No Transcript)
142
(No Transcript)
143
(No Transcript)
144
(No Transcript)
145
EJB Security Architecture

EJBs have two options for managing security
Declarative security
Declarations made in the deployment descriptor
dictate the security of the components.
Security boundaries are based on the beans and
the methods provided by the beans
Security is based on which roles are allowed to
use which beans and which methods they are
allowed to execute within the beans.

146
EJB Security Architecture

Programmatic security
The EJB API provides several methods that
indicate the role of the caller and the principal
of the caller to control the execution of
application security

147
(No Transcript)
148
(No Transcript)
149
(No Transcript)
150
(No Transcript)
151
(No Transcript)
152
J2EE Protection Domain
153
(No Transcript)
154
(No Transcript)
155
(No Transcript)
156
Contact Details
Dr. Waitak Wong Email wtwong_at_mi.chu.edu.tw
Phone 03-5186529 Department of Information
Management Chu Hua University No. 707, Sec. 2,
WuFu Rd., Hsinchu, Taiwan
157
Grossary