Applet Security

1
Applet Security

• Team Web
• Charles Moen and XiaoJun Zhang
• CSCI 5931.01 Web Security
• March 26, 2003

2
Topics

• The Sandbox
• Stepping Outside the Sandbox
• Applets the Policy File
• RSA-Signed Applets
• The Java Plug-in
• Signed Applets in Netscape
• Signed Applets in MS Internet Explorer
• Secure JDBC Connection for Applets

3
Java 2 Security Model

• Policy-based
• Security policy limits the resources a program
  can use
• java.policy
• Permissions
• Actions that are allowed

4
The Sandbox
Memory
Operating System
Local Code Java Virtual Machine
5
Stepping Outside the Sandbox

• Many reasons for stepping outside the sandbox
• Java 2 Security Modeltwo methods
• The client can grant permissions by editing the
  policy file, java.policy
• The developer can use an RSA-signed applet that
  can be granted or denied permission by the client

6
Stepping Outside the Sandbox in Java 2The Policy
File
Memory
Operating System
Local Code Java Virtual Machine
HTTP
7
Stepping Outside the Sandbox in Java 2RSA-Signed
Applets
Memory
Operating System
Local Code Java Virtual Machine
8
The Java Plug-in

• Downloadable helper program that works with a
  browser
• Consistent runtime environment for Java
• Supports all Java functions
• Can be called instead of the browsers VM
• Introduced with Java 2
• Part of JDK and JRE
• Downloaded the first time it is needed by browser

9
The Java Plug-in

• Advantages
• Consistency across browsers
• Java capabilities provided to old browsers
• Same security model as Java 2
• Major browsers had different security models
• Differences require different development
• Weakness
• Huge download5 to 6 MB

10
Example 1 Applets the Policy File

• Stepping out of the sandbox, method 1
• Create an applet, Java Security, p. 205

public void init() try mUsername
System.getProperty("user.name") catch(
SecurityException e ) mUsername
null
ltAPPLET CODE"UsernameApplet.class" WIDTH"300"
HEIGHT"200"gtlt/APPLETgt
11
Example 1 Applets the Policy File
C\gt appletviewer UsernameApplet.html
12
Example 1 Applets the Policy File

• Use a policy file UsernameApplet.policy

grant codeBase "file/devJava/"
permission java.util.PropertyPermission
"user.name", "read"
appletviewer -J-Djava.security.policyUsernameAppl
et.policy UsernameApplet.html
13
Running Example 1 in a Browser

• Change APPLET to OBJECT
• APPLET is deprecated
• Specify codebase for downloading plug-in
• Use HTMLConverter
• Edit java.policy
• Grant permission, like in our example

14
1. Change APPLET to OBJECT

• HTMLConverter
• Bundled in J2SE SDK (error on p. 206)
• http//java.sun.com/j2se/1.4.1/docs/guide/plugin/d
  eveloper_guide/faq/developer.html
• Either command line or GUI
• gt java HTMLConverter ltthe html filegt
• Result on page 207
• For IE, converts to OBJECT element
• For NS, converts to EMBED element

15
C\jdk1.4.1\libgt..\bin\java -jar
htmlconverter.jar -gui
16
2. Edit java.policy

• Must be done by the user
• Location is problematic
• C\Program Files\Java\j2re1.4.0_01\lib\security
• C\j2sdk1.4.0_01\jre\lib\security
• UHCL PC Lab unable to edit
• Add the following to run our example

grant codeBase "file/devJava/"
permission java.util.PropertyPermission
"user.name", "read"
17
Open UsernameApplet.HTML
18
Example 2 RSA Signed Applets

• Stepping out of the sandbox, method 2
• Real deployment requires a certificate from
  Verisign or Thawte
• Jarsigner can sign applets
• If the Java plug-in finds an RSA-signed digital
  certificate in a downloaded JAR
• Checks security policy for usePolicy
• Checks the signatures CA
• Then asks user if its okay

19
Example 2 RSA Signed Applets

• Step 1 Generate a key and certificate
• Step 2 Install the certificate
• Step 3 Create the JAR and sign it
• Step 4 Deploy the JAR in the HTML
• Step 5 Open the HTML in a browser

20
1. Generate a key certificate

• Use the keytool to generate a key

C\gtkeytool -genkey -alias appletsigningkey
-keyalg RSA

• For real deployment
• Page 212
• Create a csr file with -certreq
• Order a signed certificate from a CA

• Export the certificate

C\gtkeytool -export -alias appletsigningkey -file
appletsigningkey.cer
21
2. Install the certificate

• Windows
• Double-click on the filename
• Click on the Install Certificate button
• Follow the steps in the Wizard, pp. 210211

22
3. Create the JAR and sign it

• Create a JAR containing our applet class

C\gt jar cvf UsernameApplet.jar
UsernameApplet.class

• Sign the JAR with jarsigner

C\gt jarsigner UsernameApplet.jar appletsigningkey
23
4. Deploy the JAR in HTML

• Add the ARCHIVE attribute(Not mentioned in the
  book, p. 212)

ltAPPLET CODEUsernameApplet.class WIDTH300
HEIGHT200 ARCHIVEUsernameApplet.jargtlt/APPLET
gt

• Can then use HTMLConverter

24
5. Open the HTML in browser
25
Signed Applets in Netscape

• Netscape 6 and 7 use the Java plug-in
• Netscape 4 uses its own security model
• Applet asks for permission
• Called the Capabilities API
• Uses proprietary Netscape classes
• Incompatible with any other browser

26
Signed Applets in Netscape 4

• Modifications that use the Capabilities API, page
  215

public void init() try PrivilegeManager.ena
blePrivilege("UniversalPropertyRead")
mUsername System.getProperty("user.name")
PrivilegeManager.revertPrivilege("UniversalPropert
yRead") catch( SecurityException e )
mUsername null
C\gt javac -classpath .capsapi_classes.zip Userna
meNetscapeApplet.java
27
Signed Applets in Netscape 4

• Deploying the applet
• Must be signed
• Use Netscapes signtool
• Initialize the certificate database
• Using Netscape, page 217
• Click on the lock icon at the lower left
• Click on Certificate gt Yours
• Click on Import a Certificate
• Set the password, then Cancel the import

28
Signed Applets in Netscape 4

• Create a self-signed certificate and key

C\gt signtool -G"testsigner"
-d"C\ProgramFiles\Netscape\Users\crmoen"

• Create a directory and put in the class

• Add an ARCHIVE attribute to the HTML
• Open the HTML file in Netscape, p. 220

29
Signed Applets in Microsoft IE

• Microsoft VM security model
• As of Jan. 21, 2003, by court order
• Microsoft VM support discontinued
• Tools are no longer available
• Sun JRE is provided with IE

the U.S. District Court in Baltimore, Md.
issued a preliminary injunction order requiring
Microsoft to include the latest Java Runtime
Environment (JRE) from Sun Microsystems
inversions of the Microsoft Windows XP
operating system or Microsoft Internet Explorer
5

• MS recommends convert applets to .NET

30
Signed Applets in Microsoft IE

• Security levels for applets
• Highthe sandbox
• Mediumsome extras like disk scratch files
• HOWTO Using Scratch Space From Your Java Applet
  - http//support.microsoft.com/default.aspx?scidk
  bEN-US172200
• Lowsame as AllPermission in Java 2
• Customsimilar to policy file in Java 2
• Cab files are used for signed applets
• Tools are in the Microsoft SDK for Java(No
  longer available)

31
Secure JDBC Connectionfor Applets 6

• The problem
• Firewalls interfere with the connection between a
  Java applet and an external db
• The solution from IDS Software
• The applet uses an IDS JDBC driver to connect to
  an IDS server using HTTPS

32
Secure JDBC Connectionfor Applets 6

• The client is behind a firewall.
• The proxy server relays the clients HTTP and/or
  HTTPS requests.
• Proxy relays HTTP requests
• To provide Internet access
• Parses the content
• Assumes the connection is non-persistent and
  drops the connection
• Proxy also relays HTTPS requests
• Assumes that it cannot parse content
• Cannot drop connection until client does

33
Secure JDBC Connectionfor Applets 6

• Required conditions
• Proxy allows outbound HTTPS connections
• Applet must obtain the browser proxy server
  setting
• Applet must be signed
• IDS server must use ports 443 or 563
• ProxyProperties class from IDS
• Obtains the proxy settings
• Instance passed to the the IDS driver when it
  creates a connection to the db

34
Secure JDBC Connectionfor Applets 6
Driver drv new ids.sql.IDSDriver()
Properties info new ProxyProperties() String
host info.getProperty("https.proxyHost")
if (host ! null) info.put("proxy_type",
"4") // SSL Tunneling info.put("proxy_host",
host) info.put("proxy_port",
info.getProperty("https.proxyPort")) try
//For Netscape PrivilegeManager.enablePrivilege(
"UniversalConnect") catch (Throwable e)

Connection conn drv.connect(url, info)
35
Secure JDBC Connectionfor Applets 6
client-side firewall
36
Bibliography

• 1 J. Garms and D. Somerfield. Professional Java
  Security. Birmingham, UK Wrox Press Ltd., 2001,
  pp. 202228.
• 2 M. Pistoia, et al. Java 2 Network Security,
  2nd ed. New Jersey Prentice Hall PTR, 1999.
• 3 J. Conallen. Building Web Applications with
  UML. Addison-Wesley, 2000, pp. 7072.
• 4 Sun (n.d.). Developer Guide FAQs. Online.
  Available http//java.sun.com/j2se/1.4.1/docs/gui
  de/plugin/developer_guide/faq/developer.html
• 5 Microsoft (2003, Jan.). Microsoft VM
  Developer FAQ. Online. Available
  http//www.microsoft.com/java/developerFAQ.htm
• 6 IDS Software (1999, Nov.). JDBC Connection
  via HTTPS Proxy. Online. Available
  http//www.idssoftware.com/jdbchttps.html