Java Security - PowerPoint PPT Presentation

Java Security Susan Kovacs – PowerPoint PPT presentation

Transcript and Presenter's Notes

1
Java Security
  • Susan Kovacs

2
Topics of Discussion
  • Why is security an issue?
  • Types of security breaches
  • Java's approach
      • the Language
      • the Libraries
      • Browsers
  • Conclusion

3
Why is security an issue?
What is an applet?
A Java program that is run from inside a web
browser. The HTML page loaded into the web
browser contains an <applet> tag, which tells the
browser where to find the Java .class files. For
example,
appletviewer http://foo.com/jo/coolApplet.html
4
Why is security an issue?
The class files for an applet are automatically
downloaded when a user goes to the containing Web
page in a browser. It is therefore likely that a
user will encounter applets from untrusted
sources. Without any security, this would be a
convenient way to spread viruses.
5
Types of breaches
  • Integrity Attacks
  • Availability Attacks
  • Disclosure Attacks
  • Annoyance Attacks

6
Types of breaches
  • Integrity Attacks
      • Deletion / modification of files
      • Modification of memory currently in use
      • Killing processes / threads

7
Types of breaches
  • Availability Attacks
      • Allocating large amounts of memory
      • Creating thousands of windows
      • Creating high priority process / threads

8
Types of breaches
  • Disclosure Attacks
      • Mailing information about your machine
      • /etc/passwd
      • Sending personal or company files to an adversary
        or competitor over the network

9
Types of breaches
  • Annoyance Attacks
      • Displaying obscene pictures on your screen
      • Playing unwanted sounds over your computer

10
Java's Approach ...
  • The Language
  • The Libraries
  • Browsers

11
The Language
  • Access control
  • Type-safe
  • Absence of pointers
  • Garbage collection
  • Packages

12
The Language
  • Access control
      • public
      • private
      • final

13
The Language
  • Type-safe

The compile-time type and runtime type of
variables are guaranteed to be compatible. This
prevents the forging of access to objects to get
around access control.
14
The Language
  • Absence of pointers

Pointers cannot be directly manipulated by user
code. Prevents both malicious and accidental
misuse of pointers.
15
The Language
  • Garbage collection

Manual deallocation provides a round-about way of
illegally casting. Java uses garbage collection
to recover unused memory instead of relying on
explicit user deallocation.
16
The Language
  • Packages

Provides namespace encapsulation. Prevents
downloaded code from shadowing system library
code with malicious code.
17
The Libraries
  • Security Manager
  • Class Loader

18
The Libraries
  • Security Manager

Contains methods which are intended to be called
to check specific types of actions. It is
intended to be subclassed and used to instantiate
the desired security policy.
19
The Libraries
  • Security Manager

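Example:

    public boolean mkdir(String path) throws IOException {
        // Ask the installed security manager (if any) before touching the file system.
        SecurityManager security = System.getSecurityManager();
        if (security != null) {
            // Throws SecurityException if the policy forbids writing to this path.
            security.checkWrite(path);
        }
        // Only reached when the check passed: perform the native operation.
        return mkdir0();
    }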
20
The Libraries
  • Class Loader

Class loaders are responsible for importing
binary data that defines the running program's
classes and interfaces. Two types: primordial
and object.
21
The Libraries
  • Class Loader

Due to the JVM's approach to loading classes, classes
can by default only see other classes that were
loaded by the same class loader. This allows for
multiple namespaces inside a single Java
application.
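The namespace separation described above, as an added example that is not part of the original presentation: the same class file loaded through two separate loaders yields two unrelated classes. NamespaceDemo and Widget are hypothetical names, and the class must be compiled with javac first so that it has a code-source location on disk.

```java
import java.net.URL;
import java.net.URLClassLoader;

public class NamespaceDemo {
    // Hypothetical class standing in for code fetched by two different loaders.
    public static class Widget { }

    public static void main(String[] args) throws Exception {
        // Directory or jar this demo was compiled into.
        URL here = NamespaceDemo.class.getProtectionDomain().getCodeSource().getLocation();
        String name = Widget.class.getName();

        // parent == null: each loader delegates only to the bootstrap (primordial)
        // loader, so each one defines its own copy of Widget.
        try (URLClassLoader a = new URLClassLoader(new URL[] { here }, null);
             URLClassLoader b = new URLClassLoader(new URL[] { here }, null)) {
            Class<?> wa = a.loadClass(name);
            Class<?> wb = b.loadClass(name);

            System.out.println("same name:  " + wa.getName().equals(wb.getName()));
            System.out.println("same class: " + (wa == wb));
            // System classes are not duplicated: both loaders get the bootstrap copy.
            System.out.println("shared java.lang.String: "
                    + (a.loadClass("java.lang.String") == b.loadClass("java.lang.String")));

            Object fromA = wa.getDeclaredConstructor().newInstance();
            try {
                wb.cast(fromA);   // a's Widget is not b's Widget
                System.out.println("cast across namespaces succeeded");
            } catch (ClassCastException e) {
                System.out.println("cast across namespaces rejected");
            }
        }
    }
}
```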
22
Browsers
  • The Web browser defines and implements a security
    policy for running downloaded Java code.
  • A Java-enabled web browser includes:
      • Java interpreter and runtime libraries
      • classes to implement a Security Manager
      • various Class Loaders

23
Examples
    import java.awt.*;
    import java.io.*;
    import java.lang.*;
    import java.applet.*;

    public class exitTest extends Applet {
        public void paint(Graphics g) {
            try {
                // The browser's security manager should refuse this call.
                Runtime.getRuntime().exit(-1);
            } catch (SecurityException e) {
                g.drawString("Caught security exception trying to quit", 10, 10);
            }
        }
    }
24
Examples
Conclusion: An applet can't kill the browser
that loaded it, unless you load the applet from a
directory on your CLASSPATH.
For further examples please visit
http://java.sun.com/sfaq/examples
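An added example (not from the original presentation): a SecurityManager subclass that applies the check-before-act pattern of the mkdir example and refuses exit() as in exitTest. SandboxManager and the sandbox directory are hypothetical names; the Security Manager API is deprecated since Java 17, needs -Djava.security.manager=allow on JDK 18 to 23, and can no longer be enabled from JDK 24 on.

```java
import java.io.File;
import java.io.IOException;
import java.security.Permission;

// SandboxManager and the "sandbox" directory are hypothetical names for this example.
public class SandboxManager extends SecurityManager {
    private final String allowedPrefix;

    public SandboxManager(File sandboxDir) throws IOException {
        // Canonicalize once so later prefix checks compare resolved paths.
        allowedPrefix = sandboxDir.getCanonicalPath() + File.separator;
    }
    @Override
    public void checkPermission(Permission perm) {
        // Demo policy: allow everything except swapping out this manager.
        if (perm instanceof RuntimePermission && "setSecurityManager".equals(perm.getName())) {
            throw new SecurityException("replacing the security manager is denied");
        }
    }
    @Override
    public void checkExit(int status) {
        throw new SecurityException("exit(" + status + ") denied");
    }
    @Override
    public void checkWrite(String path) {
        try {
            // Resolve ".." and symlinks before comparing against the sandbox root.
            String canonical = new File(path).getCanonicalPath() + File.separator;
            if (!canonical.startsWith(allowedPrefix)) {
                throw new SecurityException("write outside sandbox denied: " + path);
            }
        } catch (IOException e) {
            throw new SecurityException("cannot resolve path: " + path);
        }
    }
    public static void main(String[] args) throws Exception {
        File sandbox = new File(System.getProperty("java.io.tmpdir"), "sandbox");
        System.setSecurityManager(new SandboxManager(sandbox));
        try {
            new File(sandbox, "../escape").mkdir();   // File.mkdir() calls checkWrite first
        } catch (SecurityException e) {
            System.out.println("mkdir blocked: " + e.getMessage());
        }
        try {
            Runtime.getRuntime().exit(-1);            // Runtime.exit() calls checkExit first
        } catch (SecurityException e) {
            System.out.println("exit blocked: " + e.getMessage());
        }
    }
}
```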
25
Conclusion
In order for a program to be useful, it needs to
access certain resources. Therefore, the key is
not to deny all access but rather to provide
secured access in a controlled environment. Though
Java is not yet perfected, its features and
properties have allowed for a good balance of
power and security.
26
Questions ...
THANK YOU!
27
References
  • Flanagan, David. Java in a Nutshell. 2nd Ed.
    O'Reilly, California, 1997.
  • Bank, Joseph. Java Security.
    http://swissnet.ai.mit.edu/jbank/javapaper/javapaper.html.
    11 March 2004.
  • Venners, Bill. Security and the class loader
    architecture.
    http://www.javaworld.com/javaworld/jw-09-1997/jw-09-hood_p.html.
    27 March 2004.
  • Applet Security. http://java.sun.com/sfaq. 27
    March 2004.