Tuesday, March 29, 2011

Using Java Security Wisely

by Jeremy Powell


Java has been touted as one of the most secure development platforms ever created. While I personally tend to be very conservative about labeling any software as secure, I have to admit that there are some promising security features in Java. The two most powerful mechanisms are the Java type system and Java security managers.

Java's first line of defense is its type system. A type system is a set of rules regarding how objects in memory can be operated on, and Java's particular flavor is quite rigorous. Every single bit of memory managed by the Java Virtual Machine is associated with a type, which restricts users, malicious or otherwise, from using those bits in any other way than the developer intended. Many memory corruption based attacks such as stack smashing, heap overflows, and format string exploits in C and C++ are rendered nearly useless in Java because of this mechanism.

Although the Java type system is free and generally requires little effort to utilize it, the mechanisms implemented in the Java security managers operate on a higher level and require much more care and thought. A security manager (java.lang.SecurityManager) contains callback methods that can be called by objects to see if the defined security policy allows that entity access to that method. This mechanism is actually already embedded into many of the more sensitive classes in the Java standard libraries. For example, file read operations (java.io.File) invoke the callback checkRead() to check that the calling thread has read access to the particular file. If it does not, then a security exception (java.lang.SecurityException) is thrown.

The security policy is customizable. Developers (and administrators) can customize the access policy according to their needs. They can also subclass the security manager and add custom hooks for their proprietary code. Given enough time, a developer could build a framework around his application that lets him or her specify exactly how differently privileged threads can access different objects.

The fact that these mechanisms are there, grants Java some nice bragging rights. However, they are of no use to anyone if they are not used, or if they are used incorrectly without regard to an overall security architecture.

2 comments:

  1. In order to use java security accurately here are some secure coding guidelines...
    http://www.oracle.com/technetwork/java/seccodeguide-139067.html

    ReplyDelete
  2. Jeremy, first let me thank you for educating your readers that Java is systematically more secure than languages such as C/C++ or Assembly. I am myself an advocate of Memory Safe Programming Languages (also called Type Safe Programming Languages).
    There are many more languages of this kind around, namely Cyclone and Modula-3. I invented one myself and I leave it to the reader to find out which one it is.
    Unfortunately, Java comes with a lot of runtime inefficiency, which is not really required. For example, Full Automatic Garbage Collection is not necessary for a Memory Safe Programming Language. Also, current Java implementations are not really that robust, which you can verify by running the YaCy Distributed Search Engine. It will sooner or later crash the JVM while parsing some PDF from the internet.
    So there is a lack of "Proven Correct" implementations of Compilers, Operating Systems, Web Browsers, Sandboxes and so on. If the firehose of government funding could be turned to these rather limited endeavours...

    ReplyDelete

Comments are moderated with the goal of reducing spam. This means that there may be a delay before your comment shows up.