cs205: engineering software, University of Virginia, Fall 2006

Slide 1: Forgiveness and Permissions
Slide 2: Program Execution

[Diagram: a Program's requests to resources (Monitor, Speakers, SuperSoaker 2000, Disk, Memory, Network) pass through a Reference Monitor that sits between the program and the resources.]
Slide 3: Policy and Mechanism

• AccessController provides a mechanism for enforcing a security policy
  – Can insert checking code before certain operations are allowed
• A security policy determines what the checking code allows
Slide 4: Java Policy

[jre directory]\lib\security\java.policy

    // Standard extensions get all permissions by default
    grant codeBase "file:${{java.ext.dirs}}/*" {
        permission java.security.AllPermission;
    };

    // default permissions granted to all domains
    grant {
        // Allows any thread to stop itself using the java.lang.Thread.stop()
        // method that takes no argument.
        // Note that this permission is granted by default only to remain
        // backwards compatible.
        // It is strongly recommended that you either remove this permission
        // from this policy file or further restrict it to code sources
        // that you specify, because Thread.stop() is potentially unsafe.
        // See "http://java.sun.com/notes" for more information.
        permission java.lang.RuntimePermission "stopThread";

        // allows anyone to listen on un-privileged ports
        permission java.net.SocketPermission "localhost:1024-", "listen";

        // ... (also allows some standard properties to be read)
    };
Slide 5: Permissions

[Class hierarchy diagram:]
    java.security.Permission
        AllPermission
        java.io.FilePermission
        SocketPermission
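An added example, not from the slides, that separates the two ideas of slides 3 to 5 in running code. The names SoakerPermission, SuperSoaker, PolicyMechanismDemo and policyGranting are made up for the slide 2 "SuperSoaker 2000" resource; AccessController.checkPermission, BasicPermission, Permissions and Policy are the real java.security classes. The check is the mechanism and never changes; only the Policy object, which stands in for a grant block of java.policy, decides the outcome. It targets the JDK 8 to 17 security model (SecurityManager and Policy were deprecated in JDK 17 and disabled in JDK 24) and does not install a SecurityManager, since AccessController.checkPermission consults the caller's ProtectionDomain and the installed Policy regardless.

```java
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.BasicPermission;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.ProtectionDomain;

// Hypothetical permission type for the slide's "SuperSoaker 2000" resource (not a JDK class).
// BasicPermission implies by exact name, so "fire" only matches a grant of "fire" (or "*").
final class SoakerPermission extends BasicPermission {
    SoakerPermission(String name) { super(name); }
}

// The guarded resource. MECHANISM: the check is inserted in front of the sensitive
// operation. AccessController walks the protection domains of every caller on the
// stack and throws AccessControlException unless all of them hold the permission.
final class SuperSoaker {
    private int shotsFired = 0;

    void fire() {
        AccessController.checkPermission(new SoakerPermission("fire"));
        shotsFired++;
    }

    int shotsFired() { return shotsFired; }
}

public class PolicyMechanismDemo {
    // POLICY: decides which permissions a protection domain holds. The default Policy
    // reads java.policy; this stand-in is the in-code equivalent of a single grant
    // block with no codeBase, i.e. the same grant for every code source:
    //     grant { permission SoakerPermission "fire"; };
    static Policy policyGranting(Permission... granted) {
        final Permissions perms = new Permissions();
        for (Permission p : granted) {
            perms.add(p);
        }
        return new Policy() {
            @Override
            public boolean implies(ProtectionDomain domain, Permission permission) {
                return perms.implies(permission);
            }
        };
    }

    // Same mechanism, same code path; only the installed policy differs between calls.
    static boolean tryFire(SuperSoaker soaker) {
        try {
            soaker.fire();
            return true;
        } catch (AccessControlException denied) {
            return false;
        }
    }

    public static void main(String[] args) {
        SuperSoaker soaker = new SuperSoaker();

        Policy.setPolicy(policyGranting());                                 // empty grant block
        System.out.println("empty policy, fire allowed: " + tryFire(soaker));

        Policy.setPolicy(policyGranting(new SoakerPermission("fire")));     // the needed grant
        System.out.println("'fire' granted, fire allowed: " + tryFire(soaker));

        Policy.setPolicy(policyGranting(new SoakerPermission("pump")));     // a different action
        System.out.println("only 'pump' granted, fire allowed: " + tryFire(soaker));

        System.out.println("shots actually fired: " + soaker.shotsFired());
    }
}
```

Read the three calls against slide 3: the checking code in fire() is identical each time, so what the program may do is entirely a property of the policy, which is why a too-generous java.policy (slide 8, "policy is too weak") defeats a correct mechanism.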
Slide 6: Better Solution?

• Impose a policy on the browser and everything running inside it
• Windows Vista will do this:
  – Browser runs at “low integrity” mode
  – Low integrity processes cannot:
    • Modify higher integrity securable objects (e.g., files, network sockets,
    • Interact with higher integrity
Slide 7: Hostile Applets

• See http://java.sun.com/sfaq/chronology.html (about 1 new vulnerability/month)
• Easy to write “annoying” applets (policy is too imprecise; no way to constrain many resource operations)
• Don’t try these at home... http://www.cigital.com/hostile-applets/index.html
Slide 8: What can go wrong?

• Java API doesn’t call the right SecurityManager checks (63 calls in java.*)
  – Font loading bug, synchronization
• ClassLoader is tricked into loading an external class as internal
• Policy is too weak (allows damaging behavior)
• Enforcement relies on low-level code safety properties
Slide 9: Project Team Management

• “Democracy”
  – Works fine but doesn’t scale
  – If everyone is responsible, no one is responsible
• “Hierarchy”
  – Someone is in charge: delegates work, responsible for making sure it gets done
  – Requires leadership, subordination – difficult in peer groups
Slide 10: Bytecode Verifier

[Diagram: malcode.class (JVML object code) is fed to the Java Bytecode Verifier, which together with the JavaVM forms the Trusted Computing Base. If the verifier answers “Okay”, the code runs on the user's (Alice's) JavaVM; if it answers Invalid, the code is stopped (STOP).]
Slide 11: Computer Architecture

• Processor: does computation
• Memory: stores bits
• Input Devices (mouse, keyboard, accelerometer): get input from user and environment
• Output Devices (display, speakers): present output to user
Slide 12: Central Processing Unit (CPU)
Slide 13: Intel 4004

• First general purpose microprocessor, 1971
• 4-bit data
• 46 instructions
  – 8-bit instructions!
Slide 14: PC Motherboard

[Photo with the Memory and CPU labelled; from http://www.cyberiapc.com/hardwarebeg.htm]
Slide 15: Inside the CPU

• Registers
• Loads and decodes instructions from memory
• ALU: Arithmetic Logic Unit
  – Does arithmetic
  – Can only operate on values in registers
  – Must load values from memory into registers before computing with them
Slide 16: Compiler

• Translates a program in a high-level language into machine instructions
• Calling convention
  – How are parameters passed to functions
  – How is the stack managed to return
• Register allocation
  – Figure out how to use registers efficiently
Slide 17

Source:

    /* as written on the slide: with this comparison the function returns the smaller of a and b */
    int max (int a, int b) {
        if (a > b) {
            return b;
        } else {
            return a;
        }
    }

x86 disassembly, with the source line numbers (6-10) interleaved; the slide's annotations are given as comments on the right:

    6:    int max (int a, int b) {
    00401010  push  ebp                      ; push instruction is 1 byte
    00401011  mov   ebp,esp                  ; mov instruction is 2 bytes
    00401013  sub   esp,40h                  ; dealing with function call:
    00401016  push  ebx                      ;   updating stack,
    00401017  push  esi                      ;   moving arguments
    00401018  push  edi
    00401019  lea   edi,[ebp-40h]
    0040101C  mov   ecx,10h
    00401021  mov   eax,0CCCCCCCCh
    00401026  rep stos dword ptr [edi]
    7:    if (a > b) {
    00401028  mov   eax,dword ptr [ebp+8]
    0040102B  cmp   eax,dword ptr [ebp+0Ch]
    0040102E  jle   max+25h (00401035)
    8:    return b;
    00401030  mov   eax,dword ptr [ebp+0Ch]
    00401033  jmp   max+28h (00401038)
    9:    } else {
    10:   return a;
    00401035  mov   eax,dword ptr [ebp+8]
    00401038  pop   edi                      ; cleanup and return
    00401039  pop   esi
    0040103A  pop   ebx
    0040103B  mov   esp,ebp
    0040103D  pop   ebp
    0040103E  ret
Slide 18: Java Virtual Machine
Slide 19: Java Ring (1998)
Slide 20: Java Card
Slide 21: Java Virtual Machine

• Small and simple to implement
• All VMs will run all programs the same way
• Secure
Slide 22: Implementing the JavaVM

    load class into memory
    set the instruction pointer to point to the beginning of main
    do {
        fetch the next instruction
        execute that instruction
    } while (there is more to do);

Some other issues we will talk about next week:
• Verification – need to check byte codes satisfy security policy
• Garbage collection – need to reclaim unused storage
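An added example, not from the slides, that makes the loop above and the verifier of slide 10 concrete: a toy interpreter for a small straight-line subset of JVML. The opcode values are the real ones from the JVM specification; the subset, the class and method names (MiniJvm, verify, execute, code) and the sample programs are constructed for this example. The verifier runs once, before the first instruction executes, so the interpreter loop itself needs no per-instruction stack checks; a program that would underflow the operand stack, exceed max_stack, run off the end of the code, or use an opcode outside the subset is rejected with a VerifyError and never runs.

```java
import java.util.Arrays;

public class MiniJvm {
    // Real JVM opcode values (JVM spec chapter 6); only this subset is supported here.
    static final int ICONST_0 = 0x03;   // iconst_0 .. iconst_5 occupy 0x03 .. 0x08
    static final int ICONST_5 = 0x08;
    static final int BIPUSH   = 0x10;   // one signed-byte operand
    static final int IADD     = 0x60;
    static final int ISUB     = 0x64;
    static final int IMUL     = 0x68;
    static final int IRETURN  = 0xAC;

    // Helper to write a byte[] program from int opcode constants.
    static byte[] code(int... bytes) {
        byte[] out = new byte[bytes.length];
        for (int i = 0; i < bytes.length; i++) out[i] = (byte) bytes[i];
        return out;
    }

    // Verification: one pass over the code tracking operand-stack depth. Rejects
    // stack underflow, depth above max_stack, truncated operands, unknown opcodes,
    // code after ireturn, and control falling off the end without returning.
    static void verify(byte[] code, int maxStack) {
        int depth = 0;
        int pc = 0;
        while (pc < code.length) {
            int op = code[pc] & 0xFF;
            if (op >= ICONST_0 && op <= ICONST_5) {
                pc += 1; depth += 1;
            } else if (op == BIPUSH) {
                if (pc + 1 >= code.length) throw new VerifyError("truncated bipush at pc " + pc);
                pc += 2; depth += 1;
            } else if (op == IADD || op == ISUB || op == IMUL) {
                if (depth < 2) throw new VerifyError("operand stack underflow at pc " + pc);
                pc += 1; depth -= 1;
            } else if (op == IRETURN) {
                if (depth != 1) throw new VerifyError("ireturn with stack depth " + depth + " at pc " + pc);
                if (pc + 1 != code.length) throw new VerifyError("unreachable code after ireturn at pc " + pc);
                return;   // verified: the method ends with exactly one int on the stack
            } else {
                throw new VerifyError(String.format("unsupported opcode 0x%02X at pc %d", op, pc));
            }
            if (depth > maxStack) throw new VerifyError("stack depth " + depth + " exceeds max_stack=" + maxStack + " at pc " + pc);
        }
        throw new VerifyError("control falls off the end of the code");
    }

    // Execution: the slide's fetch / execute loop. Verification happened first, so
    // every stack access below is already known to be in bounds.
    static int execute(byte[] code, int maxStack) {
        verify(code, maxStack);
        int[] stack = new int[maxStack];
        int sp = 0;                              // operand stack pointer
        int pc = 0;                              // instruction pointer -> beginning of the code
        while (true) {
            int op = code[pc++] & 0xFF;          // fetch the next instruction
            if (op >= ICONST_0 && op <= ICONST_5) {
                stack[sp++] = op - ICONST_0;     // iconst_n pushes the constant n
            } else if (op == BIPUSH) {
                stack[sp++] = code[pc++];        // operand byte is sign-extended to int
            } else if (op == IRETURN) {
                return stack[--sp];              // "there is more to do" becomes false
            } else {                             // iadd / isub / imul
                int b = stack[--sp], a = stack[--sp];
                stack[sp++] = (op == IADD) ? a + b : (op == ISUB) ? a - b : a * b;
            }
        }
    }

    public static void main(String[] args) {
        // Constructed program computing (6 + 7) * 2 - 1 with max_stack = 2.
        byte[] good = code(BIPUSH, 6, BIPUSH, 7, IADD, ICONST_0 + 2, IMUL, ICONST_0 + 1, ISUB, IRETURN);
        System.out.println("result = " + execute(good, 2));

        // Constructed programs the verifier must reject before any instruction runs.
        byte[][] bad = {
            code(IADD, IRETURN),                                // underflow: iadd on an empty stack
            code(ICONST_0 + 1, ICONST_0 + 2),                   // never returns
            code(BIPUSH, 1, BIPUSH, 2, BIPUSH, 3, IRETURN),     // depth 3 exceeds max_stack = 2
            code(0xB8, IRETURN),                                // invokestatic: outside this subset
        };
        for (byte[] program : bad) {
            try {
                execute(program, 2);
                System.out.println("accepted " + Arrays.toString(program) + " (should not happen)");
            } catch (VerifyError e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The split between verify() and execute() is the point of the trusted computing base in slide 10: the interpreter trusts the verifier's result, so a verifier bug (accepting code that underflows the stack, for instance) becomes an interpreter memory-safety bug, which is what slide 8 means by "enforcement relies on low-level code safety properties".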
Slide 23: Charge

• Next classes: understanding byte codes and the byte code verifier
• Project ideas due Wednesday