cs205: Engineering Software, University of Virginia, Fall 2006: Forgiveness and Permissions


Page 1: Forgiveness and Permissions (title slide)

Page 2: Program Execution

[Diagram: every request the Program makes for a resource (Monitor, Speakers, SuperSoaker 2000, Disk, Memory, Network) passes through a Reference Monitor, which decides whether the access is allowed.]

Page 3: Policy and Mechanism

• AccessController provides a mechanism for enforcing a security policy
  – Checking code can be inserted before certain operations are allowed
• A security policy determines what the checking code allows

Page 4: Java Policy

[jre directory]\lib\security\java.policy

// Standard extensions get all permissions by default
grant codeBase "file:${{java.ext.dirs}}/*" {
    permission java.security.AllPermission;
};

// default permissions granted to all domains
grant {
    // Allows any thread to stop itself using the java.lang.Thread.stop()
    // method that takes no argument.
    // Note that this permission is granted by default only to remain
    // backwards compatible.
    // It is strongly recommended that you either remove this permission
    // from this policy file or further restrict it to code sources
    // that you specify, because Thread.stop() is potentially unsafe.
    // See "http://java.sun.com/notes" for more information.
    permission java.lang.RuntimePermission "stopThread";

    // allows anyone to listen on un-privileged ports
    permission java.net.SocketPermission "localhost:1024-", "listen";

    // ... (also allows some standard properties to be read)
};
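The policy/mechanism split of the last two slides, as an added worked example that is not code from the slides: the policy is the set of permissions granted by the default `grant { ... }` block above, rebuilt as `java.security.Permission` objects, and the mechanism is a check that a requested permission is implied by that set, which is exactly what `Permissions.implies` computes. The class name `PolicyCheck`, the helper names and the sample requests are my own. It compiles and runs with plain `javac`/`java` and does not need `-Djava.security.manager`; on current JDKs the `SecurityManager`/`AccessController` machinery is deprecated for removal (JDK 17, JEP 411) and permanently disabled (JDK 24, JEP 486), but the `Permission` classes and their `implies` logic still exist and are what a policy check ultimately reduces to.

```java
import java.io.FilePermission;
import java.net.SocketPermission;
import java.security.Permission;
import java.security.Permissions;

/**
 * Policy = a set of granted permissions; mechanism = a check, inserted before a
 * sensitive operation, that the requested permission is implied by the policy.
 * (Added example; class and helper names are hypothetical, not from the slides.)
 */
public class PolicyCheck {

    /** The two grants of the slide's default "grant { ... }" block, as Permission objects. */
    static Permissions defaultDomainPolicy() {
        Permissions granted = new Permissions();
        granted.add(new RuntimePermission("stopThread"));
        granted.add(new SocketPermission("localhost:1024-", "listen"));
        return granted;
    }

    /** The mechanism: a yes/no decision that depends only on the policy. */
    static boolean allowed(Permissions policy, Permission requested) {
        return policy.implies(requested);
    }

    /** What a guarded API would call immediately before performing the operation. */
    static void check(Permissions policy, Permission requested) {
        if (!allowed(policy, requested)) {
            throw new SecurityException("access denied: " + requested);
        }
    }

    public static void main(String[] args) {
        Permissions policy = defaultDomainPolicy();
        Permission[] requests = {                                   // constructed sample requests
            new SocketPermission("localhost:8080", "listen"),   // inside the granted port range: ALLOW
            new SocketPermission("localhost:80", "listen"),     // privileged port, not granted: DENY
            new SocketPermission("localhost:8080", "connect"),  // right port, wrong action: DENY
            new FilePermission("/etc/passwd", "read"),          // no FilePermission granted at all: DENY
            new RuntimePermission("stopThread"),                // the legacy entry: ALLOW
            new RuntimePermission("exitVM")                     // a different RuntimePermission target: DENY
        };
        for (Permission p : requests) {
            System.out.println((allowed(policy, p) ? "ALLOW  " : "DENY   ") + p);
        }
        // A guarded operation refuses to proceed when the check fails.
        try {
            check(policy, new FilePermission("/etc/passwd", "read"));
        } catch (SecurityException e) {
            System.out.println("guarded operation refused: " + e.getMessage());
        }
    }
}
```

Two details worth knowing when reading the output: `"localhost:1024-"` is the port range 1024 through 65535, so the listen on 8080 is implied and the listen on 80 is not; and `SocketPermission.implies` compares hosts by resolving the names, so it expects `localhost` to resolve (normally via the hosts file). The `connect` request is refused even on a granted port because the action set must also be a subset of what was granted; this is the same reason a too-coarse grant (say `AllPermission`, as in the extensions entry above) is dangerous: it implies everything.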

Page 5: Permissions

[Class hierarchy diagram:]
java.security.Permission
    java.security.AllPermission
    java.io.FilePermission
    java.net.SocketPermission

Page 6: Better Solution?

• Impose a policy on the browser and everything running inside it
• Windows Vista will do this:
  – Browser runs at “low integrity” mode
  – Low integrity processes cannot:
    • Modify higher integrity securable objects (e.g., files, network sockets,
    • Interact with higher integrity

Page 7: Hostile Applets

• See http://java.sun.com/sfaq/chronology.html (about 1 new vulnerability/month)
• Easy to write “annoying” applets (the policy is too imprecise; there is no way to constrain many resource operations)
• Don’t try these at home... http://www.cigital.com/hostile-applets/index.html

Page 8: What can go wrong?

• Java API doesn’t call the right SecurityManager checks (63 calls in java.*)
  – Font loading bug, synchronization
• ClassLoader is tricked into loading an external class as internal
• Policy is too weak (allows damaging behavior)
• Enforcement relies on low-level code safety properties

Page 9: Project Team Management

• “Democracy”
  – Works fine but doesn’t scale
  – If everyone is responsible, no one is responsible
• “Hierarchy”
  – Someone is in charge: delegates work, responsible for making sure it gets done
  – Requires leadership, subordination: difficult in peer groups

Page 10: Bytecode Verifier

[Diagram: malcode.class (JVML object code) is fed to the Java Bytecode Verifier. If the verifier says “Okay”, the code runs on the JavaVM on behalf of the user, Alice; if it is Invalid, the code is stopped (STOP). The verifier and the JavaVM together form the Trusted Computing Base.]

Page 11: Computer Architecture

• Processor: does computation
• Memory: stores bits
• Input Devices (mouse, keyboard, accelerometer): get input from user and environment
• Output Devices (display, speakers): present output to user

Page 12: Central Processing Unit (CPU)

[Image only.]

Page 13: Intel 4004

• First general purpose microprocessor, 1971
• 4-bit data
• 46 instructions
  – 8-bit instructions!

Page 14: PC Motherboard

[Photograph from http://www.cyberiapc.com/hardwarebeg.htm with the Memory and the CPU labelled.]

Page 15: Inside the CPU

• Registers
• Loads and decodes instructions from memory
• ALU: Arithmetic Logic Unit
  – Does arithmetic
  – Can only operate on values in registers
  – Must load values from memory into registers before computing with them

Page 16: Compiler

• Translates a program in a high-level language into machine instructions
• Calling convention
  – How are parameters passed to functions?
  – How is the stack managed to return?
• Register allocation
  – Figure out how to use registers efficiently

Page 17: max compiled to x86 (debugger disassembly listing)

Source:

int max (int a, int b) {
    if (a > b) {
        return b;
    } else {
        return a;
    }
}

(As written on the slide, this body returns the smaller of the two arguments; the disassembly below reflects exactly that, so the two stay consistent.)

Disassembly, interleaved with the source line numbers:

6:    int max (int a, int b) {
00401010  push  ebp
00401011  mov   ebp,esp
00401013  sub   esp,40h
00401016  push  ebx
00401017  push  esi
00401018  push  edi
00401019  lea   edi,[ebp-40h]
0040101C  mov   ecx,10h
00401021  mov   eax,0CCCCCCCCh
00401026  rep stos dword ptr [edi]
7:    if (a > b) {
00401028  mov   eax,dword ptr [ebp+8]
0040102B  cmp   eax,dword ptr [ebp+0Ch]
0040102E  jle   max+25h (00401035)
8:        return b;
00401030  mov   eax,dword ptr [ebp+0Ch]
00401033  jmp   max+28h (00401038)
9:    } else {
10:       return a;
00401035  mov   eax,dword ptr [ebp+8]
00401038  pop   edi
00401039  pop   esi
0040103A  pop   ebx
0040103B  mov   esp,ebp
0040103D  pop   ebp
0040103E  ret

Annotations on the slide:
• push instruction is 1 byte
• mov instruction is 2 bytes
• 00401010 to 00401026: dealing with the function call: updating the stack, moving arguments (a is at [ebp+8], b at [ebp+0Ch])
• 00401038 to 0040103E: cleanup and return

Page 18: Java Virtual Machine

[Image only.]

Page 19: Java Ring (1998)

[Image only.]

Page 20: Java Card

[Image only.]

Page 21: Java Virtual Machine

• Small and simple to implement
• All VMs will run all programs the same way
• Secure

Page 22: Implementing the JavaVM

load class into memory
set the instruction pointer to point to the beginning of main
do {
    fetch the next instruction
    execute that instruction
} while (there is more to do);

Some other issues we will talk about next week:
• Verification: need to check that the byte codes satisfy the security policy
• Garbage collection: need to reclaim unused storage
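The fetch/execute loop above, together with the verification step it mentions and the verifier box of slide 10, as an added example that is not from the slides: a toy stack machine in Java whose opcode set and encoding (`ICONST`, `ILOAD`, `IADD`, `ISUB`, `IF_GT`, `GOTO`, `IRETURN`, one-byte absolute jump targets) are hypothetical and deliberately far smaller than JVML, with the class name `MiniVM` my own. `verify` does what the verifier does: it decides, before a single instruction runs, whether the code could underflow or overflow the operand stack, jump into the middle of an instruction, read a local that does not exist, or fall off the end of the code, so that `execute` can trust every byte it fetches. The `max` program is the slide-17 function with the branches the right way round, so it returns the larger argument.

```java
import java.util.ArrayDeque;
import java.util.Arrays;
import java.util.Deque;

/** Toy stack-machine VM: load, verify, set ip to the start, then fetch/execute until IRETURN.
 *  Added example; the opcode set and encoding are hypothetical, not JVML. */
public class MiniVM {
    static final int ICONST = 1, ILOAD = 2, IADD = 3, ISUB = 4, IF_GT = 5, GOTO = 6, IRETURN = 7;
    static final int MAX_STACK = 4;   // operand stack the VM allocates per method

    // Static properties of each opcode: immediate bytes, stack pops, stack pushes.
    static int operandBytes(int op) {
        switch (op) {
            case ICONST: case ILOAD: case IF_GT: case GOTO: return 1;
            case IADD: case ISUB: case IRETURN: return 0;
            default: return -1;                           // unknown opcode
        }
    }
    static int pops(int op) {
        switch (op) {
            case IADD: case ISUB: case IF_GT: return 2;
            case IRETURN: return 1;
            default: return 0;
        }
    }
    static int pushes(int op) {
        switch (op) {
            case ICONST: case ILOAD: case IADD: case ISUB: return 1;
            default: return 0;
        }
    }

    /** Verifier: runs before anything executes. Returns null if the code is acceptable,
     *  otherwise the reason for rejecting it. */
    static String verify(byte[] code, int nLocals) {
        boolean[] boundary = new boolean[code.length];
        for (int pc = 0; pc < code.length; ) {            // pass 1: every byte decodes as an instruction
            int op = code[pc] & 0xff, nb = operandBytes(op);
            if (nb < 0) return "illegal opcode " + op + " at " + pc;
            if (pc + nb >= code.length) return "truncated instruction at " + pc;
            boundary[pc] = true;
            pc += 1 + nb;
        }
        int[] depthAt = new int[code.length];             // pass 2: stack-depth dataflow over all paths
        Arrays.fill(depthAt, -1);                         // -1 = not reached yet
        Deque<Integer> work = new ArrayDeque<>();
        depthAt[0] = 0;
        work.push(0);
        while (!work.isEmpty()) {
            int pc = work.pop();
            int op = code[pc] & 0xff;
            int depth = depthAt[pc] - pops(op);
            if (depth < 0) return "stack underflow at " + pc;
            depth += pushes(op);
            if (depth > MAX_STACK) return "stack overflow at " + pc;
            if (op == ILOAD && (code[pc + 1] & 0xff) >= nLocals) return "bad local index at " + pc;
            if (op == IRETURN) continue;                  // no successor
            int next = pc + 1 + operandBytes(op);
            int[] succ = op == GOTO  ? new int[] { code[pc + 1] & 0xff }
                       : op == IF_GT ? new int[] { next, code[pc + 1] & 0xff }
                       :               new int[] { next };
            for (int s : succ) {
                if (s >= code.length) return "control falls off the end at " + pc;
                if (!boundary[s]) return "jump into the middle of an instruction at " + pc;
                if (depthAt[s] == -1) { depthAt[s] = depth; work.push(s); }
                else if (depthAt[s] != depth) return "inconsistent stack depth at " + s;
            }
        }
        return null;
    }

    /** The interpreter loop of the slide. Refuses to run anything the verifier rejects. */
    static int execute(byte[] code, int[] locals) {
        String reason = verify(code, locals.length);
        if (reason != null) throw new VerifyError(reason);
        int[] stack = new int[MAX_STACK];
        int sp = 0, ip = 0;
        while (true) {
            int op = code[ip] & 0xff;                                            // fetch
            switch (op) {                                                        // execute
                case ICONST:  stack[sp++] = code[ip + 1]; ip += 2; break;        // sign-extended immediate
                case ILOAD:   stack[sp++] = locals[code[ip + 1] & 0xff]; ip += 2; break;
                case IADD:    sp--; stack[sp - 1] += stack[sp]; ip++; break;
                case ISUB:    sp--; stack[sp - 1] -= stack[sp]; ip++; break;
                case IF_GT:   sp -= 2; ip = stack[sp] > stack[sp + 1] ? code[ip + 1] & 0xff : ip + 2; break;
                case GOTO:    ip = code[ip + 1] & 0xff; break;
                case IRETURN: return stack[--sp];
                default:      throw new IllegalStateException("unreachable: verifier accepted " + op);
            }
        }
    }

    public static void main(String[] args) {
        // max(a, b) with locals 0 = a, 1 = b: if (a > b) return a; else return b;   (constructed sample)
        byte[] max = {
            ILOAD, 0, ILOAD, 1, IF_GT, 9,   //  0: push a, push b, if a > b goto 9
            ILOAD, 1, IRETURN,              //  6: return b
            ILOAD, 0, IRETURN               //  9: return a
        };
        System.out.println("max(3, 7) = " + execute(max, new int[] { 3, 7 }));   // 7
        System.out.println("max(9, 2) = " + execute(max, new int[] { 9, 2 }));   // 9

        // Three constructed "malcode.class" variants the verifier must stop before they run.
        byte[] underflow = { IADD, IRETURN };                                  // adds with an empty stack
        byte[] midJump   = { ILOAD, 0, GOTO, 1 };                              // lands on an operand byte
        byte[] overflow  = { ICONST, 1, ICONST, 1, ICONST, 1, ICONST, 1, ICONST, 1, IRETURN };
        for (byte[] bad : new byte[][] { underflow, midJump, overflow }) {
            System.out.println("rejected: " + verify(bad, 1));
        }
    }
}
```

The point of doing the stack-depth analysis statically is that `execute` can then index `stack[]` and `locals[]` without any runtime bounds checks: the same property that lets the real JVM drop checks because the bytecode verifier already proved them. That is also why slide 8's last bullet matters: if the verifier is wrong, or a class loader sneaks unverified bytes in, the interpreter's trust in those bytes is exactly what gets abused.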

Page 23: Charge

• Next classes: understanding byte codes and the byte code verifier
• Project ideas due Wednesday