CIS 551 / TCOM 401 Notes


Access Control

      What are the security issues in mobile code (for example, a java applet)?


Java and C# Security

    Browsers enforce security in the Java virtual machine using properties of the Java Language.

    Java and C# are designed to eliminate unsafe casts and buffer overflows

    Applets are compiled as Java bytecode

    Mobile code is susceptible to man-in-the-middle tampering


Applet Security Problems

    Browsers monitor applet requests for resources (network connections, files, etc.)

    Applets should have access to a minimal set of resources (a la least privilege)


Access Control For Applets

    In Unix, everything is a file, applet access involves finer levels of granularity

    Applets may need to use code with different levels of access

    How is the access control policy specified?


Java Security Model

    Virtual Machine

    Classes can come from all over the Internet

    When a class is loaded, the security manager assigns it to a domain

    Security policy in Java assigns permissions to domains


Kinds of Permissions

    Permissions are java objects is equivalent to root access

    Developers can create custom permission subclasses

    Permission classes don't directly inherit the permissions of the calling class


Code Trustworthiness

    Code origin is one way to decide what level of trust to grant

    A trusted domain can digitally sign bytecode to prevent tampering


Classloader Hieracrhy

    Classloaders are java objects

    Who loads the first classloader?


Classloader Resolution

    Classes in virtual machine can refer to other classes

    Classloader will check security policy information

    Permissions are assigned statically

    An applet may not have access to all permissions while running


Example Java Policy

    Files provide a mapping from domains to positions

    Define mappings between domains and permissions

    This slide example:


Example Trusted Code

    Security Manager is another java class

   This slide example


Example Client

   Slide:   Untrusted Applet makes an attempt to write to files by calling trusted "FileWrite" code. 

    Decision depends on context


Stack Inspection

    In Java access depends on the runtime stack of code - every stack frame is annotated with privileges

    Look through stack for context when exercising privileges


Stack Inspection Example

    Stack Inspection occurs at checkPermission at the top


Other Possibilities

    Information Flow

    Calls to "disable privilege"


Stack Inspection Algorithm

    The "Netscape" way in the slide is more secure

    Actual implementation may have changed since the slide was created


Two Implementations

    Walking down the stack is expensive and prohibits some complier optimizations

    The alternative is to pass permissions among stack frames


Stack Inspection

    Interesting alternative to UNIX-style permissions - gets around setuid problem

    Complicated to understand instantaneous security policy

    In practice stack inspection doesn't get you some of the way to applet security

    However, lots of tradeoffs involved, and "the jury is still out"