[an error occurred while processing this directive]

Upcoming Schedule

Friday, 27 October (extended until 11pm tonight): Project Team Requests

Wednesday, November 1 (beginning of class) — project idea description

Monday, November 6: Quiz 4

Friday, November 10 (beginning of class) — project design document

week of November 13 — project design reviews

week of November 27 — project progress reports

Monday, December 4 (in class) — project presentations/demos

Tuesday, December 5 (before 5pm) — project final reports including code and teammate assessments

Java Security

(from Class 27) What does it mean for a programming language to be safe?

(from Class 27) How does the Java programming language satisfy low-level code safety properties:

Type Safety
Memory Safety
Control Flow Safety

What kinds of properties can be enforced by ideal reference monitors?

What kinds of properties can not be enforced by ideal reference monitors?

How does the Java security manager differ from an ideal reference monitor?

Permissions

Excerpts from java.security.Permission:

public class Permission {
   public abstract boolean implies(Permission permission)
      EFFECTS: Returns true iff the specified permission is implied by
          this.

   ... // other methods not shown
}

public final class AllPermission extends Permission {
   The AllPermission is a permission that implies all other permissions.

From the Java API documentation:
Note: Granting AllPermission should be done with extreme care, as it implies all other permissions. Thus, it grants code the ability to run with security disabled. Extreme caution should be taken before granting such a permission to code. This permission should be used only during testing, or in extremely rare cases where an application or applet is completely trusted and adding the necessary permissions to the policy is prohibitively cumbersome.

   public boolean implies(Permission p)
      Checks if the specified permission is "implied" by this object. 
      This method always returns true.

public final class FilePermission extends Permission {

From the Java API documentation:
Be careful when granting FilePermissions. Think about the implications of granting read and especially write access to various files and directories. The "<>" permission with write action is especially dangerous. This grants permission to write to the entire file system. One thing this effectively allows is replacement of the system binary, including the JVM runtime environment.

   FilePermission(String path, String actions) 
     REQUIRES: actions is a comma-separated list of keywords selected
        from "read", "write", "execute", and "delete"
     EFFECTS: Creates a new FilePermission object with the specified
        actions.

   public boolean implies(Permission p)
      EFFECTS: Returns true iff the specified permission is implied by
         this object, false if not.
         More specifically, this method returns true if:
           * p is an instanceof FilePermission,
           * p's actions are a proper subset of this object's actions, and 
           * p's pathname is implied by this object's pathname. For example, "/tmp/*"
             implies "/tmp/foo", since "/tmp/*" encompasses the "/tmp" directory and
             all files in that directory, including the one named "foo". 
}

Do the Permission subtypes follow behavioral subtying?

What should SecurityManager.checkDelete(String file) do?

   Permissions policy = new Permissions ();
  // pathname\\- means pathname and all files (recursively) contained
  Permission p1 = new FilePermission ("C:\\-", "read,write,execute");
  Permission p2 = new AllPermission ();
  Permission p3 = new FilePermission 
         ("C:\\Program Files\\Java\\jre1.5.0_06\\bin", "write");
  policy.add(p1);
  policy.add(p2);
  policy.add(p3);
  // Which of these are true:
  // p1.implies(p3) 
  // p3.implies(p1)
  // p2.implies(p2)
  // p2.implies(p3)
  // policy.implies(new javax.sound.sampled.AudioPermission("play"))

What is granting permissions (usually) better than enumerating disallowed actions?

It's easier to ask forgiveness than it is to get permission.
Grace Hopper (developer of first compiler)

What is a good policy for running applets from untrusted sources?

What can go wrong with Java security?

Links

Some Hostile Java Applets
Java Security Web Site (Gary McGraw and Ed Felten)
Sun's Java Security [Applet Security FAQ] [Security Bug Chronology]

If J. Random Websurfer clicks on a button that promises dancing pigs on his computer monitor, and instead gets a hortatory message describing the potential dangers of the applet --- he's going to choose dancing pigs over computer security any day. If the computer prompts him with a warning screen like: "The applet DANCING PIGS could contain malicious code that might to permanent damage to your computer, steal your life's savings, and impair your ability to have children," he'll click "OK" without even reading it. Thirty seconds later he won't even remember that the warning screen even existed.

Bruce Schneier, Secrets and Lies, 2000.