Marc Schönefeld
Duration: 2 days
Contrary to what most white papers claim, software written in Java is not secure by default. This course gives participants an awareness of the threats to Java-based software. It focuses on the code-based security features of current Java releases (1.4.x, Tiger and Mustang) that are used to protect typical Java application patterns (J2EE, desktop Java, applets, servlets).
Secure Java coding always starts from Sun's secure programming guidelines, which are presented by associating each guideline with the attack types it addresses and with refactoring options that harden the system. Executed Java classes are based on bytecode, so knowledge of Java bytecode is essential to understand and extend Java static code analysis tools such as BCEL and FindBugs.
Other important terms in Java code-based security are "protection domains" and "permission collections". To reverse engineer protection domains, an approach that extends the Java SecurityManager is presented. A framework is presented that allows defining custom and complete permission sets when deploying Java applications.
After hardening the JDK itself, the Java security engineer is concerned with raising the protection level of open source Java middleware components such as web servers (Jetty, Tomcat) or databases (Cloudscape, PointBase).
Participants need a laptop capable of compiling Java code (preinstalled Sun JDK 1.4.2_x and IBM Eclipse IDE 3.0.x).
The student should have an understanding of most of the following concepts and technologies:
Knowledge of basic Java programming tools (java, javac, javah).
Basic to advanced Java and Java bytecode programming knowledge, as well as familiarity with the core Java API, is beneficial for understanding the key concepts.
Knowledge of basic security concepts such as least privilege and security models.
Knowledge of common C-based software threats is helpful for the JNI part.
Introduction
Security in a broader sense
The history of Java security (Felten, LSD, …)
Java and security
J2SE Java 1.4 application areas
Desktop Java (J2SE)
WebServer Java (J2EE/JSP)
BackendServer Java (J2EE/EJB)
DatabaseServer Java (J2EE/JDBC)
What to attack and protect
Attacks on Integrity
Attacks on Confidentiality
Attacks on Availability
Java security architecture
Core Java runtime environment security:
JVM security
Java language security
Core API security
Classloaders and protection domains
Application security:
JSSE and SSL
GSSAPI
JAAS
Java Secure Coding
Sun’s secure programming guidelines
Antipatterns
Static variables
Derived Vulnerabilities
Possible Attacks
Precautions and Detection
PoC [Covert Channels in JDK]
Privileged Code
Derived Vulnerabilities
Possible Attacks
Precautions and Detection
PoC [The Disk filling applet]
Visibilities
Derived Vulnerabilities
Possible Attacks
Precautions and Detection
PoC [XMLSniffing vulnerability in JDK 1.4.2_05]
Serialisation
Derived Vulnerabilities
Possible Attacks
Precautions and Detection
PoC [Remote Attacks and Malicious Objects]
Native Code
Derived Vulnerabilities
Possible Attacks
Precautions and Detection
PoC [The memory reading applet in the Java Media Framework]
Non-Adequate permissions for 3rd party libraries and frameworks
Derived Vulnerabilities
Possible Attacks
Precautions and Detection
PoC [Remote code execution in JBoss 3.2.1]
Java Arithmetics
Derived Vulnerabilities
Possible Attacks
Precautions and Detection
PoC [The java.util.zip package and the flipping sign]
Java Bytecode Engineering
Quick walk through the Java bytecode instruction set
Anatomy of class files
Bytecode frameworks
BCEL
ASM
Javassist
Findbugs
How to write custom detectors with BCEL and FindBugs
Classwalkers
Fieldwalkers
Methodwalkers
Finding adequate permission sets for Java applications
Permissions in JDK
The jchains framework
Hardening Java protocols
JDBC security
RMI security (JRMP and RMI/IIOP)
Serialisation security
Hardening Java middleware applications
Tomcat security
Java database security
Security in the new Tiger and Mustang releases
Selected use cases from the audience
Summary, Q&A and farewell