ABSTRACT
The ubiquitously installed Java Runtime Environment (JRE) provides a complex, flexible set of mechanisms that support the execution of untrusted code inside a secure sandbox. However, many recent exploits have successfully escaped the sandbox, allowing attackers to infect numerous Java hosts. We hypothesize that the Java security model affords developers more flexibility than they need or use in practice, and thus its complexity compromises security without improving practical functionality. We describe an empirical study of the ways benign open-source Java applications use and interact with the Java security manager. We found that developers regularly misunderstand or misuse Java security mechanisms, that benign programs do not use all of the vast flexibility afforded by the Java security model, and that there are clear differences between the ways benign and exploit programs interact with the security manager. We validate these results by deriving two restrictions on application behavior that restrict (1) security manager modifications and (2) privilege escalation. We demonstrate that enforcing these rules at runtime stops a representative proportion of modern Java 7 exploits without breaking backwards compatibility with benign applications. These practical rules should be enforced in the JRE to fortify the Java sandbox.
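As an added illustration of restriction (1) above, not code from the paper, the following security manager refuses every attempt to replace or remove itself after it has been installed. The class name is hypothetical, and the snippet assumes a Java 7/8-era JRE, since `SecurityManager` is deprecated for removal in newer JDKs.

```java
import java.security.Permission;

// Added example (hypothetical class name): a security manager that cannot be
// modified once installed, mirroring the abstract's restriction on
// security manager modifications. Not the paper's implementation.
public class LockedSecurityManager extends SecurityManager {

    @Override
    public void checkPermission(Permission perm) {
        // System.setSecurityManager(...) consults the current manager for
        // RuntimePermission("setSecurityManager") before swapping it out.
        // Denying that permission unconditionally pins this manager for the
        // life of the JVM, even if the policy file grants AllPermission.
        if (perm instanceof RuntimePermission
                && "setSecurityManager".equals(perm.getName())) {
            throw new SecurityException(
                "security manager modification is locked after installation");
        }
        // Every other permission is decided by the normal policy-based check.
        super.checkPermission(perm);
    }

    public static void main(String[] args) {
        // First installation: no manager exists yet, so no check is made.
        System.setSecurityManager(new LockedSecurityManager());

        // A later attempt to drop the sandbox is what an exploit that
        // "nulls" the security manager relies on; it is now rejected.
        try {
            System.setSecurityManager(null);
            System.out.println("manager was removed (rule not enforced)");
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```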