Monday, May 01, 2006

Code Centric Security Model

Java Security Series Part 2

Security model

One of the important goals in a secure system is to protect critical resourses. In this context a protection domain is a concept which defines all the entities that can access a particular or group of critical resourses. This concept is extrapolated in Java and is abstracted in java.security.ProtectionDomain class. The protection domain in Java encompasses two details -
  • What (code) can access critical resourse - Code Centric Security model
  • Who (user) can access critical resourse - User Centric Security model

Code Centric Security Model

With the original Java 1.0, any Java code on the local machine could access any resourse such as file system, runtime properties, network etc as the local applications were completely trusted and were thought to be safe. Only the applications which were remote, as in applets were seen with caution and subjected to security. In this system, the applet code was made to run in what is called "Sand Box" which is nothing but a protection domain for the applet code which has no access to a fixed set of critical resourse.

However, with the introduction of Signed applets in Java 1.1, this sand box was made configurable with applets from different code sources (applet written by different signers and downloaded from different location) could do different things in the sand box. User based on the trust on a signer and location could lax the strict sand box; however, the sand box itself was still protecting only a fixed set of critical resource and hence the Protection domain here was said to be with a fixed boundary.

With the introduction of Java 2 Platform Security in Java 1.2, a regular security framework was designed. In this framework, all code belongs to a Protection Domain and the protection domain determines the resources that are accessible to the code. The protection domain here itself is NOT of fixed boundary as the means to define a critical resource is extensible.

java.security.Persmission

This class abstracts the permissible access on a particular resourse. Java provides a hierarchy of sub-classes from this parent class to provide the notion of different types of access on different resources. For example, FilePermission, SocketPermission etc to specify access to file system resources and network resources.

By further sub-classing this class, custom resource access can be defined - and this is crux to a flexible boundary Protection Domain.

A permission object typically has two attributes - (1) target name - name of a particular target object of a particular type of resource; for example a file named C:\Sandesh.doc (2) action list - all the access privileges on the target object - such as read, write etc.

java.security.ProtectionDomain

This class abstracts the permissible activities that a particular trusted code (trust here implies on the author of the code and the location of download of the code) can perform.

As and when a class is loaded by the class loader, the class loader initializes the Class instance with the protection domain to which it belongs.

In Java 1.4, it encapsulates mainly 3 entities - (1) CodeSource (2) Permissions (3) Principals

java.security.CodeSource

This class abstracts the trusted entity based on which protection domains work and as explained consists of (1) signer of code (2) location of code download

Initialization of ProtectionDomain for a Class instance

As we saw earlier, there are three default class loaders that get installed when JVM is started - (1) Bootstrap class loader (2) Extensions class loader (3) System class loader.

These class loaders are responsible for assigning the right Protection Domain during when defining a class. Bootstrap class loader is of native type and assigns all the System classes (classes present in jre/lib/rt.jar) to System Protection Domain which has AllPermission access rights.

The extension and system class loaders are of type java.net.URLClassLoader which inturn inherits from java.security.SecureClassLoader.

While the extensions class loader loads classes from jre/lib/ext directory and system class loader loads from the CLASSPATH environment variable, their intialization process of the protection domain of classes loaded by them is the same as both of them are of the same type.

java.net.URLClassLoader overrides findClass as expected and here, it first gets the raw bytes from the URLs it knows about and then from the same also gets the signer information and from this constructs a CodeSourse object and then calls defineClass, to define the class.

java.security.SecureClassLoader overrides defineClass. SecureClassLoader maintains a cache of ProtectionDomain using a HashMap with key being the code sourse. It first checks if the ProtectionDomain for the given code sourse is already present in the cache and reuses if cached. Otherwise, it calls getPermissions to get an initial set of permissions for the protection domain. This function is overridden by URLClassLoader which inserts an initial set of permission which allows the code source to -

  • If the protocol specified by URL is "file" and the path specified by the URL is a file, then read permission to that file is granted
  • If the protocol specified by URL is "file" and the path specified by the URL is a directory, then read permission to all files and directories recursively
  • If the protocol specified is anything else, permissions to connect to and accept from URL's network host is allowed.

Please note that SecureClassLoader.getPermissions returns an empty set of permissions because it has no idea on what permissions to give [Note: In JDK 1.3, this method actually initialized the initial permissions with permissions read from java.security.Policy.getPermissions(CodeSource) method. But it seems to support dynamic policies, this has changed in 1.4 and has kind of become redundant.]. SecureClassLoader.defineClass then constructs a java.security.ProtectionDomain object using the code source instance, class loader instance and the initial permissions and associates the ProtectionDomain with the Class.

java.security.PermissionCollection and java.security.Permissions

These are two kinds of containers for the permission objects and the difference between the two being that PermissionCollection is a homogenous set of Permission objects where as Permissions are heterogenous.

Binding permissions to ProtectionDomain

Protection Domain provides a mapping between code source and its permissions. In Java 1.2, SecureClassLoader's getPermissions method read java.security.Policy for the configured permissions for a particular code source. Policy object here is used to decouple the policy configuration from the security framework. Policy is itself an abstract class and expects a provider to provide the actual permissions for the code source. This way, users can plugin custom access management systems to the security framework. By default com.sun.security.PolicyFile gave an implementation where the users could configure permissions in an ASCII file.

Static binding of permissions to Protection Domain is not always a good idea. There are some access management systems which can specify if a security context has a particular permission, but cannot specify all the permissions available for a security context. Also, if permissions are to be more dynamic in nature, static binding will not obviously work. In Java 1.4, dynamic policy binding was introduced. Here, the interaction between ProtectionDomain and Policy object has changed. The way it works in 1.4 is - (1) SecureClassLoader no longer asks the Policy object for permissions during creation of ProtectionDomain object, but returns an empty permissions list (2) Protection domain when queried if a particular permission is implied, first checks the policy if a particular permission is implied. This causes the dynamic behavior, as the permissions are never really bound to the ProtectionDomain object, but loosely coupled using the Policy object. (3) Only if the Policy object does not imply the permission, does the default permissions in the Protection domain object consulted.

By default the policy implementation used is com.sun.security.auth.PolicyFile. A different implementation can be configured by changing the security settings in jre/lib/ext/security/java.security file.

com.sun.security.auth.PolicyFile initializes the permissions by reading jre/lib/ext/security/java.policy file. This configuration can be changed by editing policy.url properties specified in jre/lib/ext/security/java.security

9 Comments:

Blogger ninest123 Ninest said...

ninest123 10.27
tiffany jewelry, michael kors outlet, oakley sunglasses wholesale, ugg boots, louis vuitton, jordan shoes, nike air max, burberry outlet, uggs outlet, prada outlet, louis vuitton, ugg boots, louis vuitton outlet, michael kors outlet store, ray ban sunglasses, louis vuitton outlet, replica watches, replica watches, uggs outlet, michael kors outlet, polo ralph lauren outlet online, nike free, ray ban sunglasses, oakley sunglasses, christian louboutin outlet, michael kors outlet online, longchamp outlet, louis vuitton outlet, christian louboutin, tiffany and co, prada handbags, cheap oakley sunglasses, polo outlet, longchamp outlet, tory burch outlet, longchamp outlet, nike outlet, oakley sunglasses, oakley sunglasses, ray ban sunglasses, christian louboutin shoes, christian louboutin uk, chanel handbags, uggs on sale, burberry handbags, nike air max, kate spade outlet, michael kors outlet online

9:46 AM  
Blogger ninest123 Ninest said...

hollister uk, nike roshe run uk, sac longchamp pas cher, nike air max uk, north face, vans pas cher, michael kors, kate spade, nike blazer pas cher, longchamp pas cher, ray ban uk, nike free run, abercrombie and fitch uk, louboutin pas cher, coach outlet store online, timberland pas cher, nike roshe, north face uk, polo ralph lauren, oakley pas cher, nike air max, sac vanessa bruno, hollister pas cher, polo lacoste, true religion outlet, ralph lauren uk, nike tn, sac hermes, ray ban pas cher, coach outlet, jordan pas cher, michael kors, coach purses, nike air force, true religion jeans, lululemon canada, michael kors pas cher, mulberry uk, nike air max uk, true religion outlet, burberry pas cher, michael kors outlet, nike free uk, converse pas cher, coach outlet, hogan outlet, new balance, guess pas cher, true religion outlet, air max

9:47 AM  
Blogger ninest123 Ninest said...

bottega veneta, new balance shoes, nike air max, soccer jerseys, louboutin, giuseppe zanotti outlet, lululemon, mac cosmetics, vans, nike trainers uk, vans outlet, abercrombie and fitch, reebok outlet, nike air max, converse, iphone 6 cases, insanity workout, ghd hair, hollister clothing, converse outlet, oakley, nfl jerseys, baseball bats, herve leger, gucci, nike huaraches, mont blanc pens, north face outlet, ferragamo shoes, valentino shoes, north face outlet, p90x workout, longchamp uk, nike roshe run, soccer shoes, wedding dresses, timberland boots, hollister, hermes belt, hollister, ralph lauren, jimmy choo outlet, chi flat iron, asics running shoes, ray ban, instyler, mcm handbags, beats by dre, celine handbags, babyliss, gucci handbags, michael kors outlet online

9:48 AM  
Blogger ninest123 Ninest said...

toms shoes, ugg, ugg uk, moncler, moncler, juicy couture outlet, hollister, ugg,uggs,uggs canada, michael kors outlet online, canada goose outlet, lancel, wedding dresses, moncler outlet, canada goose, swarovski, barbour uk, moncler, canada goose outlet, louis vuitton, ugg,ugg australia,ugg italia, louis vuitton, moncler uk, louis vuitton, ugg pas cher, louis vuitton, montre pas cher, links of london, marc jacobs, barbour, louis vuitton, canada goose uk, michael kors handbags, canada goose outlet, pandora charms, supra shoes, replica watches, canada goose, juicy couture outlet, coach outlet, karen millen uk, moncler outlet, moncler, pandora uk, doudoune moncler, thomas sabo, swarovski crystal, pandora jewelry, canada goose jackets, michael kors outlet, canada goose, doke gabbana, pandora jewelry
ninest123 10.27

9:49 AM  
Blogger oakleyses said...

christian louboutin uk, louis vuitton outlet, christian louboutin shoes, michael kors pas cher, louis vuitton outlet, sac longchamp pas cher, prada handbags, gucci handbags, tiffany and co, polo ralph lauren outlet online, christian louboutin outlet, cheap oakley sunglasses, longchamp outlet, uggs on sale, polo outlet, louis vuitton, nike air max, oakley sunglasses, longchamp outlet, nike free, nike outlet, longchamp outlet, longchamp pas cher, chanel handbags, nike air max, oakley sunglasses, nike free run, tiffany jewelry, oakley sunglasses wholesale, louboutin pas cher, ray ban sunglasses, ugg boots, replica watches, air max, louis vuitton outlet, oakley sunglasses, nike roshe, louis vuitton, tory burch outlet, ray ban sunglasses, jordan shoes, christian louboutin, prada outlet, polo ralph lauren, burberry pas cher, ugg boots, jordan pas cher, kate spade outlet, ray ban sunglasses

8:38 AM  
Blogger oakleyses said...

nike blazer pas cher, mulberry uk, burberry handbags, michael kors, timberland pas cher, oakley pas cher, ray ban uk, vans pas cher, coach purses, north face, nike free uk, new balance, ray ban pas cher, sac hermes, michael kors, nike air force, ralph lauren uk, nike air max, kate spade, nike roshe run uk, true religion jeans, north face uk, hogan outlet, michael kors outlet online, nike air max uk, uggs outlet, nike tn, burberry outlet, hollister uk, coach outlet store online, replica handbags, lululemon canada, michael kors outlet online, michael kors outlet online, michael kors outlet, michael kors outlet online, converse pas cher, michael kors outlet, true religion outlet, true religion outlet, polo lacoste, hollister pas cher, coach outlet, guess pas cher, true religion outlet, abercrombie and fitch uk, nike air max uk, sac vanessa bruno, michael kors outlet

8:40 AM  
Blogger oakleyses said...

hollister, oakley, celine handbags, instyler, nike trainers uk, ghd hair, converse outlet, hollister clothing, hermes belt, beats by dre, ray ban, lancel, herve leger, timberland boots, nike air max, chi flat iron, longchamp uk, asics running shoes, vans, nike air max, insanity workout, reebok outlet, giuseppe zanotti outlet, abercrombie and fitch, nike roshe run, north face outlet, louboutin, jimmy choo outlet, iphone cases, gucci, mcm handbags, north face outlet, valentino shoes, soccer shoes, hollister, wedding dresses, babyliss, bottega veneta, baseball bats, p90x workout, nfl jerseys, nike huaraches, new balance shoes, soccer jerseys, mont blanc pens, ralph lauren, vans outlet, mac cosmetics, ferragamo shoes, lululemon

8:43 AM  
Blogger oakleyses said...

hollister, louis vuitton, moncler outlet, pandora uk, moncler, canada goose outlet, ugg,ugg australia,ugg italia, marc jacobs, toms shoes, moncler outlet, louis vuitton, canada goose, swarovski crystal, supra shoes, moncler, ugg, juicy couture outlet, wedding dresses, thomas sabo, karen millen uk, ugg pas cher, canada goose jackets, pandora jewelry, louis vuitton, moncler, swarovski, pandora jewelry, links of london, moncler uk, louis vuitton, coach outlet, ugg uk, canada goose uk, ugg,uggs,uggs canada, canada goose, doudoune moncler, louis vuitton, pandora charms, juicy couture outlet, canada goose outlet, canada goose outlet, canada goose, moncler, replica watches, montre pas cher

8:46 AM  
Blogger Liu Liu said...

Nick Saban’s relatively brief time as head coach of the Miami Dolphins is not looked upon fondly by most fans of the team. He went 15-17 christian louboutin shoes in his two seasons, but basically quit on the nfl jerseys store team in the final weeks Nike Air Max 90 of the 2006 season, focused more on his next job, at the University of Alabama, instead of the one he christian louboutin uk was under contract for.And at least one player who played – or at Christian Louboutin Women Flat least practiced – under Saban during those ill-fated christian louboutin men flat final weeks Nike Roshe Run hasn’t forgotten NFL Jerseys how Nike Free Run he was louboutin outlet treated. According to Nike Air Max 2015 Shoes receiver P.K. Sam, a journeyman cheap nfl jerseys who spent time with five NFL teams as well as two CFL clubs, Saban cut wholesale nfl jerseys him after he left the team christian louboutin Panettone spiked leather wallet briefly to see his dying father

2:54 PM  

Post a Comment

<< Home