Software Security - PowerPoint PPT Presentation

About This Presentation
Title:

Software Security

Description:

Java Card Technology for Smart Cards: Architecture and ... The Operating System is the main culprit. 15,000 bugs in the Linux kernel, far more in Windows ... – PowerPoint PPT presentation

Slides: 37
Provided by: eduardkd

Transcript and Presenter's Notes

1
Software Security
  • Pieter.Hartel@utwente.nl

2
(No Transcript)
3
Overview
  • Java
  • Java Card
  • Code Certification
  • Attacks
  • Conclusions

4
Java and Java Card
[Che00] Z. Chen. Java Card Technology for Smart Cards: Architecture and Programmer's Guide, Chapters 3 and 9. Addison Wesley, Reading, Massachusetts, 2000. http://developer.java.sun.com/developer/Books/consumerproducts/javacard/
5
What is Java Safety?
  • Definition: nothing bad will happen
  • Type safety
  • Memory safety
  • Java safety is limited

Figure (account balance): Feb 3: 8.00 | Feb 4: 2.00 | Feb 6: 7.00-
6
What is Java Security?
  • Access control to resources
  • Java security policy (what)
    • Policy manager assigns permissions to a code base
  • Java security mechanisms (how)
    • Stack inspection checks each frame

7
How is Java implemented?
Figure: Java program → compiler → byte code class file → interpreter
  • Compiler:
    • Parsing
    • Type checking
    • Code generation
  • Interpreter:
    • Class loading
    • Byte code verification
    • Execution

Sandbox: class loading, byte code verification, policy manager, stack inspection
8
Java → JVM initialisation example
Java:
    Point p = new Point(1,0);
JVM (byte code, with offsets):
    0 new Point
    3 dup
    4 iconst_1
    5 iconst_0
    6 invokespecial Point(int,int)
9
Security through obscurity?
  • Information needed for safe loading = information
    needed for de-compilation
  • Only name obfuscation feasible

10
Java Card
  • Basics
    • Processing APDUs (more...)
  • High level features
    • Persistent objects in EEPROM
    • Transient objects in RAM (Clear on Reset, Clear
      on Deselect)
    • Atomic operations and transactions
    • Applet firewall and controlled object sharing
      (more...)
    • No need for expensive message passing

11
Java → Java Card
  • Java Card is a subset of Java
    • Subset of API, exceptions
    • No concurrency, no garbage collection
  • Java Card is an extension of Java
    • Transactions, sharable objects, persistence
  • However, a smart card is not a PC
    • Tamper resistant (+)
    • Small, slow (-)

12
Java Card architecture
13
Applet Development
14
Applet naming
  • AID = RID (5 bytes) + PIX (0..11 bytes)
  • RID assigned by ISO to companies
  • PIX assigned by individual company

15
Applet life cycle
  • JCRE never stops
  • APDU controls applet, format
  • install and process applet methods

16
Processing an APDU
    public void process(APDU apdu) {
        byte[] buffer = apdu.getBuffer();
        byte cla = buffer[ISO7816.OFFSET_CLA];
        byte ins = buffer[ISO7816.OFFSET_INS];
        // Lc is an unsigned byte: mask it to avoid sign extension
        short bytesLeft = (short) (buffer[ISO7816.OFFSET_LC] & 0x00FF);
        if (bytesLeft < (short) 55) ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
        // Receive the command data in chunks that fit the APDU buffer
        short readCount = apdu.setIncomingAndReceive();
        while (bytesLeft > 0) {
            // ... process the readCount bytes at ISO7816.OFFSET_CDATA ...
            bytesLeft -= readCount;
            readCount = apdu.receiveBytes(ISO7816.OFFSET_CDATA);
        }
        // Switch to the response: Le is the length the terminal expects
        short le = apdu.setOutgoing();
        if (le < (short) 2) ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
        apdu.setOutgoingLength((short) 3);
        buffer[0] = (byte) 1; buffer[1] = (byte) 2; buffer[2] = (byte) 3;
        apdu.sendBytes((short) 0, (short) 3);
    }

17
Applet firewall
  • Separates Applets
  • Protects against mistakes
  • Provides controlled sharing
  • Firewall partitions the object space into different
    contexts

18
Contexts
  • JCRE defines privileged context
  • Package defines regular context
  • Context defines ownership, stacked
  • Current context gets new object
  • Invoke, return, exception may context switch

19
Client Server Communication
Server may grant/deny access
20
Sharable Interface Object (1)
Server:
    package com.fasttravel.airmiles;
    import javacard.framework.*;

    public interface AirMilesInterface extends Shareable {
        public void grantMiles(short amount);
    }
  • A sharable interface object is like a normal
    object to the owner
  • Others can only access the methods defined in the
    shareable interface

21
Sharable Interface Object (2)
Server:
    public class AirMilesApp extends Applet implements AirMilesInterface {
        private short miles;

        public void grantMiles(short amount) {
            miles = (short) (miles + amount);
        }

        // Not shown on the slide: the JCRE calls this when a client asks for the
        // SIO, so the server can grant or deny access by client AID and parameter
        public Shareable getShareableInterfaceObject(AID clientAID, byte parameter) {
            return this;
        }
    }

Client:
    AirMilesInterface sio = (AirMilesInterface)
        JCSystem.getAppletShareableInterfaceObject(aid, SECRET);
    if (sio == null) ISOException.throwIt(SW_FAILED_TO_OBTAIN_SIO);
    sio.grantMiles(amount);
22
Java Card implementation
  • On card
    • Class loading
    • Signature verification
    • Execution
  • Off card
    • Class loading
    • Byte code verification
    • CAP file generation
    • Digital signature

Key management problem
23
Signatures for code certification
  • Producer of code c
    • Hash the code c: h = hash(c)
    • Sign with private key k: s = decrypt(k, h)
    • Send (c, s) to the consumer
    • Why not sign c?
  • Consumer of code (c, s)
    • Hash code c: h' = hash(c)
    • Check s with public key K: h'' = encrypt(K, s)
    • Ok if h' = h''
    • Is then also h = h'?

⇒ h'' = encrypt(K, decrypt(k, h)) = h
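The producer/consumer exchange above, as an added worked example that is not part of the presentation: textbook RSA with constructed, deliberately small Mersenne primes, so that "sign = decrypt with private key k" and "check = encrypt with public key K" actually run and the identity encrypt(K, decrypt(k, h)) = h can be checked. The hash is reduced modulo N only to fit the toy modulus; neither the key size nor the padding-free scheme is suitable for real use.

```python
import hashlib

# Constructed toy RSA key from two Mersenne primes: K = (N, E) is public, k = (N, D) private.
# Deliberately tiny and unpadded; it exists only to run the slide's exchange.
P, Q = 2147483647, 2305843009213693951
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def hash_code(code: bytes) -> int:
    """h = hash(c); SHA-256, reduced modulo N only so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(code).digest(), "big") % N

def sign(code: bytes) -> int:
    """Producer: s = decrypt(k, hash(c)). Signing c itself would need c < N and one
    modular exponentiation per block of code; hashing first fixes the size."""
    return pow(hash_code(code), D, N)

def verify(code: bytes, s: int) -> bool:
    """Consumer: h' = hash(c), h'' = encrypt(K, s); accept iff h' == h''."""
    return hash_code(code) == pow(s, E, N)

def roundtrip_identity(h: int) -> bool:
    """The slide's last line: encrypt(K, decrypt(k, h)) == h for any h in Z_N."""
    h %= N
    return pow(pow(h, D, N), E, N) == h
```

A passing verify(c, s) tells the consumer only that h' equals what the producer signed; that this also means c itself is unchanged rests on the hash being collision resistant, which is the question the slide leaves open.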
24
Conclusions
  • State of the art
    • Easier to program than assembly
  • Open issues
    • Garbage collection
  • Commercial success
    • Java (2 billion phones, 1 billion PCs)
    • Java Card (4 billion cards)

25
Code certification without signatures
[Nec97] G. C. Necula. Proof-carrying code. In 24th Principles of Programming Languages (POPL), pages 106-119, Paris, France, Jan 1997. ACM. http://doi.acm.org/10.1145/263699.263712
26
Self Certified Code
  • Server (consumes code)
    • Publish safety policy: given precondition,
      weakest precondition rules
    • Validation: import code + proof and check proof
    • Run
  • Client (produces code)
    • Certification: generate proof and
      export code + proof

No crypto
Attack possible?
27
SCC Architecture
Figure. Code producer: untrusted source program; compilation and certification; native code + safety certificate. Code consumer: safety policy; certificate validation; enable execution.
28
Extended abstract machine
  • op ::= n (where n ∈ minint..maxint) | r0 | r1 | r2
  • instr ::= LD rd, n(rs)      (may read at rs+n)
           |  ST rs, n(rd)      (may write at rd+n)
           |  ADD rs, op, rd
           |  BEQ rs, n         (may jump to n if rs = 0)
           |  RET

Safety conditions: the "may read", "may write" and "may jump" annotations above
29
Code example: simple filter
                      ; Address of tag in r0
    ADD r0, 8, r1     ; Address of data in r1
    LD  r0, 8(r0)     ; Data in r0
    LD  r2, -8(r1)    ; Tag in r2
    ADD r0, 1, r0     ; Increment r0
    BEQ r2, 7         ; Branch if tag = 0
    ST  r0, 0(r1)
    RET

Figure: memory before and after, r0 pointing at the tag
30
Pre/post condition
Please check at home
  • Precondition
    • r0 is word aligned
    • May read tag at r0
    • May read data at r0+8
    • May write data at r0+8 if tag ≠ 0
  • Abstract machine semantics
  • Generate safety conditions
  • Postcondition
    • true

Figure: memory before and after, r0 pointing at the tag
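The "generate safety conditions" step of the previous three slides, as an added example that is not part of the presentation or of Necula's work: a toy symbolic executor for the slide's abstract machine that derives one condition per memory access of the simple filter and checks it against the stated precondition. It assumes 1-based instruction numbers with absolute BEQ targets, and includes a constructed variant without the tag test to show a condition the precondition does not discharge.

```python
# Added toy safety-condition generator for the slides' abstract machine and "simple filter".
# Not Necula's VCgen: it knows only these instructions, immediate ADD operands and this
# slide's precondition. Register values are symbolic (base, offset) pairs.
# Assumption: instructions are numbered from 1 and a BEQ target is absolute,
# so "BEQ r2, 7" in the slide's listing jumps to the RET.
FILTER = [("ADD", "r0", 8, "r1"), ("LD", "r0", 8, "r0"), ("LD", "r2", -8, "r1"),
          ("ADD", "r0", 1, "r0"), ("BEQ", "r2", 7), ("ST", "r0", 0, "r1"), ("RET",)]
# Constructed unsafe variant: stores the data word without testing the tag first.
UNCHECKED = [("ADD", "r0", 8, "r1"), ("LD", "r0", 8, "r0"), ("ADD", "r0", 1, "r0"),
             ("ST", "r0", 0, "r1"), ("RET",)]

# Precondition from the slide: may read the tag at r0 and the data at r0+8;
# may write the data at r0+8 only if tag != 0 (the tag is the word at r0 itself).
READABLE = {("r0", 0), ("r0", 8)}
WRITABLE = ("r0", 8)
TAG = "mem[r0]"

def fmt(v):
    return f"{v[0]}+{v[1]}" if v[1] else v[0]

def run(prog, pc, regs, path, out):
    """Symbolic execution from pc; every LD/ST appends (pc, condition, holds?) to out."""
    while True:
        ins = prog[pc - 1]
        if ins[0] == "ADD":             # rd := rs + n
            _, rs, n, rd = ins
            regs = {**regs, rd: (regs[rs][0], regs[rs][1] + n)}
        elif ins[0] == "LD":            # rd := mem[rs + n]; address must be readable
            _, rd, n, rs = ins
            addr = (regs[rs][0], regs[rs][1] + n)
            out.append((pc, f"may read {fmt(addr)}", addr in READABLE))
            regs = {**regs, rd: (f"mem[{fmt(addr)}]", 0)}
        elif ins[0] == "ST":            # mem[rd + n] := rs; writable only if tag != 0 here
            _, rs, n, rd = ins
            addr = (regs[rd][0], regs[rd][1] + n)
            ok = addr == WRITABLE and f"{TAG}!=0" in path
            out.append((pc, f"may write {fmt(addr)} given {sorted(path)}", ok))
        elif ins[0] == "BEQ":           # fork: taken path learns rs == 0, fall-through rs != 0
            _, rs, target = ins
            run(prog, target, regs, path | {f"{fmt(regs[rs])}==0"}, out)
            path = path | {f"{fmt(regs[rs])}!=0"}
        else:                           # RET: postcondition is 'true', nothing to check
            return
        pc += 1

def safety_conditions(prog):
    out = []
    run(prog, 1, {"r0": ("r0", 0), "r1": ("r1", 0), "r2": ("r2", 0)}, set(), out)
    return out

def is_safe(prog):
    return all(ok for _, _, ok in safety_conditions(prog))
```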
31
Average runtime per packet
Figure: bar chart comparing BPF, M3-VIEW, SFI and PCC
32
High upfront cost
33
Advantages/Disadvantages
  • No cryptography, no key management
  • Any policy possible
  • Can be used for unsafe languages
  • Does it scale up?
  • Window of opportunity from validation to
    execution (more...)

34
Attacks
35
Vulnerability
  • Time-of-check ≠ time-of-use
  • A single bit error gives a 70% probability of
    taking over the JVM

[Gov03] S. Govindavajhala and A. W. Appel. Using memory errors to attack a virtual machine. In 24th Symp. on Security and Privacy (SP), pages 154-165, Berkeley, California, May 2003. IEEE Computer Society. http://doi.ieeecomputersociety.org/10.1109/SECPRI.2003.1199334
36
Memory error attack
  • Cosmic ray converts an A reference into a B reference
  • Subverts the type system
  • 70% success with millions of references

Figure: class A and class B objects; a cosmic ray flips a bit in the reference
37
The experiment
Picture from Sudhakar Govindavajhala
38
And the rest of the world?
  • The Operating System is the main culprit
  • 15,000 bugs in the Linux kernel, far more in
    Windows
  • An estimated 24 in the Minix-3 micro-kernel,
    drivers isolated...
  • Can the kernel be verified?

[Tan06a] A. S. Tanenbaum, J. N. Herder, and H. Bos. Can we make operating systems reliable and secure? IEEE Computer, 39(5):44-51, 2006. http://dx.doi.org/10.1109/MC.2006.156
39
Conclusions
  • Java is a good starting point
  • Reduce the trusted computing base
  • Micro kernel
  • Verification works in the small
  • Security is not necessarily crypto
  • Out of the box thinking...