Title: Reasoning about Data Abstractions
Slide 1: cs205: Engineering Software, University of Virginia, Fall 2006
Security in Java: Real or Decaf?
(Duke suicide picture by Gary McGraw.)
Slide 2: Project
- Last problem set: final report is due last day of class
- Teams of 2-5: send me team requests before 11am Friday
Slide 3: Project Ideas
- Due next Wednesday
- For now, no suggestions: you can do anything you want, as long as it
  - Is small enough to finish by Dec 4
  - Is complex enough that a successful project will demonstrate understanding of and ability to apply key concepts in CS205
- If you are really stuck...
Slide 4: Buzzword Description (from Class 2...)
- A simple, object-oriented, distributed, interpreted, robust, secure, architecture neutral, portable, high-performance, multithreaded, and dynamic language. (Sun95)
Slide 5: What is a secure programming language?
- Language is designed so it cannot express certain computations considered insecure.
  - A few attempt to do this: PLAN, packet filters
- Language is designed so that (accidental) program bugs are likely to be caught by the compiler or run-time environment instead of leading to security vulnerabilities.
Slide 6: Safe Programming Languages
- Type Safety
  - Compiler and run-time environment ensure that bits are treated as the type they represent
- Memory Safety
  - Compiler and run-time environment ensure that the program cannot access memory outside defined storage
- Control Flow Safety
  - Can't jump to arbitrary addresses
Is Java the first language to have them?
No way! LISP had them all in 1960.
Slide 7: Java Safety
- Type Safety
  - Most types checked statically
  - Coercions, array assignments type checked at run time
- Memory Safety
  - No direct memory access (e.g., pointers)
  - Primitive array type with mandatory run-time bounds checking
- Control Flow Safety
  - Structured control flow, no arbitrary jumps
Slide 8: Malicious Code
- Can a safe programming language protect you from malcode?
  - Code your servers in it to protect from buffer overflow bugs
  - Only allow programs from untrustworthy origins to run if they are programmed in the safe language
Slide 9: Safe Languages?
- But how can you tell a program was written in the safe language?
  - Get the source code and compile it (most vendors, and all malicious attackers, refuse to provide source code)
  - Special compilation service cryptographically signs object files generated from the safe language (SPIN, Bershad96)
  - Verify object files preserve safety properties of source language (Java)
Slide 10: JVML
[Diagram: malcode.java (Java source code) --javac compiler--> malcode.class (JVML object code) --> JavaVM]
Alice wants to know the JVML code satisfies Java's safety properties.
Slide 11: Does JVML satisfy Java's safety properties?
No. We'll learn more about JVML later...
Slide 12: Bytecode Verifier
[Diagram: malcode.class (JVML object code) --> Java Bytecode Verifier --> Invalid: STOP / Okay: JavaVM]
Slide 13: Bytecode Verifier
- Checks class file is formatted correctly
- Checks JVML code satisfies safety properties
  - Simulates program execution to know types are correct, but doesn't need to examine any instruction more than once
Slide 14: Verifying Safety Properties
- Type safe
  - Stack and variable slots must store and load as the same type
- Memory safe
  - Must not attempt to pop more values from the stack than are on it
  - Doesn't access private fields and methods outside the class implementation
- Control flow safe
  - Jumps must be to valid addresses within the function, or call/return
Slide 15: Running Mistyped Code
> java Simple
Exception in thread "main" java.lang.VerifyError (class Simple, method main signature (Ljava/lang/String)V)
Register 0 contains wrong type
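As an added illustration (not from the slides, and far simpler than the real JVM verifier), here is a toy verifier for a tiny JVML-like stack machine: it abstractly executes each instruction exactly once, recording the types on the operand stack and in the local variable slots, and rejects the three kinds of error listed on the previous slide; the opcode names, the two-type (int/ref) lattice and the sample methods are all constructed for this example. The BAD_TYPE method is the toy analogue of the VerifyError above: slot 0 holds a reference but is loaded as an int.

```python
from collections import deque
INT, REF = "int", "ref"  # the only value types in this toy stack machine
class VerifyError(Exception): pass
def pop(stack, want, pc):
    if not stack:  # memory safety: never pop more values than were pushed
        raise VerifyError(f"stack underflow at pc {pc}")
    got = stack.pop()
    if got != want:  # type safety: a value is consumed as the type it was pushed as
        raise VerifyError(f"pc {pc}: expected {want} on stack, found {got}")
def verify(code):
    """Abstractly run `code` (a list of (opcode, arg) pairs), visiting each pc once; returns per-pc frames."""
    n, states, work = len(code), [None] * len(code), deque()
    def reach(pc, stack, locals_):
        if not 0 <= pc < n:  # control-flow safety: every target must lie inside the method
            raise VerifyError(f"jump to invalid address {pc}")
        frame = (tuple(stack), tuple(sorted(locals_.items())))
        if states[pc] is None:  # first arrival: record the typed frame, schedule one visit
            states[pc] = frame; work.append(pc)
        elif states[pc] != frame:  # reached again with different types: reject, never re-examine
            raise VerifyError(f"inconsistent frame types at pc {pc}")
    reach(0, [], {})
    while work:
        pc = work.popleft()
        stack, locals_ = list(states[pc][0]), dict(states[pc][1])
        op, arg = code[pc]
        if op == "iconst": stack.append(INT)
        elif op == "aconst": stack.append(REF)
        elif op == "iadd": pop(stack, INT, pc); pop(stack, INT, pc); stack.append(INT)
        elif op == "istore": pop(stack, INT, pc); locals_[arg] = INT
        elif op == "astore": pop(stack, REF, pc); locals_[arg] = REF
        elif op in ("iload", "aload"):
            want = INT if op == "iload" else REF
            if locals_.get(arg) != want:  # toy analogue of "Register 0 contains wrong type"
                raise VerifyError(f"pc {pc}: local {arg} holds {locals_.get(arg)}, not {want}")
            stack.append(want)
        elif op == "ifeq": pop(stack, INT, pc); reach(arg, stack, locals_)  # taken branch; fall-through below
        elif op == "goto": reach(arg, stack, locals_); continue
        elif op == "return": continue
        else: raise VerifyError(f"unknown opcode {op} at pc {pc}")
        reach(pc + 1, stack, locals_)
    return states
def check(code):  # None when `code` verifies, otherwise the verifier's error message
    try: verify(code)
    except VerifyError as e: return str(e)
# Constructed sample methods (not from the page): one well-typed, three that must be rejected.
GOOD = [("iconst", 1), ("istore", 0), ("iload", 0), ("ifeq", 8), ("iload", 0),
        ("iconst", 2), ("iadd", None), ("istore", 0), ("return", None)]
BAD_TYPE = [("aconst", None), ("astore", 0), ("iload", 0), ("return", None)]  # ref read as int
BAD_UNDERFLOW = [("iadd", None), ("return", None)]  # pops two ints from an empty stack
BAD_JUMP = [("goto", 5)]  # target outside the method
```

Because the type lattice is flat, a second arrival at the same pc with a different frame is simply rejected, which is what lets the verifier finish after examining each instruction once.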
Slide 16: Java
[Diagram: malcode.java --javac compiler--> malcode.class (JVML) --> Java Bytecode Verifier --> Invalid: STOP / Okay: JavaVM; labelled "Trusted Computing Base"]
Slide 17: Charge
- Next classes: understanding byte codes and the byte code verifier
- Start thinking about project ideas and teams
- Send team requests by email before 11am Friday