Secure Java packages: a proposal

[Twisted]

As security-conscious Java programmers surely know, package-private
access doesn't stop untrusted code having access -- anyone, including
Joe Cracker, can make a class and define it in *your* package.

But this could be changed. Here's how:

* A "closed package" would have a certain format to its name, such that
the name started with
a string that could be converted into a fairly large integer + check
digits and validated with
some sort of CRC check; then a dot and arbitrary further characters.
Any package name
meeting this description (i.e. the first word, dot-delimited, when
decoded in the appropriate
manner, passes its validation check) would be closed. The scheme
would be designed so that
ordinary words would not tend to pass the check (a rare but legal
identifier character, say,
might be always present). Accidentally creating closed packages would
therefore be easily
avoidable. The CRC check/whatever would serve this purpose, not a
security purpose.
* The VM would balk at loading any class defined in a closed package
unless it met an
authentication check.
* The authentication check would consist in extracting/obtaining a
signature chunk from/relating
to the class, decoding it using the integer obtained from the package
name above as a public
key, and comparing against a SHA-1 (or even stronger hash) of the
class.

Then no class would be loaded into a closed package that wasn't signed
by whoever named the package. Knowing the name of the package gives
someone only the public of a key-pair, so does not enable Joe Cracker
to introduce a hostile class thereto; altering an existing class binary
or recompiling from modified source would likewise change the hash and
invalidate the signature. The signature would prove, then, that *the
specific binary loaded* by the VM was authorized by the package "owner"
(whoever generated the key pair, and then the package name from the
public key of the pair), or at least knew the private key.

Note that the signature would not necessarily have to be part of the
..class file. It could be loaded off a Web site, authentication server,
or whatever seems appropriate. It could come from an untrusted source;
the worst they could do by altering/spoofing signatures without knowing
the private key is disable some classes in protected packages. This
might enable a denial of service attack, of course, so having multiple
and/or local signature info and accepting a class if you accept any
signature for it might make sense.

Runtime .class generation into, or alteration of classes in, closed
packages might need to be disallowed (VM balks), or limited to being
done by classes already in the package. Subpackages (i.e., given
package.this.that, foo.package.this.that) already don't have privileged
access to package private members, and so aren't a security risk here.

Of course, the proposed scheme would break the "com.foo.bar"
reversed-hostname package naming convention, but could be altered to
suit. Or we could dispense with that convention. I'm not a big fan of
it anyway, since it implicitly discriminates against anyone who can't
afford to pay a premium for their own personal domain name on top of
whatever they already pay for internet access (not to think of people
with NO NET ACCESS AT ALL) ... and therefore a lot of individual,
garage-band, and FOSS developers. (I don't know what a .com domain goes
for currently, but I do know it's a recurring fee rather than one-time,
and I also know that if it's so much as one red cent plus the need to
go out and sign up with a CC company to have a CC# to put in some Web
form somewhere so that the next CD Universe type event will expose me
to a risk of identity theft, then it is one red cent more than I am
willing to pay for the ability to follow this naming convention -- so
sue me.)

 

[Maru]

Is that really a concern? I thought we should be using the access
specifiers as a way to achive encapsulation and not to achieve
security. We could use other mechanisms for security (Like signed jars,
JAAS, etc...)
-Maru

 

[Adam Maass]

As security-conscious Java programmers surely know, package-private
access doesn't stop untrusted code having access -- anyone, including
Joe Cracker, can make a class and define it in *your* package.

But this could be changed.

This is what "sealed" jar files are for. It doesn't completely solve the
problem, though...

 

[Furious George]

This is what "sealed" jar files are for. It doesn't completely solve the
problem, though...

If you distribute your class files to others, then others can mix their
untrusted code with yours. The only solution to this problem is to not
distribute your class files.

 

[Twisted]

Trusted and untrusted code interoperating creates this concern, since
it may be possible for hostile code to corrupt an instance of a trusted
class if it has access to its less-public members...

After hearing that many compile-time-private members are
run-time-package-private (inner classes and anything they access, for
example) this seems even more potentially useful.

At the same time, AOP may mean all security models centred around
object encapsulation models go out the window. Anything AOP by
definition addresses "crosscutting concerns" and to do so must be able
to reach into and add new side effects to existing method calls and
such events. In so doing, it provides a potential route for an attacker
to inject hostile code (e.g. a backdoor), via a "backdoor aspect" say,
into a trusted class, no matter what its usual privileges.
Aspect-granularity security rather than class-granularity may be needed
(and nevermind the ancient, naive user-granularity, let alone
hunk-of-hardware granularity of grandpap's days!) ... One thing often
suggested as an application of AOP is actually to handle security as a
crosscutting concern, inserting security audits into running code at
certain sensitive points (say, whenever a "bankBalance" value gets
modified), and make a "security module" anyone can bolt onto production
code by putting a new class, dll, or whatever into a system. Of course,
this means Joe Attacker can put an "insecurity module" into production
code in the exact same way, providing a backdoor. Such an employee is
especially likely to become a disgruntled one in the near future, given
their attitude; and when they do ...

Of course, the solution to AOP-introduced security headaches is
probably to be found in AOP; it does seem generally to be the rule that
each new generation of <insert technology here> both causes new
problems and provides the tools to fix them. Industry makes carbon
emissions on, well, an industrial scale, but allows for sequestering it
on the same scale, for example. And of course, in the computer/data
security area, quantum computing threatens to blow the foundation (NP
!= P) out from under standard PKE and other cryptosystems, but then
there's this new thing called quantum encryption...

(Soon, I suppose, the physicists will discover evidence that all that
quantum weirdness and nonlocal, acausal stuff is just the result of the
universe being a) massively parallel and b) coded by someone who never
heard of "synchronized (this) {}". Then someone will find a way to hack
the virtual machine, someone else will use this to break quantum
encryption and create fearsome new weapons that act remotely without an
interceptable signal, and someone else still will realize that the same
ability enables them to communicate uninterceptibly and securely ...
hey, someone jog my memory, didn't greg bear write a story about
something like that once?)

 

[Twisted]

Jar files and packages are orthogonal. Package-private is the highest
level of privacy you can count on in the runtime environment. Secure
packages are needed to block mix-and-match attacks and the like.
Serialization also introduces headaches; some can be solved with
end-to-end encryption of object streams (whether objects are
time-shifted, e.g. saved to disk, space-shifted, e.g. sent over the
network, or both) but others require treating incoming objects as
potentially hostile, even if they are instances of a trusted class...

 

[Twisted]

Mix it, yes; get your own to do something against your will, less
easily, depending on how much access they have.

I suppose given some scenarios (such as the possibility of the VM being
hostile?) the only really surefire security is to centralize the most
mission-critical stuff on specific hardware, and make all sensitive
transactions go through that hardware, keep all private keys other than
individual user keys there, and password hashes, and ... -- control
that hardware physically (locked doors), encryption to/from it,
thorough audit of all code running on it, and so forth, and the damage
that can be done without compromising that hardware or the software
running on it may be limitable.

The other security ultimate is the polar opposite: hugely
decentralized, distributed systems nobody can completely kill or even
seriously fragment without dedicating a lot of resources. Like the
Internet itself, which runs almost wholly on untrusted code, and where
all the various people in positions of responsibility have vested, but
parochal, interests, and parochial access. I guess it's also like
democracy vs. police state -- which is squeaky clean and tidy, and
which actually runs smoothly and efficiently for a long time?
Ultimately, the only real security may be that had by not having all
one's eggs in one basket. The most robust systems have failover and
distributed networks in them, computerized or otherwise, rather than
being micromanaged in an attempt to make them never fail. Failure is
handled, even attacks, rather than any attempt being made to 100%
prevent them. Which may be considered a comment on things in general,
or on Bush and the Patriot Act and War on Terror, or on computers, or
Chinese censorship, or anything else you please, I guess.

 

[John C. Bollinger]

Jar files and packages are orthogonal.

No, not entirely. Perhaps you do not realize that Adam's suggestion of
a "sealed" jar file was a variant on existing technical terminology.
The Jar specification supports a feature called "package sealing", which
permits a jar creator to indicate to the VM that the only classes that
are permitted to be in a specified package are the ones contained in a
particular jar. As I recall, this is backed up by a digital signature
so that new or modified classes cannot be inserted.

You will note the broad similarities between this feature and your
suggested scheme.

 

[Twisted]

Hrm. "Sealed jar" just implies, to me, that the jar is rejected if it
hasn't got a published md5sum or something, indicating that someone's
changed, added, or removed something from the "official" version.
Archive signing is a common security measure but not especially strong
on its own, since it doesn't stop something not in the archive being
bad, or badness that somehow got in before the signing. (Bugs; or the
vendor of some classes is hostile.) Seems my proto-specification would
be a bit more flexible than what you describe, since it dispenses with
the artificial requirement to stuff everything into an archive, and
does allow for extension *by authorized persons* in the future.

 

[Morten Alver]

(Soon, I suppose, the physicists will discover evidence that all that
quantum weirdness and nonlocal, acausal stuff is just the result of the
universe being a) massively parallel and b) coded by someone who never
heard of "synchronized (this) {}". Then someone will find a way to hack
the virtual machine, someone else will use this to break quantum
encryption and create fearsome new weapons that act remotely without an
interceptable signal, and someone else still will realize that the same
ability enables them to communicate uninterceptibly and securely ...
hey, someone jog my memory, didn't greg bear write a story about
something like that once?)

Maybe you're thinking of "Moving Mars"? I'm sure I thought of that one
before seeing that your mentioned Greg Bear. Great book, by the way.

 

[Twisted]

think you're right Morten...

 

[Owen Jacobson]

Hrm. "Sealed jar" just implies, to me, that the jar is rejected if it
hasn't got a published md5sum or something, indicating that someone's
changed, added, or removed something from the "official" version.

That's nice, but it's wrong. "Sealed" has a meaning for JAR files defined
in the JAR specification:

<http://java.sun.com/j2se/1.5.0/docs/guide/jar/jar.html#Per-Entry Attributes>

(well, right above there, actually)

Admittedly, the JAR file speficiation is a little light on details of what
"Sealed" means, but take it that the guy you replied to (and didn't quote!
tsk.) is correct.[0]

The feature you're thinking of is a signed JAR.

HTH,
Owen

[0] Where IS the meaning of sealed defined? It's not anywhere in the API
docs for java.util.jar or java.lang.ClassLoader or java.lang.Package.

 

[Twisted]

There's no need to be insulting.

 

[Chris Uppal]

Where IS the meaning of sealed defined? It's not anywhere in the API
docs for java.util.jar or java.lang.ClassLoader or java.lang.Package.

Come to that, who's responsible for implementing the checks ? If I write a
classloader, am I supposed to duplicate a load of underspecified security
checks ?

-- chris

 

[Furious George]

Come to that, who's responsible for implementing the checks ? If I write a
classloader, am I supposed to duplicate a load of underspecified security
checks ?

That is an excellent point. Twisted can implement his/her own
classloader which incorporates the proposal. If it is really needed,
people will beat a path to Twisted's door.

 

[Thomas Hawtin]

Come to that, who's responsible for implementing the checks ? If I write a
classloader, am I supposed to duplicate a load of underspecified security
checks ?

Yes. See the source code URLClassLoader.java. And then look at the
nested class that handles checkPackageAccess as well (stops linking to
sun.*, coms.sun.deploy.*, etc).

Tom Hawtin

 

[Adam Maass]

That's nice, but it's wrong. "Sealed" has a meaning for JAR files defined
in the JAR specification:


<http://java.sun.com/j2se/1.5.0/docs/guide/jar/jar.html#Per-Entry Attributes>

(well, right above there, actually)

Try this:

http://java.sun.com/j2se/1.5.0/docs/guide/extensions/spec.html#sealing

-- Adam Maass

 

[Chris Uppal]

Thomas Hawtin wrote:

[me:]

Yes. See the source code URLClassLoader.java. And then look at the
nested class that handles checkPackageAccess as well (stops linking to
sun.*, coms.sun.deploy.*, etc).

Ah yes. That good old security technique: voluntary co-operation:

"Will all trespassers please report to security before entering."

Oh well, it's useful for something, I suppose...

-- chris