• Authenticity, Integrity and Confidentiality of Objects:
  • Objects are serialized for many different reasons in many different kinds of applications
  • When deserializing it is often necessary to ensure the authenticity/integrity and/or confidentiality of the object
• Object-Level Access Control:
  • The Java security architecture provides a mechanism for access control but focuses on system resources
  • When using an object it is often necessary to control access to its methods at runtime

• The Need:
  • Ensure the source of an object
  • Ensure that the object's state hasn't been changed
• An "Obvious" Solution:
  • Use a digital signature

• SignedObject :
  • A signed, deep copy of an object (in serialized form)
• Methods:
  • public SignedObject(Serializable, PrivateKey, Signature)
  • public Object getObject()
  • public boolean verify(PublicKey, Signature)

Steps to Create a SignedObject:

1. Create a PrivateKey/PublicKey pair
2. Create a Signature (which is essentially just a hashing algorithm)
3. Create the SignedObject

Steps to Retrieve a SignedObject:

1. Get the PublicKey
2. Get/create the Signature
3. Verify the SignedObject
4. Get the original Object

• An Observation:
  • getObject() returns an Object which must be typecast
• A Better Approach:
  • Specialize the SignedObject class and create a method that returns an object of appropriate type
  • Perhaps use the Proxy Pattern (i.e., have the specialization of SignedObject implement the same interface as the original class)
• Note:
  • The verify() method in the SignedObject class is declared to be final so that it isn't vulnerable to specialization vulnerabilities

• Don't Get Confused:
  • Though the process is similar, signing objects is very different from signing code (e.g., signing .jar files)
• Signing Code:
  • Ensures the authenticity and integrity of the byte code (i.e., the instructions to be executed)
• Signing Objects:
  • Ensures the authenticity and integrity of the state of an individual object

• The Need:
  • Ensure that the state of an object can't be accessed
• An "Obvious" Solution:
  • Use encryption

• SealedObject :
  • An encrypted, deep copy of an object (in serialized form)
• Methods:
  • public SealedObject(Serializable, Cipher)
  • public Object getObject(Cipher)

Steps to Create a SealedObject:

1. Create and initialize a Cipher
2. Create the SealedObject

Steps to Retrieve a SealedObject:

1. Create and initialize a Cipher
2. Get the original Object

• An Observation:
  • getObject() returns an Object which must be typecast
• A Better Approach:
  • Specialize the SealedObject class and create a method that returns an object of appropriate type
  • Perhaps use the Proxy Pattern (i.e., have the specialization of SealedObject implement the same interface as the original class)
• Note:
  • The getObject() method in the SealedObject class is declared to be final so that it isn't vulnerable to specialization vulnerabilities

• The Idea:
  • Decorate the ObjectInputStream and ObjectOutputStream so that they provide the necessary security
• The Difference:
  • A "third party" is responsible for providing the necessary security, rather than the object itself

• The Need:
  • Provide dynamic access to an object's members at runtime
• An "Obvious" Solution:
  • Use the Proxy Pattern

• The Participants:
  • The Guard interface
  • The GuardedObject class
• Guard:
  • void checkGuard(Object) throws SecurityException
• GuardedObject:
  • GuardedObject(Object, Guard)
  • Object getObject() throws SecurityException

• A Convenience:
  • The Permission class implements the Guard interface
• The Implication:
  • All permissions defined in the SDK can be used as guards