- Forward


Securing Java Objects
An Introduction


Prof. David Bernstein
James Madison University

Computer Science Department
bernstdh@jmu.edu

Print

Overview
Back SMYC Forward
  • Authenticity, Integrity and Confidentiality of Objects:
    • Objects are serialized for many different reasons in many different kinds of applications
    • When deserializing it is often necessary to ensure the authenticity/integrity and/or confidentiality of the object
  • Object-Level Access Control:
    • The Java security architecture provides a mechanism for access control but focuses on system resources
    • When using an object it is often necessary to control access to its methods at runtime
Object Authenticity and Integrity
Back SMYC Forward
  • The Need:
    • Ensure the source of an object
    • Ensure that the object's state hasn't been changed
  • An "Obvious" Solution:
    • Use a digital signature
Object Authenticity and Integrity (cont.)
Back SMYC Forward
  • SignedObject :
    • A signed, deep copy of an object (in serialized form)
  • Methods:
    • public SignedObject(Serializable, PrivateKey, Signature)
    • public Object getObject()
    • public boolean verify(PublicKey, Signature)
Object Authenticity and Integrity (cont.)
Back SMYC Forward

Steps to Create a SignedObject:

  1. Create a PrivateKey/PublicKey pair
  2. Create a Signature (which is essentially just a hashing algorithm)
  3. Create the SignedObject

Steps to Retrieve a SignedObject:

  1. Get the PublicKey
  2. Get/create the Signature
  3. Verify the SignedObject
  4. Get the original Object
Object Authenticity and Integrity (cont.)
Back SMYC Forward
  • An Observation:
    • getObject() returns an Object which must be typecast
  • A Better Approach:
    • Specialize the SignedObject class and create a method that returns an object of appropriate type
    • Perhaps use the Proxy Pattern (i.e., have the specialization of SignedObject implement the same interface as the original class)
  • Note:
    • The verify() method in the SignedObject class is declared to be final so that it isn't vulnerable to specialization vulnerabilities
Object Authenticity and Integrity (cont.)
Back SMYC Forward
  • Don't Get Confused:
    • Though the process is similar, signing objects is very different from signing code (e.g., signing .jar files)
  • Signing Code:
    • Ensures the authenticity and integrity of the byte code (i.e., the instructions to be executed)
  • Signing Objects:
    • Ensures the authenticity and integrity of the state of an individual object
Object Confidentiality
Back SMYC Forward
  • The Need:
    • Ensure that the state of an object can't be accessed
  • An "Obvious" Solution:
    • Use encryption
Object Confidentiality (cont.)
Back SMYC Forward
  • SealedObject :
    • An encrypted, deep copy of an object (in serialized form)
  • Methods:
    • public SealedObject(Serializable, Cipher)
    • public Object getObject(Cipher)
Object Confidentiality (cont.)
Back SMYC Forward

Steps to Create a SealedObject:

  1. Create and initialize a Cipher
  2. Create the SealedObject

Steps to Retrieve a SealedObject:

  1. Create and initialize a Cipher
  2. Get the original Object
Object Confidentiality (cont.)
Back SMYC Forward
  • An Observation:
    • getObject() returns an Object which must be typecast
  • A Better Approach:
    • Specialize the SealedObject class and create a method that returns an object of appropriate type
    • Perhaps use the Proxy Pattern (i.e., have the specialization of SealedObject implement the same interface as the original class)
  • Note:
    • The getObject() method in the SealedObject class is declared to be final so that it isn't vulnerable to specialization vulnerabilities
An Alternative Approach
Back SMYC Forward
  • The Idea:
    • Decorate the ObjectInputStream and ObjectOutputStream so that they provide the necessary security
  • The Difference:
    • A "third party" is responsible for providing the necessary security, rather than the object itself
Object-Level Access Control
Back SMYC Forward
  • The Need:
    • Provide dynamic access to an object's members at runtime
  • An "Obvious" Solution:
    • Use the Proxy Pattern
Object-Level Access Control (cont.)
Back SMYC Forward
  • The Participants:
    • The Guard interface
    • The GuardedObject class
  • Guard:
    • void checkGuard(Object) throws SecurityException
  • GuardedObject:
    • GuardedObject(Object, Guard)
    • Object getObject() throws SecurityException
Object-Level Access Control (cont.)
Back SMYC Forward
  • A Convenience:
    • The Permission class implements the Guard interface
  • The Implication:
    • All permissions defined in the SDK can be used as guards
Object-Level Access Control (cont.)
Back SMYC Forward

Creating a Guarded Object

String filename = "/data/grades.txt" FileInputStream input = new FileInputStream(filename); FilePermission permission = new FilePermission(filename, "read"); GuardedObject guardedInput = new GuardedObject(input, permission);

Using the Guarded Object in Another Class

// If the object doesn't have read access to the file then the // call will cause a SecurityException to be thrown FileInputStream input = (FileInputStream)guardedInput.getObject();
There's Always More to Learn
Back -