Part 1: Java security foundation - virtual machine and bytecode security
Introduction: Safety issues are very important for many people. From its history, Java security mainly means that virtual machines and bytecode are safe. However, this view ignores two important aspects - the app and
cyber security. In a series of articles, Todd Sundsted explained Java virtual machine security, application security, network security, explains what measures should be taken to fully consolidate your Java security. In this first part, he explained to us the basics of Java security: virtual machine and bytecode security.
"It seems that no one has been dismissed because of unsafe Java code." This sentence is my revised version of the popularity "no one has been dismissed by IBM". Those who are more concerned about network speeds and those who are more interested in adding more value items to resumes often commit safety issues.
Let's take another worrying phenomenon: When I talk about security issues with managers and engineers, I often find that they have some misunderstandings about their behavior. They don't have to consider security issues, because "Java itself is equal to Safety". Under the guidance of such misconceptions, engineers don't consider the following three security issues: virtual machine security, application security, network security.
In the following series of articles, I will try my best to correct this error. Next, I will discuss Java security on the three issues, and how to steal the general security issues. In addition, I will introduce some ways to create a secure application.
· Three security issues:
When Java's initial appearance, developers, researchers, and news media circles have a sharp response. In the morning, Java security means the security of the bytecode and the virtual machine security. Since Java's past is mainly used as a small application development language downloaded to the local execution, the security and execution environment of downloading the code is an important thing. Safety in this case means properly installing the loader and security manager and verifying the downloaded code.
In the few years of developing C / C programs before, I have never worried that the virtual machine security problem - this problem is completely centered on the center of Java. Talking about security issues, I am worried that I always have an application vulnerability or an execution of the process or system security. In the C domain, security includes restricting the "setuid" code range (in the UNIX environment, the setuid code is running as another user process - typical case is superuser) and strive to avoid buffer and other types of stack problems. .
The introduction of distributed applications has brought other problems. As indicated by its name, the distributed program consists of multiple parts, and each part resides on its own machine and communicates with other parts of the public network. A web application is a typical list. Security in the network means signing, authorization, application component, encrypted communication pipe, etc.
Many developers are unclear that the above aspects is different, and as Java is safe at the virtual machine, the entire application is safe. I hope to change this idea. Let's start to discuss Java virtual machine security.
· Safety foundation: virtual machine security
Virtual machine security, has always been the focus of developers for a long time, almost until now there is still no results.
I initially interested in discussing virtual machine security is before turning to applications and network security. I decided to give it the same fair time as the other two parts. For two reasons: First, excellent programming materials have included a large number of vulnerabilities found in the past six years, many security issues span me Three aspects to be discussed. In order to thorough understanding, you must be fully familiar with three aspects, including Java virtual machine security.
If you check the various security issues found in the past 6 years (see http://www.javaworld.com/javaworld/jw-06-2001/jw-0615-howto.html#resources official list), you will find them It is divided into a series of directories. In terms of the virtual machine security concerned, the most important security vulnerabilities are expanded around the bytecode that is not verified and may illegal and the Java type system is destroyed. In actual development, both are often associated with unfair verified code
In JVM through the network
When downloading class code on the server, it has no way to know if these bytecodes can be implemented. The secure byte code never indicates that the virtual machine is unmuntered and invalid when the Java is running.
Typically, the Java compiler ensures that the bytecode in the created class file is safe. However, you can also manually write the Java compiler that is not allowed. The Java Verifier checks all bytecodes in a series of very imagined methods and verifies those unregulated code. Once the verification is complete, JVM knows that the program code is safe - as long as the verifier works normally.
Let's take a look at a list to better understand the role played by the checkor.
Consider the following class:
Public Class Test1
{
Public static void main (String [] ARSTRING)
{
Float a = new float (56.78);
Integer b = new integer (1234);
System.out.println (a.tostring ());
}
}
When you write it and run, the program will print out the string "56.78" to the screen. This is a floating point variable allocated in the class. We are about to modify a code, deceive the virtual machine to activate the toString () method in the integer variable rather than floating-point variables (you can download and modify the source from the URL http://www.javaworld.com/javaworld/jw- 06-2001 / JW-0615-HOWTO.HTML # resources).
Let's take a look at the output of this paragraph after-compiled code:
Method void main (java.lang.string [])
0 new # 3
3 dup
4 LDC2_W # 13
7 InvokeSpecial # 8
10 ASTORE_1
11 new # 4
14 Dup
15 SIPUSH 1234
18 InvokeSpecial # 9
21 ASTORE_2
22 getStatic # 10
25 ALOAD_1
26 Invokevirtual # 12
29 Invokevirtual # 11
32 return
The above code contains the anti-compilation output of the main () function. At the address offset 25 of this method, the virtual machine is loaded with a reference to the floating point variable created at 0 to 10. This is where we want to modify.
Below is the revised anti-compile code:
Method void main (java.lang.string [])
0 new # 3
3 dup
4 LDC2_W # 13
7 InvokeSpecial # 8
10 ASTORE_1
11 new # 4
14 Dup
15 SIPUSH 1234
18 InvokeSpecial # 9
21 ASTORE_2
22 getStatic # 10
25 ALOAD_2
26 Invokevirtual # 12
29 Invokevirtual # 11
32 return
This class is exactly the same as the bytecode at the offset 25, which is an integer variable.
Note that the modified code is still safe, which means that the JVM will still execute the code without crash or isolate the error code. However, the verifier still distinguishes these changes. In my system, when I run this code, there is an error: Exception in thread "main" java.lang.verifyerror:
(Class: Test1, Method: Main Signature: ([ljava / lang / string;) V)
INCOMPATIBLE Object Argument for Function Call
If you turn off the verifier or you find a virtual machine vulnerability and pass the checkler's inspection, the illegal code will start. Execute the following command, I receive the value: 1234 - integer variable value.
Java -Noverify Test1
There are no big damage to this list, but potential hazards are inexpensive. The above techniques are linked to the virtual machine vulnerability, resulting in executive code that is not checked, then this will cause serious type of chaos.
· Type chaos
Type concept is a bitter to Java programming languages. Each value is associated with the same type. JVM is the type of value to determine what kind of operation can work on what kind of value.
The type of program is critical to virtual machine security. A macro, unspecified code-activated type confusion attack will try to let JVM believe that the memory block that is a class of columns is indeed another class, and attacks. If the attack is successful, the program will operate in a designer unexpectedly. This kind of attack is called "type confusion attack" because the virtual machine has no customary class.
If the class has been fully verified, "Type Confusion Attack" will not happen. In the second list above, the verifier captures this attempt and throws an exception. That is, security is guaranteed as long as the verifier is not closed or bypass.
Fortunately, the last vulnerability I worried about the Java bytecode checkor was found in the end of 1999. Based on this fact, you may think that you will not fall in danger, however, this is too negligent.
Although there are fewer loopholes, there is still a sufficient opportunity to leave the code mixed. Remember, you can manually turn off the verboator test. In the next article, I list three major Java programs to turn off the checker in what kind of environment. One of the programs has an important RMI (remote method call) component (such as you will learn later, RMI allows classes to load into the program over the network and let your program out of control). If you can avoid this, don't turn off the verifier verification.
JVM security is a very important aspect of the Java security system. The discussion of these unfounded code and type confusion will help you understand why. For download code and type, there is no appropriate verification guarantee, security computing will become an empty talk.
Next time, we will explore the Java security in another: application security.
