Securing Java Objects

Securing Java Objects
An Introduction

Prof. David Bernstein
James Madison University

Computer Science Department

bernstdh@jmu.edu

Overview

Authenticity, Integrity and Confidentiality of Objects:
- Objects are serialized for many different reasons in many different kinds of applications
- When deserializing it is often necessary to ensure the authenticity/integrity and/or confidentiality of the object
Object-Level Access Control:
- The Java security architecture provides a mechanism for access control but focuses on system resources
- When using an object it is often necessary to control access to its methods at runtime

Object Authenticity and Integrity

The Need:
- Ensure the source of an object
- Ensure that the object's state hasn't been changed
An "Obvious" Solution:
- Use a digital signature

Object Authenticity and Integrity (cont.)

SignedObject :
- A signed, deep copy of an object (in serialized form)
Methods:
- public SignedObject(Serializable, PrivateKey, Signature)
- public Object getObject()
- public boolean verify(PublicKey, Signature)

Object Authenticity and Integrity (cont.)

Steps to Create a SignedObject:

Create a PrivateKey/PublicKey pair
Create a Signature (which is essentially just a hashing algorithm)
Create the SignedObject

Steps to Retrieve a SignedObject:

Get the PublicKey
Get/create the Signature
Verify the SignedObject
Get the original Object

Object Authenticity and Integrity (cont.)

An Observation:
- getObject() returns an Object which must be typecast
A Better Approach:
- Specialize the SignedObject class and create a method that returns an object of appropriate type
- Perhaps use the Proxy Pattern (i.e., have the specialization of SignedObject implement the same interface as the original class)
Note:
- The verify() method in the SignedObject class is declared to be final so that it isn't vulnerable to specialization vulnerabilities

Object Authenticity and Integrity (cont.)

Don't Get Confused:
- Though the process is similar, signing objects is very different from signing code (e.g., signing .jar files)
Signing Code:
- Ensures the authenticity and integrity of the byte code (i.e., the instructions to be executed)
Signing Objects:
- Ensures the authenticity and integrity of the state of an individual object

Object Confidentiality

The Need:
- Ensure that the state of an object can't be accessed
An "Obvious" Solution:
- Use encryption

Object Confidentiality (cont.)

SealedObject :
- An encrypted, deep copy of an object (in serialized form)
Methods:
- public SealedObject(Serializable, Cipher)
- public Object getObject(Cipher)

Object Confidentiality (cont.)

Steps to Create a SealedObject:

Create and initialize a Cipher
Create the SealedObject

Steps to Retrieve a SealedObject:

Create and initialize a Cipher
Get the original Object

Object Confidentiality (cont.)

An Observation:
- getObject() returns an Object which must be typecast
A Better Approach:
- Specialize the SealedObject class and create a method that returns an object of appropriate type
- Perhaps use the Proxy Pattern (i.e., have the specialization of SealedObject implement the same interface as the original class)
Note:
- The getObject() method in the SealedObject class is declared to be final so that it isn't vulnerable to specialization vulnerabilities

An Alternative Approach

The Idea:
- Decorate the ObjectInputStream and ObjectOutputStream so that they provide the necessary security
The Difference:
- A "third party" is responsible for providing the necessary security, rather than the object itself

Object-Level Access Control

The Need:
- Provide dynamic access to an object's members at runtime
An "Obvious" Solution:
- Use the Proxy Pattern

Object-Level Access Control (cont.)

The Participants:
- The Guard interface
- The GuardedObject class
Guard:
- void checkGuard(Object) throws SecurityException
GuardedObject:
- GuardedObject(Object, Guard)
- Object getObject() throws SecurityException

Object-Level Access Control (cont.)

A Convenience:
- The Permission class implements the Guard interface
The Implication:
- All permissions defined in the SDK can be used as guards

Object-Level Access Control (cont.)

Creating a Guarded Object

  String          filename = "/data/grades.txt"
  FileInputStream input = new FileInputStream(filename);
  FilePermission  permission = new FilePermission(filename, "read");
  GuardedObject   guardedInput = new GuardedObject(input, permission);

Using the Guarded Object in Another Class

  // If the object doesn't have read access to the file then the
  // call will cause a SecurityException to be thrown
  FileInputStream input = (FileInputStream)guardedInput.getObject();