SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 90

changes.mady.by.user Shannon Haas

Saved on

compared with

New Version 91

changes.mady.by.user Shannon Haas

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 4.0

Java uses code signing as a requirement for granting elevated privileges to code. Many security policies permit signed code to operate with elevated privileges. For example, Java applets can escape the default sandbox restrictions when signed. Consequently, users can grant explicit permissions either to a particular code base or to all code signed by a particular signer. This approach places control of security in the hands of the user, who can choose whether to run an application with full or restricted permissions.

Wiki MarkupSigning code, however, has its own problems. According to Schneier \ [[Schneier 2000|AA. References#Schneier 00]\]

First, users have no idea how to decide if a particular signer is trusted or not. Second, just because a component is signed doesn't mean that it is safe. Third, just because two components are individually signed does not mean that using them together is safe; lots of accidental harmful interactions can be exploited. Fourth, "safe" is not an all-or-nothing thing; there are degrees of safety. And fifth, the fact that the evidence of attack (the signature on the code) is stored on the computer under attack is mostly useless: The attacker could delete or modify the signature during the attack, or simply reformat the drive where the signature is stored.

...

Detecting code that should be considered privileged or sensitive requires programmer assistance. Given identified privileged code as a starting point, automated tools could compute the closure of all code that can be invoked from that point. Such a tool could plausibly determine whether a body of signed code both includes that entire closure and excludes all other code.

Related Guidelines

...

[ISO/IEC TR 24772:2010http://www.aitcnet.org/isai/]

Adherence to least privilege [XYN] ]] ></ac:plain-text-body></ac:structured-macro>

Bibliography

...

[[Dormann 2008AA. References#Dormann 08]]

 

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="f31581e3-27bb-4754-be0a-2ae3a171eb3f"><ac:plain-text-body><![CDATA[

[[McGraw 1999AA. References#McGraw 99] ]

Appendix C, Sign Only Privileged Code

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="c73cce23-99b1-48b3-80c7-c18db8c59330"><ac:plain-text-body><![CDATA[

[[Schneier 2000AA. References#Schneier 00]]

 ]]></ac:plain-text-body></ac:structured-macro>

...

15. Runtime Environment (ENV)      15. Runtime Environment (ENV)