| Wiki Markup |
|---|
Software vulnerability reports and reports of software exploitations continue to grow at an alarming rate, and a significant number of these reports result in technical security alerts. To address this growing threat to the government, corporations, educational institutions, and individuals, systems must be developed that are free of software vulnerabilities. Coding errors cause the majority of software vulnerabilities. For example, 64 percent of the nearly 2,500 vulnerabilities in the National Vulnerability Database in 2004 were caused by programming errors \[[Heffley 2004|AA. Bibliography#Heffley 2004]\]. |
The remainder of this chapter describes misuse cases under which Java programs might be exploited, and examples of guidelines which mitigate against these attacks. Not all of the rules apply to all Java language programs; frequently their applicability depend upon how the software is deployed and your assumptions concerning trust.
...
| Wiki Markup |
|---|
The term capability was introduced by Dennis and Van Horn \[[Dennis 1966|AA. Bibliography#Dennis 1966]\]. The basic idea is that for a program to access an object it must have a special token. This token designates an object and gives the program the authority to perform a specific set of actions (such as reading or writing) on that object. Such a token is known as a capability. |
| Wiki Markup |
|---|
In an object-capability language, all program state is contained in objects that cannot be read or written without a reference, which serves as an unforgeable capability. All external resources are also represented as objects. Objects encapsulate their internal state, providing reference holders access only through prescribed interfaces \[[Mettler 2010A|AA. Bibliography#Mettler 2010A]\]. |
| Wiki Markup |
|---|
Because of Javaâs {{==}} operator, which tests pointer equality, every object has an unforgeable identity in addition to its contents. Identity tests mean that any object can be used as a token, serving as an unforgeable proof of authorization to perform some action \[[Mettler 2010B|AA. Bibliography#Mettler 2010B]\]. |
| Wiki Markup |
|---|
Authority is embodied by object references, which serve as capabilities. Authority refers to any effects that running code can have other than to perform side-effect-free computations. Authority includes not only effects on external resources such as files or network sockets, but also on mutable data structures that are shared with other parts of the program \[[Mettler 2010 2010B|AA. Bibliography#Mettler 2010B]\]. |
Some rules that involve capabilities include:
...
This guideline is of greater concern for persistent, server-type systems than for desktop applications. Checking inputs for excessive resource consumption may be unjustified for client software that expects the user to handle resource-related problems. Even for client software, however, should check for inputs that could cause persistent denial of service, such as filling up the file system.
The Secure Coding Guidelines for the Java Programming Language SCG 2009 lists some examples of possible attacks:
...
An example of a rule for preventing denial of service attacks resulting from resource exhaustion include IDS22-J. Limit the size of files passed to ZipInputStream.
References
| Wiki Markup |
|---|
\[Dennis 1966\] Jack B. Dennis and Earl C. Van Horn. 1966. Programming semantics for multiprogrammed computations. Commun. ACM 9, 3 (March 1966), 143-155. DOI=10.1145/365230.365252 [http://doi.acm.org/10.1145/365230.365252] |
Mettler Adrian Mettler, David Wagner, Tyler Close. Joe-E: A Security-Oriented Subset of Java
| Wiki Markup |
|---|
\[Mettler 2010\] Adrian Mettler and David Wagner. 2010. Class properties for security review in an object-capability subset of Java: (short paper). In Proceedings of the 5th ACM SIGPLAN Workshop on Programming Languages and Analysis for Security (PLAS '10). ACM, New York, NY, USA, , Article 7 , 7 pages. DOI=10.1145/1814217.1814224 http://doi.acm.org/10.1145/1814217.1814224 |
...