Software vulnerability reports and reports of software exploitations continue to grow at an alarming rate, and a significant number of these reports result in technical security alerts. To address this growing threat to the government, corporations, educational institutions, and individuals, systems must be developed that are free of software vulnerabilities must be developed.
Coding errors cause the majority of software vulnerabilities. For example, 64 percent of the nearly 2,500 vulnerabilities in the National Vulnerability Database in 2004 were caused by programming errors \ [[Heffley 2004|AA. Bibliography#Heffley 2004]\]. Wiki Markup
Java is a relatively secure language: there is . It has no explicit pointer manipulation; array and string bounds are automatically checked; attempts at referencing a null pointer are trapped; the arithmetic operations are well defined and platform independent, as are the type conversions. The built-in bytecode verifier ensures that these checks are always in place. Moreover, there are Java provides comprehensive, fine-grained security mechanisms available in Java that can control access to individual files, sockets, and other sensitive resources. To take advantage of the security mechanisms, the Java Virtual Machine (JVM) must have a security manager in place. This is an ordinary Java object of class java.lang.SecurityManager
(or a subclass) that can be put in place programmatically but is more usually specified via a command line parameter.unmigrated-wiki-markupJava is believed to be a type-safe language \[[LSOD 02|AA. Bibliography#LSOD 02]\]. For that reason, it should not be possible to compromise
a Java program by misusing the type system. To see why type safety is so important, consider the following types:
Code Block |
---|
public class TowerOfLondon {
private Treasure theCrownJewels;
...
}
public class GarageSale {
public Treasure myCostumeJewerly;
...
}
|
Wiki Markup |
---|
If these two types could be confused, it would be possible to access the private field {{theCrownJewels}} as if it were the public field {{myCostumeJewerly}}. More generally, a _type confusion attack_ could allow Java security to be compromised by making the internals of the security manager open to abuse. A team of researchers at Princeton University showed that any type confusion in Java could be used to completely overcome Javaâs security mechanisms (see Securing Java Ch. 5, Sec. 7 \[[McGraw 1999|AA. Bibliography#McGraw 1999]\]). |
Javaâs type safety means that fields that are declared private or protected or that have default (package) protection should not be globally accessible. However, there are a number of vulnerabilities âbuilt inâ to Java that enable this protection to be overcome. These should come as no surprise to the Java expert, as they are well documented, but they may trap the unwary.
A field that is declared public may be directly accessed by any part of a Java program and may be modified from anywhere in a Java program (unless the field is declared final). Clearly, sensitive information must not be stored in a public field, as it could be compromised by anyone who could access the JVM running the program.
There are, however, ways in which Java program safety can be compromised. The remainder of this chapter describes misuse use cases under which Java programs might be exploited , and examples of guidelines which rules that mitigate against these attacks. Not all of the rules apply to all Java language programs; frequently, their applicability depend upon depends on how the software is deployed and your assumptions concerning trust.
Input Validation and Data Sanitization
Leaking CapabilitiesSensitive Data
Leaking Sensitive DataCapabilities
...