Applet Security
Team Web
Charles Moen and XiaoJun Zhang
CSCI 5931.01 Web Security
March 26, 2003

Topics
- The Sandbox
- Stepping Outside the Sandbox
- Applets & the Policy File
- RSA-Signed Applets
- The Java Plug-in
- Signed Applets in Netscape
- Signed Applets in MS Internet Explorer
- Secure JDBC Connection for Applets

Java 2 Security Model
- Policy-based
  - Security policy limits the resources a program can use
  - java.policy
- Permissions
  - Actions that are allowed

The Sandbox
[Diagram. Labels: Memory, Operating System, Local Code, Java Virtual Machine, Sandbox, Applet, HTTP, Server, Client]

Stepping Outside the Sandbox
- Many reasons for stepping outside the sandbox
- Java 2 Security Model: two methods
  - The client can grant permissions by editing the policy file, java.policy
  - The developer can use an RSA-signed applet that can be granted or denied permission by the client

Stepping Outside the Sandbox in Java 2: The Policy File
[Diagram. Labels: Memory, java.policy (grant … SocketPermission; FilePermission;), Edit, Operating System, Local Code, Java Virtual Machine, SocketPermission, FilePermission, Policy, Applet, HTTP, Server, Client]

Stepping Outside the Sandbox in Java 2: RSA-Signed Applets
[Diagram. Labels: Memory, Operating System, Local Code, Java Virtual Machine, JAR, Applet, Signs a JAR file with RSA, HTTP, Server, Client, Verifies the signer, Certificate Authority]

The Java Plug-in
- Downloadable helper program that works with a browser
  - Consistent runtime environment for Java
  - Supports all Java functions
  - Can be called instead of the browser’s VM
- Introduced with Java 2
  - Part of JDK and JRE
  - Downloaded the first time it is needed by browser

The Java Plug-in
- Advantages
  - Consistency across browsers
  - Java capabilities provided to old browsers
  - Same security model as Java 2
    - Major browsers had different security models
    - Differences require different development
- Weakness
  - Huge download: 5 to 6 MB

Example 1: Applets & the Policy File
- Stepping out of the sandbox, method 1
- Create an applet, Java Security, p. 205

    public void init() {
        try {
            mUsername = System.getProperty("user.name");
        } catch (SecurityException e) {
            mUsername = null;
        }
    }

    <APPLET CODE="UsernameApplet.class" WIDTH="300" HEIGHT="200"></APPLET>

Example 1: Applets & the Policy File

    C:\> appletviewer UsernameApplet.html

Example 1: Applets & the Policy File
- Use a policy file: UsernameApplet.policy

    grant codeBase "file:${/}devJava${/}*" {
        permission java.util.PropertyPermission "user.name", "read";
    };

    appletviewer -J-Djava.security.policy=UsernameApplet.policy UsernameApplet.html

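An added example (not from the slides or the book) that evaluates how far the grant above reaches: a codeBase ending in "/*" covers class and JAR files directly in that directory but not in subdirectories, and the PropertyPermission covers one property and one action. It assumes ${/} expands to "/", the locations and requests are constructed samples, and it only evaluates the matching rules with CodeSource.implies and Permissions.implies without installing a security manager.

```java
import java.net.URI;
import java.security.CodeSource;
import java.security.Permissions;
import java.security.cert.Certificate;
import java.util.PropertyPermission;

public class PolicyGrantScope {
    // Assumption: ${/} in the slide's codeBase is expanded to "/".
    static final String GRANT_CODEBASE = "file:/devJava/*";

    static CodeSource source(String url) throws Exception {
        // The cast selects the (URL, Certificate[]) constructor; null means unsigned code.
        return new CodeSource(URI.create(url).toURL(), (Certificate[]) null);
    }

    // True when code loaded from codeLocation falls under the grant's codeBase.
    static boolean codeBaseCovers(String grantCodeBase, String codeLocation) throws Exception {
        return source(grantCodeBase).implies(source(codeLocation));
    }

    // The single permission listed in the grant entry.
    static Permissions granted() {
        Permissions p = new Permissions();
        p.add(new PropertyPermission("user.name", "read"));
        return p;
    }

    public static void main(String[] args) throws Exception {
        String[] locations = {                      // constructed sample locations
            "file:/devJava/UsernameApplet.class",   // class file directly in devJava
            "file:/devJava/UsernameApplet.jar",     // JAR in the same directory
            "file:/devJava/sub/Other.class",        // one directory deeper
            "file:/tmp/UsernameApplet.class"        // different directory
        };
        for (String loc : locations) {
            System.out.println(loc + " -> " + codeBaseCovers(GRANT_CODEBASE, loc));
        }
        PropertyPermission[] requests = {           // constructed sample requests
            new PropertyPermission("user.name", "read"),    // exactly what the grant lists
            new PropertyPermission("user.name", "write"),   // same property, other action
            new PropertyPermission("user.home", "read"),    // other property
            new PropertyPermission("user.*", "read")        // wildcard wider than the grant
        };
        Permissions p = granted();
        for (PropertyPermission r : requests) {
            System.out.println(r.getName() + " " + r.getActions() + " -> " + p.implies(r));
        }
    }
}
```
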
Running Example 1 in a Browser
1. Change APPLET to OBJECT
   - APPLET is deprecated
   - Specify codebase for downloading plug-in
   - Use HTMLConverter
2. Edit java.policy
   - Grant permission, like in our example

1. Change APPLET to OBJECT
- HTMLConverter
  - Bundled in J2SE SDK (error on p. 206)
  - http://java.sun.com/j2se/1.4.1/docs/guide/plugin/developer_guide/faq/developer.html
  - Either command line or GUI

        > java HTMLConverter <the html file>

  - Result on page 207
    - For IE, converts to OBJECT element
    - For NS, converts to EMBED element

    C:\jdk1.4.1\lib> ..\bin\java -jar htmlconverter.jar -gui

2. Edit java.policy
- Must be done by the user
- Location is problematic
  - C:\Program Files\Java\j2re1.4.0_01\lib\security
  - C:\j2sdk1.4.0_01\jre\lib\security
  - UHCL PC Lab: unable to edit
- Add the following to run our example:

    grant codeBase "file:${/}devJava${/}*" {
        permission java.util.PropertyPermission "user.name", "read";
    };

Open UsernameApplet.HTML

Example 2: RSA Signed Applets
- Stepping out of the sandbox, method 2
- Real deployment requires a certificate from Verisign or Thawte
- Jarsigner can sign applets
- If the Java plug-in finds an RSA-signed digital certificate in a downloaded JAR
  - Checks security policy for “usePolicy”
  - Checks the signature’s CA
  - Then asks user if it’s okay

Example 2: RSA Signed Applets
Step 1: Generate a key and certificate
Step 2: Install the certificate
Step 3: Create the JAR and sign it
Step 4: Deploy the JAR in the HTML
Step 5: Open the HTML in a browser

1. Generate a key & certificate
- Use the keytool to generate a key

    C:\>keytool -genkey -alias appletsigningkey -keyalg RSA

- For real deployment (Page 212)
  - Create a csr file with “-certreq”
  - Order a signed certificate from a CA
- Export the certificate

    C:\>keytool -export -alias appletsigningkey -file appletsigningkey.cer

2. Install the certificate
Windows
- Double-click on the filename
- Click on the “Install Certificate” button
- Follow the steps in the Wizard, pp. 210–211

3. Create the JAR and sign it
- Create a JAR containing our applet class

    C:\> jar cvf UsernameApplet.jar UsernameApplet.class

- Sign the JAR with jarsigner

    C:\> jarsigner UsernameApplet.jar appletsigningkey

4. Deploy the JAR in HTML
- Add the “ARCHIVE” attribute (Not mentioned in the book, p. 212)

    <APPLET CODE="UsernameApplet.class" WIDTH="300" HEIGHT="200" ARCHIVE="UsernameApplet.jar"></APPLET>

- Can then use HTMLConverter

5. Open the HTML in browser
- Click to Grant

Signed Applets in Netscape
- Netscape 6 and 7 use the Java plug-in
- Netscape 4 uses its own security model
  - Applet asks for permission
  - Called the Capabilities API
  - Uses proprietary Netscape classes
  - Incompatible with any other browser

Signed Applets in Netscape 4
- Modifications that use the Capabilities API, page 215

    public void init() {
        try {
            PrivilegeManager.enablePrivilege("UniversalPropertyRead");
            mUsername = System.getProperty("user.name");
            PrivilegeManager.revertPrivilege("UniversalPropertyRead");
        } catch (SecurityException e) {
            mUsername = null;
        }
    }

    C:\> javac -classpath .;capsapi_classes.zip UsernameNetscapeApplet.java

Signed Applets in Netscape 4
- Deploying the applet
  - Must be signed
  - Use Netscape’s signtool
- Initialize the certificate database
  - Using Netscape, page 217
    - Click on the lock icon at the lower left
    - Click on Certificate > Yours
    - Click on “Import a Certificate”
    - Set the password, then Cancel the import

Signed Applets in Netscape 4
- Create a self-signed certificate and key

    C:\> signtool -G"testsigner" -d"C:\Program Files\Netscape\Users\crmoen"

- Create a directory and put in the class
- Create a signed JAR

    C:\> signtool -d"C:\Program Files\Netscape\Users\crmoen" -k"testsigner" -Z"netscapeApplet.jar" jar_directory

- Add an ARCHIVE attribute to the HTML
- Open the HTML file in Netscape, p. 220

Signed Applets in Microsoft IE
- Microsoft VM security model
- As of Jan. 21, 2003, by court order
  - Microsoft VM support discontinued
  - Tools are no longer available
  - Sun JRE is provided with IE

  “…the U.S. District Court in Baltimore, Md. issued a preliminary injunction order requiring Microsoft to include the latest Java Runtime Environment (JRE) from Sun Microsystems in…versions of the Microsoft® Windows® XP operating system or Microsoft Internet Explorer…” [5]

- MS recommends: convert applets to .NET

Signed Applets in Microsoft IE
- Security levels for applets
  - High: the sandbox
  - Medium: some extras like disk scratch files
    - HOWTO: Using Scratch Space From Your Java Applet - http://support.microsoft.com/default.aspx?scid=kb;EN-US;172200
  - Low: same as AllPermission in Java 2
  - Custom: similar to policy file in Java 2
- Cab files are used for signed applets
- Tools are in the Microsoft SDK for Java (No longer available)

Secure JDBC Connection for Applets [6]
- The problem
  - Firewalls interfere with the connection between a Java applet and an external db
- The solution from IDS Software
  - The applet uses an IDS JDBC driver to connect to an IDS server using HTTPS

Secure JDBC Connection for Applets [6]
- The client is behind a firewall.
- The proxy server relays the client’s HTTP and/or HTTPS requests.
- Proxy relays HTTP requests
  - To provide Internet access
  - Parses the content
  - Assumes the connection is non-persistent and drops the connection
- Proxy also relays HTTPS requests
  - Assumes that it cannot parse content
  - Cannot drop connection until client does

Secure JDBC Connection for Applets [6]
- Required conditions
  - Proxy allows outbound HTTPS connections
  - Applet must obtain the browser proxy server setting
  - Applet must be signed
  - IDS server must use ports 443 or 563
- ProxyProperties class from IDS
  - Obtains the proxy settings
  - Instance passed to the IDS driver when it creates a connection to the db

Secure JDBC Connection for Applets [6]

    Driver drv = new ids.sql.IDSDriver();
    Properties info = new ProxyProperties();
    String host = info.getProperty("https.proxyHost");
    if (host != null) {
        info.put("proxy_type", "4"); // SSL Tunneling
        info.put("proxy_host", host);
        info.put("proxy_port", info.getProperty("https.proxyPort"));
        try { // For Netscape
            PrivilegeManager.enablePrivilege("UniversalConnect");
        } catch (Throwable e) { }
    }
    Connection conn = drv.connect(url, info);

Secure JDBC Connection for Applets [6]
[Diagram. Labels: Applet, JDBC IDS driver, HTTPS, Proxy Server, Port 443, DB, IDS Server, Client, client-side firewall]

Bibliography
[1] J. Garms and D. Somerfield. Professional Java Security. Birmingham, UK: Wrox Press Ltd., 2001, pp. 202–228.
[2] M. Pistoia, et al. Java 2 Network Security, 2nd ed. New Jersey: Prentice Hall PTR, 1999.
[3] J. Conallen. Building Web Applications with UML. Addison-Wesley, 2000, pp. 70–72.
[4] Sun (n.d.). Developer Guide FAQs. [Online]. Available: http://java.sun.com/j2se/1.4.1/docs/guide/plugin/developer_guide/faq/developer.html
[5] Microsoft (2003, Jan.). Microsoft VM Developer FAQ. [Online]. Available: http://www.microsoft.com/java/developerFAQ.htm
[6] IDS Software (1999, Nov.). JDBC Connection via HTTPS Proxy. [Online]. Available: http://www.idssoftware.com/jdbchttps.html