so my name is Andrew gross I work on the job of ulnar ability team at Oracle and I will be talking about our secure coding guidelines today wrong button this is a safe harbor statement any prognostication may be wrong and the rest may be lies so what I’d like to start with today brief over run I’ll do a quick introduction and give an overview of Java SE security which will lead into our guidelines then I’ll give a couple of slides on vulnerabilities just sort of have some terminology to work with then I will proceed into the interesting part the guidelines and then a quick conclusion to wrap things up at the end so in general I like to take questions as I go along but I may have erred on the side of trying to convey too much to you all today so we’ll take a few as we go but probably save those for later in the presentation when we get into the good stuff introduction so we’re talking about the risks of insecure coding if you’re here you probably have some idea or deal with this every day as those of us do at Oracle and so we’re talking about the Java secure coding guidelines the primary goal here the unique material is about untrusted code or working with code of different privileged values so there are many ways to do that from outright hostile applets to doing something where you have a curated store of applications that a user can download onto some home entertainment device so we want to now that we’re once we’re aware of them you know the idea is not that everyone’s an expert and can fix these what I do in my other presentations is the idea is to recognize when there are dragons there if you know this is a bad area you don’t have to be an expert you don’t have to have the answer but you need to know that you need to go find someone to help you you know no shame in asking there’s lots and lots of stuff that I don’t know so the goal here I’m gonna focus on the new material for Java SE 8 I’ll hit some old good ones but then try and stick to the new material and for the target audience we’re looking at Java programmers risk managers security engineers anybody who has to either catch this at the architecture level design level coding level or once it’s out the door and sort of how we deal with that how we deal with that whole loop and I already mentioned we’re working on untrusted code so security overview the really high high point overview will look you have runtime security obviously the libraries and the VM conspire to keep things safe at runtime we have a wide variety of security api’s you’ve probably heard my colleagues talk about the security libraries all of the API ciphers hashes all that good stuff it’s pluggable if you don’t like what we have bring your own and then a set of security tools for handling certificates and passwords and signing your code so that you know that what you want executed is what’s actually showing up in the VM and the policy tool for setting a security policy for your applications so starting with runtime security will focus on this we have the obvious language protections public private protected then we have memory management so Java collection sorry garbage collection not to imply the other bytecode verification so there are lots of things here that where we don’t have problems you know we eliminate a lot of buffer overflow problems in the Java code then we have the Security Manager which will get all of the security decisions we have the access controller which does the actual mechanics of the access control checks we have you can set up fine-grained policies for each of your applique and we have class loaders to give a I salute into code so if they’re in the hierarchy they can see each other but if they’re off on different branches of the tree then the codes isolated and unless you bridge that they can’t see each other so main thing here is to work touch on how the security manager and the access control works so there’s a check permission call and the security manager if you’ve looked at the Java

source code you’ve probably seen that in a number of places that filters down typically to the access controllers check permission and what happens with Java code as most of you are probably aware each class has a protection domain that has some set of permissions read a file write a file network socket / network socket permission to particular hosts so there are a whole set of permissions each each class when it’s loaded by the class loader has a protection domain with some set of permissions and then when you run code you have various things on the stack you’re down some call tree then a security check happens what happens at that point is the security manager access controller they go wandering down that call stack and see what permissions everything on the stack had so if you want to write a temporary file then all code that’s active on the stack at the time has to have that permission so it’s the intersection of all these permissions so this again let’s see where it was going here so this is how the check is done so for an example if we have an untrusted class that wants to call into a trusted library in this case the trusted library is going to do a system get property that requires a security check so what we expect to happen here so we have our call stacks we have all trusted code coming down and then we have our untrusted outlet code sitting here at the bottom so what’s going to happen is we go all the way through typically the untrusted outlets not going to have the mission so we’ll get rejected we’ll get a security exception or an extension that access control a exception depending on what exactly went wrong so if your library code and you want to exercise your permissions and make this work because you know that this particular property is safe then in this case what you’ll need to do is exercise your permissions so the canonical way of doing this is through access controller with the due privilege there are a bunch of varieties of this this is the the all-singing all-dancing this is full power so if you have if the trusted code has all permissions when it fires up this do privilege anything that goes in here is going to work the problem with that is that anything that goes in here is going to work and that may not be what you want every time you know some of you may have heard of trusted method chains there are a bunch of of different things that can go on here help straight down to just plain coding error gee I didn’t think about this particular aspect so what we’d like to so what happens what this is the way it exercises its permissions as it cuts off that stack check so it cuts it off with whoever invoked the due privilege so in this case we have our trusty class with our get options so get options is going to be the thing that invokes so that’s the last thing that will be considered in our stack walk so putting it visually for 70% of you we see here’s our trusted class and then we’ve cut off the last piece so in this case all trusted code they will all get they will all have the permission and the get option to get get property will work let’s see so again being careful with this be careful with the data you take in if you know you have tainted objects be very careful with them you know if you have something where you just need a string and you’re computing it inside of the do privileged you really want that to be so it’s much better to calculate your strings outside pass them in this final and then use them internally in whatever manner is have you taken somebody else’s object and called to string on it who knows what that’s going to do then on the other end once you’ve done your operation be careful what you hand back when you’re in privileged mode you can get objects and that have capabilities that are not available to a normal user to normal application code and if you take one of those and hand it back you’ve now given them a bunch of capability that they didn’t have before and that may know if you’re careful it may not but if it if not it may violate your security policy and your expectations so now that we’ve done all permissions here’s an incantation for doing no permission in this case we create an access control contacts with a protection domain that has no permissions listed so in that case there are no permissions if there’s a any kind of security check when we’re using this

context nothing’s going to pass and now that we’ve done both ends in the middle we have a couple of options one I’ll discuss on the next slide the one in the lower right corner is called limited due privilege it’s JEP 140 in this case what you can do is selectively add a permission to the context you’re in so the idea is that all the permission checks will happen normally well and go all the way up the stack they won’t be truncated by this version of due privilege however if this file permission is what’s being requested then it will stop at this frame and say you’re allowed to do this so if you have all permission code and you just want to exercise one bit of permission you know do these privileges in a cautious way then this is a convenient way to do it that just showed up an eighth one warning here if you use an access control context that’s just null the null value is passed in for that parameter it gives you all permission counter-intuitive not what you expect easy to trip up on so the other the other in-between is to is for things like callbacks so if I have I’m registering event processors I have an event queue running somewhere else I have three or four applications I’m collecting events and then I’ll run them on this event queue on a different thread so what I’d like to do is use the get context method get the current the ambient context when the handler is is registered excuse me then what we do is whenever we fire this handler we then go we check to see if the access control context is null if somebody’s been tampering because get context won’t return all so if one shows up here that’s a problem and then we fire off the event with the access control context we collected before so it’s like we just sort of from the security point of view we collected here and we’re just continuing with the same permissions over here whenever we’d fire off this event sorry booby-trapped up here so quick word on vulnerabilities standard definitions this is a flaw in our code that allows something to happen that we didn’t expect and didn’t want to allow and the causes of these there’s architecture there’s design there’s implementation and environmental issues so what was secure yesterday maybe the sysadmin changed the system out from under you and you didn’t expect that or something else happened in it when you apply to patch or an update so there are a number of layers where problems can happen so we really want defense-in-depth build in checks at every level oh and if you find one please feel free to send it in we’d love to give you credit vulnerability team needs something interesting to look at so make it really interesting and subtle we love those so common vulnerability and numeration you’ve probably all seen these it’s essentially just you know counting the hat put a label on every vulnerability so we can talk about it and know that we’re talking about the same thing in this case there’s no score so there’s not really a rating of severity for that we use the common vulnerability scoring system this is as the advantages of being standard in public NBD has a calculator so you can play with that and see how it works and they also collect scores for the various CDs so that you can go through and look at past items to see so if you have something new and you don’t quite know what to do with it you can go back and look at the old ones and kind of get some get some norm of what other people have scored that kind of issue so the brief overview essentially this talks about scores you based on attack vector can I do it from the internet anywhere in the world do I have to be at the console those kinds of issues then we have the complexity you know can I do this as one liner that works all the time or is there a race condition or after man-in-the-middle or I have to do like seven weeks of computation on a supercomputer the authentication here is whether you need to use to get in so if I can hit a website and just give you a URL and you out to lunch for a week that’s the no authentication if you have a vulnerability but it’s behind the page somewhere that has a login so I have to have a username and password before I can launch the vulnerability at you so that gives it

it’s slightly more difficult so the rating goes down slightly and then the impact standard things confidentiality can you see my bank account integrity did you set it to zero and availability can I get my cash out of the bank or not and so these map into a lot of the HIPAA and Sox issues personally identifiable and information huge credit card breaches those are the kinds of problems that they’re talking about here okay any brief questions before we get into the the meat of things okay I’ve confused everyone thoroughly good next step so I won’t read these to you there are a bunch of common issues there ones that you likely recognize some of these are very Java and flavor you know input formatting that’s like 50 to 80% of the problems and then have limited privileges minimum privileges see Java looking it’s super classes and those change out from under you see input checking the DISA realization always fun everybody have pictures okay so here are our guidelines which is what I’m talking about and as I said before we focus a lot more on the multiple levels of privilege code either completely untrusted or differently privileged so some of the problems are intentionally hostile some of the problems or I have two apps running on the same container and they kind of accidentally stomped on each other so it’s from minor – to major depending on your situation lots of other really good material in the area and certainly with native code we have the same native code problems that everyone else does and there are 30 or 40 years of background on that so here’s the overview of the guidelines I will kind of brush over this so the first few chapters are more general but apply to any language any kind of system you’re putting together the later ones are more for untrusted code and then we released a new version of the guidelines with sv8 so there’s some new guidelines I’ll try and focus on those and we did some updates of things where we have new language features that change sort of how we would fix problems and we added a index for j’ni appendix for a number of issues in that area so first few all kind of go through quickly so we can get on to the fun stuff so the first one that pretty much sums it up you want code that you look at it’s obvious there’s not a problem you don’t want to look at the code and say well you know there’s nothing obvious that jumps out I worked at one company and we had a possible buffer overflow and we asked somebody to look at it he said well I looked at the code for three hours I can’t find anywhere that calls it with a string that’s too long is that the right answer anybody okay it would have taken 30 seconds to fix the buffer and never ever have a problem rather than a static okay at this instant in time or fine but could changes let’s see so good design minimize your code if you have n copies n minus one or probably wrong well at least n minus 1 along restrict your privileges you know your trust boundaries nor data is coming in where it’s going out so you minimize and capsulate encapsulations a good plan here everybody’s got that utility class where it’s like well this doesn’t really fit anywhere so all of a sudden you have this huge class that has all sorts of random unrelated things and there are all sorts of fun the side effects and then the last one blinding li obvious document your assumptions you know if you have security here you need to write down this is what it should be and when you call this these things should be true because you’re gonna leave somebody else’s come out and come along and take care of your code and three or four people later somebody’s gonna do something and have no idea that you’re assuming that this value was greater than one not greater than zero so obviously no flaws easy to see it’s very clear that there’s not a path through on the other hand these are a little more

unclear so how much how much time would we spend doing this whereas we could do this be done so which which one which one is good anybody come on fifty-fifty oh so one of them is good I’m sure that’s just by accident so denial-of-service just a couple comments here the canonical example is decompression where you’re taking a file that is intentionally be decompressed and you know that it’s going to generate much more output a lot of these algorithms are fairly complex take a lot of effort to implement correctly especially with video codecs and now you’re looking at expanding it into some unknown amount of space and a lot of people focus on the getting the decompression correct and not on sort of light you know I just wrote 3 gigabytes off the end of memory so it’s something to be aware of when you’re writing this and if you’re writing the complex code like that I salute you you need to think about these things ahead of time maybe prepared because retrofitting this stuff afterwards is very painful and quick comment thou integer overflow in the past and if you look online and our guidelines we have some recommendations you turn the math around so that someone can’t give you a big value that added to another value rolls over and becomes negative a slightly clearer and easier way to handle it we have these new java.lang math methods that will throw an exception if an integer overflow is going to occur so this is a much cleaner easier to read yeah nice things that are there to work well see confidential information we kind of talked about that earlier debug builds may log this but your production builds shouldn’t and you should be careful with your exceptions especially with the code of varying privilege levels because you may reveal something about the structure of the program or the system that you didn’t intend to so four applets revealing a file name is something that that typically comes up so injection sequel injection probably everybody has had to deal with that at one point so these are just a number of places where you need to watch your and for example the BMP files is an image format they refer to an external file for a color profile so not something you expect out of an image format so there are all sorts of little surprises and various files and formats going around and being familiar with those is important to take care of these edge conditions that can pop up anything else well I’ll briefly talk about floating-point for those of you who have to do some global climate models you’re probably familiar with this already the idea is when you have floating point numbers part of the spec is that the computation can handle infinity so if you accidentally divide one by zero you get a value back but that’s a magic number that symbolizes infinity if you cause other problems you can get a not a number and so these are specific values and if you do floating-point equality you know FP equals equals whatever that’s not going to work so what can happen is these values if you have a computation these can propagate through if you’re using floating-point is a loop iterator or is the loop value and you’re expecting to be able to do comparisons someone might be able to sneak a value in on you and either stuff you in Tennant’s and that loop or have you terminate abruptly so to check for these last line there are these methods for checking directly to see if you have these values present so probably most of you don’t have to do that but if you do good to know so accessibility and extensibility this is a lot about how you set up your classes you know when I have a class do I make it final do I which methods do I allow you to override you know what is the critical functionality if you have a method called check permission probably best not to let it be over aidable by a subclass we’re talking about isolating code don’t hand out class loaders because these are very powerful and depending on which one they could have different properties or access even being extensibility so the making things final and so super class and subclass is a is a good one I’ll give an example of that for a moment so in jdk 102 way back when we have Java security

provider which extends properties which extends hash-table because providers essentially just a hash-table mapping algorithm aims to implementations so pretty straightforward it’s a natural idea you know it’s a hash table my data’s hash table I’ll just extend this and get a bunch of properties that I need really quickly well the issue here is that providers can’t be tinkered with because somebody could replace your AES encryption with no encryption and you’re now spewing clear text where you didn’t expect to so we override these methods and we put in security checks so everything’s fine no problems right but code changes so there’s an entry set method that was added to the superclass this allows you to remove elements from the provider provider didn’t get updated in the same time frame so there’s now a way around the protections that were put in place so we’re now able to remove entries where the policy said we weren’t supposed to the design of provider was to prevent you from making unauthorized changes so I’ll kind of brush over this essentially you know the big point your super classes can cause problems if you depend on them they may change over time your code as auto code may live on for 10 years and there will be lots of JDK versions coming out and maybe we add a method that that’s really helpful but doesn’t match with the security policy that you’re expecting so in this case one big point is for the default methods on interfaces that came in JDK eight those default methods are now part of your class if you implement some interface and it gets a default method you just got a default method for free and for 99% of coding that’s wonderful that’s exactly what you want but for a case like this provider case where there is some security value and some meta information that’s not in the interface you’re now looking at a problem maybe this is like one of our collections where we now have a replace all method if that got added that probably violates what you’re looking for and then this essentially says what I said before foreshadowing let’s see input validation not much to add here there’s lots and lots of books on input validation HTML XML all of these things will take external data they may be malformed you need to be careful when you take this in there have been plenty of XML parsing problems go for forever one point of note is if you are using native methods so if you’re using j’ni to bind to some external library native code then what we recommend is writing a wrapper around the native methods so you have your you know private static native method and if you write a wrapper around that that validates all the data so Java’s everything in java is signed well primitives that are numbers and when you pass that to c code c code may be expecting an unsigned value and they may be may not be checking for negatives they may not be checking for other properties so it’s best to make your checks where you can see them in the java code so that you know they’re done you should also put them in the native code but if they’re in the java then that way each developer on whichever side knows that the right things are being checked how are we doing okay any quick questions at this point you’re almost as good as the right after lunch crowd and I mean that con as a compliment so mutability this is all about data that can change so there some data structures classes are immutable you can pass them around you don’t have to worry about them in other cases things like arrays you can have an array that’s final but then the values are not final and in this case there’s sort of three main issues here and I’ll try and be succinct so you’re looking at an issue of input so if you take data from someone else so if someone passes you an array then you want to validate that do your checking and for mutability you want to make a copy of that array assuming that it’s appropriate because

if someone passes you an array you do validation without copying it they still have the reference and they’re following behind you on another thread changing the values you know if it’s just an array events that you’re adding together not very interesting if it’s a set of certificates that you’re using to validate data or code to run data to be acted upon that has a slightly different value so let’s see yeah I didn’t put first okay I’ll put up the input slight while they do output output is the opposite problem so if I have an internal data structure reference that I want to pass to someone so I have an array of certificates that I want to pass out and I want you to be able to see what certificates I’m using so you can make a decision on that if I pass the reference to my internal array you can now start changing those values that’s not what I want so I need to make a copy of that on output pass it to you as untrusted code and the untrusted code even if it goes and probs things change the values to whatever it doesn’t matter because my code and my trusted library is protected and secure so you know essentially anything that comes in that’s important should be copied anything that’s important should be copied on the way out and so for instance here since this is good one so if you take an input that’s a list the lists have to give you the same num same objects in the same order every time you use them no does it even have to give you the same set of objects each time you generate an iterator does the length or the size have to actually match the number of objects okay so in this case if someone hands you a list you probably want to copy that into an own implementation something that you can trust is going to give you the correct answers each time or at least a consistent set of answers so last couple of points if you have something where the object identity object equals is over rideable equals can answer true in a number of cases where you’re not expecting it so if someone gets an object into your hash map whenever you do the search in the hash map you can lie about your hash code lie about equality and you can start picking up references to objects that you didn’t expect and so let’s see wrapping internal state that’s just what I was mentioning earlier where you take in data if you take a list putting it into something like an ArrayList and then doing whatever validation before you put it into your internal fields once you’ve done that then you have the ability to know that that data is good and is not going to change the object construction so in this case if you have a sensitive object so there are a number a number of singleton the objects that’s a common pattern you want there to be exactly one so you want to control the construction of the object so that’s serialization constructors cloning other a whole variety of ways that you can get a new object a new copy of the object new instance and then let’s see I think I cover the rest of these so for object construction there are a number of subtle things here between the language standard and the vm standard so we’ll give you a next slide has a good example of a correct way to do it so if you’re throwing exceptions these may not destroy the object so if they come out you may be able to override finalize and get a reference to the object and even a partially constructed object may have functionality that you didn’t intend to be leaked constructors that call in the outside code that has a number of problems so if it’s an override Abul method then i can override that method and grab a copy of this and tuck it away in a static somewhere if you can declare the class final that’s great because untrusted code will be able to build off of your library code so you know does this need to be extensible because it’s a security issue security related class so there are a number of things to think about there and if you allow finalized to be overridden then it’s best to have some kind of initialized flag right at the end of your constructors to show that you did actually complete so you

did your security checks you did your data validation everything is set up and good and then I can say initialized at the end I can also in all my methods check to see if I initialize to set before I actually try to use the data or do anything with any power so here’s the subtle one so for this case any exception that’s thrown before the super constructor is called will destroy the object and you have to do a little bit of trickery to make this one work so in this case you take the security check and use that as a parameter to the main constructor so people come in through the protected constructor the security check gets evaluated because it’s an argument to the next constructor yet that throws an exception then everything is gone you know there’s no residual object there’s no finalize it’s all taken care of let’s see cloning this is essentially just that if you can clone an object or if I can extend your class and implement cloneable that’s just a shallow copy of the objects that’s not a deep copy of everything so whatever if you have a string that will have a separate copy but if it’s an object then I’ll have the actual objects inside and since I control this extension class I may be able to modify those in some fashion that wasn’t really anticipated in the design any questions before we play with serialization okay so serialization for security point of view nearly always a bad idea there’s just a huge amount of rope there and you can hang yourself several times before you’ve really gotten the hang of it so don’t do this for security sensitive things you may have passwords you may have keys you may have private keys certificates lying around and it’s much better to reload those and regenerate those on the fly than to serialize this thing because when you serialize an object you may leak data if you didn’t do the the exit properly and an attacker can give you an arbitrary set of bytes to deserialize which could have any random values which may or may not have anything to do with what your class was intended to do and when you deserialize you have to go through a lot of work to validate everything and to that point deserialization you need to view as construction so instead of reading these we can go talk about them so for let’s see the main point here is serialization adds a public interface to all your fields because it writes all the bytes out I can take that file use Emacs my favorite hex editor and just change whatever values and then hand it back to you and if you’re not checking if you expect this to be greater than 1 instead of greater than 0 maybe you’re doing checking or maybe there’s a flag which enables some additional privilege or a whole bunch of different pathologies that could be here and you also have a hidden public constructor because anyone can deserialize something they can just throw it into an object input stream and say give me an object so guarding sensitive data as I mentioned maybe you have a crypto key in that case that’s you want that to be a transient field to be something that’s loaded on the fly with the proper permission checks in this case there are a number different options for how you control this so transient keeps the field from being written serial persistent fields allows you to specify which fields get serialized out read object write object write replace implementing external izybelle all of these give you the ability to control what goes out so in right object if you had us if there’s a security check to get one particular object that you had internal you need to do that same security check before you write the data out as if it required a security check for you to get it then whoever’s decir like whoever serializing you is essentially getting a copy of that you need to make sure they’re authorized so simple example here for big imager in this case in the constructor the sign has to have a constrained set of values so constructor

does this now if your deserializing there are a number of considerations so you’ll need to make your own custom read object to handle reading data in avoid default read object default read object takes whatever is on the stream dumps it into the field and then you get to validate and if someone’s sitting on another thread they may be able to use that object before you finished your validation so you have never want to have a field have an illegal value at any point so the way we do this is take our read object and we get the fields and then out of the fields we look up each particular field that we want to extract then we do the same validation check that we had on the previous slide and only after all of that is done do we assign it to a field to an actual local variable instance variable same difference so if you need to serialize stuff go for it but please be very very careful with it there are lots of unexpected things that can go on question I’m sure there must be but we’ve only recently gotten to the point of thinking about that issue so well as I’ll say later hopefully there’s somebody’s library they can use that somebody else has already you’ve written and a lot of people have looked at because if you’re rolling your own you know it no down Jason’s relatively new so Wow not that new but new on a glacial scale there’s no implications to be read into that please so let’s seize Trudy manager checks I mentioned this earlier if in your constructor you make a security manager check you need to make the same check when you’re writing objects out you need to make the same checks when you’re doing a read object and deserializing you need to make sure that anything that goes out anything that comes in all the same checks are being done so if there are values that you compute and your constructors don’t serialize those and read them back in you need to compute them in your read object when you report you’re sorry when you reconstitute you need to do those same checks and finally if your deserializing other people’s data you need to be aware of the permissions that you have at the time so if you dis you realize with all permissions all those security checks I asked you to put in those are all gonna pass no problem you’re much better off doing no permission as I said quite a few slides earlier gave an example you can do serialize with no permission then no security check will pass if something untoward is going on it will be caught at that point or if you know that one particular permission is needed then you can do a least privileged set up in a set up of context with one or two permissions and just the ones that you want and that way a lot of these chaining vulnerabilities are more accidental because all permission is used everywhere rather than a limited set it becomes much harder problem to try and chain one permission into an escalation than having everything anymore serialization questions okay now for the fun stuff so for access control we essentially did all of these in the overview at the beginning a lot of this talks about do privilege how to control what permissions are in play how to capture them how to replay them how to limit them how things really work so like the accidentally putting in a null for an access control contacts that is not something that’s obvious and we try to call that out so that people don’t get stung by it one that I have uncovered is 9/5 if you’re doing caching so what one typically does in the normal case is say do I have you know you have this request for some object I’ll put it do I have it in the cache no I’ll create it do the permission check throw it in the cache hand it back to

you the normal case untrust you know standard applications that’s perfectly fine way to do it the problem now I see some nods thank you is that if the permission check is only when I create the response if I throw it in the cache if somebody else comes with the same request I just check the cache I didn’t check their permissions I have no idea if they’re allowed to have this or not so this is a very easy pitfall to fall into and so it’s something where you know your normal everyday coding your intuition from that is going to be wrong because you’ll put the check in the wrong place and so now for where I spend a lot of my time these are a number of issues that have possibly been in the news or not and it talks about there’s some magic in the libraries or optimizations an optimization always cause problems with security so these three cases we’re warning about there are methods and the libraries that will look at the calling class so if you have a class and you call this library method I will look at what your class is and I will make a decision based on what your class loader is I might bypass the security check I might use your class loader to do something load another class or a resource or I might use your language access in a way that you’re not expecting so a typically code has package access maybe there’s something that was meant to be hidden that’s in the same package and now I can magically get to it because we didn’t really think about this path and so just to set up the problem here there’s a problem in computer security called the confused deputy then probably should have called it Barney Fife or something but yeah okay I’ll go with something more Gen X next time so the idea here is that I have trusted library code it can do anything and then I have my little unprivileged app here it makes a request of the trusted library trusted library says oh you want this oh yeah I’ll go get it here have it but it didn’t check the whether that was allowed to wasn’t allowed transaction so there needs to be additional checking here so what happens is the trusted library is to confuse deputy it’s making a request on your behalf but it’s not validating that you are who you say you are or that you’re allowed to have what you’re looking for so you can see from what I described earlier if you have these sensitive classes that classes that are sensitive sorry methods that are sensitive to their caller it would be very easy to forget checks and only expect like systems the code to call you or expect that everybody’s you know no one would ever ask for that class so these methods are called color sensitive in this case they do exactly what we’re warning you about they may look at your class loader your the colors class loader so if I called this method directly it’s not going to get me the right answer but if I call the system library that then calls this method and just returns the result then I can get something that I’m not allowed to have so these are somewhat tricky and helps them especially with the language access have some properties that are just not obvious so best to avoid them I won’t put the list here it’s online it’s quite long unfortunately so you can see that this is where the confused deputy problem plays in and so your privilege code needs to add extra checks if you’re going to be using these so if you’re doing something like you have a hard-coded string and it’s only for a public class you know returning the value if that’s something that the user could generate themselves is not an issue whereas on the other hand if it’s something where you’re not that limited you might have you know what we do in coding all day we work very hard to make our functionality be this but the problem is sometimes we kind of open up this extra stuff over here that we didn’t intend to but you know this wasn’t quite working for us and we couldn’t get the last piece so we made a little fudge and and didn’t notice that extra stuff was let through the gate so for this different kinds of things you

can do if you put a trampoline class in between that’s something where you can set the class loader to one that has effectively no privileges you can set the permissions on the class itself so that when we do the stack walk this trampoline class has no permission so you’ve cut off any issue they’re only allow access to public classes and public methods that’s easy to check and if you use the package access extension that’s that’s in the libraries to essentially block off implementation classes because we have api’s which are the intended way in and do validation and then the implementation classes may not do validation in the same way so if you call in kind of from the side you might be able to get past some checks that were assumed to happen at a higher level see for method invoke this one is more informational you don’t nothing invoked is privileged but it doesn’t count there’s magic in the VM that ignores this class whenever you’re doing and invoke because these color sensitive methods fed to a method invoked would then have all permission if you just did a simple simple switch to call it that way so using reflection instead of linking to it directly so don’t have to worry about that so but for the color sensitive names let’s see how we’re doing on time I think I can finish in this case a lot of things of default methods we mentioned earlier lambdas all of these things have the permission of their creating class so lambdas are not a new problem they’re just a new instance of an existing issues so since they’re new and wizzy everybody’s gonna want to use them but we need to remember that there really is some mechanics behind this that we need to pay attention to so if you’re calling color sensitive methods and these types of objects then you could have problems you need to do the checking and be aware avoided if at all possible and let’s see one more thing here I remembered in a second oh yeah so if you’re using interfaces or default methods and use names of these color sensitive methods they might be available for a trusted method chaining attack which you should read about they’re great fun but I won’t go into those in depth here it’s just something to be aware of depending on your environment so last slide for this case we’re looking at a number of objects number of things that have sort of privilege and access checks inherent in their creation so class example our method handles the GSR 292 invoke dynamic those are allocated so all the security checks happen when that method handle is created so if you create a method handle with privilege and you hand it to untrusted code untrusted code can execute it and do whatever so method references method objects need to be careful of these things the four method handles lookup this is the preferred way to find to get a method handle an instance what this has inherent in it is a privilege so if I go ask for a lookup object for some other class I have nothing to do with that class I just want to look up for it I get a public lookup which means I can only look up public fields and public methods if I take that and pass it to anyone no problem anybody can get that anybody can do that however if I’m in the class itself and I get the lookup object it now has full privileges it can look up private fields private methods I can get anything out of the class I’ve essentially just given you everything in that class so it’s not obvious and if you print out the object it will the string representation will show you which version you have but a lot like the class permissions you don’t necessarily know what it is you may not be thinking specifically about that at the time any questions no Kim in conclusion if you follow the guidelines and they are guidelines you have to use judgment you may want to stick with them you may want to break them but like all rules they’re there so you think before you break them doesn’t necessarily mean it’s bad but you need

to be aware validate your input data that’s a huge amount of the world if you can reuse libraries you know if there ever is a JSON library that does the right thing I encourage everyone to use it you know think about your attack surfaces think where data is coming in and going out make sure you’re doing the right things that those boundaries the right checks you know if you have new code that’s coming in that’s something that you want to look at first because that’s where the hackers will look first and then they’ll look at your really old code let’s see don’t use blacklist standard and last points a good one that I really like for negative testing if there’s something that’s not supposed to happen if I’m not supposed to be able to pass in these illegal values it’s good to have a test which says okay you can’t pass an minus 1 or 0 or minus a million or whatever other value because you know that it works for the good stuff you’ve tested that you’ve done great sqe but you know if I go one beyond that – I have a fencepost error or there are other problems you know does it not work and then it works again so there are a number of things to check there and having things that fail on known bad data things that you expect to fail is always a good sanity check and conclusion want to keep the bad guys out keep our data private and keep the programmers awareness of security upfront when they’re doing the design and coding the cheapest bug to fix this when the developer says well I’ll do oh wait a minute maybe that’s insecure I should do this other thing you know millions of dollars once that’s out the door but if your programmer is thinking of it then it’s the cheapest bug you’ll ever fix any final questions ok I’ll be outside I’ll be happy to take questions if you didn’t want to ask in front of everyone until no one is left thank you very much

You Want To Have Your Favorite Car?

We have a big list of modern & classic cars in both used and new categories.