
Applet Security

Team Web Charles Moen and XiaoJun Zhang


CSCI 5931.01 Web Security March 26, 2003

Topics

The Sandbox
Stepping Outside the Sandbox
Applets & the Policy File
RSA-Signed Applets
The Java Plug-in
Signed Applets in Netscape
Signed Applets in MS Internet Explorer
Secure JDBC Connection for Applets

Java 2 Security Model

Policy-based

Security policy limits the resources a program can use
java.policy

Permissions

Actions that are allowed

The Sandbox
[Diagram: Client (Memory, Operating System, Local Code, Java Virtual Machine, Sandbox, Applet) connected over HTTP to Server]

Stepping Outside the Sandbox

Many reasons for stepping outside the sandbox
Java 2 Security Model: two methods

The client can grant permissions by editing the policy file, java.policy
The developer can use an RSA-signed applet that can be granted or denied permission by the client

Stepping Outside the Sandbox in Java 2: The Policy File

[Diagram: Client (Memory, Operating System, Local Code, Java Virtual Machine, Policy, Applet) connected over HTTP to Server; the client edits java.policy to grant SocketPermission and FilePermission]

Stepping Outside the Sandbox in Java 2: RSA-Signed Applets

[Diagram: the Server signs a JAR file with RSA and sends the JAR over HTTP to the Client (Memory, Operating System, Local Code, Java Virtual Machine, Applet); the Client verifies the signer with the Certificate Authority]

The Java Plug-in

Downloadable helper program that works with a browser


Consistent runtime environment for Java
Supports all Java functions
Can be called instead of the browser's VM
Part of JDK and JRE
Downloaded the first time it is needed by browser

Introduced with Java 2


The Java Plug-in

Advantages

Consistency across browsers
Major browsers had different security models
Differences require different development
Java capabilities provided to old browsers
Same security model as Java 2

Weakness

Huge download: 5 to 6 MB

Example 1: Applets & the Policy File


Stepping out of the sandbox, method 1
Create an applet, Java Security, p. 205

    public void init() {
        try {
            mUsername = System.getProperty("user.name");
        } catch (SecurityException e) {
            mUsername = null;
        }
    }

    <APPLET CODE="UsernameApplet.class" WIDTH="300" HEIGHT="200"></APPLET>

Example 1: Applets & the Policy File


C:\> appletviewer UsernameApplet.html


Example 1: Applets & the Policy File

Use a policy file:

UsernameApplet.policy

    grant codeBase "file:${/}devJava${/}*" {
        permission java.util.PropertyPermission "user.name", "read";
    };

    appletviewer -J-Djava.security.policy=UsernameApplet.policy UsernameApplet.html
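
What the grant above covers and what it leaves denied, shown with the JDK's own permission classes. This is an added example, not code from the slides or the book; the class name PolicyGrantDemo and the file path are constructed for illustration, and the broad grant is included only as the over-permissive contrast.

```java
import java.io.FilePermission;
import java.security.AllPermission;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.util.PropertyPermission;

public class PolicyGrantDemo {
    // The single permission from UsernameApplet.policy.
    static PermissionCollection narrowGrant() {
        Permissions p = new Permissions();
        p.add(new PropertyPermission("user.name", "read"));
        return p;
    }

    // The over-broad alternative: grant { permission java.security.AllPermission; };
    static PermissionCollection broadGrant() {
        Permissions p = new Permissions();
        p.add(new AllPermission());
        return p;
    }

    public static void main(String[] args) {
        Permission[] requests = {
            new PropertyPermission("user.name", "read"),   // what init() asks for
            new PropertyPermission("user.name", "write"),
            new PropertyPermission("user.home", "read"),
            new FilePermission("/devJava/notes.txt", "read"), // constructed path
        };
        PermissionCollection narrow = narrowGrant();
        PermissionCollection broad = broadGrant();
        System.out.printf("%-8s %-8s %s%n", "narrow", "broad", "request");
        for (Permission r : requests) {
            // implies() is the same test the access check applies to a grant.
            System.out.printf("%-8s %-8s %s%n",
                    narrow.implies(r) ? "allow" : "deny",
                    broad.implies(r) ? "allow" : "deny", r);
        }
    }
}
```

Only the first request is allowed by the narrow grant, which is why the policy file names the one property and the one action the applet needs.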


Running Example 1 in a Browser


1. Change APPLET to OBJECT
APPLET is deprecated
Specify codebase for downloading plug-in
Use HTMLConverter

2. Edit java.policy
Grant permission, like in our example

1. Change APPLET to OBJECT

HTMLConverter

Bundled in J2SE SDK (error on p. 206)


http://java.sun.com/j2se/1.4.1/docs/guide/plugin/developer_guide/faq/developer.html

Either command line or GUI

> java HTMLConverter <the html file>

Result on page 207


For IE, converts to OBJECT element
For NS, converts to EMBED element

C:\jdk1.4.1\lib>..\bin\java -jar htmlconverter.jar -gui


2. Edit java.policy

Must be done by the user
Location is problematic

C:\Program Files\Java\j2re1.4.0_01\lib\security
C:\j2sdk1.4.0_01\jre\lib\security
UHCL PC Lab: unable to edit

Add the following to run our example:

    grant codeBase "file:${/}devJava${/}*" {
        permission java.util.PropertyPermission "user.name", "read";
    };

Open UsernameApplet.HTML


Example 2: RSA Signed Applets


Stepping out of the sandbox, method 2
Real deployment requires a certificate from Verisign or Thawte
Jarsigner can sign applets
If the Java plug-in finds an RSA-signed digital certificate in a downloaded JAR

Checks security policy for usePolicy
Checks the signature's CA
Then asks user if it's okay

Example 2: RSA Signed Applets


Step 1: Generate a key and certificate
Step 2: Install the certificate
Step 3: Create the JAR and sign it
Step 4: Deploy the JAR in the HTML
Step 5: Open the HTML in a browser

1. Generate a key & certificate

Use the keytool to generate a key

C:\>keytool -genkey -alias appletsigningkey -keyalg RSA

For real deployment


Page 212
Create a csr file with -certreq
Order a signed certificate from a CA

Export the certificate

C:\>keytool -export -alias appletsigningkey -file appletsigningkey.cer



2. Install the certificate


Windows

Double-click on the filename
Click on the Install Certificate button
Follow the steps in the Wizard, pp. 210-211

3. Create the JAR and sign it

Create a JAR containing our applet class

C:\> jar cvf UsernameApplet.jar UsernameApplet.class

Sign the JAR with jarsigner

C:\> jarsigner UsernameApplet.jar appletsigningkey


4. Deploy the JAR in HTML

Add the ARCHIVE attribute (Not mentioned in the book, p. 212)

<APPLET CODE=UsernameApplet.class WIDTH=300 HEIGHT=200 ARCHIVE=UsernameApplet.jar></APPLET>

Can then use HTMLConverter


5. Open the HTML in browser

Click to Grant


Signed Applets in Netscape


Netscape 6 and 7 use the Java plug-in
Netscape 4 uses its own security model

Applet asks for permission
Called the Capabilities API
Uses proprietary Netscape classes
Incompatible with any other browser

Signed Applets in Netscape 4

Modifications that use the Capabilities API, page 215

    public void init() {
        try {
            PrivilegeManager.enablePrivilege("UniversalPropertyRead");
            mUsername = System.getProperty("user.name");
            PrivilegeManager.revertPrivilege("UniversalPropertyRead");
        } catch (SecurityException e) {
            mUsername = null;
        }
    }

C:\> javac -classpath .;capsapi_classes.zip UsernameNetscapeApplet.java

Signed Applets in Netscape 4

Deploying the applet


Must be signed
Use Netscape's signtool

Using Netscape, page 217
Initialize the certificate database

Click on the lock icon at the lower left
Click on Certificate > Yours
Click on Import a Certificate
Set the password, then Cancel the import

Signed Applets in Netscape 4

Create a self-signed certificate and key
Create a directory and put in the class
Create a signed JAR
Add an ARCHIVE attribute to the HTML
Open the HTML file in Netscape, p. 220

C:\> signtool -G"testsigner" -d"C:\Program Files\Netscape\Users\crmoen"

C:\> signtool -d"C:\Program Files\Netscape\Users\crmoen" -k"testsigner" -Z"netscapeApplet.jar" jar_directory

Signed Applets in Microsoft IE


Microsoft VM security model
As of Jan. 21, 2003, by court order

Microsoft VM support discontinued
Tools are no longer available
Sun JRE is provided with IE

the U.S. District Court in Baltimore, Md. issued a preliminary injunction order requiring Microsoft to include the latest Java Runtime Environment (JRE) from Sun Microsystems in versions of the Microsoft Windows XP operating system or Microsoft Internet Explorer [5]

MS recommends: convert applets to .NET

Signed Applets in Microsoft IE

Security levels for applets


High: the sandbox
Medium: some extras like disk scratch files
Low: same as AllPermission in Java 2
Custom: similar to policy file in Java 2

HOWTO: Using Scratch Space From Your Java Applet - http://support.microsoft.com/default.aspx?scid=kb;EN-US;172200

Cab files are used for signed applets
Tools are in the Microsoft SDK for Java (no longer available)

Secure JDBC Connection for Applets [6]

The problem

Firewalls interfere with the connection between a Java applet and an external db

The solution from IDS Software

The applet uses an IDS JDBC driver to connect to an IDS server using HTTPS

Secure JDBC Connection for Applets [6]


The client is behind a firewall.
The proxy server relays the client's HTTP and/or HTTPS requests.

Proxy relays HTTP requests

To provide Internet access
Parses the content
Assumes the connection is non-persistent and drops the connection

Proxy also relays HTTPS requests

Assumes that it cannot parse content
Cannot drop connection until client does


Secure JDBC Connection for Applets [6]

Required conditions

Proxy allows outbound HTTPS connections
Applet must obtain the browser proxy server setting
Applet must be signed
IDS server must use ports 443 or 563

ProxyProperties class from IDS

Obtains the proxy settings
Instance passed to the IDS driver when it creates a connection to the db


Secure JDBC Connection for Applets [6]


    Driver drv = new ids.sql.IDSDriver();
    Properties info = new ProxyProperties();
    String host = info.getProperty("https.proxyHost");
    if (host != null) {
        info.put("proxy_type", "4"); // SSL Tunneling
        info.put("proxy_host", host);
        info.put("proxy_port", info.getProperty("https.proxyPort"));
        try {
            // For Netscape
            PrivilegeManager.enablePrivilege("UniversalConnect");
        } catch (Throwable e) {
        }
    }
    Connection conn = drv.connect(url, info);

Secure JDBC Connection for Applets [6]

[Diagram: Client (Applet, JDBC, IDS driver) -> Proxy Server at the client-side firewall -> HTTPS, port 443 -> IDS Server -> DB]

Bibliography
[1] J. Garms and D. Somerfield. Professional Java Security. Birmingham, UK: Wrox Press Ltd., 2001, pp. 202-228.
[2] M. Pistoia, et al. Java 2 Network Security, 2nd ed. New Jersey: Prentice Hall PTR, 1999.
[3] J. Conallen. Building Web Applications with UML. Addison-Wesley, 2000, pp. 70-72.
[4] Sun (n.d.). Developer Guide FAQs. [Online]. Available: http://java.sun.com/j2se/1.4.1/docs/guide/plugin/developer_guide/faq/developer.html
[5] Microsoft (2003, Jan.). Microsoft VM Developer FAQ. [Online]. Available: http://www.microsoft.com/java/developerFAQ.htm
[6] IDS Software (1999, Nov.). JDBC Connection via HTTPS Proxy. [Online]. Available: http://www.idssoftware.com/jdbchttps.html
