Java is a language that is born with the network needs. His various specific choices are greatly tilted on the network. The network environment means great danger. In order to protect the end user, Sun proposes the concept of sandbox. All procedures must be implemented in the sandbox, can't do anything that is not allowed, such as writing disks, open processes, etc.
One, sandbox (SANDBOX)
Generally speaking, you can only run a trusted program. You must guarantee the program from trusted channels and regularly tap to ensure that the program can be trusted. But once the program is running, he gets complete control. If it is a malicious program, it can make any destruction because there is no restriction after the program is running. So in traditional security mode, you must try to isolate malicious code when you get the program.
However, the sandbox security model allows you to rest assured that the unknown source of the unknown source, you don't have to force whether a program can contain malicious programs; do not use the virus scan, because Java's sandbox itself will not allow viruses Or malicious code does anything possible to have a destructive thing.
You can also suspect whether the Java's sandbox itself has a vulnerability, whether there is a way to let developers bypass the sandbox. In order to understand the sandbox you must understand several basic structures constituting the Java sandbox:
1, the structure of the type loader (TheclassLoadRectage)
2, the verification of class files (TheclassFileverifier)
3, Java virtual machine and Java language built-in security system (SafetyfeaturesBuiltintintothejavavirtualmachine (andthelanguage))
4, security manager and javaapi
The type loader and security manager are customized. You can develop your own security policies by customizing these buildings. As a developer may do not need to customize these components, you may often use the sandbox to be developed by others. For example, when developing Applet, you will be restricted by the sandbox used by the browser.
Second, the structure of the type loader (TheclassLoadRechitecture)
As the first defense line of the Java platform, the class loader implements security strategies through two ways:
1. Protect the trusted class library is not infringed
2, isolated from trusted code, untrusted code
The Java class loader implements the trusted class library by preventing non-trust code disguise as trusted code. If you can deceive the Java virtual machine, let him think that he is trusted Javaapi, then he can set the defense line set by the sandbox. By preventing the category that is not trusted as a trusted class, Java's class loader structure can eliminate this unsafe hidden danger.
Java's class loader structure can build a protected namespace (Name-Spaces) by using a different class loader to trusted code. A named space is a unusable loaded class with a Java virtual machine maintenance. If you have already added a "Volcano" class in a namespace, then you can't add it in another "Volcano" class in the same namespace. But by creating multiple namespaces, add multiple "Volcano" classes.
In the Java virtual machine, a class can only access other classes in the same namespace. The classes in different names are even different from each other unless you provide a way to allow them to interact. This way even if a class containing malicious code is loaded into a virtual machine, he cannot hinder the normal execution of your program.
Usually a class loader relies on other class loaders (often the original product loader) to achieve custom loading. In order to achieve a custom security policy, a class loader is often used by the following four steps.
1. Determine whether the category of the request is in a packet that is prohibited, if you throw a security exception (SecurityException), otherwise the second step 2 is continued 2, the class loader will request the request to the original class loader. If the original product loader is successfully loaded, it will return this class directly, otherwise the third step will continue.
3, if a trusted but not allowed to add a class, throw a safe exception, otherwise the fourth step will continue
4. The final class loader tries to load this class with its own way, such as downloading from the web. If success, return this class, otherwise throw (NoclassdefinitionFounderror).
Through these steps, this type of loader protects the protected package. The first step: prevent classes in a prohibited package being loaded. In the third step, it is prohibited from being placed in a trusted package.
Third, the verifier of class files
The validator of the class file ensures that the already loaded classes have a complete structure. If you find that she will throw an exception. Another need to prevent it is those that modify the class file to achieve special things, such as the end of directly jump to the method, which may cause the Java virtual machine to crash. In order to ensure the robustness of the Java program, the Java virtual machine must verify the imported files. Although the implementation of the Java virtual machine allows this verification at any time, most of them are verified after the class load is completed. In most cases, all bytecodes are verified together, which is more efficient than validation before each execution.
Typically, verification is divided into two steps: the first step, check the structure integrity of the class file and the correctness of the bytecode, usually check after loading. In the second step, check all references, variables, and methods exist, usually check before execution.
1, first step: internal inspection (InternalChecks)
In the first step, the inspector checks all the things that can be checked by checking the class file itself. In addition, it also checks the word code integrity, the structure of the class file, and the internal consistency, such as "0xcafebabe" at the beginning of the file.
The class checker also checks that the file is not deleted or increasing. The class file is saved in the class file, which makes the file length inspection possible.
The class checker also checks if each small component has a well definition, such as a declaration of the method. The class checker also checks the language characteristics checking up time check at runtime.
Bytecode Verification is performed when the class checker checks these structural integrity and contentformagenalconsistence. The bytecode describes the method of Java as a single-byte instruction called an Optographic (OPCODES). Each operation code may follow one or more operands (Operands). The operand provides the data necessary for the Java virtual machine to perform an operator code. A continuous execution code constitutes a thread of the Java virtual machine. Each thread has its own Java Stack (JavaStack), and the stack is composed of some discontinuous blocks (Frames). The calls of each method are all of their own blocks for saving local variables and computational intermediate variables. The area where the intermediate variable in the block is saved is called an operandstack (OPERANDSTACK). An operation code and his operands may depend on the local variable stored in the operand stack or method block.
The bytecode checker made a lot of checks. He guarantees whether the program is executed there, she can always get a certain type of operation code, and the operand stack always contains the same type and number of items. He is not able to be accessed before the variable is initialized. He guarantees that the fields in the class are always bound, and when the methods in the class are called, they are always given appropriate parameters. The bytecode checker also checks if each opcode is available, whether there is a suitable number of operands, whether there is a suitable local variable and operand stack. This is just part of all inspections. After all check is executed, you can save all byte codes to be implemented by Java virtual machines. The first part of the check ensures that the class file has a suitable format, unified content, is bound by the Java language rule, and the bytecode can be implemented by Java virtual machine. If any questions or uncertain factors are found, he will throw an error (Error) and this class file will not be used by the program.
2, step 2: Symbolic reference "VerificationOfSymbolicReferences)
The first step is performed immediately after the class is loaded by the Java virtual machine, and the second step is checked to be delayed to the class containing the zoning code is truly executed. In the second part check, the Java virtual machine follows the references in the class file to check the referenced class files to ensure the correctness of the class reference. Because the second step is often necessary to load other classes, all most providers are executed when the bytecode is actually executed.
The second step is also part of the dynamicLinking. Symbol references are some strings that contain naming and other possible information. In order to determine the referenced item, the reference class symbol reference must be replaced with the full name of the class; reference to other class member variables must provide a descriptor of class name, variable name, and variable; reference method must provide class name, method name, The descriptor of the method.
The process of dynamically connecting is also the process of converting symbols to direct reference. The Java virtual machine completes this conversion through two basic steps:
1), find the referenced class, if necessary, load
2), the symbol reference is replaced by byte reference, such as class, member variable, pointer or shift
Java Virtual Machine Records These direct references, so when you use these references again, it can use this direct reference directly without converting the character reference. If during the conversion process, the class is discovered is not available, then the inspector will throw an error.
3, binary compatibility
The front two checks are only checked according to class files, but no guarantee class files are compatible. Because the Java program is dynamically connected, it does not exclude binary incompatibility (binarycompatibility) that causes modifications to associated source files. Java's compiler often recompiles other class files that modify.
When you delete, modify the method in the class, you will break the binary compatibility of the class, and the method will not be added.
Fourth, Java virtual machine built-in security mechanism
The Java program will do the following exam in addition to the inspections on the upper side:
1, type safety check
2, structured memory access (no pointer operator)
3, auto garbage collection (not always able to release allocated memory)
4, array boundary check
5, reference non-NULL check
Prohibit Direct memory access to the Java program guarantees enough robustness. First, you can directly access the memory program, often lead to confusion, crash or even other programs, which are major security issues. This level of robustness is equally important in embedded devices, because no one wants to restart a call. Second, direct memory access has also given a hacker a chance to steal, destroy information. So forced direct memory access, that is, enhanced the robustness of the program, and the possible conspiracy of hackers.
There is no clear memory structure is also an important aspect of the Java virtual machine built-in security mechanism, and it is also an important supplement to prohibiting direct memory access. Runtime memory space refers to the memory area that is used by the Java virtual machine to save the necessary data, including: Java stack (each thread has its own), a method area (area for saving byte code) and a garbage Collecting piles (for saving new objects). Any address information is not saved in the Java class file, and the Java virtual machine is always stored when it is loaded with the class code and the corresponding other resolution information. The Java virtual machine always starts a thread that determines where the Java stack will be stored. When you create an object, you will decide where to store this object. This hacker does not want to find the address of a particular class information in memory, because each execution may use different memory addresses. The memory organization of the Java virtual machine is not part of the specification, and the Java virtual machine designer decides if it organizes its own memory. This makes it possible to re-come back when the hacker is clearly organized by a Java virtual machine memory. Although it is unable to do through the bytecode, the local method can be. When you perform your local method, you will jump out of the sandbox, no longer controlled by the security manager, he can do anything. However, the security manager contains a rule: whether the program can load the dynamic connection library (DynamiBrary). Because the local method must load a new dynamic connection library. For example, an unreliable applet is not able to load the dynamic connection library. When a thread calls the local method, he jumps out of the Java sandbox, Java's security model is also degraded into traditional security model: his security must be ensured before running.
The final security barrier between Java virtual machines is StructuredERRORHANDLINGWITHEXCEPTIONS. By error handling, the program does not have to crash even if the program throws an exception or even errors. The error (ERROR) often leads to the termination of a thread, but other threads in the program may do some other things, so the program is not necessary to collapse.
Six, safety manager and javaapi
By using the class loader, different namespaces can be split in the Java virtual machine to protect the namespaces. But if you want to save resources other than Java virtual machines, you need to use security managers. The security manager defines the boundaries of the sandbox. You can implement your own security policies by custom security managers. JavaAPI will be licensed as any of the actions that may cause unsafe factors. Corresponding to each insecure method, the security manager also provides a corresponding method to determine if the execution is permitted. These methods have "Check", such as Checkread (), Checkwrite ().
The methods typically need to check are:
1), Checkconnect (StringHost, Intport), CheckConnect (StringHost, Intport, ObjectContext): Receive Socket connections from the specified host and port
2), CheckAccept (StringHost, Intport): Open a socket connection to the specified host and port
3), checkaccess (threadt): changing thread status (changing priority, termination, etc.)
4) CHECKLISTEN (INTPORT): Monitor the specified port, wait for the connection
5), Checkmulicast (INEDDRESSMADDR), CheckmultiSt (INEDDRESSMADDR, BYTETT): Add, leave, send or accept IP multicast before calling 6), checksetfactory (): Set the Socket class that is used by Serversocket or Socket or set by URL URL stream processor call
7), checkexit (): Termination program
8), Checklink (): Dynamic connection library for loading the package
9), CheckcreateClassLoader (): Create a new class loader
10), CheckpackageAccess (StringPKG): Access the class in the specified package (class loader)
11), CheckPackageDefinition (STRINGPKG): Add classes in the specified package (class loader)
12) CheckpropertiesAccess (): Access and modify the general system properties
13) CHECKPROPERTIESACCESS (STRINGKEY): Access the specified system properties
14), Checkread (StringFile), Checkread (StringFile, ObjectContext): Read the specified file
15), Checkwrite (FileDescriptorfd), Checkwrite (StringFile): Write the specified file
16), Checkdelete (StringFile): Delete the specified file
17), CheckTopleVelwindow (ObjectWindow): Call before the display specified by any warning is displayed
18), CheckPrintJobaccess (): Initialize a print task request called
19), ChecksystemClipboardAccess (): Access the system clipboard before being called
20) CHECKAWTEVENTQUEAACCCCCCESS (): Access to the AWT event queue before being called
21), Checkmembraccess (): Call before accessing class information by image API
These are so-called old-fashioned verification methods, please refer to Java.lang.securityManager's Javadoc. After version 1.2, some licenses are defined, and these classes can be judged whether it is allowed. Two new methods are also added in SecurityManager:
1) Checkpermission (Permissionperm): Call before a certain operation is performed.
2) CHECKPERMISSION (PermissionPerm, ObjectContext): Called before actions (required permissions) in the passing security context
Since all JavaAPI always check if the security manager is allowed before execution, JavaAPI can be prohibited from performing a specific operation by custom security policies. But there are two possibilities that may lead to dangerous operations, but they are not listed above, they are: allocating memory, opening new threads. They may result in: allocated to the memory until the collapse, has been open to the speed of the new thread to reduce the system. This attack is called a DenialOfService because it can prevent users to hinder the use of their own computers. Security Manager is not possible to prevent all possible to afford or trouble end users. Once the security manager is installed, it cannot be replaced, extended, and modified after the program is executed. Although you can only install a security manager for your program, you can define your own security strategy. In addition, the security manager also provides a method to determine whether the request is to that class loader. This allows us to use different security policies to different types of loaders. This is the best way to treat those who are unknown.
7. Authentication
The concept of authentication is introduced in the Java 1.Security package in Java1.1, through authentication you can achieve different security policies for different program providers.
Below is a schematic diagram of the encryption process is a decryption process:
8. Security strategies outside technology
Safety is a balance between investment and risks. The more you invest, but the security is worthwhile to see your own decision. But when you have the following things, then all security policies will fail: Download and run the program directly, there is no shutter when they are going, and there is no smashing when discarding the file, you invite the assistant is a spy. Safety in the actual life is not fully solved by technology.
