|
| 1 | +## Language Design |
| 2 | +*Note: More information available from [Overview of Java SE Security (oracle.com)](https://docs.oracle.com/javase/8/docs/technotes/guides/security/overview/jsoverview.html)* |
| 3 | +$$\text{Java} \underset{compile}{\longrightarrow} Bytecode \underset{interpret}{\longrightarrow} Execute$$ |
| 4 | +Java is compiled to a portable bytecode that is then interpreted. |
| 5 | +- Bytecode comes in `.class` files |
| 6 | +- Bytecode can be created manually, and is not necessarily produced by a java compiler. |
| 7 | +The Java Virtual Machine loads the `.class`, and can then execute. |
| 8 | +$$\text{Loader} \to \text{Verifier} \to \text{Linker} \to \text{Bytecode Interpreter}$$ |
| 9 | +Each program can have multiple threads with their own stacks, sharing a heap. |
| 10 | +### Class Loader |
| 11 | +A loader (potentially extending the default [ClassLoader](https://docs.oracle.com/javase/8/docs/api/java/lang/ClassLoader.html)) loads files (or from network) and extracts bytecode. |
| 12 | +- This loading mechanism can be overridden and replaced |
| 13 | +- The classloader used to load a given class is included in the class object |
| 14 | +- Each class has a *protection domain* associated |
| 15 | + - [[Code Signing]] can be used in some circumstances to verify the origin of a class. |
| 16 | +### Verifier |
| 17 | +Checks the bytecode prior to loading (security & correctness), throwing a `verifyError` on failure. |
| 18 | + |
| 19 | +Given that there is no way to determine the source of some bytecode (i.e. if it was generated by `javac`, or manually constructed), bytecode cannot be trusted to be correct or not contain malicious non-java standard compliant code. |
| 20 | +#### Correctness Checks |
| 21 | +- Every instruction has a valid opcode, and obeys type discipline |
| 22 | +- Every branch goes to the start of a valid instruction |
| 23 | +- Access modifiers are not breached (e.g. access from outside class method to private member), including final (e.g. cannot extend `final class`) |
| 24 | +- No operand stack overflows or underflows |
| 25 | +- Methods have structurally correct signatures |
| 26 | +A larger list of checks is available from |
| 27 | +### Linker |
| 28 | +Adds a compiled class or interface to the runtime, initialises static fields, and resolves names to reference the correct loaded classes/methods/statics. |
| 29 | +### Runtime Security |
| 30 | +Checks for [[Generic Bugs]] are performed (for example array bounds checks, null pointer access checks). Furthermore pointer arithmetic is not supported, and garbage collection is automatic. |
| 31 | +### Native Interaction |
| 32 | +Bytecode can be compiled into native (e.g. x86, ARM) instructions, as well as interoped with native code compiled from C/C++/other languages. |
| 33 | +- JIT is good for performance, and a core feature of [[HotSpot]] |
| 34 | +- Required for interaction with OS, drivers, etc that present a system call interface, or library interface over the C ABI. |
| 35 | +- Similarly C# and the [[Common Language Runtime]] |
| 36 | + |
| 37 | +## Security Manager |
| 38 | +Java library methods call the security manager to check permissions on operations. |
| 39 | + |
| 40 | +When called at runtime the *Security Manager* assesses: |
| 41 | +- The protection domain of the calling class (including the signer if [[Code Signing]] - validated at load time, and the location of the java class) |
| 42 | +- A system policy is used to allow or deny permission to call the java library method. |
| 43 | + |
| 44 | +The checks usable can be found in the [SecurityManager documentation](https://docs.oracle.com/javase/8/docs/api/java/lang/SecurityManager.html#method.detail). |
| 45 | + |
| 46 | +Stack inspection is used to determine the calling method. |
| 47 | +- Permissions depend of the permission of methods above it on the stack. |
| 48 | +- Vulnerabilities have been found in the implementation of this method (see [[10 Years of Java Exploits]]) |
| 49 | + |
0 commit comments