SlideShare a Scribd company logo

Security in the Real World - JavaOne 2013

Download as ODP, PDF
M
MattKilner

Java was built from the ground up with security clearly in mind and is now the engine powering a huge number of business-critical systems. With this visibility and opportunity come attacks, and this session goes through the state of security in Java in 2013 and discusses some of the attack vectors. It presents a couple of real-world examples and also addresses the real-world challenges in getting security fixes out quickly. Finally, it touches on hardware cryptography. Come learn more about the reality of security today and take away a better awareness of exactly how Java helps protect you.

Technology
1 of 74
Matthew Kilner – IBM Java L3 Service – Core team lead 23rd September 2013 Security in the Real World © 2013 IBM Corporation
Important Disclaimers  THE INFORMATION CONTAINED IN THIS PRESENTATION IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY.  WHILST EFFORTS WERE MADE TO VERIFY THE COMPLETENESS AND ACCURACY OF THE INFORMATION CONTAINED IN THIS PRESENTATION, IT IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED.  ALL PERFORMANCE DATA INCLUDED IN THIS PRESENTATION HAVE BEEN GATHERED IN A CONTROLLED ENVIRONMENT. YOUR OWN TEST RESULTS MAY VARY BASED ON HARDWARE, SOFTWARE OR INFRASTRUCTURE DIFFERENCES.  ALL DATA INCLUDED IN THIS PRESENTATION ARE MEANT TO BE USED ONLY AS A GUIDE.  IN ADDITION, THE INFORMATION CONTAINED IN THIS PRESENTATION IS BASED ON IBM’S CURRENT PRODUCT PLANS AND STRATEGY, WHICH ARE SUBJECT TO CHANGE BY IBM, WITHOUT NOTICE.  IBM AND ITS AFFILIATED COMPANIES SHALL NOT BE RESPONSIBLE FOR ANY DAMAGES ARISING OUT OF THE USE OF, OR OTHERWISE RELATED TO, THIS PRESENTATION OR ANY OTHER DOCUMENTATION.  NOTHING CONTAINED IN THIS PRESENTATION IS INTENDED TO, OR SHALL HAVE THE EFFECT OF:  - CREATING ANY WARRANT OR REPRESENTATION FROM IBM, ITS AFFILIATED COMPANIES OR ITS OR THEIR SUPPLIERS AND/OR LICENSORS 2 © 2013 IBM Corporation
About me  Matthew Kilner   Work for IBM – 13 years working on IBM Java • Memory Management • Class Sharing • RAS – Currently leading the Core customer support team.   Contact info – kilnerm@uk.ibm.com – Twitter: @IBMJTC – Youtube: IBM_JTC   Visit the IBM booth #5112 and meet other IBM developers at JavaOne 2013 3 © 2013 IBM Corporation
What should you get from this talk?  An understanding of the most common attack vectors used to target Java.   An insight into the details of some example vulnerabilities.   An understanding of the current importance of security in the context of the Java platform.   Some ideas of how you can write more secure code. © 2013 IBM Corporation
The problem with keeping anything secure  "The only secure computer is one that's unplugged, locked in a safe, and buried 20 feet under the ground in a secret location... and I'm not even too sure about that one" -- (attributed) Dennis Huges, FBI.   A complex system will have many attack vectors   Systems need to balance stability, performance and security © 2013 IBM Corporation
Security that doesn’t interfere ■  Java and the Java Virtual Machine provide defense in depth –Class loaders –Verification –Access Controller / Security Manager –Java Cryptography Extensions (JCE) –Java Secure Sockets Extension (JSSE) –Java Authentication and Authorization Service (JAAS)    Security is expected to be a trusted resource –It just works –It has been verified (thoroughly) by vendors   Be aware of what isn’t secured!   Key: Java should negate the need to build (and verify!) your own security layers  Available implicitly or explicitly during development / deployment © 2013 IBM Corporation
Security Layers in Java  Some things you get “for free” Diagram Reference: Java Security, Scott Oaks, O’Reilly Media, May 24, 2001, Second Edition, ISBN-10: 0596001576, ISBN-13: 978-0596001575  Others you use when you ask for them © 2013 IBM Corporation
Common attack vectors  The most common attack vectors in the context of Java fall into four categories: – Untrusted Data – Untrusted Code – Applet / Browser – Local   Through the rest of the talk we will look at each in a little more detail © 2013 IBM Corporation
Attack Vectors: Untrusted Data  The untrusted data vector is exploitable when an application parses a specific data type from an untrusted source. – The vulnerability may exist in the application code or underlying JDK code.   For example, – You are using an image parsing module that contains a vulnerability that can lead to an infinite loop when the image file is crafted in a specific manner. – If your server application allows users to upload images for parsing an attacker could create a Denial of Service attack by uploading maliciously formed images.   This type of problem has widely varying consequences, from DOS attacks through to arbitrary code execution © 2013 IBM Corporation
Double.parseDouble Denial-of-Service Attack (CVE-2010-4476) © 2013 IBM Corporation
Double.parseDouble Old but special  The Alert was officially published in Febuary 2011   Is a very worthy inclusion because: • It was the first alert to cause real panic • Easily exploitable & Pervasive © 2013 IBM Corporation
Double.parseDouble The problem  A bug had been present in Double.parseDouble since early versions of the JDK.   Passing "2.2250738585072012e-308" to the method causes an infinite loop.   The catalyst was a determination of just how easy it was to exploit –Populating header fields in webserver requests with the value resulted in a DOS attack. –  © 2013 IBM Corporation
Double.parseDouble The result  A fix was made very quickly   The ease of exploit and pervasiveness of the vulnerability resulted in a huge exercise to update products distributing the JDK.   Fixes were provided right back to 1.3.1 and on obscure platforms like OS/2.  © 2013 IBM Corporation
Hashing Denial-of-Service Attack (CVE-2011-4858) © 2013 IBM Corporation
Hashing Denial-of-Service Attack  String hash codes and hashing structures have been around “for ever”   The attack is possible through a combination of: – Performance short comings – Documented / predictable behavior   Can be used to exploit vulnerabilities in existing software   Algorithmic Complexity Attack © 2013 IBM Corporation
Hashing Denial-of-Service Attack How String Hashing Works  String hashing algorithm is well known and reversible  It is easy to construct strings that have identical hash codes == 2112 == 2031744 © 2013 IBM Corporation
Hashing Denial-of-Service Attack How Hashing Structures Work HashMap © 2013 IBM Corporation
Hashing Denial-of-Service Attack How Hashing Structures Work HashMap Array to hold the various <key,value> pairs © 2013 IBM Corporation
Hashing Denial-of-Service Attack How Hashing Structures Work HashMap Use the hash code for “QuantityAa” to find a location in the array Array to hold the various <key,value> pairs © 2013 IBM Corporation
Hashing Denial-of-Service Attack How Hashing Structures Work HashMap Find the appropriate “bucket” and add the entry < “QuantityAa”, “1234” > © 2013 IBM Corporation
Hashing Denial-of-Service Attack How Hashing Structures Work HashMap < “QuantityAa”, “1234” > © 2013 IBM Corporation
Hashing Denial-of-Service Attack How Hashing Structures Work HashMap < “QuantityAa”, “1234” > < “QuantityBB”, “987” > © 2013 IBM Corporation
Hashing Denial-of-Service Attack How Hashing Structures Work HashMap < “QuantityAa”, “1234” > < “QuantityBB”, “987” > Warning: Lookup / Insertion requires a string comparison!!! © 2013 IBM Corporation
Hashing Denial-of-Service Attack How Hashing Structures Work HashMap < “QuantityAa”, “1234” > < “QuantityBB”, “987” > Warning: Lookup / Insertion requires a string comparison!!!  Keys with identical hashes will always fall into the same bucket © 2013 IBM Corporation
Hashing Denial-of-Service Attack The Danger of strings as Keys in Hashing Structures  Deep buckets with malicious keys can cause serious performance issues HashMap < “AaAaAaAaAa … AaAaAa”, “1234” > < “AaAaAaAaAa … AaAaBB”, “987” > Near duplicate string with difference at the end © 2013 IBM Corporation
Hashing Denial-of-Service Attack The primary exploit  Websites make use of parameters as part of client / server communication  The Server is responsible for managing the parameters for the servlet  Hash structures are a typical way of managing these <key,value> pairs   Issue: Long insert / lookup times for parameters that have high hash collision rate    Reference: http://www.nruns.com/_downloads/advisory28122011.pdf  Result: Web servers could be effectively “disabled” with simple requests  © 2013 IBM Corporation
Hashing Denial-of-Service Attack Current Solution  Hashing structures now use an alternate hash code for String – Use alternate only at a certain capacity – Algorithm where the hash code cannot be calculated externally   Why not modify String.hashCode()? – It’s spec! – Reliance in existing software   NOTE: With alternate hash, iteration order is now changed! – Spec’d as “unspecified” – Doesn’t matter – code relies on this any way – Solution can cause existing working software to fail! © 2013 IBM Corporation
Hashing Denial-of-Service Attack Current Solution  The JVM now supports a system property to enable the behavior at thresholds: • -Djdk.map.althashing.threshold=<threshold>   Apache Tomcat property maxParameterCount to limit number of parameters © 2013 IBM Corporation
Attack Vectors: Untrusted Code  Untrusted code originates from an unknown to untrusted source – It is not under the application environments control – It is not know to be benign. – It should be treated with caution   Typically executed via an unsigned applet or webstart application – Browser based client side exploit – The JDK security sandbox offers protection   The attack vector works due to vulnerabilities that allow the untrusted code to escape the confines of the sandbox, sometimes disabling it completely. – Allows the code to do whatever it likes.   While most common on the client side the vulnerability applies equally to any environment where code executes under a security manager. © 2013 IBM Corporation
Gondvv Vulnerability (CVE-2012-4681) © 2013 IBM Corporation
Java Security Manager Bypass (Gondvv)  Imagine visiting a website and your calculator application pops up     How did that happen?   Arbitrary code has been run on your machine – how compromised are you? © 2013 IBM Corporation
Java Security Manager Bypass (Gondvv) The key change to sun.awt.SunToolkit  A simple access modifier change (within a larger change) exposed a vulnerability © 2013 IBM Corporation
Java Security Manager Bypass (Gondvv) The key change to sun.awt.SunToolkit  A simple access modifier change (within a larger change) exposed a vulnerability © 2013 IBM Corporation
Java Security Manager Bypass (Gondvv) The key change to sun.awt.SunToolkit  A simple access modifier change (within a larger change) exposed a vulnerability © 2013 IBM Corporation
Java Security Manager Bypass (Gondvv) The key change to sun.awt.SunToolkit  A simple access modifier change (within a larger change) exposed a vulnerability Set the security permissions to that of the current code (privileged) in place of the callers security permissions © 2013 IBM Corporation
Java Security Manager Bypass (Gondvv) The key change to sun.awt.SunToolkit  A simple access modifier change (within a larger change) exposed a vulnerability Use reflection to acquire a Field object on the given class © 2013 IBM Corporation
Java Security Manager Bypass (Gondvv) The key change to sun.awt.SunToolkit  A simple access modifier change (within a larger change) exposed a vulnerability Set the reflect object Field usage to ignore access checks. Privileged action permitted through doPrivileged() © 2013 IBM Corporation
Java Security Manager Bypass (Gondvv) How the exploit works com.sun.beans.finder ClassFinder © 2013 IBM Corporation
Java Security Manager Bypass (Gondvv) How the exploit works com.sun.beans.finder ClassFinder findClass() sun.awt SunToolkit © 2013 IBM Corporation
Java Security Manager Bypass (Gondvv) How the exploit works com.sun.beans.finder ClassFinder java.beans findClass() sun.awt Statement “setSecurityManager()” SunToolkit AccessControlContext © 2013 IBM Corporation
Java Security Manager Bypass (Gondvv) How the exploit works com.sun.beans.finder ClassFinder java.beans Statement findClass() “setSecurityManager()” sun.awt SunToolkit getField() AccessControlContext © 2013 IBM Corporation
Java Security Manager Bypass (Gondvv) How the exploit works com.sun.beans.finder ClassFinder java.beans Statement findClass() “setSecurityManager()” sun.awt SunToolkit getField() AccessControlContext java.lang.reflect Field © 2013 IBM Corporation
Java Security Manager Bypass (Gondvv) How the exploit works com.sun.beans.finder ClassFinder java.beans Statement findClass() “setSecurityManager()” sun.awt SunToolkit getField() AccessControlContext Elevated permissions for statement set() java.lang.reflect Field © 2013 IBM Corporation
Java Security Manager Bypass (Gondvv) How the exploit works com.sun.beans.finder ClassFinder java.beans Statement findClass() “setSecurityManager()” sun.awt SunToolkit getField() AccessControlContext Elevated permissions for statement set() java.lang.reflect Field © 2013 IBM Corporation
Java Security Manager Bypass (Gondvv) How the exploit works com.sun.beans.finder ClassFinder java.beans Statement findClass() “setSecurityManager()” sun.awt execute() Elevated permissions for sandbox SunToolkit getField() AccessControlContext Elevated permissions for statement set() java.lang.reflect Field © 2013 IBM Corporation
Java Security Manager Bypass (Gondvv) How the exploit works com.sun.beans.finder ClassFinder java.beans Statement findClass() “setSecurityManager()” sun.awt execute() Elevated permissions for sandbox SunToolkit getField() AccessControlContext Elevated permissions for statement set() java.lang.reflect Field java.lang Runtime © 2013 IBM Corporation
Java Security Manager Bypass (Gondvv) How the exploit works com.sun.beans.finder ClassFinder java.beans Statement findClass() “setSecurityManager()” sun.awt execute() Elevated permissions for sandbox SunToolkit getField() AccessControlContext Elevated permissions for statement set() java.lang.reflect Field java.lang Runtime exec(“…”) © 2013 IBM Corporation
Java Security Manager Bypass (Gondvv) How the exploit works com.sun.beans.finder ClassFinder java.beans Statement findClass() “setSecurityManager()” sun.awt execute() Elevated permissions for sandbox SunToolkit getField() AccessControlContext Elevated permissions for statement set() java.lang.reflect Field java.lang Runtime exec(“…”) © 2013 IBM Corporation
Java Security Manager Bypass (Gondvv) Epilogue   Needed to be running untrusted code   Java7 VM required • Most users were still at 6.0   A simple change to an access modifier exposed the entire system   NOTE: A fix was turned around in very short order © 2013 IBM Corporation
Method Handles © 2013 IBM Corporation
Method Handles  JSR 292: Supporting Dynamically Typed Languages on the JavaTM Platform – A new bytecode for custom dynamic linkage (invokedynamic) – MethodHandle (and support classes) as a “function pointer” interface for linkage –  Fast invocation of bound methods – Method handle invocation speed can be far superior to reflect methods –  A MethodHandle resembles java.lang.reflect.Method – Access checking is performed at lookup, not at every call – Conversion available from reflection side to MethodHandle types © 2013 IBM Corporation
Method Handles Access and Security Checks Reflection MethodHandles SecurityManager checks at lookup Yes Yes Access checks at lookup No Yes Access checks at invocation Yes No Checks at setAccessible(true) Yes N/A Anyone can invoke? No: by default Yes: setAccessible(true) Yes – by default © 2013 IBM Corporation
Method Handles Security Where It Matters © 2013 IBM Corporation
Method Handles A Word of Caution  The lookup mechanism has interesting privilege characteristics –Be careful about what code has access to it © 2013 IBM Corporation
"New Year Day" / "EveryDay" (CVE-2013-0422) © 2013 IBM Corporation
"New Year Day" / "EveryDay" A combination of exploits  Client side applet based attack   A combination of two vulnerabilities • The ability to access privelidged classes via JMX • A reflection issue in MethodHandles that prevented correct access checks •  Easy to exploit   © 2013 IBM Corporation
"New Year Day" / "EveryDay" How it worked   Escalation Class  The escalation class implements privileged action  The action sets the SecurityManager to Null © 2013 IBM Corporation
"New Year Day" / "EveryDay" How it worked   Escalation Class Applet  The bytes are stored in an array in the applet. © 2013 IBM Corporation
"New Year Day" / "EveryDay" How it worked   Escalation Class Applet com.sun.jmx.mbeanserver MBeanInstantiator  Next we aquire an instance of MbeanInstantiator via the public API JmxMBeanServer.getMBeanInstantiator(). © 2013 IBM Corporation
"New Year Day" / "EveryDay" How it worked   Escalation Class Applet sun.org.mozilla.javascript.internal Context com.sun.jmx.mbeanserver MBeanInstantiator findClass() sun.org.mozilla.javascript.internal GeneratedClassLoader  The findClass method is used to obtain two private classes © 2013 IBM Corporation
"New Year Day" / "EveryDay" How it worked   Escalation Class java.lang.invoke Applet Methodhandles Local Lookup sun.org.mozilla.javascript.internal Context com.sun.jmx.mbeanserver MBeanInstantiator findClass() sun.org.mozilla.javascript.internal GeneratedClassLoader  A local instance of MethodHandles.lookup is created © 2013 IBM Corporation
"New Year Day" / "EveryDay" How it worked   Methodhandles Applet java.lang.invoke Methodhandle Local Lookup Escalation Class java.lang.invoke “java.lang.invoke.MethodHandles. FindConstructor” sun.org.mozilla.javascript.internal Context com.sun.jmx.mbeanserver MBeanInstantiator findClass() sun.org.mozilla.javascript.internal GeneratedClassLoader  This is then used to create a method Handle to the findConstructor method in the Methodhandles class © 2013 IBM Corporation
"New Year Day" / "EveryDay" How it worked   Methodhandles Applet sun.org.mozilla.javascript.internal Context com.sun.jmx.mbeanserver MBeanInstantiator java.lang.invoke Methodhandle Local Lookup Escalation Class java.lang.invoke “java.lang.invoke.MethodHandles. FindConstructor” java.lang.invoke Methodhandle “sun.org.mozilla.javascript.internal findClass() Context()” sun.org.mozilla.javascript.internal GeneratedClassLoader sun.org.mozilla.javascript.internal Context Context Object  When invoked against our Context class we obtain a new methodHandle that allows us to create an instance of Context © 2013 IBM Corporation
"New Year Day" / "EveryDay" How it worked   Escalation Class Applet sun.org.mozilla.javascript.internal Context Context Object java.lang.invoke Methodhandle “sun.org.mozilla.javascript.internal Context.createClassLoader()” java.lang.invoke Methodhandle “sun.org.mozilla.javascript.internal GeneratedClassLoader. defineClass()”  The same technique is used to create methodHandles for Context.createClassloaded and GeneratedClassLoader.define class © 2013 IBM Corporation
"New Year Day" / "EveryDay" How it worked   Escalation Class Applet sun.org.mozilla.javascript.internal Context Context Object java.lang.invoke sun.org.mozilla.javascript.internal Methodhandle GeneratedClassLoader “sun.org.mozilla.javascript.internal Classloader Object Context.createClassLoader()” java.lang.invoke Methodhandle “sun.org.mozilla.javascript.internal GeneratedClassLoader. defineClass()”  A classloader object is created © 2013 IBM Corporation
"New Year Day" / "EveryDay" How it worked   Escalation Class Applet sun.org.mozilla.javascript.internal Context Context Object java.lang.invoke sun.org.mozilla.javascript.internal Methodhandle GeneratedClassLoader “sun.org.mozilla.javascript.internal Classloader Object Context.createClassLoader()” java.lang.invoke Methodhandle “sun.org.mozilla.javascript.internal GeneratedClassLoader. defineClass()” Escalation Class Loaded Class  Enabling the defineClass method to be called, passing our escalation class bytes. © 2013 IBM Corporation
"New Year Day" / "EveryDay" How it worked   Escalation Class Applet sun.org.mozilla.javascript.internal Context Context Object java.lang.invoke sun.org.mozilla.javascript.internal Methodhandle GeneratedClassLoader “sun.org.mozilla.javascript.internal Classloader Object Context.createClassLoader()” java.lang.invoke Methodhandle “sun.org.mozilla.javascript.internal GeneratedClassLoader. defineClass()” Escalation Class Loaded Class newInstance()  Create an instance of it, and the security manager is disabled. © 2013 IBM Corporation
"New Year Day" / "EveryDay" The resolution  JDK 7u11 included the “fix” –Reports suggest only the reflection exposure was closed. –The default security level was changed to ensure users are always prompted before running unsigned or self signed content. –  This was implementation dependant, the IBM JDK was not affected. © 2013 IBM Corporation
Attack Vectors: Applet / Browser, Local  Applet / Browser – These vulnerabilities are specific to applications running in or via the browser – The vulnerability exists either in the plugin or browser, or it is in the underlying JDK but only exposed when run in the browser environment. –  Local – The local vector requires an attacker to have access to the system on which the JDK is running. – A simple example would be an application writing data to a temporary file before sending it to a printer. • If the files are created with inappropriate permissions any user on the system could access them. © 2013 IBM Corporation
And after all that… © 2013 IBM Corporation
Security is Important to Java What’s being done about security?  IBM and Oracle are working to ensure Java is (and remains) secure! –http://www-03.ibm.com/security/secure-engineering/ –http://www.oracle.com/technetwork/topics/security/whatsnew/index.html  Reporting Issues: –http://www-03.ibm.com/security/secure-engineering/report.html –http://www.oracle.com/us/support/assurance/reporting/index.html  Writing more secure code: – Read and adhere to Oracles “Secure Coding Guidelines”: –http://www.oracle.com/technetwork/java/seccodeguide-139067.html  © 2013 IBM Corporation
Conclusions  Java Security is defense in depth   Trust, but Verify   Java and JVM designed to provide security at a low cost to developers   Many moving parts in security – Things can go wrong, but quick to resolve –Security is Hard – Rolling your own is even worse © 2013 IBM Corporation
Questions? –  © 2013 IBM Corporation
IBM@JavaOne http://ibm.co/JavaOne2013 74 IBM Confidential © 2013 IBM Corporation

Recommended

JavaOne 2013 CON7370: Java Interprocess Communication Challenges in Low-Laten...
JavaOne 2013 CON7370: Java Interprocess Communication Challenges in Low-Laten...JavaOne 2013 CON7370: Java Interprocess Communication Challenges in Low-Laten...
JavaOne 2013 CON7370: Java Interprocess Communication Challenges in Low-Laten...0xdaryl
 
Debugging Native heap OOM - JavaOne 2013
Debugging Native heap OOM - JavaOne 2013Debugging Native heap OOM - JavaOne 2013
Debugging Native heap OOM - JavaOne 2013MattKilner
 
Windows Debugging Tools - JavaOne 2013
Windows Debugging Tools - JavaOne 2013Windows Debugging Tools - JavaOne 2013
Windows Debugging Tools - JavaOne 2013MattKilner
 
JavaOne 2013: Garbage Collection Unleashed - Demystifying the Wizardry
JavaOne 2013: Garbage Collection Unleashed - Demystifying the WizardryJavaOne 2013: Garbage Collection Unleashed - Demystifying the Wizardry
JavaOne 2013: Garbage Collection Unleashed - Demystifying the WizardryRyan Sciampacone
 
JavaOne BOF 5957 Lightning Fast Access to Big Data
JavaOne BOF 5957 Lightning Fast Access to Big DataJavaOne BOF 5957 Lightning Fast Access to Big Data
JavaOne BOF 5957 Lightning Fast Access to Big DataBrian Martin
 
JavaOne2013: Securing Java in the Server Room - Tim Ellison
JavaOne2013: Securing Java in the Server Room - Tim EllisonJavaOne2013: Securing Java in the Server Room - Tim Ellison
JavaOne2013: Securing Java in the Server Room - Tim EllisonChris Bailey
 
JavaOne2013: Secure Engineering Practices for Java
JavaOne2013: Secure Engineering Practices for JavaJavaOne2013: Secure Engineering Practices for Java
JavaOne2013: Secure Engineering Practices for JavaChris Bailey
 
JavaOne2013: Build Your Own Runtime Monitoring for the IBM JDK with the Healt...
JavaOne2013: Build Your Own Runtime Monitoring for the IBM JDK with the Healt...JavaOne2013: Build Your Own Runtime Monitoring for the IBM JDK with the Healt...
JavaOne2013: Build Your Own Runtime Monitoring for the IBM JDK with the Healt...Chris Bailey
 

Recommended

JavaOne 2013 CON7370: Java Interprocess Communication Challenges in Low-Laten...
JavaOne 2013 CON7370: Java Interprocess Communication Challenges in Low-Laten...JavaOne 2013 CON7370: Java Interprocess Communication Challenges in Low-Laten...
JavaOne 2013 CON7370: Java Interprocess Communication Challenges in Low-Laten...0xdaryl
 
Debugging Native heap OOM - JavaOne 2013
Debugging Native heap OOM - JavaOne 2013Debugging Native heap OOM - JavaOne 2013
Debugging Native heap OOM - JavaOne 2013MattKilner
 
Windows Debugging Tools - JavaOne 2013
Windows Debugging Tools - JavaOne 2013Windows Debugging Tools - JavaOne 2013
Windows Debugging Tools - JavaOne 2013MattKilner
 
JavaOne 2013: Garbage Collection Unleashed - Demystifying the Wizardry
JavaOne 2013: Garbage Collection Unleashed - Demystifying the WizardryJavaOne 2013: Garbage Collection Unleashed - Demystifying the Wizardry
JavaOne 2013: Garbage Collection Unleashed - Demystifying the WizardryRyan Sciampacone
 
JavaOne BOF 5957 Lightning Fast Access to Big Data
JavaOne BOF 5957 Lightning Fast Access to Big DataJavaOne BOF 5957 Lightning Fast Access to Big Data
JavaOne BOF 5957 Lightning Fast Access to Big DataBrian Martin
 
JavaOne2013: Securing Java in the Server Room - Tim Ellison
JavaOne2013: Securing Java in the Server Room - Tim EllisonJavaOne2013: Securing Java in the Server Room - Tim Ellison
JavaOne2013: Securing Java in the Server Room - Tim EllisonChris Bailey
 
JavaOne2013: Secure Engineering Practices for Java
JavaOne2013: Secure Engineering Practices for JavaJavaOne2013: Secure Engineering Practices for Java
JavaOne2013: Secure Engineering Practices for JavaChris Bailey
 
JavaOne2013: Build Your Own Runtime Monitoring for the IBM JDK with the Healt...
JavaOne2013: Build Your Own Runtime Monitoring for the IBM JDK with the Healt...JavaOne2013: Build Your Own Runtime Monitoring for the IBM JDK with the Healt...
JavaOne2013: Build Your Own Runtime Monitoring for the IBM JDK with the Healt...Chris Bailey
 
JavaOne 2013: Effective Foreign Function Interfaces: From JNI to JNR
JavaOne 2013: Effective Foreign Function Interfaces: From JNI to JNRJavaOne 2013: Effective Foreign Function Interfaces: From JNI to JNR
JavaOne 2013: Effective Foreign Function Interfaces: From JNI to JNRRyan Sciampacone
 
JavaOne2013: Implement a High Level Parallel API - Richard Ning
JavaOne2013: Implement a High Level Parallel API - Richard NingJavaOne2013: Implement a High Level Parallel API - Richard Ning
JavaOne2013: Implement a High Level Parallel API - Richard NingChris Bailey
 
JavaOne2013 Leveraging Linked Data and OSLC
JavaOne2013 Leveraging Linked Data and OSLCJavaOne2013 Leveraging Linked Data and OSLC
JavaOne2013 Leveraging Linked Data and OSLCSteve Speicher
 
JPA Performance Myths -- JavaOne 2013
JPA Performance Myths -- JavaOne 2013JPA Performance Myths -- JavaOne 2013
JPA Performance Myths -- JavaOne 2013richardgcurtis
 
Bci for Beginners
Bci for BeginnersBci for Beginners
Bci for BeginnersIainLewis
 
Concierge: Bringing OSGi (Back) to Embedded Devices
Concierge: Bringing OSGi (Back) to Embedded DevicesConcierge: Bringing OSGi (Back) to Embedded Devices
Concierge: Bringing OSGi (Back) to Embedded DevicesJan S. Rellermeyer
 
QCon Shanghai: Trends in Application Development
QCon Shanghai: Trends in Application DevelopmentQCon Shanghai: Trends in Application Development
QCon Shanghai: Trends in Application DevelopmentChris Bailey
 
Virtualization aware Java VM
Virtualization aware Java VMVirtualization aware Java VM
Virtualization aware Java VMTim Ellison
 
Building highly available architectures with WAS and MQ
Building highly available architectures with WAS and MQBuilding highly available architectures with WAS and MQ
Building highly available architectures with WAS and MQMatthew White
 
L203326 intro-maria db-techu2020-v9
L203326 intro-maria db-techu2020-v9L203326 intro-maria db-techu2020-v9
L203326 intro-maria db-techu2020-v9Tony Pearson
 
InfoSphere Streams Technical Overview - Use Cases Big Data - Jerome CHAILLOUX
InfoSphere Streams Technical Overview - Use Cases Big Data - Jerome CHAILLOUXInfoSphere Streams Technical Overview - Use Cases Big Data - Jerome CHAILLOUX
InfoSphere Streams Technical Overview - Use Cases Big Data - Jerome CHAILLOUXIBMInfoSphereUGFR
 
SHARE2016: DevOps - IIB Administration for Continuous Delivery and DevOps
SHARE2016: DevOps - IIB Administration for Continuous Delivery and DevOpsSHARE2016: DevOps - IIB Administration for Continuous Delivery and DevOps
SHARE2016: DevOps - IIB Administration for Continuous Delivery and DevOpsRob Convery
 
Effective admin and development in iib
Effective admin and development in iibEffective admin and development in iib
Effective admin and development in iibm16k
 
The benefits of IBM FlashSystems
The benefits of IBM FlashSystemsThe benefits of IBM FlashSystems
The benefits of IBM FlashSystemsLuca Comparini
 
Deploy, Monitor and Manage in Style with WebSphere Liberty Admin Center
Deploy, Monitor and Manage in Style with WebSphere Liberty Admin CenterDeploy, Monitor and Manage in Style with WebSphere Liberty Admin Center
Deploy, Monitor and Manage in Style with WebSphere Liberty Admin CenterWASdev Community
 
Impact 2014 - IIB - selecting the right transformation option
Impact 2014 - IIB - selecting the right transformation optionImpact 2014 - IIB - selecting the right transformation option
Impact 2014 - IIB - selecting the right transformation optionAndrew Coleman
 
Performance case studies Common Europe june 2012
Performance case studies Common Europe june 2012Performance case studies Common Europe june 2012
Performance case studies Common Europe june 2012COMMON Europe
 
IBM i Job wait accounting job watcher june 2012
IBM i Job wait accounting job watcher june 2012IBM i Job wait accounting job watcher june 2012
IBM i Job wait accounting job watcher june 2012COMMON Europe
 
Probabilistic Data Structures and Approximate Solutions Oleksandr Pryymak
Probabilistic Data Structures and Approximate Solutions Oleksandr PryymakProbabilistic Data Structures and Approximate Solutions Oleksandr Pryymak
Probabilistic Data Structures and Approximate Solutions Oleksandr PryymakPyData
 
Computer
ComputerComputer
ComputerShivangi Shah
 
Faster persistent data structures through hashing
Faster persistent data structures through hashingFaster persistent data structures through hashing
Faster persistent data structures through hashingJohan Tibell
 
Hashing
HashingHashing
HashingRamzi Alqrainy
 

More Related Content

What's hot

JavaOne 2013: Effective Foreign Function Interfaces: From JNI to JNR
JavaOne 2013: Effective Foreign Function Interfaces: From JNI to JNRJavaOne 2013: Effective Foreign Function Interfaces: From JNI to JNR
JavaOne 2013: Effective Foreign Function Interfaces: From JNI to JNRRyan Sciampacone
 
JavaOne2013: Implement a High Level Parallel API - Richard Ning
JavaOne2013: Implement a High Level Parallel API - Richard NingJavaOne2013: Implement a High Level Parallel API - Richard Ning
JavaOne2013: Implement a High Level Parallel API - Richard NingChris Bailey
 
JavaOne2013 Leveraging Linked Data and OSLC
JavaOne2013 Leveraging Linked Data and OSLCJavaOne2013 Leveraging Linked Data and OSLC
JavaOne2013 Leveraging Linked Data and OSLCSteve Speicher
 
JPA Performance Myths -- JavaOne 2013
JPA Performance Myths -- JavaOne 2013JPA Performance Myths -- JavaOne 2013
JPA Performance Myths -- JavaOne 2013richardgcurtis
 
Bci for Beginners
Bci for BeginnersBci for Beginners
Bci for BeginnersIainLewis
 
Concierge: Bringing OSGi (Back) to Embedded Devices
Concierge: Bringing OSGi (Back) to Embedded DevicesConcierge: Bringing OSGi (Back) to Embedded Devices
Concierge: Bringing OSGi (Back) to Embedded DevicesJan S. Rellermeyer
 
QCon Shanghai: Trends in Application Development
QCon Shanghai: Trends in Application DevelopmentQCon Shanghai: Trends in Application Development
QCon Shanghai: Trends in Application DevelopmentChris Bailey
 
Virtualization aware Java VM
Virtualization aware Java VMVirtualization aware Java VM
Virtualization aware Java VMTim Ellison
 
Building highly available architectures with WAS and MQ
Building highly available architectures with WAS and MQBuilding highly available architectures with WAS and MQ
Building highly available architectures with WAS and MQMatthew White
 
L203326 intro-maria db-techu2020-v9
L203326 intro-maria db-techu2020-v9L203326 intro-maria db-techu2020-v9
L203326 intro-maria db-techu2020-v9Tony Pearson
 
InfoSphere Streams Technical Overview - Use Cases Big Data - Jerome CHAILLOUX
InfoSphere Streams Technical Overview - Use Cases Big Data - Jerome CHAILLOUXInfoSphere Streams Technical Overview - Use Cases Big Data - Jerome CHAILLOUX
InfoSphere Streams Technical Overview - Use Cases Big Data - Jerome CHAILLOUXIBMInfoSphereUGFR
 
SHARE2016: DevOps - IIB Administration for Continuous Delivery and DevOps
SHARE2016: DevOps - IIB Administration for Continuous Delivery and DevOpsSHARE2016: DevOps - IIB Administration for Continuous Delivery and DevOps
SHARE2016: DevOps - IIB Administration for Continuous Delivery and DevOpsRob Convery
 
Effective admin and development in iib
Effective admin and development in iibEffective admin and development in iib
Effective admin and development in iibm16k
 
The benefits of IBM FlashSystems
The benefits of IBM FlashSystemsThe benefits of IBM FlashSystems
The benefits of IBM FlashSystemsLuca Comparini
 
Deploy, Monitor and Manage in Style with WebSphere Liberty Admin Center
Deploy, Monitor and Manage in Style with WebSphere Liberty Admin CenterDeploy, Monitor and Manage in Style with WebSphere Liberty Admin Center
Deploy, Monitor and Manage in Style with WebSphere Liberty Admin CenterWASdev Community
 
Impact 2014 - IIB - selecting the right transformation option
Impact 2014 - IIB - selecting the right transformation optionImpact 2014 - IIB - selecting the right transformation option
Impact 2014 - IIB - selecting the right transformation optionAndrew Coleman
 
Performance case studies Common Europe june 2012
Performance case studies Common Europe june 2012Performance case studies Common Europe june 2012
Performance case studies Common Europe june 2012COMMON Europe
 
IBM i Job wait accounting job watcher june 2012
IBM i Job wait accounting job watcher june 2012IBM i Job wait accounting job watcher june 2012
IBM i Job wait accounting job watcher june 2012COMMON Europe
 

What's hot (18)

JavaOne 2013: Effective Foreign Function Interfaces: From JNI to JNR
JavaOne 2013: Effective Foreign Function Interfaces: From JNI to JNRJavaOne 2013: Effective Foreign Function Interfaces: From JNI to JNR
JavaOne 2013: Effective Foreign Function Interfaces: From JNI to JNR
 
JavaOne2013: Implement a High Level Parallel API - Richard Ning
JavaOne2013: Implement a High Level Parallel API - Richard NingJavaOne2013: Implement a High Level Parallel API - Richard Ning
JavaOne2013: Implement a High Level Parallel API - Richard Ning
 
JavaOne2013 Leveraging Linked Data and OSLC
JavaOne2013 Leveraging Linked Data and OSLCJavaOne2013 Leveraging Linked Data and OSLC
JavaOne2013 Leveraging Linked Data and OSLC
 
JPA Performance Myths -- JavaOne 2013
JPA Performance Myths -- JavaOne 2013JPA Performance Myths -- JavaOne 2013
JPA Performance Myths -- JavaOne 2013
 
Bci for Beginners
Bci for BeginnersBci for Beginners
Bci for Beginners
 
Concierge: Bringing OSGi (Back) to Embedded Devices
Concierge: Bringing OSGi (Back) to Embedded DevicesConcierge: Bringing OSGi (Back) to Embedded Devices
Concierge: Bringing OSGi (Back) to Embedded Devices
 
QCon Shanghai: Trends in Application Development
QCon Shanghai: Trends in Application DevelopmentQCon Shanghai: Trends in Application Development
QCon Shanghai: Trends in Application Development
 
Virtualization aware Java VM
Virtualization aware Java VMVirtualization aware Java VM
Virtualization aware Java VM
 
Building highly available architectures with WAS and MQ
Building highly available architectures with WAS and MQBuilding highly available architectures with WAS and MQ
Building highly available architectures with WAS and MQ
 
L203326 intro-maria db-techu2020-v9
L203326 intro-maria db-techu2020-v9L203326 intro-maria db-techu2020-v9
L203326 intro-maria db-techu2020-v9
 
InfoSphere Streams Technical Overview - Use Cases Big Data - Jerome CHAILLOUX
InfoSphere Streams Technical Overview - Use Cases Big Data - Jerome CHAILLOUXInfoSphere Streams Technical Overview - Use Cases Big Data - Jerome CHAILLOUX
InfoSphere Streams Technical Overview - Use Cases Big Data - Jerome CHAILLOUX
 
SHARE2016: DevOps - IIB Administration for Continuous Delivery and DevOps
SHARE2016: DevOps - IIB Administration for Continuous Delivery and DevOpsSHARE2016: DevOps - IIB Administration for Continuous Delivery and DevOps
SHARE2016: DevOps - IIB Administration for Continuous Delivery and DevOps
 
Effective admin and development in iib
Effective admin and development in iibEffective admin and development in iib
Effective admin and development in iib
 
The benefits of IBM FlashSystems
The benefits of IBM FlashSystemsThe benefits of IBM FlashSystems
The benefits of IBM FlashSystems
 
Deploy, Monitor and Manage in Style with WebSphere Liberty Admin Center
Deploy, Monitor and Manage in Style with WebSphere Liberty Admin CenterDeploy, Monitor and Manage in Style with WebSphere Liberty Admin Center
Deploy, Monitor and Manage in Style with WebSphere Liberty Admin Center
 
Impact 2014 - IIB - selecting the right transformation option
Impact 2014 - IIB - selecting the right transformation optionImpact 2014 - IIB - selecting the right transformation option
Impact 2014 - IIB - selecting the right transformation option
 
Performance case studies Common Europe june 2012
Performance case studies Common Europe june 2012Performance case studies Common Europe june 2012
Performance case studies Common Europe june 2012
 
IBM i Job wait accounting job watcher june 2012
IBM i Job wait accounting job watcher june 2012IBM i Job wait accounting job watcher june 2012
IBM i Job wait accounting job watcher june 2012
 

Viewers also liked

Probabilistic Data Structures and Approximate Solutions Oleksandr Pryymak
Probabilistic Data Structures and Approximate Solutions Oleksandr PryymakProbabilistic Data Structures and Approximate Solutions Oleksandr Pryymak
Probabilistic Data Structures and Approximate Solutions Oleksandr PryymakPyData
 
Faster persistent data structures through hashing
Faster persistent data structures through hashingFaster persistent data structures through hashing
Faster persistent data structures through hashingJohan Tibell
 
Chapter 4 record storage and primary file organization
Chapter 4 record storage and primary file organizationChapter 4 record storage and primary file organization
Chapter 4 record storage and primary file organizationJafar Nesargi
 
Indexing and-hashing
Indexing and-hashingIndexing and-hashing
Indexing and-hashingAmi Ranjit
 
Best for b trees
Best for b treesBest for b trees
Best for b treesDineshRaaja
 
BTree, Data Structures
BTree, Data StructuresBTree, Data Structures
BTree, Data StructuresJibrael Jos
 
Concept of hashing
Concept of hashingConcept of hashing
Concept of hashingRafi Dar
 
B trees in Data Structure
B trees in Data StructureB trees in Data Structure
B trees in Data StructureAnuj Modi
 
Hashing Techniques in Data Structures Part2
Hashing Techniques in Data Structures Part2Hashing Techniques in Data Structures Part2
Hashing Techniques in Data Structures Part2SHAKOOR AB
 
Op Sy 03 Ch 41
Op Sy 03 Ch 41Op Sy 03 Ch 41
Op Sy 03 Ch 41 Google
 
12. Indexing and Hashing in DBMS
12. Indexing and Hashing in DBMS12. Indexing and Hashing in DBMS
12. Indexing and Hashing in DBMSkoolkampus
 

Viewers also liked (20)

Probabilistic Data Structures and Approximate Solutions Oleksandr Pryymak
Probabilistic Data Structures and Approximate Solutions Oleksandr PryymakProbabilistic Data Structures and Approximate Solutions Oleksandr Pryymak
Probabilistic Data Structures and Approximate Solutions Oleksandr Pryymak
 
Computer
ComputerComputer
Computer
 
Faster persistent data structures through hashing
Faster persistent data structures through hashingFaster persistent data structures through hashing
Faster persistent data structures through hashing
 
Hashing
HashingHashing
Hashing
 
Ds 8
Ds 8Ds 8
Ds 8
 
Chapter 4 record storage and primary file organization
Chapter 4 record storage and primary file organizationChapter 4 record storage and primary file organization
Chapter 4 record storage and primary file organization
 
Hashing
HashingHashing
Hashing
 
Indexing and-hashing
Indexing and-hashingIndexing and-hashing
Indexing and-hashing
 
Best for b trees
Best for b treesBest for b trees
Best for b trees
 
BTree, Data Structures
BTree, Data StructuresBTree, Data Structures
BTree, Data Structures
 
File organisation
File organisationFile organisation
File organisation
 
4.4 hashing
4.4 hashing4.4 hashing
4.4 hashing
 
Concept of hashing
Concept of hashingConcept of hashing
Concept of hashing
 
b+ tree
b+ treeb+ tree
b+ tree
 
B trees dbms
B trees dbmsB trees dbms
B trees dbms
 
B trees in Data Structure
B trees in Data StructureB trees in Data Structure
B trees in Data Structure
 
Hashing Techniques in Data Structures Part2
Hashing Techniques in Data Structures Part2Hashing Techniques in Data Structures Part2
Hashing Techniques in Data Structures Part2
 
File structures
File structuresFile structures
File structures
 
Op Sy 03 Ch 41
Op Sy 03 Ch 41Op Sy 03 Ch 41
Op Sy 03 Ch 41
 
12. Indexing and Hashing in DBMS
12. Indexing and Hashing in DBMS12. Indexing and Hashing in DBMS
12. Indexing and Hashing in DBMS
 

Similar to Security in the Real World - JavaOne 2013

Securing Java in the Server Room
Securing Java in the Server RoomSecuring Java in the Server Room
Securing Java in the Server RoomTim Ellison
 
Layer7-WebServices-Hacking-and-Hardening.pdf
Layer7-WebServices-Hacking-and-Hardening.pdfLayer7-WebServices-Hacking-and-Hardening.pdf
Layer7-WebServices-Hacking-and-Hardening.pdfdistortdistort
 
Layer 7 Technologies: Web Services Hacking And Hardening
Layer 7 Technologies: Web Services Hacking And HardeningLayer 7 Technologies: Web Services Hacking And Hardening
Layer 7 Technologies: Web Services Hacking And HardeningCA API Management
 
Visibility & Security for the Virtualized Enterprise
Visibility & Security for the Virtualized EnterpriseVisibility & Security for the Virtualized Enterprise
Visibility & Security for the Virtualized EnterpriseEMC
 
Visibility & Security for the Virtualized Enterprise
Visibility & Security for the Virtualized EnterpriseVisibility & Security for the Virtualized Enterprise
Visibility & Security for the Virtualized EnterpriseEMC
 
Bank One App Sec Training
Bank One App Sec TrainingBank One App Sec Training
Bank One App Sec TrainingMike Spaulding
 
VA_InterConnect2017
VA_InterConnect2017VA_InterConnect2017
VA_InterConnect2017Canturk Isci
 
A taxonomy of obfuscating transformations
A taxonomy of obfuscating transformationsA taxonomy of obfuscating transformations
A taxonomy of obfuscating transformationsemanuele_nl
 
Uncover What's Inside the Mind of a Hacker
Uncover What's Inside the Mind of a HackerUncover What's Inside the Mind of a Hacker
Uncover What's Inside the Mind of a HackerIBM Security
 
IRJET- Bug Hunting using Web Application Penetration Testing Techniques.
IRJET- Bug Hunting using Web Application Penetration Testing Techniques.IRJET- Bug Hunting using Web Application Penetration Testing Techniques.
IRJET- Bug Hunting using Web Application Penetration Testing Techniques.IRJET Journal
 
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...Mobodexter
 
Closing Mainframe Integrity Gaps
Closing Mainframe Integrity GapsClosing Mainframe Integrity Gaps
Closing Mainframe Integrity GapsRay Overby
 
An Introduction of SQL Injection, Buffer Overflow & Wireless Attack
An Introduction of SQL Injection, Buffer Overflow & Wireless AttackAn Introduction of SQL Injection, Buffer Overflow & Wireless Attack
An Introduction of SQL Injection, Buffer Overflow & Wireless AttackTechSecIT
 
7 Ways to Stay 7 Years Ahead of the Threat
7 Ways to Stay 7 Years Ahead of the Threat7 Ways to Stay 7 Years Ahead of the Threat
7 Ways to Stay 7 Years Ahead of the ThreatIBM Security
 
Security Best Practices
Security Best PracticesSecurity Best Practices
Security Best PracticesClint Edmonson
 
Vulnerability Advisor Deep Dive (Dec 2016)
Vulnerability Advisor Deep Dive (Dec 2016)Vulnerability Advisor Deep Dive (Dec 2016)
Vulnerability Advisor Deep Dive (Dec 2016)Canturk Isci
 
Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Akash Mahajan
 
Secure Computing With Java
Secure Computing With JavaSecure Computing With Java
Secure Computing With Javawhite paper
 
IRJET- Security Attacks Detection in Cloud using Machine Learning Algorithms
IRJET- Security Attacks Detection in Cloud using Machine Learning AlgorithmsIRJET- Security Attacks Detection in Cloud using Machine Learning Algorithms
IRJET- Security Attacks Detection in Cloud using Machine Learning AlgorithmsIRJET Journal
 

Similar to Security in the Real World - JavaOne 2013 (20)

Securing Java in the Server Room
Securing Java in the Server RoomSecuring Java in the Server Room
Securing Java in the Server Room
 
Layer7-WebServices-Hacking-and-Hardening.pdf
Layer7-WebServices-Hacking-and-Hardening.pdfLayer7-WebServices-Hacking-and-Hardening.pdf
Layer7-WebServices-Hacking-and-Hardening.pdf
 
Layer 7 Technologies: Web Services Hacking And Hardening
Layer 7 Technologies: Web Services Hacking And HardeningLayer 7 Technologies: Web Services Hacking And Hardening
Layer 7 Technologies: Web Services Hacking And Hardening
 
Visibility & Security for the Virtualized Enterprise
Visibility & Security for the Virtualized EnterpriseVisibility & Security for the Virtualized Enterprise
Visibility & Security for the Virtualized Enterprise
 
Visibility & Security for the Virtualized Enterprise
Visibility & Security for the Virtualized EnterpriseVisibility & Security for the Virtualized Enterprise
Visibility & Security for the Virtualized Enterprise
 
Bank One App Sec Training
Bank One App Sec TrainingBank One App Sec Training
Bank One App Sec Training
 
VA_InterConnect2017
VA_InterConnect2017VA_InterConnect2017
VA_InterConnect2017
 
A taxonomy of obfuscating transformations
A taxonomy of obfuscating transformationsA taxonomy of obfuscating transformations
A taxonomy of obfuscating transformations
 
Uncover What's Inside the Mind of a Hacker
Uncover What's Inside the Mind of a HackerUncover What's Inside the Mind of a Hacker
Uncover What's Inside the Mind of a Hacker
 
IRJET- Bug Hunting using Web Application Penetration Testing Techniques.
IRJET- Bug Hunting using Web Application Penetration Testing Techniques.IRJET- Bug Hunting using Web Application Penetration Testing Techniques.
IRJET- Bug Hunting using Web Application Penetration Testing Techniques.
 
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
 
Closing Mainframe Integrity Gaps
Closing Mainframe Integrity GapsClosing Mainframe Integrity Gaps
Closing Mainframe Integrity Gaps
 
An Introduction of SQL Injection, Buffer Overflow & Wireless Attack
An Introduction of SQL Injection, Buffer Overflow & Wireless AttackAn Introduction of SQL Injection, Buffer Overflow & Wireless Attack
An Introduction of SQL Injection, Buffer Overflow & Wireless Attack
 
7 Ways to Stay 7 Years Ahead of the Threat
7 Ways to Stay 7 Years Ahead of the Threat7 Ways to Stay 7 Years Ahead of the Threat
7 Ways to Stay 7 Years Ahead of the Threat
 
Security Best Practices
Security Best PracticesSecurity Best Practices
Security Best Practices
 
Vulnerability Advisor Deep Dive (Dec 2016)
Vulnerability Advisor Deep Dive (Dec 2016)Vulnerability Advisor Deep Dive (Dec 2016)
Vulnerability Advisor Deep Dive (Dec 2016)
 
Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014
 
Secure Computing With Java
Secure Computing With JavaSecure Computing With Java
Secure Computing With Java
 
Rik Ferguson
Rik FergusonRik Ferguson
Rik Ferguson
 
IRJET- Security Attacks Detection in Cloud using Machine Learning Algorithms
IRJET- Security Attacks Detection in Cloud using Machine Learning AlgorithmsIRJET- Security Attacks Detection in Cloud using Machine Learning Algorithms
IRJET- Security Attacks Detection in Cloud using Machine Learning Algorithms
 

Recently uploaded

Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 

Recently uploaded (20)

E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 

Security in the Real World - JavaOne 2013

  • 1. Matthew Kilner – IBM Java L3 Service – Core team lead 23rd September 2013 Security in the Real World © 2013 IBM Corporation
  • 2. Important Disclaimers  THE INFORMATION CONTAINED IN THIS PRESENTATION IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY.  WHILST EFFORTS WERE MADE TO VERIFY THE COMPLETENESS AND ACCURACY OF THE INFORMATION CONTAINED IN THIS PRESENTATION, IT IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED.  ALL PERFORMANCE DATA INCLUDED IN THIS PRESENTATION HAVE BEEN GATHERED IN A CONTROLLED ENVIRONMENT. YOUR OWN TEST RESULTS MAY VARY BASED ON HARDWARE, SOFTWARE OR INFRASTRUCTURE DIFFERENCES.  ALL DATA INCLUDED IN THIS PRESENTATION ARE MEANT TO BE USED ONLY AS A GUIDE.  IN ADDITION, THE INFORMATION CONTAINED IN THIS PRESENTATION IS BASED ON IBM’S CURRENT PRODUCT PLANS AND STRATEGY, WHICH ARE SUBJECT TO CHANGE BY IBM, WITHOUT NOTICE.  IBM AND ITS AFFILIATED COMPANIES SHALL NOT BE RESPONSIBLE FOR ANY DAMAGES ARISING OUT OF THE USE OF, OR OTHERWISE RELATED TO, THIS PRESENTATION OR ANY OTHER DOCUMENTATION.  NOTHING CONTAINED IN THIS PRESENTATION IS INTENDED TO, OR SHALL HAVE THE EFFECT OF:  - CREATING ANY WARRANT OR REPRESENTATION FROM IBM, ITS AFFILIATED COMPANIES OR ITS OR THEIR SUPPLIERS AND/OR LICENSORS 2 © 2013 IBM Corporation
  • 3. About me  Matthew Kilner   Work for IBM – 13 years working on IBM Java • Memory Management • Class Sharing • RAS – Currently leading the Core customer support team.   Contact info – kilnerm@uk.ibm.com – Twitter: @IBMJTC – Youtube: IBM_JTC   Visit the IBM booth #5112 and meet other IBM developers at JavaOne 2013 3 © 2013 IBM Corporation
  • 4. What should you get from this talk?  An understanding of the most common attack vectors used to target Java.   An insight into the details of some example vulnerabilities.   An understanding of the current importance of security in the context of the Java platform.   Some ideas of how you can write more secure code. © 2013 IBM Corporation
  • 5. The problem with keeping anything secure  "The only secure computer is one that's unplugged, locked in a safe, and buried 20 feet under the ground in a secret location... and I'm not even too sure about that one" -- (attributed) Dennis Huges, FBI.   A complex system will have many attack vectors   Systems need to balance stability, performance and security © 2013 IBM Corporation
  • 6. Security that doesn’t interfere ■  Java and the Java Virtual Machine provide defense in depth –Class loaders –Verification –Access Controller / Security Manager –Java Cryptography Extensions (JCE) –Java Secure Sockets Extension (JSSE) –Java Authentication and Authorization Service (JAAS)    Security is expected to be a trusted resource –It just works –It has been verified (thoroughly) by vendors   Be aware of what isn’t secured!   Key: Java should negate the need to build (and verify!) your own security layers  Available implicitly or explicitly during development / deployment © 2013 IBM Corporation
  • 7. Security Layers in Java  Some things you get “for free” Diagram Reference: Java Security, Scott Oaks, O’Reilly Media, May 24, 2001, Second Edition, ISBN-10: 0596001576, ISBN-13: 978-0596001575  Others you use when you ask for them © 2013 IBM Corporation
  • 8. Common attack vectors  The most common attack vectors in the context of Java fall into four categories: – Untrusted Data – Untrusted Code – Applet / Browser – Local   Through the rest of the talk we will look at each in a little more detail © 2013 IBM Corporation
  • 9. Attack Vectors: Untrusted Data  The untrusted data vector is exploitable when an application parses a specific data type from an untrusted source. – The vulnerability may exist in the application code or underlying JDK code.   For example, – You are using an image parsing module that contains a vulnerability that can lead to an infinite loop when the image file is crafted in a specific manner. – If your server application allows users to upload images for parsing an attacker could create a Denial of Service attack by uploading maliciously formed images.   This type of problem has widely varying consequences, from DOS attacks through to arbitrary code execution © 2013 IBM Corporation
  • 10. Double.parseDouble Denial-of-Service Attack (CVE-2010-4476) © 2013 IBM Corporation
  • 11. Double.parseDouble Old but special  The Alert was officially published in Febuary 2011   Is a very worthy inclusion because: • It was the first alert to cause real panic • Easily exploitable & Pervasive © 2013 IBM Corporation
  • 12. Double.parseDouble The problem  A bug had been present in Double.parseDouble since early versions of the JDK.   Passing "2.2250738585072012e-308" to the method causes an infinite loop.   The catalyst was a determination of just how easy it was to exploit –Populating header fields in webserver requests with the value resulted in a DOS attack. –  © 2013 IBM Corporation
  • 13. Double.parseDouble The result  A fix was made very quickly   The ease of exploit and pervasiveness of the vulnerability resulted in a huge exercise to update products distributing the JDK.   Fixes were provided right back to 1.3.1 and on obscure platforms like OS/2.  © 2013 IBM Corporation
  • 14. Hashing Denial-of-Service Attack (CVE-2011-4858) © 2013 IBM Corporation
  • 15. Hashing Denial-of-Service Attack  String hash codes and hashing structures have been around “for ever”   The attack is possible through a combination of: – Performance short comings – Documented / predictable behavior   Can be used to exploit vulnerabilities in existing software   Algorithmic Complexity Attack © 2013 IBM Corporation
  • 16. Hashing Denial-of-Service Attack How String Hashing Works  String hashing algorithm is well known and reversible  It is easy to construct strings that have identical hash codes == 2112 == 2031744 © 2013 IBM Corporation
  • 17. Hashing Denial-of-Service Attack How Hashing Structures Work HashMap © 2013 IBM Corporation
  • 18. Hashing Denial-of-Service Attack How Hashing Structures Work HashMap Array to hold the various <key,value> pairs © 2013 IBM Corporation
  • 19. Hashing Denial-of-Service Attack How Hashing Structures Work HashMap Use the hash code for “QuantityAa” to find a location in the array Array to hold the various <key,value> pairs © 2013 IBM Corporation
  • 20. Hashing Denial-of-Service Attack How Hashing Structures Work HashMap Find the appropriate “bucket” and add the entry < “QuantityAa”, “1234” > © 2013 IBM Corporation
  • 21. Hashing Denial-of-Service Attack How Hashing Structures Work HashMap < “QuantityAa”, “1234” > © 2013 IBM Corporation
  • 22. Hashing Denial-of-Service Attack How Hashing Structures Work HashMap < “QuantityAa”, “1234” > < “QuantityBB”, “987” > © 2013 IBM Corporation
  • 23. Hashing Denial-of-Service Attack How Hashing Structures Work HashMap < “QuantityAa”, “1234” > < “QuantityBB”, “987” > Warning: Lookup / Insertion requires a string comparison!!! © 2013 IBM Corporation
  • 24. Hashing Denial-of-Service Attack How Hashing Structures Work HashMap < “QuantityAa”, “1234” > < “QuantityBB”, “987” > Warning: Lookup / Insertion requires a string comparison!!!  Keys with identical hashes will always fall into the same bucket © 2013 IBM Corporation
  • 25. Hashing Denial-of-Service Attack The Danger of strings as Keys in Hashing Structures  Deep buckets with malicious keys can cause serious performance issues HashMap < “AaAaAaAaAa … AaAaAa”, “1234” > < “AaAaAaAaAa … AaAaBB”, “987” > Near duplicate string with difference at the end © 2013 IBM Corporation
  • 26. Hashing Denial-of-Service Attack The primary exploit  Websites make use of parameters as part of client / server communication  The Server is responsible for managing the parameters for the servlet  Hash structures are a typical way of managing these <key,value> pairs   Issue: Long insert / lookup times for parameters that have high hash collision rate    Reference: http://www.nruns.com/_downloads/advisory28122011.pdf  Result: Web servers could be effectively “disabled” with simple requests  © 2013 IBM Corporation
  • 27. Hashing Denial-of-Service Attack Current Solution  Hashing structures now use an alternate hash code for String – Use alternate only at a certain capacity – Algorithm where the hash code cannot be calculated externally   Why not modify String.hashCode()? – It’s spec! – Reliance in existing software   NOTE: With alternate hash, iteration order is now changed! – Spec’d as “unspecified” – Doesn’t matter – code relies on this any way – Solution can cause existing working software to fail! © 2013 IBM Corporation
  • 28. Hashing Denial-of-Service Attack Current Solution  The JVM now supports a system property to enable the behavior at thresholds: • -Djdk.map.althashing.threshold=<threshold>   Apache Tomcat property maxParameterCount to limit number of parameters © 2013 IBM Corporation
  • 29. Attack Vectors: Untrusted Code  Untrusted code originates from an unknown to untrusted source – It is not under the application environments control – It is not know to be benign. – It should be treated with caution   Typically executed via an unsigned applet or webstart application – Browser based client side exploit – The JDK security sandbox offers protection   The attack vector works due to vulnerabilities that allow the untrusted code to escape the confines of the sandbox, sometimes disabling it completely. – Allows the code to do whatever it likes.   While most common on the client side the vulnerability applies equally to any environment where code executes under a security manager. © 2013 IBM Corporation
  • 31. Java Security Manager Bypass (Gondvv)  Imagine visiting a website and your calculator application pops up     How did that happen?   Arbitrary code has been run on your machine – how compromised are you? © 2013 IBM Corporation
  • 32. Java Security Manager Bypass (Gondvv) The key change to sun.awt.SunToolkit  A simple access modifier change (within a larger change) exposed a vulnerability © 2013 IBM Corporation
  • 33. Java Security Manager Bypass (Gondvv) The key change to sun.awt.SunToolkit  A simple access modifier change (within a larger change) exposed a vulnerability © 2013 IBM Corporation
  • 34. Java Security Manager Bypass (Gondvv) The key change to sun.awt.SunToolkit  A simple access modifier change (within a larger change) exposed a vulnerability © 2013 IBM Corporation
  • 35. Java Security Manager Bypass (Gondvv) The key change to sun.awt.SunToolkit  A simple access modifier change (within a larger change) exposed a vulnerability Set the security permissions to that of the current code (privileged) in place of the callers security permissions © 2013 IBM Corporation
  • 36. Java Security Manager Bypass (Gondvv) The key change to sun.awt.SunToolkit  A simple access modifier change (within a larger change) exposed a vulnerability Use reflection to acquire a Field object on the given class © 2013 IBM Corporation
  • 37. Java Security Manager Bypass (Gondvv) The key change to sun.awt.SunToolkit  A simple access modifier change (within a larger change) exposed a vulnerability Set the reflect object Field usage to ignore access checks. Privileged action permitted through doPrivileged() © 2013 IBM Corporation
  • 38. Java Security Manager Bypass (Gondvv) How the exploit works com.sun.beans.finder ClassFinder © 2013 IBM Corporation
  • 39. Java Security Manager Bypass (Gondvv) How the exploit works com.sun.beans.finder ClassFinder findClass() sun.awt SunToolkit © 2013 IBM Corporation
  • 40. Java Security Manager Bypass (Gondvv) How the exploit works com.sun.beans.finder ClassFinder java.beans findClass() sun.awt Statement “setSecurityManager()” SunToolkit AccessControlContext © 2013 IBM Corporation
  • 41. Java Security Manager Bypass (Gondvv) How the exploit works com.sun.beans.finder ClassFinder java.beans Statement findClass() “setSecurityManager()” sun.awt SunToolkit getField() AccessControlContext © 2013 IBM Corporation
  • 42. Java Security Manager Bypass (Gondvv) How the exploit works com.sun.beans.finder ClassFinder java.beans Statement findClass() “setSecurityManager()” sun.awt SunToolkit getField() AccessControlContext java.lang.reflect Field © 2013 IBM Corporation
  • 43. Java Security Manager Bypass (Gondvv) How the exploit works com.sun.beans.finder ClassFinder java.beans Statement findClass() “setSecurityManager()” sun.awt SunToolkit getField() AccessControlContext Elevated permissions for statement set() java.lang.reflect Field © 2013 IBM Corporation
  • 44. Java Security Manager Bypass (Gondvv) How the exploit works com.sun.beans.finder ClassFinder java.beans Statement findClass() “setSecurityManager()” sun.awt SunToolkit getField() AccessControlContext Elevated permissions for statement set() java.lang.reflect Field © 2013 IBM Corporation
  • 45. Java Security Manager Bypass (Gondvv) How the exploit works com.sun.beans.finder ClassFinder java.beans Statement findClass() “setSecurityManager()” sun.awt execute() Elevated permissions for sandbox SunToolkit getField() AccessControlContext Elevated permissions for statement set() java.lang.reflect Field © 2013 IBM Corporation
  • 46. Java Security Manager Bypass (Gondvv) How the exploit works com.sun.beans.finder ClassFinder java.beans Statement findClass() “setSecurityManager()” sun.awt execute() Elevated permissions for sandbox SunToolkit getField() AccessControlContext Elevated permissions for statement set() java.lang.reflect Field java.lang Runtime © 2013 IBM Corporation
  • 47. Java Security Manager Bypass (Gondvv) How the exploit works com.sun.beans.finder ClassFinder java.beans Statement findClass() “setSecurityManager()” sun.awt execute() Elevated permissions for sandbox SunToolkit getField() AccessControlContext Elevated permissions for statement set() java.lang.reflect Field java.lang Runtime exec(“…”) © 2013 IBM Corporation
  • 48. Java Security Manager Bypass (Gondvv) How the exploit works com.sun.beans.finder ClassFinder java.beans Statement findClass() “setSecurityManager()” sun.awt execute() Elevated permissions for sandbox SunToolkit getField() AccessControlContext Elevated permissions for statement set() java.lang.reflect Field java.lang Runtime exec(“…”) © 2013 IBM Corporation
  • 49. Java Security Manager Bypass (Gondvv) Epilogue   Needed to be running untrusted code   Java7 VM required • Most users were still at 6.0   A simple change to an access modifier exposed the entire system   NOTE: A fix was turned around in very short order © 2013 IBM Corporation
  • 50. Method Handles © 2013 IBM Corporation
  • 51. Method Handles  JSR 292: Supporting Dynamically Typed Languages on the JavaTM Platform – A new bytecode for custom dynamic linkage (invokedynamic) – MethodHandle (and support classes) as a “function pointer” interface for linkage –  Fast invocation of bound methods – Method handle invocation speed can be far superior to reflect methods –  A MethodHandle resembles java.lang.reflect.Method – Access checking is performed at lookup, not at every call – Conversion available from reflection side to MethodHandle types © 2013 IBM Corporation
  • 52. Method Handles Access and Security Checks Reflection MethodHandles SecurityManager checks at lookup Yes Yes Access checks at lookup No Yes Access checks at invocation Yes No Checks at setAccessible(true) Yes N/A Anyone can invoke? No: by default Yes: setAccessible(true) Yes – by default © 2013 IBM Corporation
  • 53. Method Handles Security Where It Matters © 2013 IBM Corporation
  • 54. Method Handles A Word of Caution  The lookup mechanism has interesting privilege characteristics –Be careful about what code has access to it © 2013 IBM Corporation
  • 55. "New Year Day" / "EveryDay" (CVE-2013-0422) © 2013 IBM Corporation
  • 56. "New Year Day" / "EveryDay" A combination of exploits  Client side applet based attack   A combination of two vulnerabilities • The ability to access privelidged classes via JMX • A reflection issue in MethodHandles that prevented correct access checks •  Easy to exploit   © 2013 IBM Corporation
  • 57. "New Year Day" / "EveryDay" How it worked   Escalation Class  The escalation class implements privileged action  The action sets the SecurityManager to Null © 2013 IBM Corporation
  • 58. "New Year Day" / "EveryDay" How it worked   Escalation Class Applet  The bytes are stored in an array in the applet. © 2013 IBM Corporation
  • 59. "New Year Day" / "EveryDay" How it worked   Escalation Class Applet com.sun.jmx.mbeanserver MBeanInstantiator  Next we aquire an instance of MbeanInstantiator via the public API JmxMBeanServer.getMBeanInstantiator(). © 2013 IBM Corporation
  • 60. "New Year Day" / "EveryDay" How it worked   Escalation Class Applet sun.org.mozilla.javascript.internal Context com.sun.jmx.mbeanserver MBeanInstantiator findClass() sun.org.mozilla.javascript.internal GeneratedClassLoader  The findClass method is used to obtain two private classes © 2013 IBM Corporation
  • 61. "New Year Day" / "EveryDay" How it worked   Escalation Class java.lang.invoke Applet Methodhandles Local Lookup sun.org.mozilla.javascript.internal Context com.sun.jmx.mbeanserver MBeanInstantiator findClass() sun.org.mozilla.javascript.internal GeneratedClassLoader  A local instance of MethodHandles.lookup is created © 2013 IBM Corporation
  • 62. "New Year Day" / "EveryDay" How it worked   Methodhandles Applet java.lang.invoke Methodhandle Local Lookup Escalation Class java.lang.invoke “java.lang.invoke.MethodHandles. FindConstructor” sun.org.mozilla.javascript.internal Context com.sun.jmx.mbeanserver MBeanInstantiator findClass() sun.org.mozilla.javascript.internal GeneratedClassLoader  This is then used to create a method Handle to the findConstructor method in the Methodhandles class © 2013 IBM Corporation
  • 63. "New Year Day" / "EveryDay" How it worked   Methodhandles Applet sun.org.mozilla.javascript.internal Context com.sun.jmx.mbeanserver MBeanInstantiator java.lang.invoke Methodhandle Local Lookup Escalation Class java.lang.invoke “java.lang.invoke.MethodHandles. FindConstructor” java.lang.invoke Methodhandle “sun.org.mozilla.javascript.internal findClass() Context()” sun.org.mozilla.javascript.internal GeneratedClassLoader sun.org.mozilla.javascript.internal Context Context Object  When invoked against our Context class we obtain a new methodHandle that allows us to create an instance of Context © 2013 IBM Corporation
  • 64. "New Year Day" / "EveryDay" How it worked   Escalation Class Applet sun.org.mozilla.javascript.internal Context Context Object java.lang.invoke Methodhandle “sun.org.mozilla.javascript.internal Context.createClassLoader()” java.lang.invoke Methodhandle “sun.org.mozilla.javascript.internal GeneratedClassLoader. defineClass()”  The same technique is used to create methodHandles for Context.createClassloaded and GeneratedClassLoader.define class © 2013 IBM Corporation
  • 65. "New Year Day" / "EveryDay" How it worked   Escalation Class Applet sun.org.mozilla.javascript.internal Context Context Object java.lang.invoke sun.org.mozilla.javascript.internal Methodhandle GeneratedClassLoader “sun.org.mozilla.javascript.internal Classloader Object Context.createClassLoader()” java.lang.invoke Methodhandle “sun.org.mozilla.javascript.internal GeneratedClassLoader. defineClass()”  A classloader object is created © 2013 IBM Corporation
  • 66. "New Year Day" / "EveryDay" How it worked   Escalation Class Applet sun.org.mozilla.javascript.internal Context Context Object java.lang.invoke sun.org.mozilla.javascript.internal Methodhandle GeneratedClassLoader “sun.org.mozilla.javascript.internal Classloader Object Context.createClassLoader()” java.lang.invoke Methodhandle “sun.org.mozilla.javascript.internal GeneratedClassLoader. defineClass()” Escalation Class Loaded Class  Enabling the defineClass method to be called, passing our escalation class bytes. © 2013 IBM Corporation
  • 67. "New Year Day" / "EveryDay" How it worked   Escalation Class Applet sun.org.mozilla.javascript.internal Context Context Object java.lang.invoke sun.org.mozilla.javascript.internal Methodhandle GeneratedClassLoader “sun.org.mozilla.javascript.internal Classloader Object Context.createClassLoader()” java.lang.invoke Methodhandle “sun.org.mozilla.javascript.internal GeneratedClassLoader. defineClass()” Escalation Class Loaded Class newInstance()  Create an instance of it, and the security manager is disabled. © 2013 IBM Corporation
  • 68. "New Year Day" / "EveryDay" The resolution  JDK 7u11 included the “fix” –Reports suggest only the reflection exposure was closed. –The default security level was changed to ensure users are always prompted before running unsigned or self signed content. –  This was implementation dependant, the IBM JDK was not affected. © 2013 IBM Corporation
  • 69. Attack Vectors: Applet / Browser, Local  Applet / Browser – These vulnerabilities are specific to applications running in or via the browser – The vulnerability exists either in the plugin or browser, or it is in the underlying JDK but only exposed when run in the browser environment. –  Local – The local vector requires an attacker to have access to the system on which the JDK is running. – A simple example would be an application writing data to a temporary file before sending it to a printer. • If the files are created with inappropriate permissions any user on the system could access them. © 2013 IBM Corporation
  • 70. And after all that… © 2013 IBM Corporation
  • 71. Security is Important to Java What’s being done about security?  IBM and Oracle are working to ensure Java is (and remains) secure! –http://www-03.ibm.com/security/secure-engineering/ –http://www.oracle.com/technetwork/topics/security/whatsnew/index.html  Reporting Issues: –http://www-03.ibm.com/security/secure-engineering/report.html –http://www.oracle.com/us/support/assurance/reporting/index.html  Writing more secure code: – Read and adhere to Oracles “Secure Coding Guidelines”: –http://www.oracle.com/technetwork/java/seccodeguide-139067.html  © 2013 IBM Corporation
  • 72. Conclusions  Java Security is defense in depth   Trust, but Verify   Java and JVM designed to provide security at a low cost to developers   Many moving parts in security – Things can go wrong, but quick to resolve –Security is Hard – Rolling your own is even worse © 2013 IBM Corporation