Security of the Java software platform

The Java software platform provides a number of features designed to improve the security of Java applications. These include enforcing runtime constraints through the Java Virtual Machine (JVM), a security manager that sandboxes untrusted code from the rest of the operating system, and a suite of security APIs that Java developers can utilise. Despite this, the programming language and Oracle have been criticised after an increase in malicious programs that revealed security vulnerabilities in the JVM, which Oracle subsequently failed to address properly and in a timely manner.

Security features

The JVM

The binary form of programs running on the Java platform is not native machine code but an intermediate bytecode. The JVM performs verification on this bytecode before running it to prevent the program from performing unsafe operations such as branching to incorrect locations, which may contain data rather than instructions. It also allows the JVM to enforce runtime constraints such as array bounds checking. This means that Java programs are significantly less likely to suffer from memory safety flaws such as buffer overflow than programs written in languages such as C which do not provide such memory safety guarantees.

The platform does not allow programs to perform certain potentially unsafe operations such as pointer arithmetic or unchecked type casts. It manages memory allocation and initialization and provides automatic garbage collection which in many cases (but not all) relieves the developer from manual memory management. This contributes to type safety and memory safety.

Security manager

The platform provides a security manager which allows users to run untrusted bytecode in a "sandboxed" environment designed to protect them from malicious or poorly written software by preventing the untrusted code from accessing certain platform features and APIs. For example, untrusted code might be prevented from reading or writing files on the local filesystem, running arbitrary commands with the current user's privileges, accessing communication networks, accessing the internal private state of objects using reflection, or causing the JVM to exit.

The security manager also allows Java programs to be cryptographically signed; users can choose to allow code with a valid digital signature from a trusted entity to run with full privileges in circumstances where it would otherwise be untrusted.

Users can also set fine-grained access control policies for programs from different sources. For example, a user may decide that only system classes should be fully trusted, that code from certain trusted entities may be allowed to read certain specific files, and that all other code should be fully sandboxed.
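As an added illustration of the fine-grained policy just described (example code written for this page, not from the article; the class names SandboxDemo and FineGrainedPolicy and the use of the program's own codebase as the "trusted entity" are assumptions), the following program fully trusts system classes, lets one codebase read exactly one file, and sandboxes all other code:

```java
import java.io.FilePermission;
import java.io.IOException;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

@SuppressWarnings("removal") // SecurityManager and Policy are deprecated for removal (JEP 411)
public class SandboxDemo {

    /** Policy: system classes fully trusted; one codebase may read one file; everyone else gets nothing. */
    static final class FineGrainedPolicy extends Policy {
        private final String trustedCodebase;  // URL prefix of the trusted code source
        private final Permission allowedRead;  // the single permission that codebase receives

        FineGrainedPolicy(String trustedCodebase, Path allowedFile) {
            this.trustedCodebase = trustedCodebase;
            this.allowedRead = new FilePermission(allowedFile.toString(), "read");
        }

        @Override
        public boolean implies(ProtectionDomain domain, Permission perm) {
            CodeSource cs = domain.getCodeSource();
            if (cs == null || cs.getLocation() == null) {
                return true;                      // system classes: fully trusted
            }
            if (cs.getLocation().toExternalForm().startsWith(trustedCodebase)) {
                return allowedRead.implies(perm); // trusted entity: read-only access to one file
            }
            return false;                         // all other code: fully sandboxed
        }
    }

    /** Attempts to read a file and reports whether the sandbox allowed it. */
    static String tryRead(String label, Path file) {
        try {
            Files.readString(file);
            return label + ": ALLOWED";
        } catch (SecurityException e) {
            return label + ": DENIED (" + e.getClass().getSimpleName() + ")";
        } catch (IOException e) {
            return label + ": I/O error " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        // Set-up runs before the security manager is installed, so no checks apply yet.
        Path allowed = Files.createTempFile("allowed", ".txt");
        Path secret = Files.createTempFile("secret", ".txt");
        Files.writeString(allowed, "public data");
        Files.writeString(secret, "do not leak");
        allowed.toFile().deleteOnExit(); // checkDelete happens at registration, not at exit
        secret.toFile().deleteOnExit();

        // This program's own codebase (assumption) plays the "code from a trusted entity" role.
        String myCodebase = SandboxDemo.class.getProtectionDomain()
                .getCodeSource().getLocation().toExternalForm();
        Policy.setPolicy(new FineGrainedPolicy(myCodebase, allowed));
        System.setSecurityManager(new SecurityManager());

        System.out.println(tryRead("trusted code, allowed file", allowed)); // ALLOWED
        System.out.println(tryRead("trusted code, other file", secret));    // DENIED

        // Simulate untrusted code: run the same read under a ProtectionDomain whose code
        // source is an unknown origin (constructed URL), so the policy grants it nothing.
        ProtectionDomain untrusted = new ProtectionDomain(
                new CodeSource(URI.create("http://untrusted.example/").toURL(), (Certificate[]) null),
                null, null, null);
        AccessControlContext ctx = new AccessControlContext(new ProtectionDomain[] { untrusted });
        System.out.println(AccessController.doPrivileged(
                (PrivilegedAction<String>) () -> tryRead("untrusted code, allowed file", allowed), ctx)); // DENIED
    }
}
```

The security manager was deprecated for removal in JDK 17 (JEP 411), must be enabled with -Djava.security.manager=allow on JDK 18 to 23, and is permanently disabled from JDK 24 (JEP 486), so this only runs on older releases.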

Security APIs

The Java Class Library provides a number of APIs related to security, such as standard cryptographic algorithms, authentication, and secure communication protocols.

Potential sources of security vulnerabilities in Java applications

There are a number of possible sources of security vulnerabilities in Java applications, some of which are common to non-Java applications and some of which are specific to the Java platform. (Note that these refer to potential sources of vulnerabilities which need to be kept in mind by security-conscious programmers: this is not intended as a list of actual vulnerabilities.)

Examples of potential sources of vulnerability common to Java and non-Java applications are:

However, much discussion of Java security focusses on potential sources of vulnerability specific to the Java platform. These include:

A vulnerability in the Java platform will not necessarily make all Java applications vulnerable. When vulnerabilities and patches are announced, for example by Oracle, the announcement will normally contain a breakdown of which types of application are affected (example).

For example, a hypothetical security flaw which affects only the security manager sandboxing mechanism of a particular JVM implementation would mean that only Java applications which run arbitrary untrusted bytecode would be compromised: applications where the user fully trusts and controls all bytecode being executed would not. This would mean that, say, a web browser plugin based on that JVM would be vulnerable to malicious applets downloaded from public websites, but a server-side web application running on the same version of the JVM, where the administrator has full control over the classpath, would be unaffected. [1]

As with non-Java applications, security vulnerabilities can stem from parts of the platform which may not initially appear to be security-related. For example, in 2011, Oracle issued a security fix for a bug in the Double.parseDouble method. [2] This method converts a string such as "12.34" into the equivalent double-precision floating point number. The bug caused the method to enter an infinite loop when called on a specific input. This had security implications because, for example, if a web server used this method to convert a string that a user had typed into a form, a malicious user could type in the string which triggers the bug. The web server thread processing the malicious request would then enter an infinite loop and become unavailable for serving requests from other users. Doing this repeatedly to a vulnerable web server would be an easy denial-of-service attack: all the web server's threads for responding to user requests would soon be stuck in the infinite loop and the web server would be unable to serve any legitimate users at all.

Criticism of security manager

The security manager in the Java platform (which, as mentioned above, is designed to allow the user to safely run untrusted bytecode) has been criticized in recent years for making users vulnerable to malware, especially in web browser plugins which execute Java applets downloaded from public websites, more informally known as "Java in the browser".

Oracle's efforts to address these vulnerabilities resulted in a delay to the release of Java 8. [3]

2012

An OS X trojan referred to as Flashback exploited a vulnerability in Java which had not been patched by Apple, although Oracle had already released a patch. [4] In April, Apple released a removal tool for Lion users who did not have Java installed. [5] With Java 7 Update 4, Oracle began to release Java directly for Lion and later. [6]

In October, Apple released an update that removed the Java plugin from all browsers. [7] This was seen as a move by Apple to distance OS X from Java. [8]

2013

In January, a zero-day vulnerability was found in all versions of Java 7, including the latest version Java 7 Update 10, which was already exploited in the wild. [9] The vulnerability was caused by a patch to fix an earlier vulnerability. [10] In response, Apple blacklisted the latest version of the Java plugin. [11] Oracle released a patch (Update 11) within three days. [12] Microsoft also released a patch for Internet Explorer versions 6, 7, and 8. [13]

Cyberespionage malware Red October was found exploiting a Java vulnerability that was patched in October 2011. [14] The website for Reporters Without Borders was also compromised by a Java vulnerability in versions prior to Update 11. [15]

After the release of Update 11, another vulnerability began circulating online, [16] which was later confirmed. [17] It was also found that Java's security mode itself was vulnerable due to a bug. [18] In response, Mozilla disabled Java (as well as Adobe Reader and Microsoft Silverlight) in Firefox by default, [19] while Apple blacklisted the latest Java plugin again. [20]

In February, Twitter reported that it had shut down an attack. Twitter advised users to disable Java, although it did not explain why. [21] Later in the month, Facebook reported that it had been hacked by a zero-day Java attack. [22] Apple also reported an attack. [23] It was found that a breach of an iPhone developer forum was used to attack Twitter, Facebook, and Apple. [24] The forum itself was unaware of the breach. [25] Following Twitter, Facebook, and Apple, Microsoft reported that it was also similarly compromised. [26]

Another vulnerability discovered allowed the Java security sandbox to be completely bypassed in the original release of Java 7, as well as in Updates 11 and 15. [27] In March, a trojan called McRat was found exploiting a zero-day Java vulnerability. [28] Oracle then released another patch to address the vulnerability. [29]

References

  1. Security Alert for CVE-2013-0422 Released. Oracle Corporation. Retrieved 2013-04-24.
  2. Oracle Releases Hotfix for the Double.parseDouble Bug in Record Time. InfoQ. Retrieved 2013-04-24.
  3. Secure The Train. Blog of Mark Reinhold, Chief Architect of Oracle's Java Platform Group. 2013-04-18.
  4. Goodin, Dan (April 2, 2012). "Mac Flashback trojan exploits unpatched Java vulnerability, no password needed". Ars Technica. Retrieved February 18, 2014.
  5. Geuss, Megan (April 14, 2012). "Flashback malware removal tool arrives for Java-less Mac users". Ars Technica. Retrieved February 18, 2014.
  6. Foresman, Chris (April 27, 2012). "Forget Apple: Oracle to bring Java security fixes directly to Mac users". Ars Technica. Retrieved February 18, 2014.
  7. Goodin, Dan (October 18, 2012). "Apple removes Java from all OS X Web browsers". Ars Technica. Retrieved February 18, 2014.
  8. Cheng, Jacqui (December 23, 2012). "Where OS X security stands after a volatile 2012". Ars Technica. Retrieved February 18, 2014.
  9. Goodin, Dan (January 10, 2013). "Critical Java zero-day bug is being "massively exploited in the wild" (Updated)". Ars Technica. Retrieved February 18, 2014.
  10. Goodin, Dan (January 11, 2013). "Critical Java vulnerability made possible by earlier incomplete patch (Updated)". Ars Technica. Retrieved February 18, 2014.
  11. Foresman, Chris (January 11, 2013). "Apple blacklists Java on OS X to prevent latest "critical" exploits". Ars Technica. Retrieved February 18, 2014.
  12. Mattise, Nathan (January 14, 2013). "Oracle patches widespread Java zero-day bug in three days (Updated)". Ars Technica. Retrieved February 18, 2014.
  13. Goodin, Dan (January 14, 2013). "Microsoft releases emergency update to patch Internet Explorer bug". Ars Technica. Retrieved February 18, 2014.
  14. Goodin, Dan (January 15, 2013). "Red October relied on Java exploit to infect PCs". Ars Technica. Retrieved February 18, 2014.
  15. Goodin, Dan (January 22, 2013). "Just-patched Java, IE bugs used to snare human rights sites". Ars Technica. Retrieved February 18, 2014.
  16. Goodin, Dan (January 16, 2013). "$5,000 will buy you access to another, new critical Java vulnerability (Updated)". Ars Technica. Retrieved February 18, 2014.
  17. Goodin, Dan (January 18, 2013). "Critical Java vulnerabilities confirmed in latest version". Ars Technica. Retrieved February 18, 2014.
  18. Goodin, Dan (January 28, 2013). "Java's new "very high" security mode can't protect you from malware". Ars Technica. Retrieved February 18, 2014.
  19. Goodin, Dan (January 31, 2013). "Firefox to block content based on Java, Reader, and Silverlight". Ars Technica. Retrieved February 18, 2014.
  20. Foresman, Chris (January 31, 2013). "For second time in a month, Apple blacklists Java Web plugin". Ars Technica. Retrieved February 18, 2014.
  21. Goodin, Dan (February 2, 2013). "Twitter detects and shuts down password data hack in progress". Ars Technica. Retrieved February 18, 2014.
  22. Gallagher, Sean (February 15, 2013). "Facebook computers compromised by zero-day Java exploit". Ars Technica. Retrieved February 18, 2014.
  23. Cheng, Jacqui (February 19, 2013). "Apple HQ also targeted by hackers, will release tool to protect customers". Ars Technica. Retrieved February 18, 2014.
  24. Gallagher, Sean (February 19, 2013). "Facebook, Twitter, Apple hack sprung from iPhone developer forum". Ars Technica. Retrieved February 18, 2014.
  25. Cheng, Jacqui (February 20, 2013). "Dev site behind Apple, Facebook hacks didn't know it was booby-trapped". Ars Technica. Retrieved February 18, 2014.
  26. Bright, Peter (February 22, 2013). "Microsoft joins Apple, Facebook, and Twitter; comes out as hack victim". Ars Technica. Retrieved February 18, 2014.
  27. Brodkin, Jon (February 25, 2013). "Java's latest security problems: New flaw identified, old one attacked". Ars Technica. Retrieved February 18, 2014.
  28. Goodin, Dan (March 1, 2013). "Another Java zero-day exploit in the wild actively attacking targets". Ars Technica. Retrieved February 18, 2014.
  29. Mattise, Nathan (March 5, 2013). "Oracle releases new Java patch to address this week's McRat problem". Ars Technica. Retrieved February 18, 2014.