Advanced Java security

CL-JAD Advanced Java security Classroom 3 days

Even experienced Java programmers are not mastering by all means the various security services offered by Java, and are likewise not aware of the different vulnerabilities that are relevant for Web applications written in Java. The course besides introducing security components of Standard Java Edition deals with security issues of Java Enterprise Edition (JEE) and Web services. Discussion of specific services is preceded with the foundations of cryptography and secure communication. Various exercises deal with declarative and programmatic security techniques in JEE, while both transport-layer and end-to-end security of Web services is discussed. The use of all components is presented through several practical exercises, where participants can try out the discussed APIs and tools for themselves. The course also goes through and explains the most frequent and severe programming flaws of the Java language and platform and Web-related vulnerabilities. Besides the typical bugs committed by Java programmers, the introduced security vulnerabilities cover both language-specific issues and problems stemming from the runtime environment. All vulnerabilities and the relevant attacks are demonstrated through easy-to-understand exercises, followed by the recommended coding guidelines and the possible mitigation techniques. Audience: Java and JEE developers, software architects and testers, max 15 participants SDL level: 300 Preparedness: Advanced Java Exercises: Hands-on

Content
Java security technologies and services: Java language security solutions, Java Virtual Machine (JVM) and Java Runtime Environment (JRE); ByteCode Verifier and Classloader; Security Manager and Access Controller, managing permissions with the PolicyTool; Java Cryptography Architecture (JCA) and Java Cryptographic Extension (JCE), Java Secure Socket Extension (JSSE), Java Authentication and Authorization Service (JAAS), Java Keystore (JKS) and the KeyTool Java Enterprise Edition (JEE) topics: security solutions; declarative and programmatic security; annotations and deployment descriptors; Web/Presentation Tier, Enterprise Java Beans (EJB)/Business Tier, Enterprise Information System (EIS)/Integration Tier; Java Message Service (JMS), Java Database Connectivity (JDBC) Web services: SOAP and REST; Transport-layer security, application- and container-managed authentication, authorization; End-to-end security; Web Services Security (WSS), username/password authentication, signing (XML Signature) and encryption (XML Encryption) Java specific vulnerabilities: integer overflows in Java (e.g. in java.util.zip.CRC32); Calendar/ZoneInfo deserialization bug (CVE 2008-5353); unsafe reflection; Web-related vulnerabilities like SQL Injection, Command Injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), HTTP Injection, Insecure Direct Object Reference; unsafe Java Native Interface (JNI); improper error and exception handling; insecure randomness of java.util.Random; object hijacking; serialization of sensitive information; dangers of mobile code; Denial-of-Service (DoS) in Java (the 2.2250738585072012e -308 bug), problem with inner classes, and many more Exercises: setting and using permissions; authentication and authorization through JAAS; using JCA/JCE providers for digital signing and encryption; permission for signed code; using JSSE switching from HTTP to HTTPS; working with file and JDBC realms, setting the deployment descriptors accordingly; authentication, specifying roles and method permissions by annotation and deployment descriptors; using wsimport to generate client artifacts plain and SSL communication with the container; application and container managed authentication; WS Security with username and password; XMLS Signature; XML Encryption; exploiting SQL injection step-by-step; crafting Cross-Site Scripting attacks; uploading and running executable code; crashing through JNI; proof-of-concept exploit of Calendar/ZoneInfo

Secure Coding Academy | [email protected]

Advanced Java security

deserialization bug; using reflection to break accessibility modifiers; object hijacking; preventing serialization; exploiting mobile code vulnerabilities; crashing Java with magic double values; exploiting inner classes.

Other courses that relate to the topic of this course:

CL-JSC - Standard Java security (Classroom, 2 days) CL-JWA - Advanced Java and Web application security (Classroom, 3 days) CL-JWE - Advanced Java, JEE and Web application security (Classroom, 4 days) RT-JST - Java security technologies (Remote, 2x1.5h) RT-JVL - Java specific vulnerabilities (Remote, 2x1.5h) RT-WVL - Web application vulnerabilities (Remote, 2x1.5h)

Detailed table of contents Day 1 IT security and secure coding

General security vs. IT security IT security related terms Definition of risk Specialty of information technology security Different aspects of IT security Requirements of different application areas IT security vs. secure coding Building a secure system From vulnerabilities to botnets and cyber crime
Nature of security flaws Reasons of difficulty From your computer to attacks against critical targets Cyber-crime an organized network of criminals Landwehrs taxonomy The Fortify taxonomy Vulnerability categories Seven Pernicious Kingdoms OWASP Top Ten (2013 release candidate)

Classification of security flaws

Java security overview

Java Java Java Java Java Java platform security overview security in brief applet security Web Start security ME security architecture Card security architecture

Secure Coding Academy | [email protected]

Advanced Java security

Foundations of Java security

The Java environment Java security Low-level security the Java language
Java language security Access modifiers Type safety Automatic memory management Java execution overview Bytecode Verifier Class Loader Protecting Java code Protection domains Security Manager and Access Controller Permission checking Effects of doPrivileged Using Java security management tools Exercise Applet Security policy for applets Exercise Applet Policy Tool Exercise Applet Check the results Exercise Application Controlling applications The default java.policy file Exercise Application Grant Required Permissions Exercise Jars Granting permission to signed code

High-level security access control

Requirements of secure communication

Security levels Secure acknowledgement
Malicious message absorption
Feasibility of secure acknowledgement Serious consequences The solution: clearing centers

Inadvertent message loss Error detection

Modeling message distortion Error detection and correction codes

Integrity

Authenticity
Modeling message manipulation Message Authentication Code (MAC)

Non-repudiation
Non-repudiation Asymmetric digital signature (RSA/DSA)

Secure Coding Academy | [email protected]

Advanced Java security

Integrity requirements
Detecting integrity violation

Confidentiality
Model of encrypted communication Encryption methods in practice Strength of encryption algorithms Requirements of remote identification Model of anonymous communication Traffic analysis Theoretically strong protection against traffic analysis Practical protection against traffic analysis Relationships between requirements

Remote identification Anonymity and traffic analysis

Summary

Day 2 Basics of cryptography

Cryptosystems
Elements of a cryptosystem Encrypted communication Symmetric encryption algorithms ECB Electronic Codebook CBC Cipher Block Chaining CFB Cipher Feedback OFB Output Feedback Comparing the modes of operation Other cryptographic algorithms
Hash or message digest Hash algorithms Message Authentication Code (MAC) Signing with a symmetric key

Symmetric-key cryptography

Asymmetric (public-key) cryptography

Public-key encryption Public-key cryptography Rule of thumb possession of private key Introduction to RSA algorithm Encrypting with RSA Providing confidentiality Digital signing with RSA Signing with a private key Blind signature

The RSA algorithm

Secure Coding Academy | [email protected]

Advanced Java security

Public Key Infrastructure (PKI)
Man-in-the-Middle (MiM) attack Digital certificates against MiM attack Certificate Authorities in Public Key Infrastructure Digital certificates X.509 digital certificate

Security protocols
Secure network protocols Specific vs. general solutions Different encryption protocols General robust encryption protocols Commonly used solutions SSL / TLS / WTLS protocols
Security services Message structure SSL/TLS handshake

Java security services

Java security services architecture Authentication and authorization
Java Authentication and Authorization Service (JAAS) Principal and credential Subject and authentication JAAS architecture Typical ways of gathering authentication information Java Generic Security Services (JGSS) Simple Authentication and Security Layer (SASL) Exercise JAAS Using JAAS for authentication and authorization Java Cryptography Architecture (JCA) Java Cryptographic Extensions (JCE) Exercise Sign Generating and verifying signatures Exercise Sign Using alternative providers The Bouncy Castle (BC) provider Java Secure Socket Extension (JSSE) Exercise Https Switching from HTTP to HTTPS The Java Keystore (JKS) Java Certification Path (CertPath)

Cryptographic services

Secure communication

Public Key Infrastructure support

Secure Coding Academy | [email protected]

Advanced Java security

Java EE security
Introduction to Java EE security
Java EE multi-tier architecture Roles and responsibilities Java EE container-based security Basic concepts: user, group, role, realm Example: setting up security roles Example: mapping roles to users and groups Example: securing the communication Basic concepts Security roles Declaring security roles Mapping security roles to users and groups Checking the callers identity programmatically Specifying security constraints Java EE authentication Specifying an authentication mechanism HTTP basic authentication Form-based authentication HTTPS client authentication Exercise Jee/WebSecurity Exercise WebSecurity Create a new user in a file realm Exercise WebSecurity Using JDBC realm Declaring security roles Mapping security roles to users and groups Accessing the callers context programmatically Specifying method permissions by annotation Specifying method permissions by the deployment descriptor Propagating the identity Exercise Jee/EJBSecurity Integration with the back-end EIS system

Security of the Web/Presentation tier

Security of the EJB/Business tier

Security of the EIS/Integration tier

Security of Web services

Security requirements and challenges Two approaches Standards Transport layer security
Exercises Transport layer security Java API for XML Web Services (JAX-WS) Using JAX-WS tools and configuring security Exercise WS Plain communication with Tomcat (tc)

Secure Coding Academy | [email protected]

Advanced Java security

Exercise Exercise Exercise Exercise Exercise Exercise WS WS WS WS WS WS SSL communication with Tomcat (tc) SSL communication with Tomcat (tc) Application managed authentication (tcauth) Container managed authentication (tcauthc) Container authentication (tcauthc) by digest Container authentication (tcauthc) by digest

Message level security

WS-Security (Web Services Security / WSS) XML Digital Signature Exercise WS-Security with digital signature (XML Signature) XML Encryption Exercise WS-Security with encryption (XML Encryption) XML Security with Username/Password Exercise WS-Security with Username/Password Web service security Composite services and SOA

Day 3 Web application vulnerabilities

Web application vulnerabilities SQL Injection Typical SQL Injection attack methods Exercise WebExample SQL Injection SQL Injection exercise SQL Injection protection methods Command injection Cross-Site Scripting (XSS) Persistent / Reflected XSS exercise XSS prevention XSS prevention tools in Java
Broken authentication and session management
Exercise WebExample Authentication bypass

Cross Site Request Forgery (CSRF)

Exercise WebExample Cross Site Request Forgery (CSRF) CSRF prevention

Some other web application vulnerabilities

Malicious file execution Insecure direct object reference Uploading an executable file Security misconfiguration Failure to restrict URL access Transport layer security issues Unvalidated redirects and forwards

Secure Coding Academy | [email protected]

Advanced Java security

Java specific vulnerabilities

Input validation
Input validation concepts Unsafe JNI Exercise Java JNI Unsafe JNI Integer Overflow A real-world integer overflow vulnerability The actual mistake in java.utils.zip.CRC32 Deserialization A real-world deserialization vulnerability The most exploited flaw in Java The actual mistake in java.util.Calendar spot the bug! Java Calendar object deserialization Exploiting the Java Calendar object deserialization Patch for Java Calendar object deserialization problem Exercise CVE-2008-5353-poc Deserialization Exercise Deserialization Implementation of a command dispatcher Unsafe reflection spot the bug! Problems related to the use of security features Insecure randomness Insecure randomness in Java Using random numbers in Java spot the bug! Exercise RandomTest Exercise Google cracking Password management stored passwords Special purpose hash algorithms for password storage Some usual password management problems Exercise Hard coded passwords Hard coded password Accessing private fields with reflection in Java Exercise Reflection Accessing private fields with reflection Accessing private fields with reflection Typical problems with error and exception handling Empty catch block Overly broad throws Overly broad catch Returning from finally block spot the bug! NullPointerException in Java Catching NullPointerException Exception handling spot the bug! CVE-2012-4681 vulnerability Vulnerability in ClassFinder.findClass()

Improper use of security features

Improper error and exception handling

Secure Coding Academy | [email protected]

Advanced Java security

Calling ClassFinder.findClass() Exploiting the CVE-2012-4681 vulnerability Exercise WebExample Information leakage through error reporting Exercise Information leakage through error reporting Time and state related problems Concurrency spot the bug! Calling Thread.run() Exercise ThreadRun Calling Thread.run() Race condition in servlets spot the bug! Race condition spot the bug! ArrayList vs Vector Dangers arising from poor code quality Poor code quality spot the bug! Unreleased resources Misspelled method spot the bug! Exercise Misspelled method Public method without final object hijacking Exercise Object Hijack Immutable String spot the bug! Exercise Immutable Strings Serializable sensitive spot the bug! Exercise Serializable Sensitive A generic Denial of Service attack against the Java environment The 2.2250738585072012e-308 bug The double bug in Tomcat The vulnerable code of DoubleValue() in FloatingDecimal.java Triggering the infinite loop Exercise Double Bug Risks associated with mobile code Private arrays spot the bug! Private arrays typed field returned from a public method Critical public spot the bug! Exercise Critical Public Possible attack scheme Inner classes spot the bug! Problem with inner classes The decompiled class file containing an inner class Exercise Inner Class

Time and state problems

Code quality problems

Mobile code

Takeaways

Secure Coding Academy | [email protected]

Advanced Java security

Note: Our classroom trainings come with a number of easy-to-understand exercises providing live hacking fun. By accomplishing these exercises with the lead of the trainer, participants can analyze vulnerable code snippets and commit attacks against them in order to fully understand the root causes of certain security problems. All exercises are prepared in a plug-and-play manner by using a pre-set desktop virtual machine, which provides a uniform development environment.

Secure Coding Academy | [email protected]