A Secure Implementation of Java Inner Classes
By Anasua Bhowmik and William Pugh
Department of Computer Science, University of Maryland
More info at: http://www.cs.umd.edu/~pugh/java
Motivation and Overview
- The present implementation of Java inner classes opens a security hole in order to allow inner classes to access the private fields of the outer class, and vice versa
- We designed a secure technique for allowing access to private fields and methods
- No need to change the JVM
- Very little overhead
- Developed a byte code transforming tool which modifies the class files and makes the inner classes safe
Java Inner Classes
- Inner classes are a new feature added in Java 1.1
- Inner classes are classes defined as members of another class
- Inner classes are allowed to access the private members of the enclosing class, and vice versa
- For each instance of an outer class there is a corresponding instance of the inner classes

    class A {
        private int a;
        class B {
            private int b;
            void f() {
                b = a + a;          // accessing pvt. var of A
            }
        }
        public void g() {
            B myobj = new B();
            myobj.f();
            int x = myobj.b;        // accessing pvt. var of B
        }
    }
Inner Classes Aren't Understood By JVMs
- Inner classes are implemented as a compiler transformation
- The JVM does not need to understand inner classes
    - code will run on 1.0 JVMs
- The JVM prohibits access to private members from outside the class
- The compiler transforms the class containing inner classes into a number of non-nested classes
Implementation of Inner Classes

Before compilation:

    class A {
        private int m;
        private class B {
            private int x;
            void f() {
                x = m;
            }
        }
        public void g() {
            B ob = new B();
            ob.f();
        }
    }

After compilation:

    class A {
        private int m;
        public void g() {
            A$B ob = new A$B(this);     // compiler passes the enclosing instance
            ob.f();
        }
        int access$0() {                // synthetic accessor for the private field m
            return m;
        }
    }

    class A$B {
        A this$0;                       // reference to the enclosing A instance
        private int x;
        A$B(A outer) {
            this$0 = outer;
        }
        void f() {
            x = this$0.access$0();
        }
    }

- access$0() of class A has package level visibility
- The class A$B also has package level visibility
Security Threats with the Present Implementation
- The private data members of classes get exposed through access functions
- Other classes belonging to the same package can call the access functions and tamper with the private data member

    class A {
        private int m;
        public void g() {
            A$B ob = new A$B(this);
            ob.f();
        }
        int access$0() {
            return m;
        }
    }

    class C {                           // Class C and A belong to the same package
        void fun() {
            A a = new A();
            // ...
            int x = a.access$0();       // undesired access to A's private m
        }
    }
Is This A Problem?
- Lots of Java code uses inner classes
- Using the new 1.2 security model, all privileged code is put in inner classes
- Still requires the attacker to get inside the package
- One security barrier down
    - Prefer defense in depth
- Ed Felten recommends against using the current version of inner classes
New Implementation of Inner Classes
- Access to the private members is restricted to the intended classes only
- The new implementation is built on top of the current implementation
    - class files are rewritten
- No need to change the JVM
- A secret key is shared between all the classes that need access to each other's private data members
    - Class B wants to access class A's private member m
    - invokes A's access function
    - B passes its shared secret key to A's access function
    - A verifies whether B's secret key and A's secret key are the same object: if yes, give access to its private variable m; otherwise, throw a security exception
New Implementation of Inner Classes
- The secret key is an object allocated dynamically during run time
- Class A allocates an object in its static initializer and stores it in its own private static field A.sharedSecret
- Class A passes down the secret key by invoking receiveSecretKey(A.sharedSecret) of class B
- In receiveSecretKey(Object), B stores A's secret key in its own private static field, B.sharedSecret
- Whenever B tries to access A's private field it passes its shared secret key for authentication
New Implementation of Inner Classes

Initialization phase:
- A allocates a new object and stores it in A.sharedSecret
- A passes the secret key object to B
- B stores the secret key passed by A in B.sharedSecret

Access phase:
- B wants to access A's private field
- B invokes A's access method with B.sharedSecret as an argument, i.e. B passes the secret key for verification
- In the access method A verifies B's secret key
- A grants access if B's secret key matches A's
- A throws a security exception if the secret keys do not match
    class A {
        static private final Object sharedSecret = new Object();
        static {
            A$B.receiveSecretForA(sharedSecret);    // hand the key to the inner class once
        }
        private int x;
        int access$1(Object secretForA) {
            if (secretForA != sharedSecret)         // identity check, not equals()
                throw new SecurityException();
            return x;
        }
    }

    class A$B {
        private A this$0;
        static private Object sharedSecret;
        static void receiveSecretForA(Object secretKey) {
            if (sharedSecret != null)               // the key may only be set once
                throw new VerifyError();
            sharedSecret = secretKey;
        }
        void f() {
            // ... every former this$0.access$0() call becomes:
            int v = this$0.access$1(sharedSecret);
            // ...
        }
    }
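The scheme above written out as one runnable file, as an added example rather than the paper's rewriter output: the names A, A$B, access$1, sharedSecret and receiveSecretForA follow the slides, while the same-package class C, the Demo driver and the field value 42 are constructed here to show the accessor accepting the shared key object and rejecting any other.

```java
// Added example (not the paper's tool output): shared-secret accessor check.
class A {
    private static final Object sharedSecret = new Object();
    static { A$B.receiveSecretForA(sharedSecret); }   // hand the key to the inner class once
    private int x = 42;                                // constructed sample value

    // Rewritten accessor: the caller must present the very same key object.
    int access$1(Object secretForA) {
        if (secretForA != sharedSecret) throw new SecurityException("bad secret");
        return x;
    }
}

class A$B {
    private static Object sharedSecret;
    private final A this$0;
    A$B(A outer) { this$0 = outer; }

    static void receiveSecretForA(Object key) {
        if (sharedSecret != null) throw new VerifyError("secret already set");
        sharedSecret = key;
    }
    int f() { return this$0.access$1(sharedSecret); }   // legitimate inner-class access
}

// Constructed same-package class without the key: the call that worked
// against the old access$0 is now refused by access$1.
class C {
    static String probe(A a) {
        try {
            a.access$1(new Object());          // a different object fails the identity check
            return "leaked";
        } catch (SecurityException e) {
            return "denied";
        }
    }
}

public class Demo {
    public static void main(String[] args) {
        A a = new A();                                         // runs A's static initializer
        System.out.println("A$B.f()  -> " + new A$B(a).f());  // 42
        System.out.println("C.probe  -> " + C.probe(a));      // denied
        try { A$B.receiveSecretForA(new Object()); }           // second key is refused
        catch (VerifyError e) { System.out.println("rekey    -> " + e.getMessage()); }
    }
}
```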
Advantages of the New Implementation
- Access is permitted only to the desired classes
- No need to change the existing JVMs
- The secret key value is a pointer to memory, allocated dynamically
    - Absolutely impossible to forge
- The additional overhead for initialization and validation of the secret keys is small
- Very small increase in the size of the class files
Overhead Due to Modification
- For each class allowing/needing access
    - One static field
- For each set of objects needing mutual access
    - One object created
- All initializations are done in the static initializer
- One additional argument in each access$ method
- A few additional instructions are executed for each access call to
    - pass the extra argument
    - verify the secret key
A Rewriting Tool For Jar Files
- Developed a tool to transform the byte codes
- Takes a jar file, examines the class files and finds out the sets of classes which need mutual access
- Modifies all the class files which either define access$ methods or invoke access$ methods
- All the classes in the jar file are made safe in the presence of inner classes
- Used our tool to modify several jar files - rt.jar, swing.jar etc.
Experimental Result for swing.jar

Static Evaluation:
    % increase in the code size                 2.9%
    # of class files in swing.jar               1498
    # of inner classes                          898
    # of inner classes needing access           139
    # of objects created                        53
    # of new fields added                       195
    # of access methods                         145
    # of places access methods are invoked      439
Experimental Result for swing.jar

Runtime Performance:
- For a trial run of the SwingSet demo, which tests all the functionalities:
    - Total number of calls to access$ functions: 46,638
    - Total user time: 59.44 sec
    - Total system time: 3.91 sec
- Note: The user and system times are comparable when we run the demo with the original swing.jar file, although it is not possible to run the demo exactly the same way and compare precisely
Even Better Security
- Before A gives the secret to A$B
    - Check that the signatures on A$B imply the signatures on A
- Prevents the situation where an attacker tries to combine a signed version of A with a modified (and unsigned) version of A$B
Conclusion
- Designed a new implementation for inner classes to fix the security hole of the current implementation
- Little additional overhead
    - regarding both code size and execution time
- Implemented a byte code rewriter to incorporate the changes by transforming the byte code
- Can be implemented in the compiler
- Can extend this idea to have friend classes like C++