Securing
Class Initialization in Java-like Languages
ABSTRACT:
Language-based information-flow security is
concerned with specifying and enforcing security policies for information flow
via language constructs. Although much progress has been made on understanding
information flow in object-oriented programs, little attention has been given
to the impact of class initialization on information flow. This paper turns the
spotlight on security implications of class initialization. We reveal the
subtleties of information propagation when classes are initialized, and
demonstrate how these flows can be exploited to leak information through error
recovery. Our main contribution is a type-and-effect system which tracks these
information flows. The type system is parameterized by an arbitrary lattice of
security levels. Flows through the class hierarchy and dependencies in field
initializers are tracked by typing class initializers wherever they could be
executed. The contexts in which each class can be initialized are tracked to
prevent insecure flows of out-of-scope contextual information through class
initialization statuses and error recovery. We show that the type system
enforces termination-insensitive noninterference.
EXISTING SYSTEM:
Language-based concepts and techniques
are becoming increasingly popular in the context of security because they
provide an appropriate level of abstraction for specifying and enforcing
application and language-sensitive security policies. Popular examples include:
1) Java stack inspection, which enforces a stack-based access-control
discipline, 2) Java byte code verification, which traverses byte code to verify
type safety, and 3) web languages such as Caja, ADsafe and FBJS which use
program transformation and language subsets to enforce sandboxing and
separation properties.
Language-based information-flow security
is concerned with specifying and enforcing security policies for information
flow via language constructs. There has been much recent progress on
understanding information flow in languages of increasing complexity, and,
consequently, information-flow security tools for languages such as Java, ML,
and Ada have emerged. In particular, information flow in object-oriented
languages has been an area of intensive development. However, it is surprising
that the impact of class initialization, being an important aspect of
object-oriented programs, has received scarce attention in the context of
security.
DISADVANTAGES
OF EXISTING SYSTEM:
·
Complexity is introduced by exceptions
raised during initialization, as these can be exploited to leak secret
information.
·
The key issue is that class
initialization may perform side effects (such as opening a file or updating the
memory). The side effects may be exploited by the attacker who may deduce from
these side effects which classes have (not) been initialized, which is
sometimes sufficient to learn secret information.
PROPOSED SYSTEM:
We propose a formalization that
illustrates how to track information flow in presence of class initialization
by a type-and-effect system for a simple language. By ensuring that the
initialization (or success thereof) of a class containing public fields in no
way depends on the evaluation of an expression (or success thereof) containing
secret data, the type-and-effect system guarantees security in a form of noninterference.
Informally, noninterference guarantees that a program’s public outputs are
independent of secret inputs. A key intricacy here is that of class
dependencies: An initialization of one class can cause the initialization of
other classes. The only approach we are aware of that actually considers class
initialization in the context of information-flow security is Jif
ADVANTAGES
OF PROPOSED SYSTEM:
Jif’s restrictions on initialization
code are rather severe: only simple constant manipulations, which cannot raise
exceptions, are allowed. Our treatment of class initialization is more liberal
than Jif’s and yet we demonstrate that it is secure. We argue that this liberty
is desirable in scenarios such as server-side code.
SYSTEM CONFIGURATION:-
HARDWARE CONFIGURATION:-
ü Processor - Pentium –IV
ü Speed - 1.1
Ghz
ü RAM - 256
MB(min)
ü Hard Disk -
20 GB
ü Key Board -
Standard Windows Keyboard
ü Mouse - Two
or Three Button Mouse
ü Monitor - SVGA
SOFTWARE CONFIGURATION:-
ü Operating System : Windows XP
ü Programming Language :
JAVA
ü Java Version :
JDK 1.6 & above.
REFERENCE:
Willard Rafnsson, Keiko Nakata, and
Andrei Sabelfeld-“Securing Class Initialization in Java-like Languages”-IEEE
TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 10, NO. 1,
JANUARY/FEBRUARY 2013
