# merged Security branch back to main branch. had to do WVM, WVM_RMI_Transporter, and WVM_RMI_Transporter by hand. No problems otherwise. WVM.java was the only file with many changes with the WVMRSL stuff and Security.

dp2041 [2002-09-20 15:33:13]
merged Security branch back to main branch.  had to do WVM, WVM_RMI_Transporter, and WVM_RMI_Transporter by hand.  No problems otherwise.  WVM.java was the only file with many changes with the WVMRSL stuff and Security.

% CVS version control block - do not edit manually% $RCSfile$% $Revision$% $Date$% $Source$ % to compile this file into a pdf or ps use the following% 1) latex WorkletSecurity.tex% for ps: 2) dvips -K WorkletSecurity -o% for pdf: 2) ps2pdf WorkletSecurity.ps WorkletSecurity.pdf \documentclass[10pt]{article}\usepackage{doublespace}% \usepackage{geometry}% \geometry{verbose,letterpaper,lmargin=45mm,rmargin=45mm} \title{Worklet Security}\author{Dan Phung (dp2041@cs.columbia.edu)}\date{Draft of \today} % \textheight=9.3in% \topmargin=.2in\renewcommand{\baselinestretch}{1.5} \begin{document} % \begin{singlespace}\maketitle% \end{singlespace} \section{Abstract} The goal of this project was to add security features to the Workletssystem while leaving previous functionality intact where it wasfeasible.  I found possible communication related security risks to bewithin the RMI transport layer, the WVM transporter layer and theirassociated class loaders.  Intrusions are now minimized through theaddition of SSL (Secure Socket Layer) sockets to the RMI Registry, RMIsockets, WVM Transporter and associated class loaders. and aHostnameVerifier.  These security features require Java 1.4, whichincludes JSSE (Java Secure Sockets Extension) and JCE (JavaCryptography Extension).  With all previous functionally retained,communication between WVMs can now be authenticated to ensure peervalidity and encrypted to uphold packet integrity.  These securityparameters can also be tailored according to the security needs ateach site. \section{Intro} The goal of the Worklet Security project was to analyze the Workletsystem to determine the security hazards and to implement provisionsfor secure methods of communication that minimize those hazards.  TheWorklet system previously had no ability to authenticate the local orremote WVM hosts, nor were the packets encrypted.  Without thesefeatures there is the possibility for the transmission and execution ofmalicious Worklets. % SYMMETRIC and ASYMMETRIC keys.\section{Background} As stated in the JSSE documentation: \begin{quote}Integrity meansthat the data has not been modified or tampered with, and authenticitymeans the data indeed comes from whoever claims to have created andsigned it.''\end{quote} Therefore, to secure the Worklet system we must validate the local andremote hosts and encrypt the Worklet code being sent.  The Workletsecurity system is based off of public/private keys.  One of theconsiderations in the implementation of a security architecture iswhether to use symmetric and asymmetric keys. Symmetric algorithms involve the sharing of keys for encryption anddecryption.  A different set of keys must be kept for each pair ofusers.  The weakness of these algorithms is that once the key isintercepted the security of the system is no longer viable.  Theadvantage of these algorithms is that they do not consume too muchcomputing power and are faster than asymmetric algorithms.  Typicalsymmetric algorithm are DES (Data Encryption Standard), 3DES, andBLOWFISH. Asymmetric algorithms use pairs of public/private keys. The public keyis used for encryption and the private key, or secret key, is used fordecryption.  Usually the public key is shared to anyone that wants toencrypt data, and only the receiver keeps the private key.  Becausethe private key is kept secret the risk of the system is less thanwith symmetric keys.  A typical set of keys for a single user is thusa private key to decrypt incoming data and a set of public keys thatis used to send data to peers.  Public keys are also usually digitallysigned by third party certificate authorities (but they can beself-signed) to ensure their validity upon distribution.  The strengthof this algorithm is the higher reliability in key integrity.  Thedisadvantages are that these algorithms are more complex to handle andusually take higher computing power and are thus much slower.  Typicalasymmetric algorithms are RSA (Rivest, Shamir, and Adelman) and DSA(Digital Signature Algorithm). The JSSE implementation used in the Worklet system is a combination ofsymmetric and asymmetricalgorithms\footnote{http://java.sun.com/j2se/1.4/docs/guide/security/jsse/JSSERefGuide.html\#HowSSLWorks}.It uses asymmetric key algorithms in the authentication phase ofcommunication and symmetric keys to encrypt the data in the transportphase.  The use of both algorithms allows the advantages of bothalgorithms can be used. % this section to be the distributed Worklet Security documentation.\section{Program Documentation}The Worklet security system provides methods for securing Worklettransmission.  The vulnerable objects are the RMI (Remote MethodInvocation) transport layer, the WVM (Worklet Virtual Machine)transport layer and the class loaders.  Other objects that have orprovide methods for security measures are HostnameVerifier andWorkletJunctions. The RMI Transport layer involves an RMI registry, associated RMIservers and class loaders.  Only one registry can be created on aspecific host:port to which many RMI servers can be bound.  A secureregistry authenticates all registry calls such as server lookups,binds, and unbinds.  A secure RMI server uses custom secure sockets toauthenticate and encrypt all communication.  In the instance of asecure server, the default RMI class loader is set to our ownimplementation that uses a class loader with secure sockets.  Bothplain and secure RMI servers can be bound to plain registries but onlysecure RMI servers can be bound to secure registries.  Communicationbetween RMI servers can only proceed plain-plain or secure-secure.Depending on the security level (described in the Usage section) theRMI server could have either only plain, only secure, or both classloaders available to load classes. The WVM transport layer includes server sockets and class loaders.Depending on the level of security the transport layer can be createdwith plain, secure, or both types of server sockets and associatedclass loaders. A HostnameVerifier is also implemented and is used on the remote(receiving) end.  This object is used by the remote host if thehostname of the sending WVM is not recognized from the CA certificatefile.  The specification of the hosts that are allowed and denied isdescribed in the usage section. There are situations where the user of the WorkletJunctions could beuncertain of the security specifications at a certain WVM.  The usercan now specify parameters that allow the users to specify whichmethods of transport (plain RMI, secure RMI, plain socket, securesocket) the WorkletJunction should try and in what order.  The RMIrelated methods specify what type of communication to try when lookingup the recipient RMI server, not the actual RMI server.  The socketrelated features specify the type of socket to try connecting on.  Theability to specify transport methods contributes to the robustness ofWorkletJunction communication. \subsection{Usage} Note that all previous functionality is retained.  This sectiondocuments the features pertinent to Worklet Security.  I make adelineation between the remote and local hosts.  The remotehost represents the intended recipient of the Worklet while thelocal host is the entity that is sending the Worklet. \subsubsection{Remote Host}To create a plain host you need not specify any parameters, likethis: \begin{verbatim}java psl.worklets.WVM\end{verbatim} The name and port of the RMI server will default to WVM\_Host and9100.  If a remote host is created in this manner communication willnot be authenticated nor encrypted.  You can specify the RMI servername and port by using the switches -name and -port.  See javapsl.worklets.WVM -help for option details. To create secure hosts you must specify at least the keys file,password, and WVM properties file (WVM file).  Because the WVM filemust contain the keysfile and password it is usually sufficient tosimply specify the WVM file.  The keys file is the file containing thepublic/private keys of the host and the password is the passphrasespecified in the creation of the keysfile.  For more information onhow to create a keysfile see the FAQ below.  The WVM file holds thesecurity specifications.  These security specifications can bespecified by setting environment variables with the -D java switch oron the command line.  The parameter loading precedence is:\begin{enumerate}\item Environment variables\item WVM file\item command line specification\end{enumerate} The WVM file contains property=value pairs separated by white space.The important parameters in the WVM file are the keysfile andpassword as these are used by the Worklet system at different times.There is also an internally needed parameter that needs to be set inthe WVM file, namely:\begin{verbatim}java.rmi.server.RMIClassLoaderSpi=psl.worklets.WVM_RMIClassLoaderSpi\end{verbatim} It is \textbf{very} important that the security of this file is set atthe operating systems level, meaning that the permissions on this fileshould be set accordingly.  For example, for maximum security I wouldset the permission to user read-only.  This can be done under Unixwith the following: \begin{verbatim}chmod a-rwx wvm_propertieschmod u+r wvm_properties\end{verbatim} Included with the distribution should be an example WVM file namedwvm\_properties''.  It should look like this: \begin{verbatim}# this first line is needed for internal purposes.java.rmi.server.RMIClassLoaderSpi=psl.worklets.WVM_RMIClassLoaderSpi # WVM host related parametersWVM_RMI_PORT=9100	# port that the rmi registry will be created onWVM_RMI_NAME=target	# name that the RMI server will be bound to # Security related parametersWVM_KEYSFILE=testkeys	# file holding the public/private keysWVM_PASSWORD=passphrase	# password into the keysfile.WVM_SSLCONTEXT=TLS	# SSL context instance to useWVM_KEYMANAGER=SunX509	# key manager implementation typeWVM_KEYSTORE=JKS	# key store implementation typeWVM_RNG=SHA1PRNG	# random number generator algorithm to usejavax.net.ssl.trustStore=samplecacerts # location of the certified security certificates.WVM_HOSTS_ALLOW=localhost,127.0.0.1 # allowed hostsWVM_HOSTS_DENY=			    # denied hostsWVM_FILE=wvm_properties	# reference to this file # security level of the WVM.# 0: no security.# 1: low security = plain RMI Registry, secure RMI server,#     plain and secure server sockets, and#     plain and secure class loaders.# 2: medium security = same as 1 but with a secure RMI Registry# 3: high security = secure RMI Registry, secure RMI server,#    secure server socket and secure class loaders.WVM_SECURITY_LEVEL=1\end{verbatim} Notice the last parameter of WVM\_SECURITY\_LEVEL.  This parameter iswhat you would modify to tailor the security level according to theneeds at a certain WVM.  A security level of 1 is the most flexible asit creates a registry that will allow binding by both plain and secureRMI servers.  Also created with a security level of 1 are plain andsecure server sockets and class loaders.  The only difference betweensecurity level 1 and 2 is that the registry is secure in the latter.A security level of 3 creates a WVM host that has a secure RMI serverthat must be bound to a secure registry, a secure server socket, and onlysecure class loaders.  There is a plain server socket created, butthat is used only for internal purposes for robust registry upkeep. The WVM\_HOSTS\_ALLOW and WVM\_HOSTS\_DENY specify which hosts on theremote end are allowed and denied.  If no hosts are specified in bothsettings, then all hosts will be allowed.  These entries are the onlyparameters that are concatenated, meaning that if you specify theseparameters in the system environment, the WVM file, and on the commandline then all entries will be used. \subsubsection{Examples}  \begin{verbatim}java psl.worklets.WVM -name target\end{verbatim}Create a plain host with the RMI name target on port 9100. \begin{verbatim}java psl.worklets.WVM -wvmfile wvm_properties\end{verbatim}Create a host according to the parameters in the WVM file. \begin{verbatim}java -DWVM_FILE=wvm_properties psl.worklets.WVM -name target -S 2\end{verbatim}Create a host according to the parameters in the WVM file, but withthe RMI name target and a security level of 2. \subsubsection{Local Host} The sending of secure Worklets involves the creation of a local WVMhost that bootstraps the Worklet into the WVM system.  Creation ofsecure Worklets and WorkletJunctions is the same as described in theWorklet documentation except that you need to set the WVM\_FILE systemproperty to your WVM file (described above).  This can either be donewith the -D java switch or within the application with theSystem.setProperty method.  Included in the distribution should be anexample program SendSecure.java''. Here is the portion within the example program that sets the securityparameters.  Also shown is the creation of the WVM. \begin{verbatim}psl.worklets.OptionsParser op = new psl.worklets.OptionsParser();op.loadWVMFile(System.getProperty("WVM_FILE"));op.setWVMProperties(); wvm = new psl.worklets.WVM(new Object(), InetAddress.getLocalHost().getHostAddress(),                           "SendSecure", op.port, op.keysfile, op.password,                           op.ctx, op.kmf, op.ks, op.rng, op.securityLevel);\end{verbatim} The WVM\_FILE system property was set on the command line like this: \\\begin{verbatim}java -DWVM_FILE=wvm_properties SendSecure localhost target 9101 Apps.Face 1 0 mysend\end{verbatim} You can also manage the WorkletJunction transport methods by settingthe transportMethods to a combination of plainRMI, secureRMI,plainSocket, and secureSocket.  The plainRMI and secureRMI keywordsspecify the type of registry used by that server.  The type of servercannot be specified because the parameters for which type of socket touse is set at creation time.  The plainSocket and secureSocketkeywords specify which type of socket to communicate with.  Thesecurity will always default to the parent'' if not set.  So if theWorklet.isSecure and the WorkletJunction.isSecure have not beenspecified, then the WorkletJunction will default to the security ofthe current WVM system.  The default for plain systems is plainRMI andplainSocket and the default for secure systems is secureRMI andsecureSocket.  If WorkletJunction.isSecure is set and theWorkletJunction.isSecure has not been set then those WorkletJunctionswill default to the security level of the Worklet.  The last, andhighest priority level is at the WorkletJunction.  You can either usethe isSecure method or specify the methods through thetransportMethods function.  Using the transportMethods function aloneis sufficient, and will override the isSecure method.  Here's anexample of how to set the methods: \begin{verbatim}String[] tm = {"secureRMI", "plainRMI", "secureSocket", "plainSocket"};wjxn.setTransportMethods(tm);\end{verbatim} \section{Program Documentation - Internal}% need to talk about registry blah through sockets.This section describes added and modified features in the Workletsystem.  These features include an SSL socket factory, robust RMIregistry handling, an implementation of RMIClassLoaderSpi andHostnameVerifier, and an OptionsParser. The SSL socket factory, WVM\_SSLSocketFactory, implemented inthe Worklet system was derived from the JSSE sample included in theJ2SDK 1.4 distribution.  I packaged the functionality of the JSSEsample code together in one class and gave the user access to modifythe security parameters.  I also have WVM\_SSLSocketFactoryextending RMISocketFactory and implementing RMIServerSocketFactory,RMIClientSocketFactory, and Serializable so that this factory can alsobe used as our custom RMI socket factory.  The available methods are:createSocket(), createServerSocket(), getSSLSocketFactory(), andgetSSLServerSocketFactory().  The reason why I have a privateinitFactories() method is because when the object serialized, all themembers are instantiated as null, so they must be reinstantiated on theremote side. For robust registry maintenance I modified theWVM\_RMI\_Transporter.shutdown() method and added aWVM\_Registry and RTU\_Registrar.  During WVMinstantiation a plain socket will always be created.  This socket willbe used by the RMI registry and server to broadcast registry creationand rebinding requests during shutdown, along with the normal WVMoperations.  If the security level is 3, or high security, then theplain socket will only accept RMI registry and server relatedrequests.  This implementation allows plain and secure RMI servers tobind onto a registry and communicate events related to the registry.The hostname, socket port number, and RMI name along with a randomlycreated key comprise the registration information needed by ourregistry to keep track of the bound servers.  I subclassed the defaultRMI Registry in WVM\_Registry to add the features ofmaintaining bound servers and restricting the rebinding method.  TheRTU\_RegistrarImpl, an implementation of theRTU\_Registrar, acts as an intermediate between the registryand the RTU (our RMI server.)  It creates and manages the registrationinformation for each server and negotiates the binding of the serverto our registry. % need to talk about hostname verifierA WVM\_HostnameVerifier was also added to the Worklets system as asecurity extension.  This class was needed internally to verify hostsnot included in the CA certs file.  This object uses theWVM\_HOSTS\_ALLOW and WVM\_HOSTS\_DENY system properties.  See theProgram Documentation '' section for details on how toset these. % WVM_RMIClassLoaderSpiThe WVM\_RMIClassLoaderSpi allows us to specify the use of our ownclass loader.  The default RMI class loader and system class loaderdoes not use secure sockets, nor are there ways to specify the use ofour sockets or socket factories.  The WVM\_RMIClassLoaderSpi specifiesour WVM\_ClassLoader which can be instructed to use secure sockets.The specification to the system to use our RMI class loader is done bysetting the system environment variable as such:\begin{verbatim}java.rmi.server.RMIClassLoaderSpi=psl.worklets.WVM_RMIClassLoaderSpi.\end{verbatim}This parameter is usually put in the WVM file.  To ease the load ofour class loader and to maintain the speed of the Worklets system, theWVM\_RMIClassLoaderSpi does not load the following classes: java.*,javax.*, sun.*, sunw.*, and psl.* I added an OptionsParser to ease the handling of the multitudeof added parameters that can be specified.  The OptionsParserparses the command line as well as related environment variables andthe WVM file.  An OptionsParser has public access and can beused to load in the security parameters in user programs.  For exampleof this procedure see the Local side'' section in the ProgramDocumentation''. \subsection{Possible errors}\begin{itemize} \item The most common errors pertain to the keysfile and the fileholding the CA certificates.  Either these files are spelledincorrectly when specified or the password is incorrect.  Anotherthing to check is that the permissions for the files at least giveuser read rights. \item RMI server cannot bind to registry. Upon trying to bind a RMI server, if you get this error:\begin{verbatim}Shutting down; cannot bind to a non-local host: 128.59.23.10java.rmi.ServerException: RemoteException occurred in server thread; nested exception is:	java.rmi.UnmarshalException: Transport return code invalid\end{verbatim} Check that the security level of the server and registry arecompliant.  If it is secure, then it is expecting the registry to besecure as well, and is thus communicating through secure protocols.Security levels of 0 and 1 (none, and low) can bind on the sameregistry.  Security levels of 2 and 3 (medium and high) can also bindtogether on the same registry, but cannot be matched with levels 0 and1.  Another issue to be aware of is the RMI class loader of theRegistry.  If the Registry is created with a secure RMI server, theinstatiation of the server sets the RMI class loader to our secureimplementation and essentially sets the RMI class loader for that JVM.Therefore when other non-secure servers try to bind, the registryinteracts with the secure RMI class loader, and a remote exception isthrown.  To prevent this from happening you should create the registrywith a plain server. \end{itemize} \subsection{Frequently Asked Questions (FAQ)}\begin{itemize} \item How do I create my own public/private keystore and howdo I self certify it? Here is an example of how to create a keystore named testkeys with thepassword asd123.  In general you do not want to specify the passwordin the command used.  When not specified on the command line thekeytool program will prompt you for a password.  The followingcommand line should all be on the same line. keytool -genkey -dname "cn=Foo Bar, ou=Columbia University, o=PSL, \        c=US" -alias foobar -keypass asd123 -keystore testkeys \        -storepass asd123 -validity 180 The example also self-certifies the keystore with a validity time of180 days.  A better way to certify the keystore would be to create acertificate request and then send it to a third party certifier (seeJava JSSE docs).  The entries that reside in the WVM file that arerelated to the file that was just created are:\begin{verbatim}WVM_KEYSFILE=testkeysWVM_PASSWORD=asd123javax.net.ssl.trustStore=testkeys\end{verbatim} to view details about the keystore you can do:\begin{verbatim}keytool -list -keystore testkeys\end{verbatim} For for information see:  \\http://java.sun.com/j2se/1.4/docs/guide/security/SecurityToolsSummary.html \item Where do I find out more information about the availablealgorithms that I can use? See the Java documentation about security.  Specifically, look at theJSSE and JCE docs. \item What about java policies? In my implementation the java policies do not play a role. \end{itemize} % DONE\section{Conclusion} The security features implemented for the Worklet Security projectprovides the methods for secure Worklet communication.  Securitymeasurements can only at best minimize the risks inherent in networkcommunication and is only as effective as the awareness of the user. \section{Future Enhancements}\begin{itemize}\item have a better way to pass in the password to the WVM\_RMIClassLoaderSpi.\end{itemize} \end{document} DEMOoverview the Worklets system.  show that the holes are at:RMI: registry-RMI server, RMI server-RMI server, RMI Class Loadersockets: socket-socket, ClassLoader. First we should talk about the different transports used in theWorklet system. RMI:- true -,- true +/no class loading- true +/with class loading sockets:- true -,- true +/no class loading- true +/with class loading Registry- creation of plain registry > bind to registry- creation of secure registry > bind to plain and secure registry- RMI send to plain- RMI send to secure power point presentationbefore security- danger to WVM- danger to worklet- no RMI authentication- no socket authetication- anyone can see the code being sent between sockets demo: 1) <RMI REGISTRIES> we should show that plain communication still works bring up a plainexternal registry bind both a secure and plain server to those.explain that these are both communicating with plain communicationthrough Naming. create a secure external registry.  show how only secureWVM's can bind to it. explain the plain server contacting secure server problem, andhow if security is downgraded, it will be lost in that registrysystem. it was possible to kill a RMI host, binded to a certain name, then tobind another host to that name.  now the servers are authenticatedthrough the registry before binding can occur (or even a lookup).also, only psl.worklets.WVM_RMI_Transporters can rebind. <WVM> security levels.  level 1 is everything is secure except for theregistry.  the registry is still plain to allow binding with othernon-secure RMI servers, also, plain sockets are still up.  level 2 isall secure, with the secure registry.  also, plain sockets are stillup. level 3 is secure only. only secure rmi and sockets are available,along with only secure codebases. <CLASSLOADING, CODEBASE>if security is set, then we have a https class server, but wealso still the normal http server.  only if the securitylevel is at 3, secure only, is only the https server up. <WVMFILE>explain all the fieldsshow java psl.worklets.WVM --helpexplain the scaffolding of the parameters, environment, wvmfile,command line. <RMIClassLoaderSpi> --needs the wvmfile.  security on the file must be at the OS level,setting of file permissions.  ask for other suggestions on how do this. <HOSTNAME VERIFIER>the HostnameVerifier is for the remote host to allow class loading. <WORLETJUNCTION>ability to set the transport methods. so there are ways to go between secure and plain WVM's RMI -/-> sRMI host-remoteWVM-WVM: only plain transports are available.WVM-sWVM: cannot send through RMIdepends: securityLevel 1,2: can send through plain socket.         if securityLevel 3, then cannot send through sockets. sWVM    WVM: sWVM    sWVM: dependsRMI, so security is not at the workletJunction level.  it is between hosts. <KEYSFILE, CA CERTS's> So we are going to use symmteric keys.  The creation and management ofthese keys and certificates are discussed in detail with the JSSEdocumentation that is a part of Java SDK 1.4.  The tool used to createand manage the keystore is keytool.''  Here I will briefly gothrough an example of key and certificate creation.  The keystore andits password are the required parameters for Worklet Security thatneed to reside in the WVM file. Here is an example of how to create a keystore named testkeyswith the password asd123.  In general you do not want to specifythe password in the command used.  Rather, when not specifiedon the command line the keytool program will prompt you for apassword. keytool -genkey -dname "cn=Foo Bar, ou=PSL, o=PSL, c=US" \      -alias foobar -keypass asd123 -keystore testkeys \      -storepass asd123 -validity 180 The example also self-certifies the keystore with a validity time of180 days.  A better way to certify the keystore would be to create acertificate request and then send it to a third party certifier (seejava jssse docs).  The entries that reside in the WVM file are thatare related to the file that was just created are:WVM_KEYSFILE=testkeysWVM_PASSWORD=asd123javax.net.ssl.trustStore=/home/mrgray/src/psl/worklets/testkeys to view details about the keystore you can do:keytool -list -keystore testkeys   - The (WVM) has its own method of contacting peers to broadcast the RMIregistry shutdown.