
TECH TRAINING 7 - Yin and Yang of Java Security Programming

Filed under: Main Page — Administrator @ 11:21 am

April 26, 2006

Title: Yin and Yang of Java Security Programming
Trainer: Marc Schönefeld
Capacity: 24 pax
Duration: 2 days
Cost: (per pax) RM2800 (early bird) / RM3200 (non early-bird)


Contrary to what most white papers claim, software written in Java is not secure by default. This course makes participants aware of the threats to Java-based software. It focuses on the code-based security features of current Java releases (1.4.x, Tiger and Mustang) that are used to protect typical Java application patterns (J2EE, Desktop Java, Applets, Servlets).

Secure Java coding always starts from Sun’s secure programming guidelines, which are presented by associating each guideline with the attack types it addresses and the refactoring options for hardening the system. Executed Java classes are based on bytecode, so knowledge of Java bytecode is essential to understand and extend Java static code analysis tools such as BCEL and FindBugs.

Other important terms in Java code-based security are “protection domains” and “permission collections”. To reverse engineer protection domains, an approach that extends the Java SecurityManager is presented. A framework is also presented that allows defining custom and complete permission sets when deploying Java applications.
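As an added illustration of the “extend the SecurityManager” approach described above (this is not the course’s or the jchains framework’s own code), the following hypothetical PermissionRecorder does not deny anything; it records which code source requested which permission during a test run and prints the result as a policy-file fragment, which is the raw material for a least-privilege permission set. The class and method names are my own, the syntax is Java 5+ rather than the JDK 1.4 of the course, and since java.lang.SecurityManager was deprecated for removal in JDK 17 (JEP 411) the example needs -Djava.security.manager=allow there and no longer runs on JDK 24 and later.

```java
import java.security.CodeSource;
import java.security.Permission;
import java.security.ProtectionDomain;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

/**
 * Hypothetical permission-recording SecurityManager (added example, not course code).
 * Instead of denying, it records which code source requested which permission,
 * so a least-privilege policy can be derived from an instrumented test run.
 */
public class PermissionRecorder extends SecurityManager {

    // code source location -> grants that code requested, in first-seen order
    private final Map<String, Set<String>> requests =
            Collections.synchronizedMap(new LinkedHashMap<String, Set<String>>());

    // Re-entrancy guard: our own bookkeeping (getProtectionDomain, I/O) triggers
    // further permission checks, which must not be recorded recursively.
    private final ThreadLocal<Boolean> recording = new ThreadLocal<Boolean>() {
        @Override protected Boolean initialValue() { return Boolean.FALSE; }
    };

    @Override
    public void checkPermission(Permission perm) {
        if (recording.get()) {
            return; // nested check caused by record(): allow silently
        }
        recording.set(Boolean.TRUE);
        try {
            record(perm);
        } finally {
            recording.set(Boolean.FALSE);
        }
        // Deliberately no super.checkPermission(): this is a learning mode, not enforcement.
    }

    @Override
    public void checkPermission(Permission perm, Object context) {
        checkPermission(perm);
    }

    private void record(Permission perm) {
        // getClassContext() walks the current call stack; index 0 is this class.
        Class<?>[] stack = getClassContext();
        for (Class<?> cls : stack) {
            if (cls == PermissionRecorder.class) continue;
            ProtectionDomain pd = cls.getProtectionDomain();
            CodeSource cs = pd == null ? null : pd.getCodeSource();
            // Bootstrap classes have no code source; attribute the request to the
            // first class on the stack that was loaded from a real location.
            if (cs == null || cs.getLocation() == null) continue;
            String where = cs.getLocation().toString();
            Set<String> grants = requests.get(where);
            if (grants == null) {
                grants = new LinkedHashSet<String>();
                requests.put(where, grants);
            }
            grants.add(formatGrant(perm));
            break;
        }
    }

    // Render one permission in java.policy syntax, e.g.
    // permission java.io.FilePermission "/tmp", "read";
    static String formatGrant(Permission p) {
        StringBuilder sb = new StringBuilder("permission ")
                .append(p.getClass().getName()).append(" \"")
                .append(p.getName()).append('"');
        String actions = p.getActions();
        if (actions != null && actions.length() > 0) {
            sb.append(", \"").append(actions).append('"');
        }
        return sb.append(';').toString();
    }

    // One grant block per code source, ready to review and paste into a policy file.
    public String toPolicy() {
        StringBuilder sb = new StringBuilder();
        synchronized (requests) {
            for (Map.Entry<String, Set<String>> e : requests.entrySet()) {
                sb.append("grant codeBase \"").append(e.getKey()).append("\" {\n");
                for (String g : e.getValue()) sb.append("    ").append(g).append('\n');
                sb.append("};\n");
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        PermissionRecorder rec = new PermissionRecorder();
        System.setSecurityManager(rec);
        // Exercise the application under test; two representative calls stand in for it.
        System.getProperty("user.home");
        new java.io.File(System.getProperty("java.io.tmpdir")).list();
        System.setSecurityManager(null); // itself recorded as RuntimePermission "setSecurityManager"
        System.out.print(rec.toPolicy());
    }
}
```

Run the application’s test suite with this manager installed and then review the generated grant blocks before adopting them: a permission recorded once is a candidate for the deployment policy, not an automatic grant, and requests made by JDK-internal code on behalf of the application are attributed to the first application class on the stack, which is the code base a real policy would have to name anyway.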

After hardening the JDK itself, the Java security engineer is concerned with raising the protection level of open source Java middleware components such as web servers (Jetty, Tomcat) or databases (Cloudscape, PointBase).

Participants need a laptop capable of compiling Java code (preinstalled Sun JDK 1.4.2_x and IBM Eclipse IDE 3.0.x).

The student should have an understanding of most of the following concepts and technologies:

* Knowledge of basic Java programming tools (java, javac, javah).
* Basic to advanced Java and Java bytecode programming knowledge, as well as knowledge of the core Java API, is beneficial for understanding the key concepts.
* Knowledge of basic security concepts like least privilege and security models.
* Knowledge of common C-based software threats is helpful for the JNI part.

Day 1:

  1. Introduction
     1. Security in a broader sense
     2. The history of Java security (Felten, LSD, …)
  2. Java and security
     1. J2SE Java 1.4 application areas
        1. Desktop Java (J2SE)
        2. WebServer Java (J2EE/JSP)
        3. BackendServer Java (J2EE/EJB)
        4. DatabaseServer Java (J2EE/JDBC)
  3. What to attack and protect
     1. Attacks on Integrity
     2. Attacks on Confidentiality
     3. Attacks on Availability
  4. Java security architecture
     1. Core Java runtime environment security:
        1. JVM
        2. Java language security
        3. Core API security
        4. Classloaders and protection domains
     2. Application
        1. JSSE and SSL
        2. GSSAPI
        3. JAAS
  5. Java Secure Coding
     1. Sun’s secure programming guidelines
     2. Antipatterns
        1. Static
           1. Derived
           2. Possible
           3. Precautions and Detection
           4. PoC [Covert Channels in JDK]
        2. Privileged
           1. Derived
           2. Possible
           3. Precautions and Detection
           4. PoC [The Disk filling applet]
        3. Visibilities
           1. Derived
           2. Possible
           3. Precautions and Detection
           4. PoC [XMLSniffing vulnerability in JDK 1.4.2_05]
        4. Serialisation
           1. Derived
           2. Possible
           3. Precautions and Detection
           4. PoC [Remote Attacks and Malicious Objects]
        5. Native
           1. Derived
           2. Possible
           3. Precautions and Detection
           4. PoC [The memory reading applet in the Java Media Framework]
        6. Non-Adequate permissions for 3rd party libraries and frameworks
           1. Derived
           2. Possible
           3. Precautions and Detection
           4. PoC [Remote code execution in JBoss 3.2.1]
        7. Java
           1. Derived
           2. Possible
           3. Precautions and Detection
           4. PoC [The Java.util.zip package and the flipping sign]

Day 2:

  1. Java Bytecode Engineering
     1. Quickwalk thru the Java Bytecode instruction set
     2. Anatomy of class files
     3. Bytecode
        1. BCEL
        2. ASM
        3. Javassist
        4. Findbugs
     4. How to write custom detectors with BCEL and findbugs
        1. Classwalkers
        2. Fieldwalkers
        3. Methodwalkers
  2. Finding adequate permission sets for Java applications
     1. Permissions in JDK
     2. The jchains framework
  3. Hardening Java protocols
     1. JDBC
     2. RMI security (JRMP and RMI/IIOP)
     3. Serialisation
  4. Hardening Java middleware applications
     1. Tomcat
     2. Java databases security
  5. Security in the new Tiger and Mustang releases
  6. Selected use cases from the audience
  7. Summary, Q&A and farewell

About Marc

Marc Schönefeld is an external PhD student at the University of Bamberg in Germany. His research covers the analysis of interdependencies between programming flaws (antipatterns) and vulnerabilities in software. By developing a framework for flaw detection he found a range of serious bugs in current Java runtime environments (JDK) and other Java-based applications and middleware systems (like JBoss, the Cloudscape database, …). Some of his findings led to the publication of a number of advisories by Sun Microsystems. In 2004 he presented at the DIMVA and D-A-CH conferences and was a speaker at Black Hat and RSA in 2003. Also in 2004 he was a finalist for the European Information Security Award for his work on Java-based security antipatterns.

Event Organizer: Hack In The Box (M) Sdn. Bhd.
