COURSE 5050 | 2-DAY SESSION
Hands-On Creating Secure Code in Java
Course outline

I. Introduction

  • What is Software Security?
  • Security and the Software Development Lifecycle

II. Java Virtual Machine

  • Java Virtual Machine Overview
  • Bytecode
  • Class Files
  • Class Loaders

Lab 1 - Class Loading
Learning Objectives

  • The concepts of class loading in practice.
  • An example of weak encryption that can be broken or bypassed.
  • Default Java application file system access.

Description
You are given broken code that extends a class loader to encrypt
classes.

  1. Fix the code where it has been marked.
  2. Try running the code on a class and comment on the output.
  3. Analyze the overall security of the application and comment on any shortcomings.

III. Java Security

  • Evolution of Java Security
  • Language Security
    • Bytecode Verifier
  • Cryptography
    • Java Cryptography Architecture (JCA)
    • Java Cryptography Extension (JCE)
    • Java Secure Socket Extension (JSSE)
    • Certificates
    • Code Signing

Lab 2 - Java and SSL
Learning Objectives

  • The basics of securing communication in Java with SSL.
  • Creating and using certificates.
  • Command line options to specify a keystore to a Java application.

Description

  1. Given some basic starting material, write a client and server that use SSL to communicate.
  2. The server should echo all input back to the client.
  3. The client should accept user input, send it to the server,
    and echo the response to System.out.
    1. Create the server and connect to it with a web browser.
    2. Connect to it with a web browser and troubleshoot any problems.

  • Authentication and Authorization
    • Java Authentication and Authorization Service (JAAS)
  • Access Control
    • Access Control
    • Security Manager
  • Access Controller
    • Context
    • Java 2 Runtime Security Check Algorithm
    • Using All Available Permissions
    • Protecting Instances
  • Permissions
    • Permission Classes
    • Permission Subclasses
    • Permission Objects
  • Policy
    • Security Policy
    • Policy Class
    • Security Policy File
    • Assigning Permissions

Lab 3 - Policy and permissions

Learning Objectives

  • The application permissions under no and default policy
  • How to create and manage keys
  • How to package and sign an application
  • How to specify your own permissions with a policy file
  • Running an application under a custom policy
  • How to modify an application to check for permissions

Description
You are given a Java application that uses reflection to gather information about a selected class.

  1. Observe what restrictions exist when run
    1. Normally
    2. Under the default security policy
  2. Package the application in a JAR file
  3. Sign the packaged application
    1. Create a key pair using the keytool
    2. Sign the JAR file
    3. Create your own security policy using the policytool
  4. Restrict the application to a particular directory
  5. Run the application with a security manager under your new policy
  6. Modify the code to check for permission before it attempts to access a file.

  • Protection Domains
  • ProtectionDomain Class
  • CodeSource Class
  • Loading Classes
    • Secure Class Loader
    • Loading Classes and Protection Domains

IV. Threat modeling

  • Overview
    • What is threat modeling
    • Why is threat modeling so important
  • Threat modeling process
    • Collecting information
      • Overview
      • Use cases
      • Implementation assumptions
      • External dependencies
      • Security Notes
    • Decomposing the application
      • Overview
      • Identifying entry points
      • Identifying assets
      • Identifying roles
      • Example: Online store application
    • Building the Activity Matrix
      • Overview
      • Mapping roles to assets
      • Example: Online store application
    • Building the Threat Profile
      • Overview - what are threats
      • Process
      • Identifying threats
      • Classifying threats
    • STRIDE
      • Building threat trees
      • Identifying vulnerabilities
      • Example: Online store application
    • Analyzing risks
      • Overview: prioritization
      • DREAD
      • Example: Online store application

V. Best Practices

  • Finalize
  • Mutable Objects
  • Watch Your Scopes
  • Avoid Using Inner Classes
  • Avoid Serialization
  • Avoid Deserialization

Lab 4 - Reverse engineering
Learning Objectives

  • How vulnerable Java programs are to reverse engineering
  • The basic tactics of black box penetration testing

Description

  1. You are given a simple Java program that takes a username and
    password as command line arguments. You know neither.
  2. Bypass the credentials by any means necessary.

  • Make Classes Uncloneable
  • Validate Constructors
  • Sign and Seal Code
  • Do not Compare Classes by Name
  • Catch All Exceptions
  • Log Application Events
  • Beware of Reflection
  • Be wary of Native Function Calls
  • Handle Sensitive Data with Care
  • Use the Least Privilege

Lab 5 - Patching existing classes
Learning Objectives

  • How easy it is to patch a Java runtime class.
  • That once JVM files are compromised there is no security.

Description

  1. Choose one of the Java primitive classes (e.g. java.lang.String or java.lang.Integer).
  2. Decompile the class
  3. Modify one of its methods in some way or add your own.
  4. Recompile the class
  5. Test your new Trojan code.



