Security Laboratory


An approach to Audit Java for Security


Stephen Northcutt and Jim Manico

Java is a popular and powerful programming language and is often the choice for large enterprise coding projects. Programming projects designed properly and executed with security in mind are robust, but if the programmers take shortcuts they will probably produce unsafe code. As we will see, security is certainly possible to achieve with Java and has been since the beginning. Consider the well-known Joseph A. Bank paper from 1995:

The Java language is also designed to be a type-safe language. This means that the compile time type and the runtime type of variables are guaranteed to be compatible. This ensures that casts (operations that coerce a runtime type to a given compile time type) are checked at either compile time or runtime to make sure that they are valid. This prevents the forging of access to objects to get around access control. Using our File example from before, this prevents the malicious code from casting a File object to the malicious code's MyFile type which has the same layout as the File type, but with all methods public. Another safety feature is the elimination of pointers as a data type. This means that pointers cannot be directly manipulated by user code (no pointer arithmetic). This prevents both malicious and accidental misuse of pointers (running off the end of an array for example). Again using our File example, this prevents the malicious code from simply accessing the private method directly by using pointer arithmetic starting with the File object's pointer. Clearly this type-safety is a necessary part of the access control facilities of objects, preventing forging (note that this safety is clearly lacking in C++).[1]
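
The two guarantees in the passage above, checked casts and bounds-checked arrays, shown as a small Java program. This is an added example, not code from the Bank paper; File and MyFile are stand-in nested classes named after the paper's example (File is not java.io.File), and the file name is a constructed sample value.

```java
public class TypeSafetyDemo {
    // Stand-in for the paper's File class: the raw read is private,
    // and the public entry point enforces an access decision first.
    static class File {
        private final String path;
        File(String path) { this.path = path; }
        private String readRaw() { return "contents of " + path; }
        public String read(boolean callerIsTrusted) {
            if (!callerIsTrusted) throw new SecurityException("access denied");
            return readRaw();
        }
    }

    // The look-alike type from the paper's scenario: same field layout, every member public.
    static class MyFile {
        public String path;
        public String readRaw() { return "contents of " + path; }
    }

    // A direct cast from a File-typed expression to MyFile does not compile
    // (inconvertible types). Going through Object defers the check to run time,
    // where the JVM compares the object's real class and refuses the cast.
    static String forgeByCast(Object target) {
        try {
            return ((MyFile) target).readRaw();
        } catch (ClassCastException e) {
            return "cast rejected";
        }
    }

    // There is no pointer arithmetic; every array index is bounds-checked,
    // so reading one element past the end raises an exception instead of leaking memory.
    static String readPastEnd(int[] data) {
        try {
            return "read " + data[data.length];
        } catch (ArrayIndexOutOfBoundsException e) {
            return "index rejected";
        }
    }

    public static void main(String[] args) {
        Object secret = new File("payroll.dat"); // constructed sample value
        System.out.println(forgeByCast(secret));
        System.out.println(readPastEnd(new int[4]));
    }
}
```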

And Sun Microsystems has a web site devoted to security: "Java security technology includes a large set of APIs, tools, and implementations of commonly used security algorithms, mechanisms, and protocols. The Java security APIs span a wide range of areas, including cryptography, public key infrastructure, secure communication, authentication, and access control. Java security technology provides the developer with a comprehensive security framework for writing applications, and also provides the user or administrator with a set of tools to securely manage applications."[2]

By many counts Java is the number one programming language in the world; it is certainly in the top three. If you feel you have a lock on which is number one, please read David Welton's study on the topic. In his unique approach he examines four sources of information. "First, the raw number of results found with Google's search engine. We also look at dollars per click information gleaned from an online advertising service (Overture). In other words, how much it costs you, the advertiser, per click for ads placed with search terms such as "java consulting" or "perl training". In addition, to examine the open source community's take on the situation, we look at projects registered with freshmeat. In addition, we also use the Craig's List (http://www.craigslist.org) job search board as a source for rough job statistics."[3] We can use the same approach to study the IT compensation offered for Java programmers and determine that this is a well-respected language, as a six-figure salary is certainly attainable.[4]

So, we have expensive programmers using a popular language; how does a manager ensure that a quality product is being developed? The popular axiom of any business school is "that which gets audited gets done". Java can be audited for quality and security with manual and automated processes. A manual audit requires know-how, but if a manager or auditor is willing to learn, an excellent two-day class is SANS Java Security Auditing - Security Audit for Enterprise Java Applications,[5] which will help even a non-programmer risk manager or auditor effectively lead the process.

The SANS promise is that you will be able to use what you learn in class the day you get back to the organization. The best way to put that training to use is to test the promise; after all, human memory, unlike wine, does not improve with age. If you attend the class, have a Java audit project ready to start the week you get back, and you will reinforce the knowledge and concepts that you have just learned. One of the best ways to apply what you learn in a class like this is the peer review process, so that all of the coders on the team can learn together. There are three primary approaches to peer review:[6]

  • The formal review is structured, with assigned roles and participants prepared in advance, and involves a meeting.
  • The informal review has less structure, but participants are expected to review the product on their own, identify defects and provide feedback to the author. Some meetings may be conducted.
  • The desk check is where individuals review each other's work and record results.

There are three primary strategies for all code auditing, not just Java:[7]

  • Code comprehension (CC), where you directly analyze the code; one tool to help with this is Juliet.[8]
  • Candidate point (CP), where you create a list of issues or concerns, then examine the source code against those concerns.
  • Design generalization (DG), which focuses on the overall design, not the nitty-gritty source code details.
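
A minimal sketch of the candidate point strategy, added here as an illustration and not taken from the book or from any tool named on this page: a checklist of concerns is matched against source lines to produce a worklist for manual review. The four checklist entries, their patterns and the ReportService sample are assumptions constructed for the example.

```java
import java.util.*;
import java.util.regex.*;

public class CandidatePointScan {
    // Assumed checklist: concern name -> pattern that marks a candidate point.
    static final Map<String, Pattern> CHECKLIST = new LinkedHashMap<>();
    static {
        CHECKLIST.put("OS command execution",
            Pattern.compile("Runtime\\.getRuntime\\(\\)\\.exec\\("));
        CHECKLIST.put("SQL built by string concatenation",
            Pattern.compile("execute(Query|Update)?\\(\\s*\"[^\"]*\"\\s*\\+"));
        CHECKLIST.put("Native deserialization",
            Pattern.compile("\\.readObject\\(\\)"));
        CHECKLIST.put("Weak hash algorithm",
            Pattern.compile("MessageDigest\\.getInstance\\(\\s*\"(MD5|SHA-?1)\""));
    }

    // Returns one entry per (line, concern) match, in source order.
    static List<String> scan(String source) {
        List<String> findings = new ArrayList<>();
        String[] lines = source.split("\n");
        for (int i = 0; i < lines.length; i++) {
            String code = lines[i].trim();
            // Skip comment lines so commented-out code is not reported.
            if (code.startsWith("//") || code.startsWith("*")) continue;
            for (Map.Entry<String, Pattern> concern : CHECKLIST.entrySet()) {
                if (concern.getValue().matcher(code).find()) {
                    findings.add("line " + (i + 1) + ": " + concern.getKey() + " -> " + code);
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample under review (not from any real project).
        String sample = String.join("\n",
            "class ReportService {",
            "  ResultSet find(Statement st, String name) throws SQLException {",
            "    return st.executeQuery(\"SELECT * FROM users WHERE name='\" + name + \"'\");",
            "  }",
            "  // Runtime.getRuntime().exec(cmd) was removed in an earlier release",
            "  byte[] digest(byte[] in) throws Exception {",
            "    return MessageDigest.getInstance(\"MD5\").digest(in);",
            "  }",
            "}");
        scan(sample).forEach(System.out::println);
    }
}
```

Each finding is a place to look, not a verdict; the reviewer still has to trace whether untrusted data reaches the flagged line.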

Automated audit tools include the Fortify Audit Workbench IDE plugin. Free tools include the FindBugs project and the Lint4j plugin. These tools are built directly into development environments and let you easily scan your code for security vulnerabilities. This lets developers build the code right from the beginning, so code quality is a given and the need for manual review is reduced.

What should an audit of Java software accomplish?

  • Assure the software development team is doing all the things they should be doing to produce quality software including reviewing their source code against their charter and design standards.
  • Randomly test Java applets for compliance, not just with code review, but also with the quality and test and evaluation functions.
  • Randomly query programmers for knowledge of coding standards, policies and practices. This helps evaluate the education program and provides assurance the education programs are working.
  • Report to management balancing the findings with the organization's risk tolerance and value of the Java software being developed.

IT compensation studies show the costs for Java architects and senior programmers are continuing to rise. This can lead to outsourcing, which is potentially an economic advantage, but until organizations develop the know-how to outsource well, they often do not achieve the benefits they hoped for. Done well, outsourcing can save costs, allow you to assemble a team rapidly with experienced engineers, allow you to focus on managing the project, not the various engineers, and let you focus your energies and time on the quality.[9] However, these benefits are only available if your organization can manage the project well. "With additional hurdles such as differences in time zones, languages, and culture, the actual management of the project team, both at the business level and the technical level, becomes the single most important factor to the project's success."[10] The ability to audit Java code under development is a key to managing quality and security with outsourced code. The old saw really is true: that which gets audited gets done.

References

1. http://www-swiss.ai.mit.edu/~jbank/javapaper/javapaper.html
2. http://java.sun.com/javase/technologies/security/index.jsp
3. http://www.dedasys.com/articles/language_popularity.html
4. http://www.itjobswatch.co.uk/jobs/uk/java%20programmer.do
5. http://www.sans.org/training/description.php?tid=447
6. http://www.sasqag.org/QAIImplementing_Peer_Reviews.doc
7. Art of Software Security Assessment, Dowd, McDonald, Schuh
8. http://infotectonica.com/juliet/tour
9. http://www.sans.edu/resources/leadershiplab/352.php
10. http://www.javaworld.com/javaworld/jw-07-2001/jw-0720-offshore.html?page=4