Mandatory Access Control for the Java Virtual Machine - Security Enhanced Java (SEJava)

19 June 2013


Introduction

Along with C/C++, Java is one of the most widely used languages today. The Java platform is deployed on over a billion devices [1]: from servers to mobile phones, through desktop computers and home devices. The Java community is very active in producing third-party components, and the Java learning curve is known to be short. Consequently, an application written in Java may include code from different organizations, written by people with various skills and levels of security awareness. As a result, even though Java is resistant to memory corruption attacks, security flaws and vulnerabilities still appear and are widely exploited (e.g. the Crisis malware, Apache's SOLR issue #1233). Additionally, the operating system cannot observe the entities (requesting or offering resources) inside the Java Virtual Machine, which it sees as a black box. Thus, it can neither control which Java entity (i.e. which Java object) accesses system resources nor control the interactions between Java objects. The JVM itself can be protected using existing security technologies, but we claim that none of them offers a sufficiently global approach to the problem we describe: how to control ALL interactions between Java objects. More generally, to enforce security properties between Java entities inside the JVM, we claim that a Mandatory Access Control (MAC) approach must be adopted. In other words, we propose to reuse SELinux concepts, adapted to the Java technology. We logically named our model and implementation SEJava: Security Enhanced Java. A MAC approach for the JVM allows privilege minimization and the enforcement of security properties, such as confidentiality and integrity, between Java entities. In this paper, our contributions are: (1) the formalization of a MAC model dedicated to the Java language, (2) the definition of a dedicated MAC policy language for Java (for both labeling and control), and (3) a cross-platform reference monitor implementation based on JVMTI.
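The two halves of the MAC approach sketched above, labeling Java objects with a security context and controlling every interaction between labeled objects against an explicit policy, can be simulated outside the JVM. The following Python block is an added illustration written for this page; it is not SEJava's code, and its policy syntax (`label <class-glob> <context>`, `allow <subject> <object> : <methods>`), the context names (`app_t`, `plugin_t`, `file_t`, `runtime_t`) and the class names are constructed for the example. The monitor derives each object's context from its class name, decides each method invocation deny-by-default, and records denials in an audit list in the spirit of an SELinux AVC log.

```python
"""Simulation of a MAC reference monitor for Java objects (constructed
example, not the SEJava implementation). Every object gets a security
context from its class name; every invocation subject -> object : method
is allowed only if an explicit rule permits it, otherwise it is denied and
audited."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Constructed policy in an invented syntax. Comments start with '#'.
POLICY_TEXT = """
# labeling: class-name glob -> security context (first match wins)
label com.example.webapp.*  app_t
label com.example.plugin.*  plugin_t
label java.io.File          file_t
label java.lang.Runtime     runtime_t
# control: allow <subject ctx> <object ctx> : <methods or *>
allow app_t    file_t    : read write
allow app_t    runtime_t : exec
allow plugin_t file_t    : read
allow app_t    plugin_t  : *
"""


@dataclass
class Policy:
    labels: list = field(default_factory=list)   # [(class_glob, context)]
    allows: dict = field(default_factory=dict)   # (subj_ctx, obj_ctx) -> set(methods)
    audit: list = field(default_factory=list)    # denied invocations

    @classmethod
    def parse(cls, text):
        """Parse the labeling and control rules; reject anything unknown."""
        pol = cls()
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            tok = line.split()
            if tok[0] == "label" and len(tok) == 3:
                pol.labels.append((tok[1], tok[2]))
            elif tok[0] == "allow" and len(tok) >= 5 and tok[3] == ":":
                pol.allows.setdefault((tok[1], tok[2]), set()).update(tok[4:])
            else:
                raise ValueError(f"policy line {lineno}: cannot parse {raw!r}")
        return pol

    def context_of(self, class_name):
        """Labeling decision: the first glob that matches the class wins."""
        for glob, ctx in self.labels:
            if fnmatchcase(class_name, glob):
                return ctx
        return None  # unlabeled: the monitor will refuse the interaction

    def check(self, subject_class, object_class, method):
        """Control decision for subject_class -> object_class : method.
        Returns (allowed, reason); denials are appended to self.audit."""
        subj = self.context_of(subject_class)
        obj = self.context_of(object_class)
        if subj is None or obj is None:
            reason = "unlabeled " + ("subject" if subj is None else "object")
        else:
            methods = self.allows.get((subj, obj), set())
            if method in methods or "*" in methods:
                return True, f"allow {subj} {obj} : {method}"
            reason = f"no rule allow {subj} {obj} : {method}"
        self.audit.append((subject_class, object_class, method, reason))
        return False, reason


POLICY = Policy.parse(POLICY_TEXT)


def demo():
    """Run a few constructed invocations through the monitor."""
    calls = [
        ("com.example.webapp.Handler", "java.io.File", "read"),
        ("com.example.plugin.Report", "java.io.File", "write"),
        ("com.example.plugin.Report", "java.lang.Runtime", "exec"),
        ("org.thirdparty.Unknown", "java.io.File", "read"),
    ]
    return [POLICY.check(*c) for c in calls]


if __name__ == "__main__":
    for (subject, obj, method), (ok, why) in zip(demo.__defaults__ or [], []):
        pass
    for decision in demo():
        print(decision)
    for entry in POLICY.audit:
        print("denied:", entry)
```

The points the simulation makes are the ones the paper's model rests on: a label is attached to every object, not only to those touching OS resources, so object-to-object calls (`app_t -> plugin_t`) are subject to the same policy as calls into `java.io.File`; and an object whose class matches no labeling rule cannot interact at all, which is the deny-by-default behaviour that distinguishes a MAC monitor from the discretionary checks the JVM already performs.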
Section 1 describes existing solutions for protecting Java applications and their limitations. Section 2 focuses on SEJava's foundations, describing a new MAC model based on the Java specifications. Section 3 then presents a simple implementation using JVMTI and performance results.