computers & security 25 (2006) 338–350 available at www.sciencedirect.com journal homepage: www.elsevier.com/locate/cose Comparing Java and .NET security: Lessons learned and missed Nathanael Paul*, David Evans* UniversityofVirginia,DepartmentofComputerScience,VA,USA a r t i c l e i n f o a b s t r a c t Articlehistory: Manysystemsexecuteuntrustedprogramsinvirtualmachines(VMs)tomediatetheirac- Received24February2005 cesstosystemresources.SunintroducedtheJavaVMin1995,primarilyintendedasalight- Revised27December2005 weightplatformforexecutinguntrustedcodeinsidewebpages.Morerecently,Microsoft Accepted6February2006 developed the .NET platform with similar goals. Both platforms share many design and implementation properties, but there are key differences between Java and .NET that Keywords: haveanimpactontheirsecurity.Thispaperexamineshow.NET’sdesignavoidsvulnera- Virtualmachinesecurity bilitiesandlimitationsdiscoveredinJavaanddiscusseslessonslearned(andmissed)from Javasecurity experiencewithJavasecurity. .NETsecurity ª2006ElsevierLtd.Allrightsreserved. Securitydesignprinciples Bytecodeverifier Maliciouscode Codesafety 1. Introduction .NET platform, in which no major security vulnerabilities have yet beenfound, appearsstriking. This paper considers Javaand.NETarebothplatformsforexecutinguntrustedpro- whetherornotthedifferenceinthenumberofsecurityvul- gramswithsecurityrestrictions.Althoughtheysharesimilar nerabilitiesfoundinthetwoplatformsstemsfromfundamen- goalsandtheirdesignsaresimilarinmostrespects,thereap- taldifferencesintheirdesigns. peartobesignificantdifferencesinthelikelihoodofsecurity Table1summarizesJavasecurityvulnerabilitiesreported vulnerabilitiesinthetwoplatforms. inthepast10years.Hopwood(1996),Princeton’sSecureInter- Fig.1showsthenumberofmajorsecurityvulnerabilities netProgrammingteam(Deanetal.,1996;Wallachetal.,1997; reportedforeachplatform.AsofDecember2005,theCommon WallachandFelten,1998)andMcGrawandFelten(1999)iden- Vulnerabilities and Exposures (CVE) database contains 150 tified several vulnerabilities in early Java implementations. entries concerning Java vulnerabilities (Mitre Corporation, The rest are those documented in Sun’s chronology (Sun Common Vulnerabilities), 38 of which we classify as major Microsystems, 2002; Sun Microsystems Sun Alert) and the Javaplatformsecurityvulnerabilities(wedonotincludeappli- CVEdatabase(MitreCorporation,CommonVulnerabilities). cation-specificbugsunrelatedtotheVMitself).Theremaining Bycontrast,nosecurityvulnerabilitiesinthe.NETvirtual vulnerabilitiesincludedinFig.1butnotintheCVEarefrom machineplatformhavebeenreportedtodate.Themostwidely Sun(SunMicrosystems,2002)(9vulnerabilities)andMcGraw publicizedsecurityissuein.NETwasW32.Donut,avirusthat and Felten (1999) (5 vulnerabilities). The contrast with the took control of the executable before the .NET runtime had * Correspondingauthors. E-mailaddresses:[email protected](N.Paul),[email protected](D.Evans). 0167-4048/$–seefrontmatterª2006ElsevierLtd.Allrightsreserved. doi:10.1016/j.cose.2006.02.003 Report Documentation Page Form Approved OMB No. 0704-0188 Public reporting burden for the collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington VA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to a penalty for failing to comply with a collection of information if it does not display a currently valid OMB control number. 1. REPORT DATE 3. DATES COVERED 2006 2. REPORT TYPE 00-00-2006 to 00-00-2006 4. TITLE AND SUBTITLE 5a. CONTRACT NUMBER Comparing Java and .NET security: Lessons learned and missed 5b. GRANT NUMBER 5c. PROGRAM ELEMENT NUMBER 6. AUTHOR(S) 5d. PROJECT NUMBER 5e. TASK NUMBER 5f. WORK UNIT NUMBER 7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) 8. PERFORMING ORGANIZATION University of Virginia,Department of Computer Science,151 Engineer’s REPORT NUMBER Way,Charlottesville,VA,22904-4740 9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSOR/MONITOR’S ACRONYM(S) 11. SPONSOR/MONITOR’S REPORT NUMBER(S) 12. DISTRIBUTION/AVAILABILITY STATEMENT Approved for public release; distribution unlimited 13. SUPPLEMENTARY NOTES The original document contains color images. 14. ABSTRACT 15. SUBJECT TERMS 16. SECURITY CLASSIFICATION OF: 17. LIMITATION OF 18. NUMBER 19a. NAME OF ABSTRACT OF PAGES RESPONSIBLE PERSON a. REPORT b. ABSTRACT c. THIS PAGE 13 unclassified unclassified unclassified Standard Form 298 (Rev. 8-98) Prescribed by ANSI Std Z39-18 computers & security 25 (2006) 338–350 339 different Java VM implementations whereas .NET’s number 50 d is from Microsoft’s sole implementation. From the available e ort 40 information,theoneimplementationthatdidhavemanyof ep itsownuniquevulnerabilitieswasMicrosoft’sJavaimplemen- R s 30 tation, and this is largely due, in part, to 10 vulnerabilities e Java VM abiliti 20 r1e9p9o6r,tebdotihnMNoicvreomsobfetra2n0d02NbeytsPcyanpneohnaedn.lAicsenesaerdlyJaasvaM,atrwcho ner months after the 1.0 release date (Sun Microsystems, Java). Vul 10 AsJavalicensees,bothMicrosoftandNetscapeimplementa- .NET VM tions are based on the Sun implementation (Sun Microsys- 0 2 4 6 8 10 tems, 2002) so much of the code and design are shared Years Since First Release across the three implementations. The first 9 reported Java vulnerabilitiesdidaffectallthreeimplementations,including Fig.1–Majorsecurityvulnerabilitiesreported.Thevalue thefirst5of13totalverifiervulnerabilities.Althoughpopular plottedisthecumulativenumberofmajorsecurityvulner- open source .NET platform implementations exist, such as abilitiesreportedineachplatformsincethefirstofficialre- Mono, and dotGNU, neither has fully implemented code ac- lease(Java1.0inJanuary1996(SunMicrosystems,Java); cesssecuritytoenabletheexecutionofpartiallytrustedcode. .NET1.0inJanuary2002(MicrosoftCorporation,Technology Another possibility is that .NET just avoided the specific Overview)). securityvulnerabilitiesthatwerealreadyknownbecauseofpre- viousexperiencewithJava.Thismaybetrueinafewcases,but ingeneralitisnotthecase.Thereareenoughdifferencesbe- control(Szor).Sincethevulnerabilityoccursbeforethe.NET tweentheplatformsthatmostsecurityvulnerabilitieswould runtime takes control, we consider this a problem with the not have a direct analog. Further, vulnerabilities continue to way the operating system transfers control to .NET and not befoundinnewversionsofJavaevenafter.NET’srelease. withthe.NETplatform.Eightothersecurityissuesthathave In this paper we explore the more optimistic hypothesis beenidentifiedinthe.NETarelistedinMicrosoft’sKnowledge that.NET’sdesignisfundamentallymoresecurethanJava’s, Base(Farkas)andtheCVEdatabase(MitreCorporation,Com- andinparticular,thatitbenefitsfromfollowinggeneralsecu- monVulnerabilities),butnoneofthemareplatformsecurity rity principles that have been learned and reinforced from vulnerabilitiesbythestandardweuseinthispaper.Appendix experiencewithJava.Thegenerallessonstobelearnedfrom Aexplainstheseissuesandwhywedonotcountthem. experience with Java are not new. Most of them go back at There are many possible explanations for the .NET plat- least to Saltzer and Schroeder’s (1973) classic paper, and form’sapparentlackofsecurityvulnerabilities.Onepossibil- noneshouldbesurprisingtosecurityanalysts.Inparticular: ity is that .NET is a less desirable platform for attackers to economyofmechanism,leastprivilege,andfail-safedefaults compromisethanJavasoithasnotreceivedthescrutinynec- aredesignprinciplesthatenhancesecurity,butcanoftencon- essary to reveal vulnerabilities. This is unlikely, however, flict with other goals including usability and complexity. since the .NET framework is now provided as a Windows Other lists of security principles, including Viega and update.SinceWindowshasover90%ofthedesktopmarket McGraw’s (2001), include similar properties such as defense withalargenumberofmachinesusing.NET,the.NETplat- in depth and securing the weakest link. Viega and McGraw formpresentsanattractivetarget. emphasizethatsecurityprinciplesshouldbefollowedwithin Anotherpossibilityisthatmorevulnerabilitieshavebeen anapplication’scontextandfollowingtheseuniversalsecu- found in Java implementations because there are several rityprinciplesallowsaprogrammertoweighdifferentdesign Table1–Javasecurityvulnerabilities Category Count Instances APIbugs 12 CVE-2000-0676,CVE-2000-0711,CVE-2000-0563,CVE-2002-0865, CVE-2002-0866,CVE-2002-1260,CVE-2002-1293,CVE-2002-1290, CVE-2002-1288,CVE-2002-0979,CVE-2005-3905,CVE-2005-3906 Verification 13 SunChronology(4),McGrawandFelten(2),CVE-1999-0766,CVE-1999-0141, CVE-1999-0440,CVE-2000-0327,CVE-2002-0076,CVE-2003-0111,CVE-2004-2627 Classloading 8 SunChronology(5),CVE-2002-1287,CVE-2003-0896,aCVE-2004-0723 Otherorunknown 3 CVE-2001-1008,CVE-2002-1325,CVE-2005-3907 Missingpolicychecks 3 CVE-1999-0142,CVE-1999-1262,McGrawandFelten(1) Configuration 5 CVE-2000-0162,CVE-2002-0058,CVE-2005-0471,McGrawandFelten(2) DoSattacks(crash) 4 CVE-2002-0867,CVE-2002-1289,CVE-2003-0525,CVE-2004-0651 DoSattacks(consumption) 4 CVE-2002-1292,CVE-2004-2540,CVE-2005-3583,CVE-2004-1503 VulnerabilitiesreportedinJavaplatforminCVEdatabase(MitreCorporation,CommonVulnerabilities),Sun’swebsite(SunMicrosystems,2002; SunMicrosystems,SunAlert),andMcGrawandFelten(1999). Vulnerabilitiesreportedinmorethanonesourcewerecountedonce. a RevealedunderkeywordsearchforJVMvulnerabilitiesinsteadofJavavulnerabilities. 340 computers & security 25 (2006) 338–350 trade-offswhilepreparingforunknownattacksthatmaynot The .NET platform includes the .NET part of the figure fit past attack patterns (Viega and McGraw, 2001). The con- involved in executing an assembly except for the operating creteexperiencewithJavashowshowfailuretoapplythese systemandtheprotectedresource.A.NETassembly,analo- wellknownprincipleshasleadtovulnerabilitiesinaparticu- goustoJava’sJARfile,isanexecutableordynamicallylinked lar,security-criticalsystem. library containing Microsoft intermediate language instruc- Previouswork,includingPilipchuk’sarticle,hascompared tions (MSIL), some metadata about the assembly, and some securitymechanismsandfeaturesinJavaand.NETfromanop- optional resources. .NET differentiates between managed erationalperspective.Inthispaper,weconsiderhowtheydiffer (safe)andunmanaged(unsafe)codes.Sinceasecuritypolicy fromtheperspectiveofwhathasandhasnotbeenlearnedfrom cannot be enforced on unmanaged code, we only consider experiencewithJava.Theprimarycontributionsofthispaper managedcode. areasfollows:(1)anillustrationofhowthehistoryofJavasecu- Both Java and .NET have large trusted computing bases rityvulnerabilitiesrevealsfailurestofollowestablishedsecurity (TCBs)allowingmanypossiblepointsoffailure.TheTCBin- principles;(2)anidentificationofhow.NET’ssecuritymecha- cludeseverythinginFig.1exceptfortheexternaluntrusted nisms have addressed the vulnerabilities and limitations of program(theJavaclassor.NETassembly).InJava,aflawin Java;and(3)adiscussiononhowdifferencesinthedesignof thebytecodeverifier,classloader,JVMorunderlyingoperat- .NETandJavaarelikelytoimpacttheirsecurityproperties. ing system can be exploited to violate security properties. Next,weprovideanoverviewofbothplatforms.Section3 With.NET,aflawinthepolicymanager,classloader,JITver- describeslow-levelcodesafetyhighlightingtheimportanceof ifier,CLR,orunderlyingoperatingsystemcanbeexploitedto simplicity. Section4 examinespolicydefinitionandpermis- violatesecurityproperties.ThesizeoftheTCBmakesitinfea- sions emphasizing the principles of fail-safe defaults, least sibletomakeformalclaimsabouttheoverallsecurityofeither privilege,andcompletemediation.Associatingpolicieswith platform; instead, we can analyze individual components codeaccordingtothecodeattributesisdiscussedinSection5. using the assumption that other components (in particular, Next,Section6describeshowtheJVMandCLRenforcepoli- theunderlyingoperatingsystem)behavecorrectly. cies on executions evaluating them in their application of The JVML or MSIL code may be generated by a compiler the principles of least privilege, fail-safe defaults, and com- from source code written in a high-level program such as plete mediation. Section 7 discusses the shortcomings of Java or C#, but these files can be created in other ways. bothplatformswithrespecttopsychologicalacceptability. Although high-level programming languages may provide certain security properties, there is no way to ensure that thedeliveredJVMLorMSILcodewasgeneratedfromsource codeinaparticularlanguagewithatrustedcompiler.Hence, 2. Platform overview theonlysecurityprovidedagainstuntrustedcodeiswhatthe platformprovides.Thispaperdoesnotconsidertherelative BothJavaand.NETuseavirtualmachinetoenforcepolicies merits of the Java and C# programming languages but only onexecutingprogramsasdepictedinFig.2.ThetermJavais compares the security properties of the two execution usedtorefertobothahigh-levelprogramminglanguageand platforms. aplatform.WeuseJavatorefertotheplatformconsistingof SincetheJavaplatformwasintroducedin1995,Java’sse- everythingusedtoexecutetheJavaclasscontainingJavavir- curity model has evolved to incorporate additional security tualmachinelanguagecode(JVML,alsoknownas‘‘Javabytec- mechanismsincludingcodesigningandincreasinglyflexible odes’’)intheleftpartofFig.1excepttheoperatingsystemand policies.Whenspecificimplementationissuesareconsidered, theprotectedresource.AJavaarchive(JAR)fileencapsulates we address the current standard implementations of each Java classes and may also contain other resources such as platform:theJava2SoftwareDevelopmentKit1.4.2andthe a digital signature or pictures. Java was designed primarily .NETFramework1.1. to provide a trusted environment for executing small pro- BothJavaand.NETuseacombinationofstaticanalysisand gramsembeddedinwebpagesknownasapplets. dynamiccheckingtoenforcepoliciesonexecutingprograms. ThebytecodeverifierinJavaandthejust-in-time(JIT)verifier in.NETstaticallyverifysomelow-levelcodepropertiesneces- JAR Assembly sary (but not sufficient) for type safety, memory safety and ClassLoader PolicyManager control-flow safety before allowing programs to execute. Security Other properties must be checked dynamically to ensure exception ClassLoader low-levelcodesafety.Section3describestheprincipleofsim- plicity in low-level code safetyproperties.Six of the 30Java Verifier Verify JIT Verifier platformsecurityvulnerabilitiesintheCommonVulnerabil- Verify Exception Exception ities and Exposures database (Mitre Corporation, Common Vulnerabilities), and 6 of the earlier vulnerabilities (McGraw Security CLR Security Java VM exception andFelten,1999;SunMicrosystems,2002)aredirectlyattrib- exception Operating System Operating System utedtoflawsinimplementationsoftheJavabytecodeverifier. Protected Resource ProgramsthatpasstheverifierareexecutedintheJavavirtual Protected Resource machine (JVM) or .NET Common Language Runtime (CLR). Java .NET Bothvirtualmachinesuseareferencemonitortomediateac- Fig.2–Architectureoverview. cesstoprotectedsystemresources. computers & security 25 (2006) 338–350 341 Codepassingtheverifierispermittedtoruninthevirtual 3. Low-level code safety machine,butadditionalruntimechecksareneededthatcould notbecheckedstatically.Runtimechecksarerequiredtoen- Low-level code safety comprises the properties of code that sure that array stores and fetches are within the allocated makeittype,memory,andcontrol-flowsafe.Withoutthese bounds, elements stored into array have the correct type properties,applicationscouldcircumventnearlyallhigh-level (becauseofcovarianttypingofarraysinbothJVMLandMSIL securitymechanisms(Yellin,1995).Theprimarylessonlearnt this cannot be checked statically (Cook, 1989)), and down fromJava’sexperiencewithlow-levelcodesafetygoesbackto castobjectsareofthecorrecttype. oneoftheearliestsecurityprinciples:keepthingssimple. AbugintheJavabytecodeverifierorMicrosoft’sJITverifier Typesafetyensuresthatobjectsofagiventypewillbeused canbeexploitedbyahostileprogramtocircumventallsecu- inawaythatisappropriateforthattype.Inparticular,type ritymeasures,socomplexityintheverifiershouldbeavoided safetypreventsanon-pointerfrombeingdereferencedtoac- wheneverpossible. cessmemory.Withouttypesafety,aprogramcouldconstruct TheJVMLandMSILverifiersarebothrelativelysmall,but anintegervaluethatcorrespondstoatargetaddress,andthen complex, programs. Sun’s 1.4.2 verifier (Sun Microsystems, useitasapointertoreferenceanarbitrarylocationinmem- Java2SDK)is4077linesofcode(notincludingcodeforcheck- ory. Memory safety ensures that a program cannot access ingthefileformat).For.NET,weexaminedRotor,theshared memoryoutsideofproperlyallocatedobjects.Bufferoverflow sourcecodethatisabetaversionofMicrosoft’simplementa- attacks violate memory safety by overwriting other data by tionoftheECMACLIstandard(Stutz).TheJITverifierinthe writingbeyondthe allocatedstorage(AlephOne, 1996). Con- production.NETreleaseiseitherverysimilaroridenticalto trolsafetyensuresthatalljumpsaretovalidaddresses.With- the Rotor verifier (Lewin, 2004). Rotor’s integrated verifier out control safety,a program could jump directly to system andJITcompilertotalabout9400lines,roughly4300ofwhich code fragments or injected code,therebybypassingsecurity areneededforverification. checks. Javaand.NETachievelow-levelcodesafetythroughstatic 3.2. Instructionsets verificationandruntimechecks.IntypicalJavaimplementa- tions,staticverificationisdonebytheJavabytecodeverifier Sincetheverifier’scomplexityisdirectlytiedtotheinstruc- at load time. An entire class is verifiedbefore it is executed tion set of the virtual machine, examining the instruction in the virtual machine. In .NET, parts of the verification are sets provides some measure of the verifier’s complexity. doneaspartoftheJITcompilation.Allcodemustpassthever- Each platform uses about 200 opcodes, but some important ifier,however,beforeitispermittedtoexecute. differencesintheirinstructionsetsimpactonthecomplexity of their verifiers. This section considers the differences be- tweentheJVMLandMSILinstructionsetsfromtheperspec- 3.1. Verification tive of how complex it is to verify low-level code safety properties. Thefirststepintheverificationprocessisthevalidationofthe Table2summarizestheinstructionsetsforeachplatform. file format of the code (ECMA International, 2002; Lindholm One obvious difference between the instruction sets is that andYellin,1999).ThefileischeckedaccordingtotheJavaclass JVML has separate versions of instructions for each type, fileor.NETPE/COFFfilespecifications(LindholmandYellin, whereas.NETusesasingleinstructiontoperformthesame 1999; Microsoft Corporation, Microsoft Portable Executable). operationondifferenttypes.Forexample,Javahasfourdiffer- Following theverificationofthefileformat,theverifieralso entaddinstructionsdependingonthetypeofthedata(iadd checkssomestaticrulestoensurethattheobjects,methods, addsintegers,faddaddsfloats,etc.)where.NEThasonein- andclassesarewellformed. structionthatworksondifferenttypes.Usinggenericinstruc- Next,theverifiersimulateseachinstructionalongeachpo- tionstoperformanoperationwithmultipletypesinsteadof tentialexecutionpathtocheckfortypeandotherviolations. just two typesmakes verification slightly more difficult,but Since JVML and MSIL are stack-based languages, executions meansthat.NEThasmoreinstructionopcodesavailablefor aresimulatedbymodelingthestateofthestackwhiletrack- otherpurposes..NETusessomeoftheseinstructionstopro- ing information about each instruction to help ensure low- videoverflowandunsignedversionsofthearithmeticopera- level code safety. Verification fails if a type violation could tions. The overflow versions of arithmetic operations throw occur,orastackoperationcouldcauseunderfloworoverflow. exceptionsifthecalculationoverflows,enablingapplications Inaddition,control-flowsafetyisensuredbycheckingthatall tobetterhandleoverflowsandavoidsecurityvulnerabilities branchinstructionstargetvalidlocations. relatedtoarithmeticoverflows(suchastheSnortTCPStream Thegeneralproblemofverifyingtypesafetyisundecidable Reassembly Integer Overflow Vulnerability reported in Core (Pierce,1992),socertainassumptionsmustbemadetomake SecurityTechnologiesAdvisory). verificationtractable.Bothverifiersareconservative:ifapro- grampassesverificationitisguaranteedtosatisfyprescribed 3.2.1. Functioncalls safetyproperties,however,programsexistthataretypesafe Complex, multi-purpose instructions further increase verifi- butfailverification.Amoresophisticatedverifiercouldaccept cationcomplexity.Forexample,theinvokespecialinstruction moreofthesafeprograms(stillrejectingallunsafeprograms), in JVML servesthree purposes: callinga superclassmethod, butincreasingthecomplexityoftheverifierislikelytointro- invoking a private method, and invoking an initialization duceadditionalvulnerabilities. method.Themultipleusesofthisinstructionmakeitdifficult 342 computers & security 25 (2006) 338–350 Table2–Instructionsetscomparison Type JVML MSIL Number Examples Number Examples arithmetic 36 iadd,fadd,ladd,iand 21 add,add_ovf,xor stack 11 pop,dup2,swap 2 pop,dup compare 21 ifeq,ifnull,if_icmpeq 29 ceq,beq,brfalse load 51 Ldc,iload,iaload 65 Ldarg,ldftn,ldstr store 33 Istore,lstore_1,castore 27 Starg,stloc_s,stelem_R8 conversions 15 i2f,d2i,l2d 33 conv_i2,conv_ovf_u8,conv_u2 methodcalls 4 invokevirtual,invokestatic, 3 callvirt,call,calli invokespecial,invokeinterface objectcreation 4 new,newarrary,anewarray, 2 newobj,newarr multianewarray exceptions 3 athrow,jsr,ret 5 leave,leave_s,rethrow,endfilter, endfinally to verify correctly. Sun’s verifier uses 260 lines to verify the thestackbecauseofdup.InMSIL,thesinglenewobjinstruction invokespecialinstruction(counting majormethods usedfor calls a constructor, creating and initializing a new object in verification). A 2001 verifier bug involving the invokespecial one step. This sacrifices flexibility, but verification of newobj instruction (Sun Microsystems, Sun Security) affected many ismucheasierthanJava’ssequenceofinstructionssincethe implementationsoftheJVM,andcouldbeexploitedtoviolate verifierknowsthattheobjectisinitializedassoontheinstruc- typesafety(LastStageofDeliriumResearchGroup). tionisexecuted. .NEThastwomaininstructionsforcallingmethods:call AJavaverifiermustcheckwhetheranynewobjectisini- andcallvirt(anotherMSILcallinginstruction,calli,isused tialized before use (Leroy, 2001). Java’s verifier has difficulty for calling functions indirectly through a pointer to native with two areas in object creation. In cases where the new, code).ThecallinstructionissimilartoJava’sinvokespecial dupandinvokespecialinstructionsareseparatedbyinstruc- and invokestatic instructions. The callvirt instruction is tions,thiscanposeproblemsfortheverifier.Thesecondprob- similar to Java’s invokeinterface and invokevirtual instruc- lematic area is the complexity of the invokespecial tions.Themaindifferencebetweenthecallandcallvirtin- instruction. Microsoft and Netscape’s Java verifiers have structionsishowthetargetaddressiscomputed.Theaddress bothhadvulnerabilitiesrelatingtoimproperobjectinitializa- ofacallisknownatlink-timewhilecallvirtdeterminesthe tion.TheMicrosoftverifierbuginvolvedcallingaconstructor methodtocallbasedontheruntimetypeofthecallingobject. withinanexceptionhandlerinsideachildclass(LastStageof CombiningJava’sfourdifferentcallinginstructionsintotwo DeliriumResearchGroup).Oncethecodecalledtheconstruc- instructionsmaymakeiteasierforacompilerwriter(Meijer tor from inside the child class, the parent class constructor and Gough), but given Java’s history of trouble it may have would becalledto createa ClassLoader object,butthechild been better to have several single-purpose call instructions class had not been given permission to instantiate a class rather than a few instructions with multiple functions. The loader.Theresultingexceptionwascaughtbytheexception call and callvirt instructions each have their own method handlerintheconstructorofthechildclass,andtheinitializa- for JIT compilation and verification totaling approximately tionwasincorrectlyassumedtohavecompleted. 200linesintheRotorimplementation. Toefficientlysupporttailrecursion,theMSILcallinstruc- 3.2.3. Exceptionhandling tionsmayalsobeprecededbyatailprefixwhichistreated Java’s exception handling instructions impose additional as a special case by the verifier (ECMA International, 2002). complexitycomparedtoMSIL’ssimplerapproach.TheJVML Thetailprefixreusesthesameactivationrecordonthestack instruction jsr is used to implement the Java programming instead of creating a new record every time a call is made. language try-finally construct that transfers execution to a About250extralinesarerequiredforverificationandcompila- finally block (Lindholm and Yellin, 1999) and is one of the tionofthetailprefixincludingtheextralinesneededtodeal most complex instructions to verify. To jump to a finally withcall,calli,andcallvirt.Itistoosoontojudgewhether block, control transfers to an offset from the address of the theperformanceadvantagesofsupportingtailoutweighthe jsrinstruction,andthereturnaddressofthenextinstruction additionalsecurityrisksassociatedwiththeaddedcomplexity. afterthejsrinstructionispushedontothestack.Themain problem is the use of the operand stack to store the return 3.2.2. Objectcreation addresssincethismakesanattractivetargetforanattacker Sometimesacomplexsingleinstructionisbetterthanusing who may try to insert a different address while fooling the manyseparateinstructions.Forexample,aJavaprogramcre- verifier. With the return address on the operand stack, atesanewobjectbyusingnewtoallocatememoryforthenew more difficulty exists in a finally block’s verification in the object,duptoplaceanadditionalreferencetothenewlycre- multiplewaysonecouldexecuteafinallyblock:ajsrcalled ated object on the stack, and then invokespecial to call the after execution of the try clause, a jsr used upon a break/ object’sinitializingconstructor.Afterreturningfromthecon- continue within the try clause, or a return executed within structor,areferencetothe(nowinitialized)objectisontopof thetryblock. computers & security 25 (2006) 338–350 343 Several vulnerabilities have been found in Java verifiers actions code may perform. If a program attempts an action duetothecomplexityofthejsrinstruction.Onerelatingto contrarytothepolicy,asecurityexceptionisraised. subroutines in exceptionhandling was found in 1999 in the MicrosoftJVM(LastStageofDeliriumResearchGroup).Toex- 4.1. Permissions ploitthisflaw,tworeturnaddressesareplacedontopofthe stackusingdifferentjsrinstructions.Next,aswapinstruction Theamountofcontrolpossibleoversystemresourcesdepends is executed. The verifier failed to account for the change of ontheavailablepermissions.Exceptforthosepermissionsthat return addresses on the stack (ignoring the swap since the are platform specific, Java and .NET provide similar permis- returnaddressesareofthesametype).Theswitchedreturn sionsforcontrollingaccesstothefilesystem,network,display, addressisusedbytheretinstructiontoreturntotheinstruc- systempropertiesandclipboard(MicrosoftCorporation,Secu- tionthatisnowreferencedbytheaddress.Theverifiercon- rityBriefs;SunMicrosystems,Permissions).Thepermissions tinuestoverifythemethodasiftheswaphadnotexecuted, providedbyeachplatformaresummarizedinTable3. thusbreakingtypesafety. Theplatformsdifferinwhichresourcesareprotectedbyper- .NET avoids the complexity associated with Java’s jsr missions, and in the granularity of control over specific instructionbyprovidingasimplerinstruction.Theleavein- operationsandresourcestheavailablepermissionsprovide.In structionusedtoexitatryorcatchclauseclearstheoperand general,.NETandJavaprotectthesamesetofresourceswith stackand uses information storedin an exceptionhandling permissions, except for platform-specific resources. For in- clauseforcontrolflow. stance, Java must provide permissions that protect some Recently,Sunhasannouncedaradicalredesignofitsbyte- resourcesthatarenotexposedin.NETincludingtheSecurity- codeverifier. ThenewverifierthatispartofthenewJavaSE Manager and AccessControlContext (see Section 6.2). Although Mustangreleasewillhavetwoveryimportantsimplifications: .NEThasaregistrypermissiontoprotecttheWindowsregistry, the separation of the type inferencing process and the re- JavadoesnotexposethisresourcethroughtheirAPIbydefault. movalofanycodethatgeneratesajsrorretinstruction(Sun Similarly,JavahasanAudioPermissionforrestrictingaccessto Microsystems, JSR 202; Sun Microsystems, New Java SE). audiosystemresources,but.NET’sAPIprovidesnoaccessto Theverifiercannowusetype informationembeddedinthe audio resource. Microsoft’s DirectX 9.0 SDK provides access classfilerepresentedasacodeattributeinsteadofhavingto to audio resources, and adds the SoundPermission to control infer the type information. To ease this transition to the accesstothoseresources. newverifier,theverificationprocessrevertstousingtheold Ingeneral,.NETprovidespermissionswithfinergranularity verifier if a class file is not recognized as a newer version ofcontrol.Forexample,bothplatformsprovidepermissionsto 50.0classfile(SunMicrosystems,NewJavaSE). restrictaccesstothefilesystem.But,whereasinJavathesame Disabling the JVM from running older class files can be permissioncontrolsdeleting,writingto,andappendingtofiles, donebypassingaflagtotheJVM. Thisdesigncanbreakback- in.NETitispossibletoprovidejustappendaccesstoafile. wardcompatibilityforthebenefitofthesimplicityofverifica- Table3revealsthatbothplatformssufferfromthelackofa tion,butusersshouldhavemoreconfidenceinthesecurityof systematicdesignintheirpermissions.Manyofthesepermis- theJavaverifier. Thisisanencouragingsteptowardssimplic- sionsarebasedonprotectingmethodsprovidedbytheplat- ity, in contrast to nearly all of the modifications to the Java form API, rather than protecting security-critical resources. platformsince1995thatincreasedcomplexity. Forexample,Java’sSQLPermissionallowsaprogramtosetthe loggingstreamthatmaycontainprivateSQLdata;itischecked 3.2.4. Summary beforesetLogWritermethodsinseveralclasses.Java’sAWTPer- Wetested.NETtocheckthattheverifierwasbehavingcorrectly mission.createRobot permission protects java.awt.Robot ob- accordingtotheECMAspecificationandattemptedtocarryout jectsthatallowthecreationoflow-levelmouseandkeyboard exploitsthathavepreviouslyworkedontheJavaverifier,but events..NET’sPerformanceCounterPermissionprotectsdiagnos- were unable to construct any successful exploits. Of course, ticinformationexposedbytheAPI.Thesepermissionsdonot thisdoesnot mean thatthere are noexploitable bugs inthe correspondwelltosecuritypropertiesausercouldrelateto, .NET verifier, but itisencouraging that noverifierbugshave butrathercorrespondtodangerousAPImethods. beenreportedtodate..NET’sdesignersavoidedmanyofthepit- Designing permissions around API methods rather than fallsinearlyJavaimplementationsbenefitingfromJava’shis- security-criticalresourcesisdangeroussinceitmeansgrant- tory of problems with exception handling, creating objects, ingapermissionmayprovideunexpectedcapabilities.Forex- andcallingmethods.TheMSILinstructionsetdesignsimplifies ample,Java’sReflectPermissionindirectlyallowsaprogramto theverificationprocessbyavoidinginstructionssimilartothe access private methods and fields; effectively, this allows mostcomplexinstructionstoverifyinJVML. aprogramtocircumventothersecuritychecksandisequiva- lenttograntingmostotherpermissions..NETprovidesasim- ilar ReflectionPermission, but allows a finer granularity of control over what can be accessed. Other permissions pro- 4. Defining policies vided by Java that effectively grant code arbitrary access include FilePermission.execute (which allows a program to Low-level code safety mechanisms prevent hostile applets executeasystemcommand)andSecurityPermission.setPolicy fromcircumventingthehigh-levelcodesafetymechanisms, (whichallowsaprogramtochangethesecuritypolicy). but security depends on high-level mechanisms to enforce Knowingtheresultingpolicyaftergrantingcertainpermis- a policy on program executions. A policy specifies what sionsisanareaofdifficultycommontobotharchitectures.A 344 computers & security 25 (2006) 338–350 Table3–Permissionssummary(MeijerandGough;.NETFrameworkDeveloper’sGuide) Resource Restrictedoperations Javapermissions .NETpermissions Filesystem Read/write/execute/deletefiles FilePermission FileIOPermission,SecurityPermission Appendaccessinformationon Noseparatepermissions FileIOPermissionAccess(Append, pathitself (append¼write) PathDiscovery) Accessdataincurrentdirectory Canreadanyfileincurrent IsolatedStoragePermission fromexecutingprogram directoryorsub-directoryof currentdirectory Network Accept/connect/listen/resolvea SocketPermission SocketPermission hostatanoptionalportrange Display Showanapplet-createdwindow AWTPermission Eventshandleddifferentlywithout withoutwarning,restrictaccessto specialpermissions eventqueue Controllingdifferentpropertiesofa Notprovided UIPermission.Window window(e.g.,settingcaption,hiding cursor) Reflection Useofreflection ReflectPermission ReflectionPermission Reflectiononvisibleorinvisible Levelofcontrolnotprovided ReflectionPermission,differentflag membersofatype (allornothing) valuescontrolthelevelofuse Systemclipboard Read/writeclipboard(allornothing) AWTPermission UIPermission.Clipboard Readclipboard(writeunrestricted) Levelofcontrolnotprovided UIPermission.Clipboard(OwnClipboard) (allornothing) Threading Controlthreads RuntimePermission SecurityPermission Controlanythread,code’sownthreads, RuntimePermission,different Threadpoolprovidessafetythrough controlagroupofthreads targetvalues implementation controllevelofprivileges Database SettheloggingstreamofSQLactions SQLPermission Loggingcanbeconfiguredthrough registryorprovidedtools(Meieretal.) Allowblankpasswordsforadatabase SpecificdatabaseAPInotincluded OdbcPermission,OleDbPermission, user,accessdatabases bydefault OraclePermission,SqlClientPermission Printer Print RuntimePermission PrintingPermission Printingtoanyprinter(defaultonly)and Allornothingrestrictionby PrintingPermission throughrestrictedprintdialogboxes RuntimePermission Platformspecific Read/write/deleteregistrykeys/values Resourcenotexposed(no RegistryPermission permissionneeded) developermaynotunderstandthatgrantingfileexecuteorre- theoriginofthecode,thedigitalcodesigners(ifany),andthe flectionpermissionstoanycodethatasksforitisessentially principalexecutingthecode.Java’spoliciesarealsoaffected thesameasfullytrustingthecode.Anattackeralsohasanad- byasystem-widepropertiesfile,java.security,whichspecifies ditionalmethodofattacktocompromiseasystemifapermis- pathstootherpolicyfiles,asourceofrandomnessfortheran- sioncangivehigherprivilegesinadifferentway. domnumbergenerator,andotherimportantproperties. Neither platform supports complete mediation: only ac- AJavapolicyfilecontainsalistofgrantentries.Eachentry tions associated with an associated predefined permission specifies a context that determines when the grant applies are checked and many resources (for example, allocating andlistsasetofgrantedpermissionsinthatcontext.Thecon- memory)havenoassociatedpermission.Further,thereisno textmayspecifythecodesigners(alistofnames,allofwhom supporttorestricttheamountofaresourcethatisconsumed, signedthecodeforthecontexttoapply),thecodeorigin(code so many denial-of-service attacks are possible without cir- baseURL),andoneormoreprincipals(onwhosebehalfthe cumventingthesecuritypolicy.Theselimitationsareserious codeisexecuting).Ifnoprincipalsarelisted,thecontextap- (LaDue),butmorecompletemediationispossiblethroughthe pliestoallprincipals. referencemonitoringframeworkonlybysignificantlyreduc- Javaisinstalledwithonesystem-widepolicyfile,butauser ing performance. Richer policy expression and efficient en- can augment this policy with her/his own policy file. The forcementisanactiveresearcharea(Erlingsson,2003;Evans granted permission set is the union of the permissions andTwyman,1999;Walker,2000). grantedinallthepolicyfiles.Thisisdangeroussinceitmeans morepermissionsaregrantedthanthosethatappearinthe 4.2. Policies user’spolicyfile.Further,itmeansausercanmakethepolicy lessrestrictivethanthesystempolicy,butcannotmakethe Policiesassociatesetsofpermissionswithexecutions.Forse- policy more restrictive. Java users may not exclude permis- curity, policies should follow the principle of least privilege sions a system administrator allows unless they are able to andfail-safedefaults,however,theseprinciplesoftenconflict editjava.security, thePolicyimplementation,orthepolicy withconvenienceandarenotalwaysfollowed. filegrantingtheunwantedpermissions. InJava,policiesaredefinedbyspecifyingthepermissions .NETprovidespolicydefinitionmechanismsthatovercome granted in a policy file based on properties of an execution: these limitations by providing flexible, multi-level policies, computers & security 25 (2006) 338–350 345 butatthecostofgreatercomplexity.A.NETpolicyisspecified abilitytoassigndifferentpoliciestodifferentcodeswithinthe byagroupofpolicylevels:Enterprise(intendedforthesystem sameVMfollowstheprincipleofleastprivilege:everymodule administrator), Machine (machine administrator), User, and (classorassembly)canbeassignedtheminimumpermissions Application Domain (AppDomain). The permissions granted to neededtodoitsjob,butthisaddedflexibilitydoescostaddi- anassemblyaretheintersectionofthepermissionsgranted tionalcomplexityanddecreasedperformance.Section5.1ex- at the four policy levels. .NET’s policies grant permissions plains how granted permissions are associated with code. basedonevidenceswithinanassembly(seeSection5.2).The Section5.2describeshowcodepropertiesdeterminewhichpol- AppDomainpolicyiscreatedatruntime,andthereisnoassoci- icyshouldbeapplied.Thereareimportantdifferencesofhow ated configuration file for this policy level. If no AppDomain Javaand.NETaccomplishthis.Java’sinitialdesignwasasimple exists at runtime, then the policy is the intersection of the modelwherecodewaseithercompletelytrustedoruntrusted, Enterprise,Machine,andUserpolicylevels..NET’spolicylevels andalluntrustedcoderanwiththesamepermissions.Laterver- aresimilartoJavahavingasystem-widepolicyfileandauser sionsofJavaextendedthismodel,butwereconstrainedbythe policyfile,however,theyaremuchmoreflexible.Importantly, needtomaintainbackwardscompatibilitywithaspectsofthe in.NETtheprincipleoffail-safedefaultsisfollowedbysetting originaldesign..NETwasdesignedwitharichersecuritymodel thefinalpermissionsettotheintersectionofallpolicylevels, inmindfromthestart,soitincorporatesanextensiblepolicy whereasinJavaitistheunion. mechanisminaconsistentway. Typical users will execute code found on untrusted web sites,sotheInternetdefaultpolicyisextremelyimportantto 5.1. Codepermissions protect users and resources. If the policy is too permissive, thegrantedprivilegesmaybeusedtocompromisethesystem. BothJavaand.NETsupporttwotypesofpermissions:static Java’sdefaultpolicyallowsanuntrustedprocesstoreadsome and dynamic. Static permissions are known and granted at environmentproperties(e.g.,JVMversion,Javavendor),stop loadtime.Dynamicpermissionsareunknownuntilruntime. itsownthreads,listentounprivilegedports,andconnectto WhenJavaloadsaclass,aninstanceoftheabstractclass, theoriginatinghost.Allothercontrolledactions,suchasfile ClassLoader, is responsible for creating the association be- I/O,openingsockets(excepttotheoriginatinghost),andaudio tweentheloadedclassanditsprotectiondomain.Thesestatic operationsareforbidden.ThedefaultJavapolicydisallowsthe permissionsareassociatedwiththeclassatruntimethrough most security-critical operations, but does not prevent aprotectiondomain(PD).EachJavaclasswillbemappedto untrusted applets from annoying the user. Many examples onePD,andeachPDencapsulatesasetofpermissions.APD ofdisruptiveappletsexist,suchastheonethatstopsandkills is determined based on the principal running the code, the allcurrentandfutureappletsandanotheronethatconsumes code’ssigners,andthecode’sorigin.Iftwoclassessharethe theCPU(LaDue;McGrawandFelten,1999). same context (principal, signers and origin), they will be The.NETdefaultpermissionsaregivenbytheintersection assigned to the same PD, since their set of permissions will of the four policy levels expressed in three separate files bethesame.PriortoJ2SE1.4,permissionswereassignedstat- (AppDomainsexistonlyatruntime).Atruntime,theCLRlooks ically at load time by default, but dynamic security permis- for the three XML policy files representing the Enterprise, sionshavebeensupportedsinceJ2SE1.4(SunMicrosystems, Machine, and User policy levels. By default, .NET allows all 2003).Thisprovidesmoreflexibility,butincreasescomplexity code to have all the permissions in the Enterprise and User andmakesreasoningaboutsecuritypoliciesdifficult. policy levels, and the Machine policy level’s granted permis- To assign static permissions at load time in Java, a class sionsdeterminetheresultingpermissionset.Thedefaultpol- loaderwillassignpermissionstoaPDbasedonpropertiesof icygrantspermissionsbasedonthezoneevidence.Localcode thecodeanditssource,andtheloadedclasswillbeassociated isgivenfulltrustalongwithanystrong-namedMicrosoftor withthatsinglePDforthedurationoftheclass’lifetime(Sun ECMA assemblies. Code from the local intranet is granted Microsystems,2003;LindholmandYellin,1999).Severalflaws manypermissionsincludingprinting,codeexecution,assert- have been reported in Java’s class loading mechanisms, in- ing granted permissions (see Section 6.2), and reading the cluding8documentedfromSunMicrosystems,SunAlertand username.InternetassembliesaregiventheInternetpermis- MitreCorporation,CommonVulnerabilities(seeTable1).Itis sionsetwhichincludestheabilitytoconnecttotheoriginat- importanttonotethatthesestaticpermissionsdonotdepend ing host, execute (itself), open file dialogs, print through uponthedynamicpermissionsasspecifiedintheJavapolicy arestricteddialogbox,anduseitsownclipboard.Thetrusted filesbutratherdependsontheclassloaderloadingaclass. zonewillreceivetheInternetpermissionset.Nopermissions .NETusesasimilarapproachtoassociatepermissionsets are granted to the restricted zone. These defaults are more withassemblies.TheroleoftheClassLoaderinJavaisdivided consistentwiththeprincipleofleastprivilegethanJava’sde- between the PolicyManager and ClassLoader in .NET. The faults.Buttheirstrictnessmayencourageuserstoassigntoo PolicyManager first resolves the granted permission set manycodesourcestomoretrustedzones. (LaMacchiaetal.,2002,p.173–5).ThentheCLRstorestheper- missionsinacachedruntimeobjectbeforepassingthecode ontotheClassLoaderwhichloadstheclass. 5. Associating policies with code 5.2. Codeattributes Sinceprogramswithdifferenttrustlevelsmayruninthesame VM,VMsneedsecuremechanismsfordeterminingwhichpolicy BothJavaand.NETgrantpermissionsbasedonattributesof shouldbeenforcedforeachaccesstoacontrolledresource.The theexecutingcode. 346 computers & security 25 (2006) 338–350 TheJavaVMexaminestheCodeSource andPrincipal and different assemblies. The GAC acts as a trusted repository, grantspermissionsbasedonthevaluesfoundintheseobjects. similar to the bootclasspath in that an assembly within the TheCodeSourceisusedtodeterminethelocationororiginof GAC will be fully trusted (Microsoft Corporation, Security thecodeandsigningcertificates(ifused),andthePrincipal Briefs).Ifanattackercansuccessfullymodifyanassemblyin represents the entity executing the code. The associated theGAC,thentheattackermayhavefullcontrolofthema- PDofaclassencapsulatestheseobjectsalongwiththeClass chine. Sometimes fully trusted assemblies across all policy Loaderandstaticpermissionsgrantedatloadtime.Toextend levels are needed; for example, the default assemblies used thedefaultpolicyimplementation,thePolicyclassmayneed forpolicyresolutionthatisfullytrustedbydefault. toberewritten,oradifferentSecurityManagermayneedtobe Asanillustration,the.NETdefaultpolicytrustsallsigned implemented.Itisquestionableifthislevelofextensibilityis Microsoft assemblies, and this is checked by examining the actuallyagoodidea–itintroducessignificantsecurityrisks, strong name evidence of each assembly. If all four policy butthebenefitsinpracticeareunclear.Problemswithclass levels fully trust signed Microsoft assemblies, then any as- loading were found in early Java implementations (Dean semblyfromMicrosoftisfullytrustedonthatmachine. etal.,1996),andcontinuetoplagueJavatoday.Inonerecent classloadervulnerability(CVE-2003-0896inTable1),arbitrary codecouldbeexecutedbyskippingacalltoaSecurityManager 6. Enforcement method.The corresponding code characteristics in .NET are knownasevidences..NET’sPolicyManagerusestwotypesofev- Byallowingpartiallytrustedcodetoexecute,policyenforce- idences,hostevidencesandassemblyevidences,todetermine ment becomes more complicated. Policy enforcement is thepermissionsgrantedtoanassembly.Assemblyevidences chieflydoneatruntimebythevirtualmachine.UnlikeJava, are ignored by default. Evidences include the site of origin, .NET can perform some policy enforcement statically by zone (corresponding to Internet Explorer zones), publisher allowingtheprogrammertospecifystaticordynamicpolicy (X.509certificate)andstrongname(acryptographiccodesig- enforcement. Declarative security permissions are statically nature). .NET’s design incorporates the ability to extendnot knownandcontainedwithintheassemblymanifest.Impera- only the permissions that may be granted, but also to add tivesecuritypermissionsarecompiledtoMSILandevaluated newevidencesaswell.Anyserializableclasscanbeusedas atruntime.Thedeclarativepermissionscanbeclass-wideor evidence(FreemanandJones,2003). method-wide andcanbe usedforsomeactionsthatcannot Java and .NET both provide complex policy resolution beexpressedusingimperativepermissions.Whenruntimein- mechanisms and a bug in the policy resolution could open formation is needed to evaluate a request (e.g., a filename), a significant security hole. There are difficult issues to con- imperativepermissionsmustbeused. siderinintroducingnewpermissionsincludingXMLserializa- Runtime enforcement mechanisms share many similari- tion,anddeclarative/imperativetestingofanewpermission tiesacrossthetwoplatforms.Bothplatformsimplementaref- (see Section 6, LaMacchia et al., 2002, p. 534–44). Although erencemonitordesignedtofollowtheprincipleofcomplete .NETdoesnotprovidethesamelevelofextensibilityasJava mediation by checking the necessary permissions before incustomizingsecuritypolicyenforcement,adevelopercre- allowinganysensitiveoperation.InJava,theSecurityManager atinganewpermissionmuststillbecarefultoavoiderrors. checkscodepermissions.ProgrammerscanimplementSecur- ityManagersubtypestocustomizesecuritychecking,andpro- 5.3. Bootstrapping grams with sufficient permission can change the security manager.Thismakesitespeciallyeasytoexploitatypesafety Both platforms need some way of bootstrapping to install breakinJava,sincethesecuritymanagercanbesettonullto the initial classes and loading mechanisms. Java 1.0 used turnoffallaccesscontrol..NET’sdesigndoesnotallowpro- atrustedfilepaththatgavefulltrusttoanyclassstoredon grammers to implement their own SecurityManager class, thepath.CodeonthesystemCLASSPATHwasfullytrusted,so butthereducedflexibilityprovidesstrongersecurity. problems occurred when untrusted code could be installed on the CLASSPATH (Hopwood, 1996). Java 2 treats code found 6.1. Checkingpermissions ontheCLASSPATHasanyothercode,butmaintainsbackwards compatibility by using the bootclasspath to identify com- When a Java program attempts a restricted operation, the pletelytrustedcode necessary to bootstrap theclass loader. calledJavaAPImethodfirstcallstheSecurityManager’sappro- Hence,thesamerisksidentifiedwithinstallinguntrustworthy priatecheckPermissionmethodwhichcallstheAccessControl- codeontheCLASSPATHnowapplytothebootclasspath.Having lertodetermineifthenecessarypermissionisgranted.When exceptionsbasedonthelocationofcodeisnotwise,sincean decidingtograntapermissiontoexecutearequestedaction, attacker who can modify the trusted path or trick a web theAccessControllerchecksthatthecurrentexecutingthread browser into storing code in a location on the trusted path hastheneededpermission. willbeabletoexecuteaprogramwithfullpermissions. The12APIbugsinTable1illustratethedifficultyinimple- .NETusesfull-trustassembliestobreaktherecursiveload- mentingpermissioncheckscorrectly.Manyofthesevulnera- ing of policies since all referenced assemblies must also be bilities involve an API method that allows access to loaded(LaMacchiaetal.,2002,p.112)..NETdidnotcompletely a protected resource without the necessary security checks. abandonthenotionofatrustedpath,butithasaddedsome CVE-2000-0676 and CVE-2000-0711 both bypass calls using security. .NET uses a global assembly cache (GAC) where SecurityManager by exploiting the java.net.ServerSocket assembliesinthiscachearesignedandthensharedamong and netscape.net.URLInputStream classes. Another flaw,