Expertiza_Wiki - User contributions [en]

CSC/ECE 517 Fall 2009/wiki29 VB

2009-10-11T00:24:51Z

Wolf27: /* AspectR */

== ''' Aspect Oriented Programming - An Introduction''' ==

When Object-Oriented (OO) programming was entering into the field of software development, it changed the way how software was developed. The software systems began to be viewed as groups of entities and the interaction between those entities, which allowed them to tackle larger, more complicated systems and develop them in less time than ever before. However, OO programming is static, and a thus a change in requirements could have a brought a major impact on development time lines.

Aspect-Oriented Programming (AOP) complements OO programming by allowing the developer to dynamically modify the static OO model to create a system that can grow to meet new requirements. Just as objects in the real world can change their states during their lifecycles, an application can adopt new characteristics as it develops.

For example, we develop a web application where a servlet accepts the values of an HTML form, binds them to an object, passes them into the application to be processed, and then returns a response to the user. This basic functionality of the servlet may be very simple, and can be fulfilled with minimum amount of code. But, by the time secondary requirements such as exception handling, security, and logging have been implemented , the size of the code increases to about three times of original. Having said that, it is not mandatory for the servlet to know about the logging or security mechanisms being used, and hence can be called as secondary requirements. Its primary function is to just accept input and process it.

Using AOP , we can dynamically modify our static model to include the code required to fulfill the secondary requirements without having to modify the original static model. We can also keep this additional code in a single location rather than having to scatter it across the existing model, as we would have to if we were using OO on its own. [[http://onjava.com/onjava/2004/01/14/aop.html 1]]

== Terminologies used in Aspect Oriented Programming ==

Just as the important facets of OOP are inheritance, encapsulation, and polymorphism, the components of AOP are join points, pointcut, advice, and introduction.

Here are the definitions of some of the standard terms that would be required to understand AOP concepts.

1.'''Cross-cutting concerns''':(For a definition, go to [[http://en.wikipedia.org/wiki/Cross-cutting_concern Appendix 3]].) Even though most classes in an OO model will perform a single, specific function, they often share common, secondary requirements with other classes. For example, we may want to add logging to classes within the data-access layer and also to classes in the UI layer whenever a thread enters or exits a method. Even though the primary functionality of each class is very different, the code needed to perform the secondary functionality is often identical.

2.'''Advice''': Advice is the extra code that we want to add to our already existing model.

3.'''Point-cut''': Point-cut is the point of execution in the application at which cross-cutting concern needs to be applied.

4.'''Aspect''': Aspect is the combination of the point-cut and the advice.

The other terms that appear often in AOP are introductions (where interfaces/methods/fields can be added to existing classes). These hold tremendous potential for developers. [[http://www.developer.com/design/article.php/3308941/Aspect-Oriented-Programming.htm 2]]

== AspectJ ==

AOP has been implemented in different languages, among them Smalltalk and Java. The Java implementation of AOP is called AspectJ (TM) and has been created at Xerox PARC. For a better definition, go to [[http://en.wikipedia.org/wiki/AspectJ Appendix 1]]

Like any other aspect-oriented compiler, the AspectJ compiler includes a weaving phase that unambiguously resolves the cross-cutting between classes and aspects. AspectJ implements this additional phase by first weaving aspects with regular code and then calling the standard Java compiler. [[http://www.voelter.de/data/articles/aop/aop.html 3]]

Let's consider the following example to understand this better.
source: http://www.developer.com/design/article.php/3308941/Aspect-Oriented-Programming.htm
public class TestClass {
public void sayHello () {
System.out.println ("Hello, AOP");
}
public void sayAnyThing (String s) {
System.out.println (s);
}
public static void main (String[] args) {
sayHello ();
sayAnyThing ("ok");
}
}
This is the existing Java code called TestClass.java. Now if we want to make use of aspects to make two modifications such as:
1.We would like to print a message before and after any call to the TestClass.sayHello() method.
2.We need to test that the argument of the TestClass.sayAnyThing() method is at least three characters.

Here is the AspectJ implementation
source: http://www.developer.com/design/article.php/3308941/Aspect-Oriented-Programming.htm
1: public aspect MyAspect {
2: public pointcut sayMethodCall (): call (public void TestClass.say*() );
3: public pointcut sayMethodCallArg (String str): call
(public void TestClass.sayAnyThing (String))
&& args(str);
4: before(): sayMethodCall() {
5: System.out.println("\n TestClass." +
thisJoinPointStaticPart.getSignature().getName() +
"start..." );
6: }
7: after(): sayMethodCall() {
8: System.out.println("\n TestClass." +
thisJoinPointStaticPart.getSignature().getName() +
" end...");
9: }
10: before(String str): sayMethodCallArg(str) {
11: if (str .length() < 3) {
12: System.out.println ("Error: I can't say words less than 3
characters");
13: return;
14: }
15: }
16: }

From 1, we see that an aspect is defined in the same way as a Java class. Just like any Java class, an aspect may have member variables and methods. In addition, it may include pointcuts, advices, and introductions.
In lines 2 and 3, we specify the place in the TestClass code where our modification will take place.
In AspectJ, 'join points' represent well-defined points in a program's execution. Typical join points in AspectJ include method/constructor calls, method/constructor execution, field get and set, exception handler execution, and static and dynamic initialization. In the example above, two join points are used :the call to TestClass.sayHello and TestClass.sayAnyThing methods.
Pointcut is a language construct that picks out a set of join points based on defined criteria. The criteria can be explicit function names, or function names specified by wildcards.
public pointcut sayMethodCall (): call (public void
TestClass.say*() );

In this line, we define a pointcut- sayMethodCall, which picks out any call to the TestClass.sayHello method. It also picks out any public TestClass method with zero arguments and a name that starts with 'say' (for example, TestClass.sayBye).
Pointcuts are used in the definition of advice. An advice is used to define additional code to be executed before, after, or around join points. In our example, lines 4–6 and 7–9 define two advices that will be executed before and after the first pointcut. Lines 10–15 implement an advice associated with the second pointcut and are used to set a precondition before the execution of the TestClass.sayAnyThing method.
Thus pointcuts and advice let us affect the dynamic execution of a program.
Introduction allows aspects to modify the static structure of a program. By using introduction, aspects can add new methods and variables to a class, declare that a class implements an interface, or convert checked to unchecked exceptions.

[[http://www.developer.com/design/article.php/3308941/Aspect-Oriented-Programming.htm 2]]

== AspectJ Plugin tool ==

The AspectJ Development Tools (AJDT) project provides Eclipse platform based tool with AspectJ. For a clearer definition, go to [[http://eclipse.org/ajdt/ Appendix 2]].
AspectJ is run under the same open source collective as the Eclipse project and provides the most advanced AspectJ plug-in for an IDE. The AspectJ Development Tools (AJDT) for Eclipse not only provides Eclipse users with tools to code AspectJ applications, but also includes a visualizer to show you where your aspects will be applied. To know how to install this tool AJDT, click here http://onjava.com/onjava/2004/11/24/aspect_j.pdf or http://www.eclipse.org/ajdt/EclipseCon2006/

== AspectR ==

The concepts of Aspect-oriented programming to Ruby is provided by AspectR. Inside the classes, existing methods can be wrapped around by code using AspectR.The design of the code can be improved since it separates different concerns into different parts of the code. It is similar to AspectJ. [[http://aspectr.sourceforge.net/ 5]]

Main features of AspectR:

• Join points.

• Object receives method/constructor call.

• Field accessed (if access is via getter/setter method).

Advices can access:

• Object and method receiving call.

• Arguments to call.

• Return value.

• exceptions raised.

Aspects:

• Supports "abstract" Aspects and overriding between advices.

• Wildcards (really regexps) can be used in pointcut designators, ie. to specify classes and methods to wrap advices to

• Pointcut parameters.

AspectR lets a module wrap any number of methods in other classes (or objects) with the "advice" methods (in the lingo of Aspect/J) of the module.

source: http://aspectr.sourceforge.net/
require 'aspectr'
include AspectR
class MyAspect < Aspect
def someAdviceMethod(method, object, exitstatus, *args)
...
end
... some other advice methods ...
end
ma = MyAspect.new
ma.wrap(someClassorObject, :preAdvice, :postAdvice, ... methods to wrap...) or
ma.wrap(someClassorObject, :preAdvice, :postAdvice, /patternToWrap/) or
AspectR.wrap_classes(ma, :preAdvice, :postAdvice,
[Class1, Class2], ...methods to wrap...)

Advice methods are passed a variable number of parameters: the first is the name of the method currently being wrapped the second is the object receiving the method call the third is the exit/return status:

source:http://aspectr.sourceforge.net/
Array with return value(s) if the method exited normally
true if the method exited with an exception
nil if the method hasn't yet exited (for preAdvice)
The rest are the arguments that were passed to the wrapped method.[[http://aspectr.sourceforge.net/ 5]]

Aquarium is a framework that implements Aspect-Oriented Programming (AOP) for Ruby.
Domain Specific Language is one of the features provided by Aquarium, which helps you to build your code in a modular way i.e using minimal language possible without repeating yourself all over the code.[[http://aquarium.rubyforge.org/index.html 6]]

For example if you want to implement a behavior in Aquarium where you want to trace all invocations of public,instance methods in classes whose name ends wit "service". This is how it is done.

source: http://aquarium.rubyforge.org/index.html
class ServiceTracer
include Aquarium::DSL before :calls_to => :all_methods, :in_types => /Service$/ do |join_point, object, *args log "Entering:
#{join_point.target_type.name}##{join_point.method_name}: object = #{object}, args = #{args}"
end
after :calls_to => :all_methods, :in_types => /Service$/ do |join_point, object, *args|log "Leaving:
#{join_point.target_type.name}##{join_point.method_name}: object = #{object}, args = #{args}"
end
end

The #before advice adds behavior that is invoked before each method is invoked, in this case, it logs a message with the name of the executing class and method, followed by the list of arguments passed to the method.
The #after advice adds similar behavior the is invoked after each method is invoked.

A better implementation of this can be written as follows:

source: http://aquarium.rubyforge.org/index.html
class ServiceTracer
include Aquarium::DSL around :calls_to => :all_methods, :in_types => /Service$/ do |join_point, object, *args| log "Entering:
{join_point.target_type.name}##{join_point.method_name}: object = #{object}, args = #{args}"
result = join_point.proceed
log "Leaving: #{join_point.target_type.name}##{join_point.method_name}: object = #{object}, args = #{args}"
result # block needs to return the result of the "proceed"!
end
end

The special method #proceed invokes the advised method, passing it the args list (by default). For #around advice, you must call#proceed unless you specifically don’t want the original method called.[[http://aquarium.rubyforge.org/index.html 6]]

== Appendix ==

'''1'''. AspectJ is an aspect-oriented extension created at PARC for the Java programming language. It is available in Eclipse Foundation open-source projects, both stand-alone and integrated into Eclipse. For more information refer to: http://en.wikipedia.org/wiki/AspectJ

'''2'''. For more information on AJDT, click here : http://eclipse.org/ajdt/

'''3'''. cross cutting concerns - http://en.wikipedia.org/wiki/Cross-cutting_concern

== References & Resources ==

[1] http://onjava.com/onjava/2004/01/14/aop.html

[2] http://www.developer.com/design/article.php/3308941/Aspect-Oriented-Programming.htm

[3] http://www.voelter.de/data/articles/aop/aop.html

[4]http://rubyforge.org/projects/aquarium/

[5]http://aspectr.sourceforge.net/

[6]http://aquarium.rubyforge.org/examples.html

CSC/ECE 517 Fall 2009/wiki1a 10 wolf27-Manhattan

2009-09-11T04:23:08Z

Wolf27: /* References */

Ruby and Java from a Security Perspective 
Students: wolf 27 and Manhattan

----

== Introduction ==
It is widely held that the three “pillars” of a secure system are confidentiality, availability, and integrity. That is, is a users data safe from unauthorized viewing/disclosure; is the users data available when they want it; and is the data the same as what they expected. There are many techniques, algorithms, and methods available to ensure these three pillars. The language used to develop the software on a secure system can play a major role in how effective in how algorithms, etc. help protect the confidentiality, availability, and integrity of secure data. This article compares two popular languages, Ruby and Java with respect to some of features of each language that aid in developing a secure software system.

In Java, Security can be considered in three contexts : 
1) Virtual Machine Security 
2) Application Security 
3) Network Security 

Some of the key features regarding the above security issues are discussed in this article.

== Ruby ==

'''''“Safe Levels” in Ruby''''' 
Arguable one of Ruby’s features with respect to security is its “Safe Levels”. Ruby implements five levels of data checking to help prevent what its calls “tainted” variables from being used in other parts of the code where the system could be exploited.

All objects in Ruby are marked as “tainted” if they are derived from some external source. For example, an object is tainted if it read using ‘gets’, read from a file, is an environment variable, etc. Each Ruby object contains a method named, ‘tainted?’ as well as methods named ‘taint’ and ‘untaint’.

The ‘tainted?’ method is used to return a boolean value to indicate if the variable is tainted or not. Likewise, the ‘taint’ method is used to taint an untainted object and ‘untaint’ is used to remove a tainted label from an object. The code below shows a simple example of a String object becoming tainted.

#Tainted vs. Untainted
>> my_string = String.new # A new string is created
=> ""
>> my_string.tainted? # The string is not tainted; there has been no external influence
=> false
>> my_string = "Hello" # Still no external influence
=> "Hello"
>> my_string.tainted?
=> false
>> my_string = my_string + gets #Since part of the string now came from the console, it is tainted
World!
=> "Hello World!\n"
>> my_string.tainted?
=> true

To help manage tainted and untainted objects, Ruby define a built in constant named $SAFE that allows the user to define what “safe level”. The $SAFE variable is simply set at the beginning of the program in the way any other variable would be. For example,
$SAFE = 3
sets Ruby’s “safe level” to 3.

Each safe level allows (or disallows) certain actions, primarily based on whether an object is tainted or untainted. There are a few other operations that are also disallowed by Ruby at the various safe levels. Note that Ruby’s default safe level is 0, which means there all operates are allowed regardless of the the tainted status of the object. The books “Programming Ruby” [1] provides an excellent table to use as reference for the actives allowed and disallows at each safe level. Below are some highlight of each safe level.

$SAFE = 0
Default “Safe Level”
No additional security features
All operations allowed on all untainted and tainted variables
$SAFE >= 1
Calling the ‘glob’ or ‘eval’ methods on tainted strings is disallowed.
Loading a file using a string that is tainted is disallowed.
Executing system commands using a tainted string is disallowed.
$SAFE >= 2
Loading a file from a source that is writable by ‘world’ is disallowed.
$SAFE >= 3
All object created are tainted and no object may not be untainted using the untaint method.
$SAFE >= 4
Essentially creates a Sandbox (an isolated, safe, place to run untrused code)
Writing to files is disallowed
Modifying global variable is disallowed.

'''''Ruby’s Unbounded Polymorphism (a.k.a. Duck Typing) and Security''''' 
Ruby’s unbounded polymorphism functionally is arguably very powerful. However this power functionally could also create a potential problem with code developed. Since Ruby is a dynamically typed language, it is not possible to check and ensure that objects being used are of the expected type. If that object looks like another object, it can be treated as that object.

If not managed properly, an adversary or malicious piece of code could be executed unintentionally because of Ruby’s unbounded polymorphism. Consider the code below.

Class Good_code
def good_method
... # some good code
end 
def another_good_method
... # some more good code
end
end 
Class Bad_code
def good_method
... #some BAD code, that looks good
end 
def another_good_method
... #some more bad code
end
end 
def my_method(good_code)
good_code.good_method
good_code.another_good_method
end 
my_method(Bad_code.new)

In the example above, the malicious code will run, even though the developer of my_method thought and intended to only run code from the ‘good_code’ object. The developer must take greater caution when implementing code that takes another objects as to unintentionally execute a different object.

'''''Automatic Bounds Checking''''' 
Ruby automatically checks bounds of data structures such as arrays. Bounds checking is very important to creating a secure system. If a user, intentionally or unintentionally, is able cause code to access an array index outside of the array, the system may crash, other data in memory may be overwritten, or unexpected (possibly private) data may be returned.

'''''Cryptographic Libraries''''' 
The ability to perform basic cryptographic functions is necessary to help ensure the confidentially of data stored on a system (thought encryption) and the integrity of data (by cryptographic signature/hash). Ruby provides, built in, only a very limited set of cryptographic functionally. One such function is the String classes crypt method.

There are several open source library for performing cryptographic functions on objects available for Ruby such as crypt [2]. The crypt library provides access to such encryption algorithms AES, Blowfish, and IDEA.

'''''Survey of Current and Past Publish Security Vulnerabilities''''' 
The official Ruby site [3] contains a security section that list a number of current and past security vulnerabilities found.

== Java Security Features ==

'''''Java language security constructs''''' 
Within a Java program, every entity −− that is, every object reference and every primitive data
element −− has an access level associated with it. 
Private : The entity can only be accessed by code that is contained within the class that defines the entity. 
Protected : The entity can only be accessed by code that is contained within the class that defines the entity, by
classes within the same package as the defining class, or by a subclass of the defining class. 
Public : The entity can be accessed by code in any class. 

'''''Programs are not allowed to access arbitrary memory locations''''' 
For example, casting between an
int and an Object is strictly illegal in Java. 

'''''Variables may not be used before they are initialized''''' 
If a program were able to read the value of an uninitialized variable, the effect would be the same as if
it were able to read random memory locations. A Java class wishing to exploit this defect might then
declare a huge uninitialized section of variables in an attempt to snoop the memory contents of the
user's machine. To prevent this type of attack, all local variables in Java must be initialized before
they are used, and all instance variables in Java are automatically initialized to a default value.

'''''Objects cannot be arbitrarily cast into other objects''''' 
Consider the below example.

public class CreditCard { 
private String acctNo; 
}
public class CreditCardSnoop { 
public String acctNo; 
} 

Then the following code will not be allowed execute:

CreditCard cc = Wallet.getCreditCard( ); 
CreditCardSnoop snoop = (CreditCardSnoop) cc; 
System.out.println("Ha! Your account number is " + snoop.acctNo); 

Java does not allow arbitrary casting between objects; an object can only be cast to one of its
superclasses or its subclasses. 

To satisfy the compiler code can be changed as follows: 
Object cc = Wallet.getCreditCard( ); 
CreditCardSnoop snoop = (CreditCardSnoop) cc; 

In this case, the virtual machine will throw a ClassCastException when the
snoop variable is assigned to thwart the attack.

'''''The Bytecode Verifier''''' 
This is used to check whether the code compiled by the compiler is a legal java code. The Java verifier examines all such application byte code and, using a fancy set of heuristics, identifies code that doesn't play by the rules. Once byte code is verified, the virtual machine knows that it's safe to execute.

For example, consider the following classes

public class CreditCard { 
public String acctNo = "0001 0002 0003 0004"; 
} 

public class Test { 
public static void main(String args[]) { 
CreditCard cc = new CreditCard( ); 
System.out.println("Your account number is " + cc.acctNo); 
} 
} 

If we run this code, we'll create a CreditCard object and print out its account number. If we change the definition of
acctNo to be private and recompile only the CreditCard class. We then have two class files and the
Test class file contains Java code that illegally accesses the private instance variable acctNo of the
CreditCard class and hence will not be allowed to execute.

'''''Java Cryptographic Extension(JCE)''''' 
JCE provides a framework and implementations for encryption, key generation and key agreement, and Message Authentication Code (MAC) algorithms. Support for encryption includes symmetric, asymmetric, block, and stream ciphers.

'''''Java Authentication and Authorization Service (JAAS)''''' 
JAAS , as the name suggests is used for 
1) For authentication of users, to reliably and securely determine who is currently executing Java code, regardless of whether the code is running as an application, an applet, a bean, or a servlet. 
2) For authorization of users, to ensure they have the access control rights (permissions) required to perform the actions.

'''''Java Secure Socket Extension (JSSE)''''' 
JSSE enables secure Internet communications.It provides a framework and an implementation for the Socket Security Layer(SSL) and Transport Layer Security(TLS) protocols and includes functionality for data encryption, server authentication, message integrity, and optional client authentication.

The Secure Sockets Layer(SSL) and Transport Layer Security(TLS) protocols are used to protect the privacy and integrity of data while it is transferred across a network.

== References ==
[1] Hunt, Andrew and Thomas David. "Programming Ruby,The Pragmatic Programmer's Guide". 
[2] "Crypt" Library Website: http://crypt[dot]rubyforge[dot]org/ 
[3] Ruby Website, Security Sections: http://www[dot]ruby-lang[dot]org/en/security/ 
[4] Scott Oaks. "Java Security". 
[5] Sun website, Security Sections: http://java[dot]sun[dot]com/javase/technologies/security/

Talk:CSC/ECE 517 Fall 2009/wiki1a 10 wolf27-Manhattan

2009-09-11T04:17:35Z

Wolf27:

CSC/ECE 517 Fall 2009/wiki1a 10 wolf27-Manhattan

2009-09-06T00:48:33Z

Wolf27: /* Java Security Features */

Ruby and Java from a Security Perspective 
Students: wolf 27 and Manhattan

----

== Introduction ==
It is widely held that the three “pillars” of a secure system are confidentiality, availability, and integrity. That is, is a users data safe from unauthorized viewing/disclosure; is the users data available when they want it; and is the data the same as what they expected. There are many techniques, algorithms, and methods available to ensure these three pillars. The language used to develop the software on a secure system can play a major role in how effective in how algorithms, etc. help protect the confidentiality, availability, and integrity of secure data. This article compares two popular languages, Ruby and Java with respect to some of features of each language that aid in developing a secure software system.

In Java, Security can be considered in three contexts : 
1) Virtual Machine Security 
2) Application Security 
3) Network Security 

Some of the key features regarding the above security issues are discussed in this article.

== Ruby ==

'''''“Safe Levels” in Ruby''''' 
Arguable one of Ruby’s features with respect to security is its “Safe Levels”. Ruby implements five levels of data checking to help prevent what its calls “tainted” variables from being used in other parts of the code where the system could be exploited.

All objects in Ruby are marked as “tainted” if they are derived from some external source. For example, an object is tainted if it read using ‘gets’, read from a file, is an environment variable, etc. Each Ruby object contains a method named, ‘tainted?’ as well as methods named ‘taint’ and ‘untaint’.

The ‘tainted?’ method is used to return a boolean value to indicate if the variable is tainted or not. Likewise, the ‘taint’ method is used to taint an untainted object and ‘untaint’ is used to remove a tainted label from an object. The code below shows a simple example of a String object becoming tainted.

#Tainted vs. Untainted
>> my_string = String.new # A new string is created
=> ""
>> my_string.tainted? # The string is not tainted; there has been no external influence
=> false
>> my_string = "Hello" # Still no external influence
=> "Hello"
>> my_string.tainted?
=> false
>> my_string = my_string + gets #Since part of the string now came from the console, it is tainted
World!
=> "Hello World!\n"
>> my_string.tainted?
=> true

To help manage tainted and untainted objects, Ruby define a built in constant named $SAFE that allows the user to define what “safe level”. The $SAFE variable is simply set at the beginning of the program in the way any other variable would be. For example,
$SAFE = 3
sets Ruby’s “safe level” to 3.

Each safe level allows (or disallows) certain actions, primarily based on whether an object is tainted or untainted. There are a few other operations that are also disallowed by Ruby at the various safe levels. Note that Ruby’s default safe level is 0, which means there all operates are allowed regardless of the the tainted status of the object. The books “Programming Ruby” [1] provides an excellent table to use as reference for the actives allowed and disallows at each safe level. Below are some highlight of each safe level.

$SAFE = 0
Default “Safe Level”
No additional security features
All operations allowed on all untainted and tainted variables
$SAFE >= 1
Calling the ‘glob’ or ‘eval’ methods on tainted strings is disallowed.
Loading a file using a string that is tainted is disallowed.
Executing system commands using a tainted string is disallowed.
$SAFE >= 2
Loading a file from a source that is writable by ‘world’ is disallowed.
$SAFE >= 3
All object created are tainted and no object may not be untainted using the untaint method.
$SAFE >= 4
Essentially creates a Sandbox (an isolated, safe, place to run untrused code)
Writing to files is disallowed
Modifying global variable is disallowed.

'''''Ruby’s Unbounded Polymorphism (a.k.a. Duck Typing) and Security''''' 
Ruby’s unbounded polymorphism functionally is arguably very powerful. However this power functionally could also create a potential problem with code developed. Since Ruby is a dynamically typed language, it is not possible to check and ensure that objects being used are of the expected type. If that object looks like another object, it can be treated as that object.

If not managed properly, an adversary or malicious piece of code could be executed unintentionally because of Ruby’s unbounded polymorphism. Consider the code below.

Class Good_code
def good_method
... # some good code
end 
def another_good_method
... # some more good code
end
end 
Class Bad_code
def good_method
... #some BAD code, that looks good
end 
def another_good_method
... #some more bad code
end
end 
def my_method(good_code)
good_code.good_method
good_code.another_good_method
end 
my_method(Bad_code.new)

In the example above, the malicious code will run, even though the developer of my_method thought and intended to only run code from the ‘good_code’ object. The developer must take greater caution when implementing code that takes another objects as to unintentionally execute a different object.

'''''Automatic Bounds Checking''''' 
Ruby automatically checks bounds of data structures such as arrays. Bounds checking is very important to creating a secure system. If a user, intentionally or unintentionally, is able cause code to access an array index outside of the array, the system may crash, other data in memory may be overwritten, or unexpected (possibly private) data may be returned.

'''''Cryptographic Libraries''''' 
The ability to perform basic cryptographic functions is necessary to help ensure the confidentially of data stored on a system (thought encryption) and the integrity of data (by cryptographic signature/hash). Ruby provides, built in, only a very limited set of cryptographic functionally. One such function is the String classes crypt method.

There are several open source library for performing cryptographic functions on objects available for Ruby such as crypt [2]. The crypt library provides access to such encryption algorithms AES, Blowfish, and IDEA.

'''''Survey of Current and Past Publish Security Vulnerabilities''''' 
The official Ruby site [3] contains a security section that list a number of current and past security vulnerabilities found.

== Java Security Features ==

'''''Java language security constructs''''' 
Within a Java program, every entity −− that is, every object reference and every primitive data
element −− has an access level associated with it. 
Private : The entity can only be accessed by code that is contained within the class that defines the entity. 
Protected : The entity can only be accessed by code that is contained within the class that defines the entity, by
classes within the same package as the defining class, or by a subclass of the defining class. 
Public : The entity can be accessed by code in any class. 

'''''Programs are not allowed to access arbitrary memory locations''''' 
For example, casting between an
int and an Object is strictly illegal in Java. 

'''''Variables may not be used before they are initialized''''' 
If a program were able to read the value of an uninitialized variable, the effect would be the same as if
it were able to read random memory locations. A Java class wishing to exploit this defect might then
declare a huge uninitialized section of variables in an attempt to snoop the memory contents of the
user's machine. To prevent this type of attack, all local variables in Java must be initialized before
they are used, and all instance variables in Java are automatically initialized to a default value.

'''''Objects cannot be arbitrarily cast into other objects''''' 
Consider the below example.

public class CreditCard { 
private String acctNo; 
}
public class CreditCardSnoop { 
public String acctNo; 
} 

Then the following code will not be allowed execute:

CreditCard cc = Wallet.getCreditCard( ); 
CreditCardSnoop snoop = (CreditCardSnoop) cc; 
System.out.println("Ha! Your account number is " + snoop.acctNo); 

Java does not allow arbitrary casting between objects; an object can only be cast to one of its
superclasses or its subclasses. 

To satisfy the compiler code can be changed as follows: 
Object cc = Wallet.getCreditCard( ); 
CreditCardSnoop snoop = (CreditCardSnoop) cc; 

In this case, the virtual machine will throw a ClassCastException when the
snoop variable is assigned to thwart the attack.

'''''The Bytecode Verifier''''' 
This is used to check whether the code compiled by the compiler is a legal java code. The Java verifier examines all such application byte code and, using a fancy set of heuristics, identifies code that doesn't play by the rules. Once byte code is verified, the virtual machine knows that it's safe to execute.

For example, consider the following classes

public class CreditCard { 
public String acctNo = "0001 0002 0003 0004"; 
} 

public class Test { 
public static void main(String args[]) { 
CreditCard cc = new CreditCard( ); 
System.out.println("Your account number is " + cc.acctNo); 
} 
} 

If we run this code, we'll create a CreditCard object and print out its account number. If we change the definition of
acctNo to be private and recompile only the CreditCard class. We then have two class files and the
Test class file contains Java code that illegally accesses the private instance variable acctNo of the
CreditCard class and hence will not be allowed to execute.

'''''Java Cryptographic Extension(JCE)''''' 
JCE provides a framework and implementations for encryption, key generation and key agreement, and Message Authentication Code (MAC) algorithms. Support for encryption includes symmetric, asymmetric, block, and stream ciphers.

'''''Java Authentication and Authorization Service (JAAS)''''' 
JAAS , as the name suggests is used for 
1) For authentication of users, to reliably and securely determine who is currently executing Java code, regardless of whether the code is running as an application, an applet, a bean, or a servlet. 
2) For authorization of users, to ensure they have the access control rights (permissions) required to perform the actions.

'''''Java Secure Socket Extension (JSSE)''''' 
JSSE enables secure Internet communications.It provides a framework and an implementation for the Socket Security Layer(SSL) and Transport Layer Security(TLS) protocols and includes functionality for data encryption, server authentication, message integrity, and optional client authentication.

The Secure Sockets Layer(SSL) and Transport Layer Security(TLS) protocols are used to protect the privacy and integrity of data while it is transferred across a network.

== References ==
[1] Hunt, Andrew and Thomas David. "Programming Ruby, The Pragmatic Programmer's Guide". 
[2] "Crypt" Library Website: http://crypt[dot]rubyforge[dot]org/ 
[3] Ruby Website, Security Sections: http://www[dot]ruby-lang[dot]org/en/security/ 
[4] Scott Oaks. "Java Security". 
[5] Sun website, Security Sections: http://java[dot]sun[dot]com/javase/technologies/security/

CSC/ECE 517 Fall 2009/wiki1a 10 wolf27-Manhattan

2009-09-06T00:46:54Z

Wolf27: /* Java Security Features */

Ruby and Java from a Security Perspective 
Students: wolf 27 and Manhattan

----

== Introduction ==
It is widely held that the three “pillars” of a secure system are confidentiality, availability, and integrity. That is, is a users data safe from unauthorized viewing/disclosure; is the users data available when they want it; and is the data the same as what they expected. There are many techniques, algorithms, and methods available to ensure these three pillars. The language used to develop the software on a secure system can play a major role in how effective in how algorithms, etc. help protect the confidentiality, availability, and integrity of secure data. This article compares two popular languages, Ruby and Java with respect to some of features of each language that aid in developing a secure software system.

In Java, Security can be considered in three contexts : 
1) Virtual Machine Security 
2) Application Security 
3) Network Security 

Some of the key features regarding the above security issues are discussed in this article.

== Ruby ==

'''''“Safe Levels” in Ruby''''' 
Arguable one of Ruby’s features with respect to security is its “Safe Levels”. Ruby implements five levels of data checking to help prevent what its calls “tainted” variables from being used in other parts of the code where the system could be exploited.

All objects in Ruby are marked as “tainted” if they are derived from some external source. For example, an object is tainted if it read using ‘gets’, read from a file, is an environment variable, etc. Each Ruby object contains a method named, ‘tainted?’ as well as methods named ‘taint’ and ‘untaint’.

The ‘tainted?’ method is used to return a boolean value to indicate if the variable is tainted or not. Likewise, the ‘taint’ method is used to taint an untainted object and ‘untaint’ is used to remove a tainted label from an object. The code below shows a simple example of a String object becoming tainted.

#Tainted vs. Untainted
>> my_string = String.new # A new string is created
=> ""
>> my_string.tainted? # The string is not tainted; there has been no external influence
=> false
>> my_string = "Hello" # Still no external influence
=> "Hello"
>> my_string.tainted?
=> false
>> my_string = my_string + gets #Since part of the string now came from the console, it is tainted
World!
=> "Hello World!\n"
>> my_string.tainted?
=> true

To help manage tainted and untainted objects, Ruby define a built in constant named $SAFE that allows the user to define what “safe level”. The $SAFE variable is simply set at the beginning of the program in the way any other variable would be. For example,
$SAFE = 3
sets Ruby’s “safe level” to 3.

Each safe level allows (or disallows) certain actions, primarily based on whether an object is tainted or untainted. There are a few other operations that are also disallowed by Ruby at the various safe levels. Note that Ruby’s default safe level is 0, which means there all operates are allowed regardless of the the tainted status of the object. The books “Programming Ruby” [1] provides an excellent table to use as reference for the actives allowed and disallows at each safe level. Below are some highlight of each safe level.

$SAFE = 0
Default “Safe Level”
No additional security features
All operations allowed on all untainted and tainted variables
$SAFE >= 1
Calling the ‘glob’ or ‘eval’ methods on tainted strings is disallowed.
Loading a file using a string that is tainted is disallowed.
Executing system commands using a tainted string is disallowed.
$SAFE >= 2
Loading a file from a source that is writable by ‘world’ is disallowed.
$SAFE >= 3
All object created are tainted and no object may not be untainted using the untaint method.
$SAFE >= 4
Essentially creates a Sandbox (an isolated, safe, place to run untrused code)
Writing to files is disallowed
Modifying global variable is disallowed.

'''''Ruby’s Unbounded Polymorphism (a.k.a. Duck Typing) and Security''''' 
Ruby’s unbounded polymorphism functionally is arguably very powerful. However this power functionally could also create a potential problem with code developed. Since Ruby is a dynamically typed language, it is not possible to check and ensure that objects being used are of the expected type. If that object looks like another object, it can be treated as that object.

If not managed properly, an adversary or malicious piece of code could be executed unintentionally because of Ruby’s unbounded polymorphism. Consider the code below.

Class Good_code
def good_method
... # some good code
end 
def another_good_method
... # some more good code
end
end 
Class Bad_code
def good_method
... #some BAD code, that looks good
end 
def another_good_method
... #some more bad code
end
end 
def my_method(good_code)
good_code.good_method
good_code.another_good_method
end 
my_method(Bad_code.new)

In the example above, the malicious code will run, even though the developer of my_method thought and intended to only run code from the ‘good_code’ object. The developer must take greater caution when implementing code that takes another objects as to unintentionally execute a different object.

'''''Automatic Bounds Checking''''' 
Ruby automatically checks bounds of data structures such as arrays. Bounds checking is very important to creating a secure system. If a user, intentionally or unintentionally, is able cause code to access an array index outside of the array, the system may crash, other data in memory may be overwritten, or unexpected (possibly private) data may be returned.

'''''Cryptographic Libraries''''' 
The ability to perform basic cryptographic functions is necessary to help ensure the confidentially of data stored on a system (thought encryption) and the integrity of data (by cryptographic signature/hash). Ruby provides, built in, only a very limited set of cryptographic functionally. One such function is the String classes crypt method.

There are several open source library for performing cryptographic functions on objects available for Ruby such as crypt [2]. The crypt library provides access to such encryption algorithms AES, Blowfish, and IDEA.

'''''Survey of Current and Past Publish Security Vulnerabilities''''' 
The official Ruby site [3] contains a security section that list a number of current and past security vulnerabilities found.

== Java Security Features ==

'''''Java language security constructs''''' 
Within a Java program, every entity −− that is, every object reference and every primitive data
element −− has an access level associated with it. 
Private : The entity can only be accessed by code that is contained within the class that defines the entity. 
Protected : The entity can only be accessed by code that is contained within the class that defines the entity, by
classes within the same package as the defining class, or by a subclass of the defining class. 
Public : The entity can be accessed by code in any class. 

'''''Programs are not allowed to access arbitrary memory locations''''' 
For example, casting between an
int and an Object is strictly illegal in Java. 

'''''Variables may not be used before they are initialized''''' 
If a program were able to read the value of an uninitialized variable, the effect would be the same as if
it were able to read random memory locations. A Java class wishing to exploit this defect might then
declare a huge uninitialized section of variables in an attempt to snoop the memory contents of the
user's machine. To prevent this type of attack, all local variables in Java must be initialized before
they are used, and all instance variables in Java are automatically initialized to a default value.

'''''Objects cannot be arbitrarily cast into other objects''''' 
Consider the below example.

public class CreditCard { 
private String acctNo; 
}
public class CreditCardSnoop { 
public String acctNo; 
} 

Then the following code will not be allowed execute:

CreditCard cc = Wallet.getCreditCard( ); 
CreditCardSnoop snoop = (CreditCardSnoop) cc; 
System.out.println("Ha! Your account number is " + snoop.acctNo); 

Java does not allow arbitrary casting between objects; an object can only be cast to one of its
superclasses or its subclasses. 

To satisfy the compiler code can be changed as follows: 
Object cc = Wallet.getCreditCard( ); 
CreditCardSnoop snoop = (CreditCardSnoop) cc; 

In this case, the virtual machine will throw a ClassCastException when the
snoop variable is assigned to thwart the attack.

'''''The Bytecode Verifier''''' 
This is used to check whether the code compiled by the compiler is a legal java code. The Java verifier examines all such application byte code and, using a fancy set of heuristics, identifies code that doesn't play by the rules. Once byte code is verified, the virtual machine knows that it's safe to execute.

For example, consider the following classes

public class CreditCard { 
public String acctNo = "0001 0002 0003 0004"; 
} 

public class Test { 
public static void main(String args[]) { 
CreditCard cc = new CreditCard( ); 
System.out.println("Your account number is " + cc.acctNo); 
} 
} 

If we run this code, we'll create a CreditCard object and print out its account number. If we change the definition of
acctNo to be private and recompile only the CreditCard class. We then have two class files and the
Test class file contains Java code that illegally accesses the private instance variable acctNo of the
CreditCard class and hence will not be allowed to execute.

'''''Java Cryptographic Extension(JCE)''''' 
JCE provides a framework and implementations for encryption, key generation and key agreement, and Message Authentication Code (MAC) algorithms. Support for encryption includes symmetric, asymmetric, block, and stream ciphers.

'''''Java Authentication and Authorization Service (JAAS)''''' 
JAAS , as the name suggests is used for 
1) For authentication of users, to reliably and securely determine who is currently executing Java code, regardless of whether the code is running as an application, an applet, a bean, or a servlet. 
2) For authorization of users, to ensure they have the access control rights (permissions) required to perform the actions.

'''''Java Secure Socket Extension (JSSE)''''' 
JSSE enables secure Internet communications.It provides a framework and an implementation for the Socket Security Layer(SSL) and Transport Layer Security(TLS) protocols and includes functionality for data encryption, server authentication, message integrity, and optional client authentication.

The Secure Sockets Layer(SSL) and Transport Layer Security(TLS) protocols are used to protect the privacy and integrity of data while it is transferred across a network.

== References ==
[1] Hunt, Andrew and Thomas David. "Programming Ruby, The Pragmatic Programmer's Guide". 
[2] "Crypt" Library Website: http://crypt[dot]rubyforge[dot]org/ 
[3] Ruby Website, Security Sections: http://www[dot]ruby-lang[dot]org/en/security/ 
[4] Scott Oaks. "Java Security". 
[5] Sun website, Security Sections: http://java[dot]sun[dot]com/javase/technologies/security/

CSC/ECE 517 Fall 2009/wiki1a 10 wolf27-Manhattan

2009-09-06T00:40:46Z

Wolf27: /* Introduction */

Ruby and Java from a Security Perspective 
Students: wolf 27 and Manhattan

----

== Introduction ==
It is widely held that the three “pillars” of a secure system are confidentiality, availability, and integrity. That is, is a users data safe from unauthorized viewing/disclosure; is the users data available when they want it; and is the data the same as what they expected. There are many techniques, algorithms, and methods available to ensure these three pillars. The language used to develop the software on a secure system can play a major role in how effective in how algorithms, etc. help protect the confidentiality, availability, and integrity of secure data. This article compares two popular languages, Ruby and Java with respect to some of features of each language that aid in developing a secure software system.

In Java, Security can be considered in three contexts : 
1) Virtual Machine Security 
2) Application Security 
3) Network Security 

Some of the key features regarding the above security issues are discussed in this article.

== Ruby ==

'''''“Safe Levels” in Ruby''''' 
Arguable one of Ruby’s features with respect to security is its “Safe Levels”. Ruby implements five levels of data checking to help prevent what its calls “tainted” variables from being used in other parts of the code where the system could be exploited.

All objects in Ruby are marked as “tainted” if they are derived from some external source. For example, an object is tainted if it read using ‘gets’, read from a file, is an environment variable, etc. Each Ruby object contains a method named, ‘tainted?’ as well as methods named ‘taint’ and ‘untaint’.

The ‘tainted?’ method is used to return a boolean value to indicate if the variable is tainted or not. Likewise, the ‘taint’ method is used to taint an untainted object and ‘untaint’ is used to remove a tainted label from an object. The code below shows a simple example of a String object becoming tainted.

#Tainted vs. Untainted
>> my_string = String.new # A new string is created
=> ""
>> my_string.tainted? # The string is not tainted; there has been no external influence
=> false
>> my_string = "Hello" # Still no external influence
=> "Hello"
>> my_string.tainted?
=> false
>> my_string = my_string + gets #Since part of the string now came from the console, it is tainted
World!
=> "Hello World!\n"
>> my_string.tainted?
=> true

To help manage tainted and untainted objects, Ruby define a built in constant named $SAFE that allows the user to define what “safe level”. The $SAFE variable is simply set at the beginning of the program in the way any other variable would be. For example,
$SAFE = 3
sets Ruby’s “safe level” to 3.

Each safe level allows (or disallows) certain actions, primarily based on whether an object is tainted or untainted. There are a few other operations that are also disallowed by Ruby at the various safe levels. Note that Ruby’s default safe level is 0, which means there all operates are allowed regardless of the the tainted status of the object. The books “Programming Ruby” [1] provides an excellent table to use as reference for the actives allowed and disallows at each safe level. Below are some highlight of each safe level.

$SAFE = 0
Default “Safe Level”
No additional security features
All operations allowed on all untainted and tainted variables
$SAFE >= 1
Calling the ‘glob’ or ‘eval’ methods on tainted strings is disallowed.
Loading a file using a string that is tainted is disallowed.
Executing system commands using a tainted string is disallowed.
$SAFE >= 2
Loading a file from a source that is writable by ‘world’ is disallowed.
$SAFE >= 3
All object created are tainted and no object may not be untainted using the untaint method.
$SAFE >= 4
Essentially creates a Sandbox (an isolated, safe, place to run untrused code)
Writing to files is disallowed
Modifying global variable is disallowed.

'''''Ruby’s Unbounded Polymorphism (a.k.a. Duck Typing) and Security''''' 
Ruby’s unbounded polymorphism functionally is arguably very powerful. However this power functionally could also create a potential problem with code developed. Since Ruby is a dynamically typed language, it is not possible to check and ensure that objects being used are of the expected type. If that object looks like another object, it can be treated as that object.

If not managed properly, an adversary or malicious piece of code could be executed unintentionally because of Ruby’s unbounded polymorphism. Consider the code below.

Class Good_code
def good_method
... # some good code
end 
def another_good_method
... # some more good code
end
end 
Class Bad_code
def good_method
... #some BAD code, that looks good
end 
def another_good_method
... #some more bad code
end
end 
def my_method(good_code)
good_code.good_method
good_code.another_good_method
end 
my_method(Bad_code.new)

In the example above, the malicious code will run, even though the developer of my_method thought and intended to only run code from the ‘good_code’ object. The developer must take greater caution when implementing code that takes another objects as to unintentionally execute a different object.

'''''Automatic Bounds Checking''''' 
Ruby automatically checks bounds of data structures such as arrays. Bounds checking is very important to creating a secure system. If a user, intentionally or unintentionally, is able cause code to access an array index outside of the array, the system may crash, other data in memory may be overwritten, or unexpected (possibly private) data may be returned.

'''''Cryptographic Libraries''''' 
The ability to perform basic cryptographic functions is necessary to help ensure the confidentially of data stored on a system (thought encryption) and the integrity of data (by cryptographic signature/hash). Ruby provides, built in, only a very limited set of cryptographic functionally. One such function is the String classes crypt method.

There are several open source library for performing cryptographic functions on objects available for Ruby such as crypt [2]. The crypt library provides access to such encryption algorithms AES, Blowfish, and IDEA.

'''''Survey of Current and Past Publish Security Vulnerabilities''''' 
The official Ruby site [3] contains a security section that list a number of current and past security vulnerabilities found.

== Java Security Features ==

'''''Programs are not allowed to access arbitrary memory locations''''' 
For example, casting between an
int and an Object is strictly illegal in Java. 

'''''Variables may not be used before they are initialized''''' 
If a program were able to read the value of an uninitialized variable, the effect would be the same as if
it were able to read random memory locations. A Java class wishing to exploit this defect might then
declare a huge uninitialized section of variables in an attempt to snoop the memory contents of the
user's machine. To prevent this type of attack, all local variables in Java must be initialized before
they are used, and all instance variables in Java are automatically initialized to a default value.

'''''Objects cannot be arbitrarily cast into other objects''''' 
Consider the below example.

public class CreditCard { 
private String acctNo; 
}
public class CreditCardSnoop { 
public String acctNo; 
} 

Then the following code will not be allowed execute:

CreditCard cc = Wallet.getCreditCard( ); 
CreditCardSnoop snoop = (CreditCardSnoop) cc; 
System.out.println("Ha! Your account number is " + snoop.acctNo); 

Java does not allow arbitrary casting between objects; an object can only be cast to one of its
superclasses or its subclasses. 

To satisfy the compiler code can be changed as follows: 
Object cc = Wallet.getCreditCard( ); 
CreditCardSnoop snoop = (CreditCardSnoop) cc; 

In this case, the virtual machine will throw a ClassCastException when the
snoop variable is assigned to thwart the attack.

'''''The Bytecode Verifier''''' 
This is used to check whether the code compiled by the compiler is a legal java code. The Java verifier examines all such application byte code and, using a fancy set of heuristics, identifies code that doesn't play by the rules. Once byte code is verified, the virtual machine knows that it's safe to execute.

For example, consider the following classes

public class CreditCard { 
public String acctNo = "0001 0002 0003 0004"; 
} 

public class Test { 
public static void main(String args[]) { 
CreditCard cc = new CreditCard( ); 
System.out.println("Your account number is " + cc.acctNo); 
} 
} 

If we run this code, we'll create a CreditCard object and print out its account number. If we change the definition of
acctNo to be private and recompile only the CreditCard class. We then have two class files and the
Test class file contains Java code that illegally accesses the private instance variable acctNo of the
CreditCard class and hence will not be allowed to execute.

'''''Java Cryptographic Extension(JCE)''''' 
JCE provides a framework and implementations for encryption, key generation and key agreement, and Message Authentication Code (MAC) algorithms. Support for encryption includes symmetric, asymmetric, block, and stream ciphers.

'''''Java Authentication and Authorization Service (JAAS)''''' 
JAAS , as the name suggests is used for 
1) For authentication of users, to reliably and securely determine who is currently executing Java code, regardless of whether the code is running as an application, an applet, a bean, or a servlet. 
2) For authorization of users, to ensure they have the access control rights (permissions) required to perform the actions.

'''''Java Secure Socket Extension (JSSE)''''' 
JSSE enables secure Internet communications.It provides a framework and an implementation for the Socket Security Layer(SSL) and Transport Layer Security(TLS) protocols and includes functionality for data encryption, server authentication, message integrity, and optional client authentication.

The Secure Sockets Layer(SSL) and Transport Layer Security(TLS) protocols are used to protect the privacy and integrity of data while it is transferred across a network.

== References ==
[1] Hunt, Andrew and Thomas David. "Programming Ruby, The Pragmatic Programmer's Guide". 
[2] "Crypt" Library Website: http://crypt[dot]rubyforge[dot]org/ 
[3] Ruby Website, Security Sections: http://www[dot]ruby-lang[dot]org/en/security/ 
[4] Scott Oaks. "Java Security". 
[5] Sun website, Security Sections: http://java[dot]sun[dot]com/javase/technologies/security/

CSC/ECE 517 Fall 2009/wiki1a 10 wolf27-Manhattan

2009-09-06T00:30:55Z

Wolf27: /* References */

Ruby and Java from a Security Perspective 
Students: wolf 27 and Manhattan

----

== Introduction ==
It is widely held that the three “pillars” of a secure system are confidentiality, availability, and integrity. That is, is a users data safe from unauthorized viewing/disclosure; is the users data available when they want it; and is the data the same as what they expected. There are many techniques, algorithms, and methods available to ensure these three pillars. The language used to develop the software on a secure system can play a major role in how effective in how algorithms, etc. help protect the confidentiality, availability, and integrity of secure data. This article compares two popular languages, Ruby and Java with respect to some of features of each language that aid in developing a secure software system.

In Java, Security can be considered in three contexts :
1) Virtual Machine Security
2) Application Security
3) Network Security

== Ruby ==

'''''“Safe Levels” in Ruby''''' 
Arguable one of Ruby’s features with respect to security is its “Safe Levels”. Ruby implements five levels of data checking to help prevent what its calls “tainted” variables from being used in other parts of the code where the system could be exploited.

All objects in Ruby are marked as “tainted” if they are derived from some external source. For example, an object is tainted if it read using ‘gets’, read from a file, is an environment variable, etc. Each Ruby object contains a method named, ‘tainted?’ as well as methods named ‘taint’ and ‘untaint’.

The ‘tainted?’ method is used to return a boolean value to indicate if the variable is tainted or not. Likewise, the ‘taint’ method is used to taint an untainted object and ‘untaint’ is used to remove a tainted label from an object. The code below shows a simple example of a String object becoming tainted.

#Tainted vs. Untainted
>> my_string = String.new # A new string is created
=> ""
>> my_string.tainted? # The string is not tainted; there has been no external influence
=> false
>> my_string = "Hello" # Still no external influence
=> "Hello"
>> my_string.tainted?
=> false
>> my_string = my_string + gets #Since part of the string now came from the console, it is tainted
World!
=> "Hello World!\n"
>> my_string.tainted?
=> true

To help manage tainted and untainted objects, Ruby define a built in constant named $SAFE that allows the user to define what “safe level”. The $SAFE variable is simply set at the beginning of the program in the way any other variable would be. For example,
$SAFE = 3
sets Ruby’s “safe level” to 3.

Each safe level allows (or disallows) certain actions, primarily based on whether an object is tainted or untainted. There are a few other operations that are also disallowed by Ruby at the various safe levels. Note that Ruby’s default safe level is 0, which means there all operates are allowed regardless of the the tainted status of the object. The books “Programming Ruby” [1] provides an excellent table to use as reference for the actives allowed and disallows at each safe level. Below are some highlight of each safe level.

$SAFE = 0
Default “Safe Level”
No additional security features
All operations allowed on all untainted and tainted variables
$SAFE >= 1
Calling the ‘glob’ or ‘eval’ methods on tainted strings is disallowed.
Loading a file using a string that is tainted is disallowed.
Executing system commands using a tainted string is disallowed.
$SAFE >= 2
Loading a file from a source that is writable by ‘world’ is disallowed.
$SAFE >= 3
All object created are tainted and no object may not be untainted using the untaint method.
$SAFE >= 4
Essentially creates a Sandbox (an isolated, safe, place to run untrused code)
Writing to files is disallowed
Modifying global variable is disallowed.

'''''Ruby’s Unbounded Polymorphism (a.k.a. Duck Typing) and Security''''' 
Ruby’s unbounded polymorphism functionally is arguably very powerful. However this power functionally could also create a potential problem with code developed. Since Ruby is a dynamically typed language, it is not possible to check and ensure that objects being used are of the expected type. If that object looks like another object, it can be treated as that object.

If not managed properly, an adversary or malicious piece of code could be executed unintentionally because of Ruby’s unbounded polymorphism. Consider the code below.

Class Good_code
def good_method
... # some good code
end 
def another_good_method
... # some more good code
end
end 
Class Bad_code
def good_method
... #some BAD code, that looks good
end 
def another_good_method
... #some more bad code
end
end 
def my_method(good_code)
good_code.good_method
good_code.another_good_method
end 
my_method(Bad_code.new)

In the example above, the malicious code will run, even though the developer of my_method thought and intended to only run code from the ‘good_code’ object. The developer must take greater caution when implementing code that takes another objects as to unintentionally execute a different object.

'''''Automatic Bounds Checking''''' 
Ruby automatically checks bounds of data structures such as arrays. Bounds checking is very important to creating a secure system. If a user, intentionally or unintentionally, is able cause code to access an array index outside of the array, the system may crash, other data in memory may be overwritten, or unexpected (possibly private) data may be returned.

'''''Cryptographic Libraries''''' 
The ability to perform basic cryptographic functions is necessary to help ensure the confidentially of data stored on a system (thought encryption) and the integrity of data (by cryptographic signature/hash). Ruby provides, built in, only a very limited set of cryptographic functionally. One such function is the String classes crypt method.

There are several open source library for performing cryptographic functions on objects available for Ruby such as crypt [2]. The crypt library provides access to such encryption algorithms AES, Blowfish, and IDEA.

'''''Survey of Current and Past Publish Security Vulnerabilities''''' 
The official Ruby site [3] contains a security section that list a number of current and past security vulnerabilities found.

== Java Security Features ==

'''''Programs are not allowed to access arbitrary memory locations''''' 
For example, casting between an
int and an Object is strictly illegal in Java. 

'''''Variables may not be used before they are initialized''''' 
If a program were able to read the value of an uninitialized variable, the effect would be the same as if
it were able to read random memory locations. A Java class wishing to exploit this defect might then
declare a huge uninitialized section of variables in an attempt to snoop the memory contents of the
user's machine. To prevent this type of attack, all local variables in Java must be initialized before
they are used, and all instance variables in Java are automatically initialized to a default value.

'''''Objects cannot be arbitrarily cast into other objects''''' 
Consider the below example.

public class CreditCard { 
private String acctNo; 
}
public class CreditCardSnoop { 
public String acctNo; 
} 

Then the following code will not be allowed execute:

CreditCard cc = Wallet.getCreditCard( ); 
CreditCardSnoop snoop = (CreditCardSnoop) cc; 
System.out.println("Ha! Your account number is " + snoop.acctNo); 

Java does not allow arbitrary casting between objects; an object can only be cast to one of its
superclasses or its subclasses. 

To satisfy the compiler code can be changed as follows: 
Object cc = Wallet.getCreditCard( ); 
CreditCardSnoop snoop = (CreditCardSnoop) cc; 

In this case, the virtual machine will throw a ClassCastException when the
snoop variable is assigned to thwart the attack.

'''''The Bytecode Verifier''''' 
This is used to check whether the code compiled by the compiler is a legal java code. The Java verifier examines all such application byte code and, using a fancy set of heuristics, identifies code that doesn't play by the rules. Once byte code is verified, the virtual machine knows that it's safe to execute.

For example, consider the following classes

public class CreditCard { 
public String acctNo = "0001 0002 0003 0004"; 
} 

public class Test { 
public static void main(String args[]) { 
CreditCard cc = new CreditCard( ); 
System.out.println("Your account number is " + cc.acctNo); 
} 
} 

If we run this code, we'll create a CreditCard object and print out its account number. If we change the definition of
acctNo to be private and recompile only the CreditCard class. We then have two class files and the
Test class file contains Java code that illegally accesses the private instance variable acctNo of the
CreditCard class and hence will not be allowed to execute.

'''''Java Cryptographic Extension(JCE)''''' 
JCE provides a framework and implementations for encryption, key generation and key agreement, and Message Authentication Code (MAC) algorithms. Support for encryption includes symmetric, asymmetric, block, and stream ciphers.

'''''Java Authentication and Authorization Service (JAAS)''''' 
JAAS , as the name suggests is used for 
1) For authentication of users, to reliably and securely determine who is currently executing Java code, regardless of whether the code is running as an application, an applet, a bean, or a servlet. 
2) For authorization of users, to ensure they have the access control rights (permissions) required to perform the actions.

'''''Java Secure Socket Extension (JSSE)''''' 
JSSE enables secure Internet communications.It provides a framework and an implementation for the Socket Security Layer(SSL) and Transport Layer Security(TLS) protocols and includes functionality for data encryption, server authentication, message integrity, and optional client authentication.

The Secure Sockets Layer(SSL) and Transport Layer Security(TLS) protocols are used to protect the privacy and integrity of data while it is transferred across a network.

== References ==
[1] Hunt, Andrew and Thomas David. "Programming Ruby, The Pragmatic Programmer's Guide". 
[2] "Crypt" Library Website: http://crypt[dot]rubyforge[dot]org/ 
[3] Ruby Website, Security Sections: http://www[dot]ruby-lang[dot]org/en/security/ 
[4] Scott Oaks. "Java Security". 
[5] Sun website, Security Sections: http://java[dot]sun[dot]com/javase/technologies/security/

CSC/ECE 517 Fall 2009/wiki1a 10 wolf27-Manhattan

2009-09-06T00:25:22Z

Wolf27: /* Java Security Features */

Ruby and Java from a Security Perspective 
Students: wolf 27 and Manhattan

----

== Introduction ==
It is widely held that the three “pillars” of a secure system are confidentiality, availability, and integrity. That is, is a users data safe from unauthorized viewing/disclosure; is the users data available when they want it; and is the data the same as what they expected. There are many techniques, algorithms, and methods available to ensure these three pillars. The language used to develop the software on a secure system can play a major role in how effective in how algorithms, etc. help protect the confidentiality, availability, and integrity of secure data. This article compares two popular languages, Ruby and Java with respect to some of features of each language that aid in developing a secure software system.

In Java, Security can be considered in three contexts :
1) Virtual Machine Security
2) Application Security
3) Network Security

== Ruby ==

'''''“Safe Levels” in Ruby''''' 
Arguable one of Ruby’s features with respect to security is its “Safe Levels”. Ruby implements five levels of data checking to help prevent what its calls “tainted” variables from being used in other parts of the code where the system could be exploited.

All objects in Ruby are marked as “tainted” if they are derived from some external source. For example, an object is tainted if it read using ‘gets’, read from a file, is an environment variable, etc. Each Ruby object contains a method named, ‘tainted?’ as well as methods named ‘taint’ and ‘untaint’.

The ‘tainted?’ method is used to return a boolean value to indicate if the variable is tainted or not. Likewise, the ‘taint’ method is used to taint an untainted object and ‘untaint’ is used to remove a tainted label from an object. The code below shows a simple example of a String object becoming tainted.

#Tainted vs. Untainted
>> my_string = String.new # A new string is created
=> ""
>> my_string.tainted? # The string is not tainted; there has been no external influence
=> false
>> my_string = "Hello" # Still no external influence
=> "Hello"
>> my_string.tainted?
=> false
>> my_string = my_string + gets #Since part of the string now came from the console, it is tainted
World!
=> "Hello World!\n"
>> my_string.tainted?
=> true

To help manage tainted and untainted objects, Ruby define a built in constant named $SAFE that allows the user to define what “safe level”. The $SAFE variable is simply set at the beginning of the program in the way any other variable would be. For example,
$SAFE = 3
sets Ruby’s “safe level” to 3.

Each safe level allows (or disallows) certain actions, primarily based on whether an object is tainted or untainted. There are a few other operations that are also disallowed by Ruby at the various safe levels. Note that Ruby’s default safe level is 0, which means there all operates are allowed regardless of the the tainted status of the object. The books “Programming Ruby” [1] provides an excellent table to use as reference for the actives allowed and disallows at each safe level. Below are some highlight of each safe level.

$SAFE = 0
Default “Safe Level”
No additional security features
All operations allowed on all untainted and tainted variables
$SAFE >= 1
Calling the ‘glob’ or ‘eval’ methods on tainted strings is disallowed.
Loading a file using a string that is tainted is disallowed.
Executing system commands using a tainted string is disallowed.
$SAFE >= 2
Loading a file from a source that is writable by ‘world’ is disallowed.
$SAFE >= 3
All object created are tainted and no object may not be untainted using the untaint method.
$SAFE >= 4
Essentially creates a Sandbox (an isolated, safe, place to run untrused code)
Writing to files is disallowed
Modifying global variable is disallowed.

'''''Ruby’s Unbounded Polymorphism (a.k.a. Duck Typing) and Security''''' 
Ruby’s unbounded polymorphism functionally is arguably very powerful. However this power functionally could also create a potential problem with code developed. Since Ruby is a dynamically typed language, it is not possible to check and ensure that objects being used are of the expected type. If that object looks like another object, it can be treated as that object.

If not managed properly, an adversary or malicious piece of code could be executed unintentionally because of Ruby’s unbounded polymorphism. Consider the code below.

Class Good_code
def good_method
... # some good code
end 
def another_good_method
... # some more good code
end
end 
Class Bad_code
def good_method
... #some BAD code, that looks good
end 
def another_good_method
... #some more bad code
end
end 
def my_method(good_code)
good_code.good_method
good_code.another_good_method
end 
my_method(Bad_code.new)

In the example above, the malicious code will run, even though the developer of my_method thought and intended to only run code from the ‘good_code’ object. The developer must take greater caution when implementing code that takes another objects as to unintentionally execute a different object.

'''''Automatic Bounds Checking''''' 
Ruby automatically checks bounds of data structures such as arrays. Bounds checking is very important to creating a secure system. If a user, intentionally or unintentionally, is able cause code to access an array index outside of the array, the system may crash, other data in memory may be overwritten, or unexpected (possibly private) data may be returned.

'''''Cryptographic Libraries''''' 
The ability to perform basic cryptographic functions is necessary to help ensure the confidentially of data stored on a system (thought encryption) and the integrity of data (by cryptographic signature/hash). Ruby provides, built in, only a very limited set of cryptographic functionally. One such function is the String classes crypt method.

There are several open source library for performing cryptographic functions on objects available for Ruby such as crypt [2]. The crypt library provides access to such encryption algorithms AES, Blowfish, and IDEA.

'''''Survey of Current and Past Publish Security Vulnerabilities''''' 
The official Ruby site [3] contains a security section that list a number of current and past security vulnerabilities found.

== Java Security Features ==

'''''Programs are not allowed to access arbitrary memory locations''''' 
For example, casting between an
int and an Object is strictly illegal in Java. 

'''''Variables may not be used before they are initialized''''' 
If a program were able to read the value of an uninitialized variable, the effect would be the same as if
it were able to read random memory locations. A Java class wishing to exploit this defect might then
declare a huge uninitialized section of variables in an attempt to snoop the memory contents of the
user's machine. To prevent this type of attack, all local variables in Java must be initialized before
they are used, and all instance variables in Java are automatically initialized to a default value.

'''''Objects cannot be arbitrarily cast into other objects''''' 
Consider the below example.

public class CreditCard { 
private String acctNo; 
}
public class CreditCardSnoop { 
public String acctNo; 
} 

Then the following code will not be allowed execute:

CreditCard cc = Wallet.getCreditCard( ); 
CreditCardSnoop snoop = (CreditCardSnoop) cc; 
System.out.println("Ha! Your account number is " + snoop.acctNo); 

Java does not allow arbitrary casting between objects; an object can only be cast to one of its
superclasses or its subclasses. 

To satisfy the compiler code can be changed as follows: 
Object cc = Wallet.getCreditCard( ); 
CreditCardSnoop snoop = (CreditCardSnoop) cc; 

In this case, the virtual machine will throw a ClassCastException when the
snoop variable is assigned to thwart the attack.

'''''The Bytecode Verifier''''' 
This is used to check whether the code compiled by the compiler is a legal java code. The Java verifier examines all such application byte code and, using a fancy set of heuristics, identifies code that doesn't play by the rules. Once byte code is verified, the virtual machine knows that it's safe to execute.

For example, consider the following classes

public class CreditCard { 
public String acctNo = "0001 0002 0003 0004"; 
} 

public class Test { 
public static void main(String args[]) { 
CreditCard cc = new CreditCard( ); 
System.out.println("Your account number is " + cc.acctNo); 
} 
} 

If we run this code, we'll create a CreditCard object and print out its account number. If we change the definition of
acctNo to be private and recompile only the CreditCard class. We then have two class files and the
Test class file contains Java code that illegally accesses the private instance variable acctNo of the
CreditCard class and hence will not be allowed to execute.

'''''Java Cryptographic Extension(JCE)''''' 
JCE provides a framework and implementations for encryption, key generation and key agreement, and Message Authentication Code (MAC) algorithms. Support for encryption includes symmetric, asymmetric, block, and stream ciphers.

'''''Java Authentication and Authorization Service (JAAS)''''' 
JAAS , as the name suggests is used for 
1) For authentication of users, to reliably and securely determine who is currently executing Java code, regardless of whether the code is running as an application, an applet, a bean, or a servlet. 
2) For authorization of users, to ensure they have the access control rights (permissions) required to perform the actions.

'''''Java Secure Socket Extension (JSSE)''''' 
JSSE enables secure Internet communications.It provides a framework and an implementation for the Socket Security Layer(SSL) and Transport Layer Security(TLS) protocols and includes functionality for data encryption, server authentication, message integrity, and optional client authentication.

The Secure Sockets Layer(SSL) and Transport Layer Security(TLS) protocols are used to protect the privacy and integrity of data while it is transferred across a network.

== References ==
[1] Hunt, Andrew and Thomas David. "Programming Ruby, The Pragmatic Programmer's Guide". 
[2] "Crypt" Library Website: http://crypt[dot]rubyforge[dot]org/ 
[3] Ruby Website, Security Sections: http://www[dot]ruby-lang[dot]org/en/security/

CSC/ECE 517 Fall 2009/wiki1a 10 wolf27-Manhattan

2009-09-05T09:26:30Z

Wolf27: /* Ruby */

Ruby and Java from a Security Perspective 
Students: wolf 27 and Manhattan

----

== Introduction ==
It is widely held that the three “pillars” of a secure system are confidentiality, availability, and integrity. That is, is a users data safe from unauthorized viewing/disclosure; is the users data available when they want it; and is the data the same as what they expected. There are many techniques, algorithms, and methods available to ensure these three pillars. The language used to develop the software on a secure system can play a major role in how effective in how algorithms, etc. help protect the confidentiality, availability, and integrity of secure data. This article compares two popular languages, Ruby and Java with respect to some of features of each language that aid in developing a secure software system.

In Java, Security can be considered in three contexts :
1) Virtual Machine Security
2) Application Security
3) Network Security

== Ruby ==

'''''“Safe Levels” in Ruby''''' 
Arguable one of Ruby’s features with respect to security is its “Safe Levels”. Ruby implements five levels of data checking to help prevent what its calls “tainted” variables from being used in other parts of the code where the system could be exploited.

All objects in Ruby are marked as “tainted” if they are derived from some external source. For example, an object is tainted if it read using ‘gets’, read from a file, is an environment variable, etc. Each Ruby object contains a method named, ‘tainted?’ as well as methods named ‘taint’ and ‘untaint’.

The ‘tainted?’ method is used to return a boolean value to indicate if the variable is tainted or not. Likewise, the ‘taint’ method is used to taint an untainted object and ‘untaint’ is used to remove a tainted label from an object. The code below shows a simple example of a String object becoming tainted.

#Tainted vs. Untainted
>> my_string = String.new # A new string is created
=> ""
>> my_string.tainted? # The string is not tainted; there has been no external influence
=> false
>> my_string = "Hello" # Still no external influence
=> "Hello"
>> my_string.tainted?
=> false
>> my_string = my_string + gets #Since part of the string now came from the console, it is tainted
World!
=> "Hello World!\n"
>> my_string.tainted?
=> true

To help manage tainted and untainted objects, Ruby define a built in constant named $SAFE that allows the user to define what “safe level”. The $SAFE variable is simply set at the beginning of the program in the way any other variable would be. For example,
$SAFE = 3
sets Ruby’s “safe level” to 3.

Each safe level allows (or disallows) certain actions, primarily based on whether an object is tainted or untainted. There are a few other operations that are also disallowed by Ruby at the various safe levels. Note that Ruby’s default safe level is 0, which means there all operates are allowed regardless of the the tainted status of the object. The books “Programming Ruby” [1] provides an excellent table to use as reference for the actives allowed and disallows at each safe level. Below are some highlight of each safe level.

$SAFE = 0
Default “Safe Level”
No additional security features
All operations allowed on all untainted and tainted variables
$SAFE >= 1
Calling the ‘glob’ or ‘eval’ methods on tainted strings is disallowed.
Loading a file using a string that is tainted is disallowed.
Executing system commands using a tainted string is disallowed.
$SAFE >= 2
Loading a file from a source that is writable by ‘world’ is disallowed.
$SAFE >= 3
All object created are tainted and no object may not be untainted using the untaint method.
$SAFE >= 4
Essentially creates a Sandbox (an isolated, safe, place to run untrused code)
Writing to files is disallowed
Modifying global variable is disallowed.

'''''Ruby’s Unbounded Polymorphism (a.k.a. Duck Typing) and Security''''' 
Ruby’s unbounded polymorphism functionally is arguably very powerful. However this power functionally could also create a potential problem with code developed. Since Ruby is a dynamically typed language, it is not possible to check and ensure that objects being used are of the expected type. If that object looks like another object, it can be treated as that object.

If not managed properly, an adversary or malicious piece of code could be executed unintentionally because of Ruby’s unbounded polymorphism. Consider the code below.

Class Good_code
def good_method
... # some good code
end 
def another_good_method
... # some more good code
end
end 
Class Bad_code
def good_method
... #some BAD code, that looks good
end 
def another_good_method
... #some more bad code
end
end 
def my_method(good_code)
good_code.good_method
good_code.another_good_method
end 
my_method(Bad_code.new)

In the example above, the malicious code will run, even though the developer of my_method thought and intended to only run code from the ‘good_code’ object. The developer must take greater caution when implementing code that takes another objects as to unintentionally execute a different object.

'''''Automatic Bounds Checking''''' 
Ruby automatically checks bounds of data structures such as arrays. Bounds checking is very important to creating a secure system. If a user, intentionally or unintentionally, is able cause code to access an array index outside of the array, the system may crash, other data in memory may be overwritten, or unexpected (possibly private) data may be returned.

'''''Cryptographic Libraries''''' 
The ability to perform basic cryptographic functions is necessary to help ensure the confidentially of data stored on a system (thought encryption) and the integrity of data (by cryptographic signature/hash). Ruby provides, built in, only a very limited set of cryptographic functionally. One such function is the String classes crypt method.

There are several open source library for performing cryptographic functions on objects available for Ruby such as crypt [2]. The crypt library provides access to such encryption algorithms AES, Blowfish, and IDEA.

'''''Survey of Current and Past Publish Security Vulnerabilities''''' 
The official Ruby site [3] contains a security section that list a number of current and past security vulnerabilities found.

Java Security Features 

Programs are not allowed to access arbitrary memory locations. 
For example, casting between an
int and an Object is strictly illegal in Java. 

Variables may not be used before they are initialized. 
If a program were able to read the value of an uninitialized variable, the effect would be the same as if
it were able to read random memory locations. A Java class wishing to exploit this defect might then
declare a huge uninitialized section of variables in an attempt to snoop the memory contents of the
user's machine. To prevent this type of attack, all local variables in Java must be initialized before
they are used, and all instance variables in Java are automatically initialized to a default value.

Objects cannot be arbitrarily cast into other objects. 
Consider the below example.

public class CreditCard { 
private String acctNo; 
} 

public class CreditCardSnoop { 
public String acctNo; 
} 

Then the following code will not be allowed execute:

CreditCard cc = Wallet.getCreditCard( ); 
CreditCardSnoop snoop = (CreditCardSnoop) cc; 
System.out.println("Ha! Your account number is " + snoop.acctNo); 

Java does not allow arbitrary casting between objects; an object can only be cast to one of its
superclasses or its subclasses. 

To satisfy the compiler code can be changed as follows: 
Object cc = Wallet.getCreditCard( ); 
CreditCardSnoop snoop = (CreditCardSnoop) cc; 

In this case, the virtual machine will throw a ClassCastException when the
snoop variable is assigned to thwart the attack.

The Bytecode Verifier 
This is used to check whether the code compiled by the compiler is a legal java code. The Java verifier examines all such application byte code and, using a fancy set of heuristics, identifies code that doesn't play by the rules. Once byte code is verified, the virtual machine knows that it's safe to execute.

For example, consider the following classes

public class CreditCard { 
public String acctNo = "0001 0002 0003 0004"; 
} 

public class Test { 
public static void main(String args[]) { 
CreditCard cc = new CreditCard( ); 
System.out.println("Your account number is " + cc.acctNo); 
} 
} 

If we run this code, we'll create a CreditCard object and print out its account number. If we change the definition of
acctNo to be private and recompile only the CreditCard class. We then have two class files and the
Test class file contains Java code that illegally accesses the private instance variable acctNo of the
CreditCard class and hence will not be allowed to execute.

== References ==
[1] Hunt, Andrew and Thomas David. "Programming Ruby, The Pragmatic Programmer's Guide". 
[2] "Crypt" Library Website: http://crypt[dot]rubyforge[dot]org/ 
[3] Ruby Website, Security Sections: http://www[dot]ruby-lang[dot]org/en/security/

CSC/ECE 517 Fall 2009/wiki1a 10 wolf27-Manhattan

2009-09-05T07:39:42Z

Wolf27: /* Ruby */

Ruby and Java from a Security Perspective 
Students: wolf 27 and Manhattan

----

== Introduction ==
It is widely held that the three “pillars” of a secure system are confidentiality, availability, and integrity. That is, is a users data safe from unauthorized viewing/disclosure; is the users data available when they want it; and is the data the same as what they expected. There are many techniques, algorithms, and methods available to ensure these three pillars. The language used to develop the software on a secure system can play a major role in how effective in how algorithms, etc. help protect the confidentiality, availability, and integrity of secure data. This article compares two popular languages, Ruby and Java with respect to some of features of each language that aid in developing a secure software system.

In Java, Security can be considered in three contexts :
1) Virtual Machine Security
2) Application Security
3) Network Security

== Ruby ==

'''''“Safe Levels” in Ruby''''' 
Arguable one of Ruby’s features with respect to security is its “Safe Levels”. Ruby implements five levels of data checking to help prevent what its calls “tainted” variables from being used in other parts of the code where the system could be exploited.

All objects in Ruby are marked as “tainted” if they are derived from some external source. For example, an object is tainted if it read using ‘gets’, read from a file, is an environment variable, etc. Each Ruby object contains a method named, ‘tainted?’ as well as methods named ‘taint’ and ‘untaint’.

The ‘tainted?’ method is used to return a boolean value to indicate if the variable is tainted or not. Likewise, the ‘taint’ method is used to taint an untainted object and ‘untaint’ is used to remove a tainted label from an object. The code below shows a simple example of a String object becoming tainted.

#Tainted vs. Untainted
>> my_string = String.new # A new string is created
=> ""
>> my_string.tainted? # The string is not tainted; there has been no external influence
=> false
>> my_string = "Hello" # Still no external influence
=> "Hello"
>> my_string.tainted?
=> false
>> my_string = my_string + gets #Since part of the string now came from the console, it is tainted
World!
=> "Hello World!\n"
>> my_string.tainted?
=> true

To help manage tainted and untainted objects, Ruby define a built in constant named $SAFE that allows the user to define what “safe level”. The $SAFE variable is simply set at the beginning of the program in the way any other variable would be. For example,
$SAFE = 3
sets Ruby’s “safe level” to 3.

Each safe level allows (or disallows) certain actions, primarily based on whether an object is tainted or untainted. There are a few other operations that are also disallowed by Ruby at the various safe levels. Note that Ruby’s default safe level is 0, which means there all operates are allowed regardless of the the tainted status of the object. The books “Programming Ruby” [1] provides an excellent table to use as reference for the actives allowed and disallows at each safe level. Below are some highlight of each safe level.

$SAFE = 0
Default “Safe Level”
No additional security features
All operations allowed on all untainted and tainted variables
$SAFE >= 1
Calling the ‘glob’ or ‘eval’ methods on tainted strings is disallowed.
Loading a file using a string that is tainted is disallowed.
Executing system commands using a tainted string is disallowed.
$SAFE >= 2
Loading a file from a source that is writable by ‘world’ is disallowed.
$SAFE >= 3
All object created are tainted and no object may not be untainted using the untaint method.
$SAFE >= 4
Essentially creates a Sandbox (an isolated, safe, place to run untrused code)
Writing to files is disallowed
Modifying global variable is disallowed.

'''''Ruby’s Unbounded Polymorphism (a.k.a. Duck Typing) and Security''''' 
Ruby’s unbounded polymorphism functionally is arguably very powerful. However this power functionally could also create a potential problem with code developed. Since Ruby is a dynamically typed language, it is not possible to check and ensure that objects being used are of the expected type. If that object looks like another object, it can be treated as that object.

If not managed properly, an adversary or malicious piece of code could be executed unintentionally because of Ruby’s unbounded polymorphism. Consider the code below.

Class Good_code
def good_method
... # some good code
end 
def another_good_method
... # some more good code
end
end 
Class Bad_code
def good_method
... #some BAD code, that looks good
end 
def another_good_method
... #some more bad code
end
end 
def my_method(good_code)
good_code.good_method
good_code.another_good_method
end 
my_method(Bad_code.new)

In the example above, the malicious code will run, even though the developer of my_method thought and intended to only run code from the ‘good_code’ object. The developer must take greater caution when implementing code that takes another objects as to unintentionally execute a different object.

'''''Automatic Bounds Checking''''' 
Ruby automatically checks bounds of data structures such as arrays. Bounds checking is very important to creating a secure system. If a user, intentionally or unintentionally, is able cause code to access an array index outside of the array, the system may crash, other data in memory may be overwritten, or unexpected (possibly private) data may be returned.

'''''Cryptographic Libraries''''' 
The ability to perform basic cryptographic functions is necessary to help ensure the confidentially of data stored on a system (thought encryption) and the integrity of data (by cryptographic signature/hash). Ruby provides, built in, only a very limited set of cryptographic functionally. One such function is the String classes crypt method.

There are several open source library for performing cryptographic functions on objects available for Ruby such as crypt [2]. The crypt library provides access to such encryption algorithms AES, Blowfish, and IDEA.

'''''Survey of Current and Past Publish Security Vulnerabilities''''' 
The official Ruby site [3] contains a security section that list a number of current and past security vulnerabilities found.

Java Security Features 

Programs are not allowed to access arbitrary memory locations. 
For example, casting between an
int and an Object is strictly illegal in Java. 

Variables may not be used before they are initialized. 
If a program were able to read the value of an uninitialized variable, the effect would be the same as if
it were able to read random memory locations. A Java class wishing to exploit this defect might then
declare a huge uninitialized section of variables in an attempt to snoop the memory contents of the
user's machine. To prevent this type of attack, all local variables in Java must be initialized before
they are used, and all instance variables in Java are automatically initialized to a default value.

Objects cannot be arbitrarily cast into other objects. 
Consider the below example.

public class CreditCard { 
private String acctNo; 
} 

public class CreditCardSnoop { 
public String acctNo; 
} 

Then the following code will not be allowed execute:

CreditCard cc = Wallet.getCreditCard( ); 
CreditCardSnoop snoop = (CreditCardSnoop) cc; 
System.out.println("Ha! Your account number is " + snoop.acctNo); 

Java does not allow arbitrary casting between objects; an object can only be cast to one of its
superclasses or its subclasses. 

To satisfy the compiler code can be changed as follows: 
Object cc = Wallet.getCreditCard( ); 
CreditCardSnoop snoop = (CreditCardSnoop) cc; 

In this case, the virtual machine will throw a ClassCastException when the
snoop variable is assigned to thwart the attack.

== References ==
[1] Hunt, Andrew and Thomas David. "Programming Ruby, The Pragmatic Programmer's Guide". 
[2] "Crypt" Library Website: http://crypt[dot]rubyforge[dot]org/ 
[3] Ruby Website, Security Sections: http://www[dot]ruby-lang[dot]org/en/security/

Talk:CSC/ECE 517 Fall 2009/wiki1a 10 wolf27-Manhattan

2009-09-05T07:13:12Z

Wolf27: Java Security Features

Programs are not allowed to access arbitrary memory locations. 
For example, casting between an
int and an Object is strictly illegal in Java. 

Variables may not be used before they are initialized. 
If a program were able to read the value of an uninitialized variable, the effect would be the same as if
it were able to read random memory locations. A Java class wishing to exploit this defect might then
declare a huge uninitialized section of variables in an attempt to snoop the memory contents of the
user's machine. To prevent this type of attack, all local variables in Java must be initialized before
they are used, and all instance variables in Java are automatically initialized to a default value.

Objects cannot be arbitrarily cast into other objects. 
Consider the below example.

public class CreditCard { 
private String acctNo; 
} 

public class CreditCardSnoop { 
public String acctNo; 
} 

Then the following code will not be allowed execute:

CreditCard cc = Wallet.getCreditCard( ); 
CreditCardSnoop snoop = (CreditCardSnoop) cc; 
System.out.println("Ha! Your account number is " + snoop.acctNo); 

Java does not allow arbitrary casting between objects; an object can only be cast to one of its
superclasses or its subclasses. 

To satisfy the compiler code can be changed as follows: 
Object cc = Wallet.getCreditCard( ); 
CreditCardSnoop snoop = (CreditCardSnoop) cc; 

In this case, the virtual machine will throw a ClassCastException when the
snoop variable is assigned to thwart the attack.

CSC/ECE 517 Fall 2009/wiki1a 10 wolf27-Manhattan

2009-09-04T17:12:58Z

Wolf27: /* Introduction */