Workshop

01. Security and Hardening Concepts in Java/J2EE
Trainer: Marc Schonefeld (DE)
Date: 28-29 August 2006
Duration: 2 Days
Price: Rp. 13.500.000,-
Requirement: Participants are required to bring their own laptops capable of compiling Java code (preinstalled Sun JDK 1.4.2_x, 1.5.0_x and IBM Eclipse IDE 3.0.x).


Overview

Contrary to the legends most white papers tell, software written in Java is not secure by default. This course will give participants an awareness of the threats to Java-based software. It focuses on the code-based security features of current Java releases (1.4.x, Tiger and Mustang) that are used to protect typical Java application patterns (J2EE, Desktop Java, Applets, Servlets).

Secure Java coding always starts from Sun's secure programming guidelines, which are presented by associating each guideline with the attack types it prevents and the refactoring options available to harden the system. Executed Java classes are based on bytecode, therefore knowledge of Java bytecode is essential to understand and extend Java static code analysis tools like BCEL and FindBugs.

Other important terms in Java code-based security are protection domains and permission collections. To reverse engineer protection domains, an approach to extending the Java SecurityManager is presented. A framework is also presented that allows defining custom and complete permission sets when deploying Java applications.
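As an added illustration of what a "complete, custom permission set" for a deployed application looks like (this is example code written for this page, not course material and not the jchains framework mentioned in the outline): a policy file that grants one code base exactly the file and property access it needs, and a class that inspects its own protection domain and checks a permission explicitly before doing I/O. The class name com.example.ReportTool, the code base /opt/reporttool/classes, the report directory /var/app/reports and the policy file name are hypothetical.

```java
// Added example (not from the course): least-privilege permission set for a Java application.
// Assumed layout: classes under /opt/reporttool/classes, reports under /var/app/reports.
//
// Policy file "reporttool.policy" (hypothetical), loaded with
//   java -Djava.security.manager -Djava.security.policy==reporttool.policy com.example.ReportTool
// The double '==' makes this file the only policy in force, so no grants from the
// default java.policy of the JRE leak into the application's protection domain:
//
//   grant codeBase "file:/opt/reporttool/classes/-" {
//       permission java.io.FilePermission "/var/app/reports/-", "read";
//       permission java.util.PropertyPermission "user.dir", "read";
//   };
//
// Compile with: javac -d /opt/reporttool/classes com/example/ReportTool.java
package com.example;

import java.io.BufferedReader;
import java.io.FilePermission;
import java.io.FileReader;
import java.io.IOException;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.ProtectionDomain;

public class ReportTool {

    /**
     * Explicit permission check, useful in library code: fail early with a clear
     * answer instead of an AccessControlException thrown deep inside I/O code.
     * With no SecurityManager installed, checkPermission always succeeds.
     */
    public static boolean mayRead(String path) {
        try {
            AccessController.checkPermission(new FilePermission(path, "read"));
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    /** Reads the first line of a report; the SecurityManager enforces the FilePermission above. */
    public static String firstLine(String path) throws IOException {
        BufferedReader in = new BufferedReader(new FileReader(path));
        try {
            return in.readLine();
        } finally {
            in.close();
        }
    }

    public static void main(String[] args) throws IOException {
        if (System.getSecurityManager() == null) {
            System.err.println("No SecurityManager installed; run with -Djava.security.manager");
        }
        // The protection domain ties this class's code source to the permissions granted above.
        ProtectionDomain pd = ReportTool.class.getProtectionDomain();
        System.out.println("code source: " + pd.getCodeSource());
        System.out.println("permissions: " + pd.getPermissions());

        // Under the policy above: granted (prints true)
        System.out.println("/var/app/reports/q1.txt readable: " + mayRead("/var/app/reports/q1.txt"));
        // Not in the grant, so the check fails (prints false) rather than reading the file
        System.out.println("/etc/passwd readable: " + mayRead("/etc/passwd"));

        if (args.length > 0 && mayRead(args[0])) {
            System.out.println("first line: " + firstLine(args[0]));
        }
    }
}
```

Running the same class without the policy file (or without -Djava.security.manager) makes both checks succeed, which is exactly the gap between the permissions an application is deployed with and the permissions it actually needs that the course's permission-set work addresses.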

After hardening the JDK itself, the Java security engineer is concerned with raising the protection level of open-source Java middleware components like web servers (Jetty, Tomcat) or databases (Cloudscape, PointBase).


Course Outline

DAY ONE

  1. Introduction
    1. Security in a broader sense
    2. The history of Java security (Felten, LSD, ?)
  2. Java and security - J2SE Java 1.4 application areas
    1. Desktop Java (J2SE)
    2. WebServer Java (J2EE/JSP)
    3. BackendServer Java (J2EE/EJB)
    4. DatabaseServer Java (J2EE/JDBC)
  3. What to attack and protect
    1. Attacks on Integrity
    2. Attacks on Confidentiality
    3. Attacks on Availability
  4. Java security architecture
    1. Core java runtime environment security:
      1. JVM security
      2. Java language security
      3. Core API security
      4. Classloaders and protection domains
    2. Application security:
      1. JSSE and SSL
      2. GSSAPI
      3. JAAS
  5. Java Secure Coding
    1. Sun's secure programming guidelines
    2. Antipatterns
      1. Static variables
        1. Derived Vulnerabilities
        2. Possible Attacks
        3. Precautions and Detection
        4. PoC [Covert Channels in JDK]
      2. Privileged Code
        1. Derived Vulnerabilities
        2. Possible Attacks
        3. Precautions and Detection
        4. PoC [The Disk filling applet]
      3. Visibilities
        1. Derived Vulnerabilities
        2. Possible Attacks
        3. Precautions and Detection
        4. PoC [XMLSniffing vulnerability in JDK 1.4.2_05]
      4. Serialisation
        1. Derived Vulnerabilities
        2. Possible Attacks
        3. Precautions and Detection
        4. PoC [Remote Attacks and Malicious Objects]
      5. Native Code
        1. Derived Vulnerabilities
        2. Possible Attacks
        3. Precautions and Detection
        4. PoC [The memory reading applet in the Java Media Framework]
      6. Non-adequate permissions for 3rd party libraries and frameworks
        1. Derived Vulnerabilities
        2. Possible Attacks
        3. Precautions and Detection
        4. PoC [Remote code execution in JBoss 3.2.1]
      7. Java Arithmetics
        1. Derived Vulnerabilities
        2. Possible Attacks
        3. Precautions and Detection
        4. PoC [The java.util.zip package and the flipping sign]

DAY TWO

  1. Java Bytecode Engineering
    1. Quick walk through the Java bytecode instruction set
    2. Anatomy of class files
    3. Bytecode frameworks
    4. BCEL
    5. ASM
    6. Javassist
    7. Findbugs
    8. How to write custom detectors with BCEL and FindBugs
    9. Classwalkers
    10. Fieldwalkers
    11. Methodwalkers
  2. Finding adequate permission sets for Java applications
    1. Permissions in JDK
    2. The jchains framework
  3. Hardening Java protocols
    1. JDBC security
    2. RMI security (JRMP and RMI/IIOP)
    3. Serialisation security
  4. Hardening Java middleware applications
    1. Tomcat security
    2. Java database security
  5. Security in the new Tiger and Mustang releases
  6. Selected use cases from the audience
  7. Summary, Q&A and farewell


About the tutor

Marc Schonefeld is an external PhD student at the University of Bamberg in Germany. His research covers the analysis of interdependencies between programming flaws (antipatterns) and vulnerabilities in software. By developing a framework for flaw detection he found a range of serious bugs in current Java runtime environments (JDK) and in other Java-based applications and middleware systems (like JBoss, the Cloudscape database, ...).

Some of his findings led to the publication of a number of advisories by Sun Microsystems.

Recently he gave talks at Blackhat Federal and Websec Mexico. In 2005 he presented at RSA, BCS05, XCON and HITB, and he was a speaker at DIMVA (2004), the D-A-CH conferences (2004), Blackhat (2003) and RSA (2003).

Also in 2004 he was a finalist for the European Information Security Award, which was granted to IBM Labs Zurich, for his work on Java-based security antipatterns.

For questions regarding event registration, please call +62-21-570-5800 (Ms. Astri). For general questions, please email bcs2006@bellua.com or send an empty message to bcs-announce-subscribe@bellua.com to receive future event information.



This document is available at PT BELLUA ASIA PACIFIC's website and protected by the copyright laws of the Republic of Indonesia and International treaties. All use subject to "DISCLAIMER" set forth at /disclaimer/