Thursday, April 10, 2014

Spotlight on Java SE 8 Security

Java SE 8 was released on March 18, 2014, after a long wait.  I thought I would spotlight some of the key security features of Java 8 for readers.  First, since many are not aware of them, a look at the security improvements made to Java 7.


Java 7 Security Review

Let’s begin with a quick review of the Java SE 7 security features that were carried forward into Java SE 8.  I cover only the key features; the details are available in Java Rich Internet Applications Enhancements in JDK 7.

UI control to enable and disable Java (Area: Java Control Panel, Java 7 Update 10)
Quickly disables or enables Java when it runs as a Rich Internet Application (RIA), i.e., Applets and Java Web Start applications launched from the web browser.  This lets individuals turn Applets off immediately if they are concerned about exploitation.  Essentially this is the Java kill switch for the browser.  It’s a good feature to have, but there are more precise controls for mitigating risk, as described below (e.g., the Security Slider, Deployment Rule Sets, the Site Exception List).

Java Security Slider (Area: Java Control Panel, Java 7 Update 10)
Allows end-users and enterprises to set the security level from Medium to Very High to balance security against operational concerns.  Since the slider was introduced, the “Low” and “Custom” levels have been removed.

Java Expiration (Area: JRE, Java 7 Update 10)
Oracle releases four Critical Patch Updates (CPUs), its scheduled security patches, per year.  When a CPU is released, outdated versions of Java may behave differently depending upon how Java is used.  Some activities performed by outdated RIAs carry more risk, and depending upon configuration those activities may trigger security warnings for end-users or be blocked entirely.  A specific example is running unsigned Applet code, which is not allowed by default in Java 7 Update 51 and later.

Expanded Black Listing Support (Area: JRE, Java 7 Update 21)
Each version of Java includes a trust store holding the approved roots of the certificate authorities participating in the Java SE Root Certificate Program.  Blacklisting is a product safety feature designed to augment standard PKI community processes for certificate management and to maintain confidence in signed code.  From a functional perspective, individual certificates or code modules (both signed and unsigned JARs) may be blacklisted.  The blacklist is checked daily on Java clients wherever network firewall rules do not prohibit it.

Security Model Improvement (Area: JRE, Java 7 Update 21)
Signing code no longer grants plugin privileges.  Signing establishes identity of the code author.  The Permissions attribute establishes application privileges.

Revocation Services on by Default (Area: JRE, Java 7 Update 25)
OCSP and CRL revocation checking is active by default for Java deployments.  Operating revocation services is important preparation work for establishing code-signing as the standard, since a signature is only as trustworthy as the current status of the certificate behind it.

Code Repurposing (Area: Plugins, Java 7 Update 25)
A new JAR manifest attribute was added to discourage JARs from being repurposed by other web sites.  Use the Codebase attribute to bind the code module to the site(s) from which it may legitimately be launched.

Deployment Rule Set (Area: Plugins, Java 7 Update 40)
An enterprise-class feature for creating security policies in Java that reflect organizational IT policies.  For example, it’s possible to block all Applets by default and then allow only corporate or partner applications.  Deployment Rule Sets (DRS) are an important control for discouraging Java’s use as a vector for exploitation by third-party malware, such as the kind commonly delivered through advertisements and emails.  Rules are evaluated in order and the first match wins, so the broad block rule goes last.
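As an added example, not taken from the original post or Oracle’s documentation, here is a minimal ruleset.xml implementing that “block by default, allow the intranet” policy.  The hostnames are placeholders, and the version number 1.0+ is the ruleset schema version rather than a Java version:

```xml
<ruleset version="1.0+">
  <!-- Corporate application: run without the usual prompts. -->
  <rule>
    <id location="https://intranet.example.com" />
    <action permission="run" />
  </rule>

  <!-- Partner application: allowed, but with the normal security checks and prompts. -->
  <rule>
    <id location="https://partner.example.net" />
    <action permission="default" />
  </rule>

  <!-- Catch-all: an empty <id/> matches everything else, so this must come last. -->
  <rule>
    <id />
    <action permission="block">
      <message>Java applications are blocked by IT policy. Contact the help desk to request an exception.</message>
    </action>
  </rule>
</ruleset>
```

The ruleset is packaged into a JAR named DeploymentRuleSet.jar, signed with a certificate the clients trust, and installed in the system-wide deployment directory (C:\Windows\Sun\Java\Deployment on Windows).  Because the rule order matters, test the file with a single allowed site and the catch-all before rolling it out; a block rule placed first silently blocks everything below it.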

Control of Security Warnings (Area: Plugins, Java 7 Update 40)
When Java is outdated and operating below the security baseline, a warning is presented to end-users communicating the increased risk and encouraging them to upgrade.  A configuration setting (deployment.expiration.check.enabled=false) allows enterprises to take responsibility for their own deployment processes and mitigate the interim risk themselves rather than relying on end-users to act on the warning.

Code-Signing is Default (Area: Plugins, Java 7 Update 51)
Since Java 7 Update 51 (Jan 2014) signed RIA code is now the default.  Unsigned and self-signed legacy code is supported but requires additional configuration to work.

Site Exception List (Area: Java Control Panel\ Plugins, Java 7 Update 51)
The Site Exception List is the consumer analogue for DRS.  Exceptions can be added easily by consumers to support legacy RIAs.

Permissions Attribute (Area: Plugins, Java 7 Update 51)
All RIAs, Applets included, must declare the Permissions attribute in the JAR manifest to specify whether the code runs with all permissions (Permissions: all-permissions, outside the sandbox) or without them (Permissions: sandbox, inside the sandbox).  Including this attribute was a subtle but significant change to the Java security model.  Previously, signing RIA code granted privileges implicitly.  Now permissions must be requested explicitly, and least privilege applies: request sandbox unless the application genuinely needs more.
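As an added example covering both the Codebase attribute above and the Permissions attribute, here is a manifest for a sandboxed RIA that may only be launched from one site.  This is illustrative, not from the original post; the hostname is a placeholder:

```text
Manifest-Version: 1.0
Permissions: sandbox
Codebase: https://apps.example.com
```

Build the JAR with this file (jar cfm app.jar MANIFEST.MF ...) and then sign it with jarsigner using a certificate from a CA in the Java trust store.  With the default High security level in 7u51 and later, an unsigned or self-signed JAR is blocked regardless of the attributes; a signed JAR that omits Permissions is also refused.  If the JAR is copied to another host, the Codebase mismatch is reported to the user instead of the code running silently under the original publisher’s identity.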

Uninstaller (Area: JRE, ongoing)
Cleaning up outdated versions of Java that are no longer used is important for improving security posture, since an old JRE left on disk remains a target even when it is not the default.

That wraps up the high points for Java SE 7.  For more information on Java SE 7 security see, Java Rich Internet Applications Enhancements in JDK 7.  Let's move on to security features of Java SE 8.

Java 8 Security

Java SE 8 includes all the security features of Java SE 7.  Plus Java SE 8 includes new features, algorithm improvements, and support for features that are not identified as security features but provide security benefits just the same.  The following presents the highlights but for details see, JDK 8 Security Enhancements.

Client-side TLS 1.2 Enabled by Default (Area: Plugins)
TLS 1.2 (RFC 5246) is supported by many web servers and browsers, and Java 8 now enables it by default on the client side as well, so Java clients no longer fall back to older protocol versions unless the server requires it.

Enhanced Revocation Certificate Checking (Area: JRE, JEP 124)
Use the PKIXRevocationChecker class to look up the revocation status of the certificates in a chain during PKIX path validation.  It supports both OCSP (RFC 2560) and CRL (RFC 5280) revocation checking, with options to prefer CRLs, disable fallback, or allow soft failure when the revocation status cannot be obtained.  See Check Revocation Status of Certificates with PKIXRevocationChecker Class.
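The following is an added example, not code from the original post, showing how the checker is wired into CertPathValidator on JDK 8.  It reads a PEM chain (leaf first, intermediates next, no root) from a file path given on the command line and validates it against the JDK’s default cacerts trust store; the file name and the "changeit" password are the JDK defaults, and softFail is a parameter of this example rather than anything in the API beyond the SOFT_FAIL option it maps to:

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.List;

/** Validate an X.509 chain with live OCSP/CRL revocation checking (JDK 8, JEP 124). */
public class RevocationCheck {

    /**
     * chain: leaf first, then intermediates. The JDK's PKIX validator does not build
     * paths, so every intermediate must be present; the root comes from the trust store.
     * softFail=true tolerates an unreachable responder (a definitive "revoked" still
     * fails); softFail=false treats "status unknown" as a validation failure.
     */
    public static PKIXCertPathValidatorResult validate(List<X509Certificate> chain,
            KeyStore trustStore, boolean softFail) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(chain);

        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        EnumSet<PKIXRevocationChecker.Option> opts =
                EnumSet.noneOf(PKIXRevocationChecker.Option.class);
        if (softFail) {
            opts.add(PKIXRevocationChecker.Option.SOFT_FAIL);
        }
        // Default behaviour is OCSP first with CRL fallback; PREFER_CRLS and NO_FALLBACK change it.
        rc.setOptions(opts);

        PKIXParameters params = new PKIXParameters(trustStore);
        // Adding our own checker replaces the validator's built-in revocation logic.
        params.addCertPathChecker(rc);

        try {
            PKIXCertPathValidatorResult result =
                    (PKIXCertPathValidatorResult) cpv.validate(path, params);
            // In SOFT_FAIL mode, lookup failures are collected here instead of being thrown.
            for (CertPathValidatorException e : rc.getSoftFailExceptions()) {
                System.err.println("revocation status unavailable: " + e.getMessage());
            }
            return result;
        } catch (CertPathValidatorException e) {
            // getReason() is BasicReason.REVOKED for a definitive revocation and
            // BasicReason.UNDETERMINED_REVOCATION_STATUS when no status could be obtained.
            System.err.println("validation failed (" + e.getReason()
                    + ") at chain index " + e.getIndex());
            throw e;
        }
    }

    /** Loads the JDK's default trust store; "changeit" is its well-known default password. */
    static KeyStore defaultTrustStore() throws Exception {
        String cacerts = System.getProperty("java.home") + "/lib/security/cacerts";
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(cacerts)) {
            ks.load(in, "changeit".toCharArray());
        }
        return ks;
    }

    /** Usage: java RevocationCheck chain.pem   (PEM-encoded certificates, leaf first). */
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[0])) {
            for (java.security.cert.Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        PKIXCertPathValidatorResult r = validate(chain, defaultTrustStore(), false);
        System.out.println("OK, anchored at "
                + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
    }
}
```

Run it against a chain whose leaf is known to be revoked (a CA’s published test endpoint, for instance) and the failure reason should read REVOKED; run it with the network blocked and softFail=false and it should read UNDETERMINED_REVOCATION_STATUS.  Hard fail is the right default for code-signing and server-side checks; soft fail is the pragmatic choice for interactive clients where an unreachable responder would otherwise mean a denial of service.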

Java Dependency Analyzer (Area: JRE tools)
jdeps is a command-line tool for identifying library (JAR) dependencies.  It is useful from a security perspective because it reveals dependencies, including third-party libraries that use JDK-internal APIs (jdeps -jdkinternals), that may block the ability to upgrade to a patched JDK.  An aside: while it is not an Oracle product, OWASP offers a free, complementary tool, Dependency-Check, for finding published vulnerabilities in third-party Java libraries.

Type Annotations (Area: JRE, JSR 308)
Like jdeps, type annotations are not a security feature in the strictest sense.  They provide an ancillary benefit to security because they let a compiler plugin verify that data is consistent with business requirements before it reaches a sensitive operation.  The Checker Framework from the University of Washington (search its manual for “taint”) provides excellent examples of type annotations in action to discourage injection attacks.
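As an added example (my own, not from the original post or the Checker Framework’s documentation), here is what that looks like with the Checker Framework’s Tainting Checker.  The qualifier package and processor names are assumed from current Checker Framework releases; the table and the regular expression are placeholders:

```java
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import org.checkerframework.checker.tainting.qual.Tainted;
import org.checkerframework.checker.tainting.qual.Untainted;

/** Type annotations (JSR 308) used to keep untrusted input away from a SQL sink. */
public class TaintedQuery {

    /** The sink: only an @Untainted string may be executed. */
    static ResultSet runQuery(Connection conn, @Untainted String sql) throws SQLException {
        Statement st = conn.createStatement();
        return st.executeQuery(sql);
    }

    /**
     * The single validation point. Returning a @Tainted value as @Untainted is
     * reported by the checker, so the suppression marks this method as the one
     * reviewed trust boundary in the code base.
     */
    @SuppressWarnings("tainting")
    static @Untainted String validateAccountId(@Tainted String raw) {
        if (raw == null || !raw.matches("[0-9]{1,10}")) {
            throw new IllegalArgumentException("account id must be 1-10 digits");
        }
        return raw;
    }

    /** Unannotated parameters default to @Tainted, so request input is tainted on entry. */
    static ResultSet lookupAccount(Connection conn, String requestParam) throws SQLException {
        // Rejected at compile time: a @Tainted String flows into an @Untainted parameter.
        // return runQuery(conn, "SELECT * FROM accounts WHERE id = " + requestParam);

        @Untainted String id = validateAccountId(requestParam);
        // String literals are @Untainted, and so is their concatenation with an @Untainted value.
        return runQuery(conn, "SELECT * FROM accounts WHERE id = " + id);
    }
}
```

Compile with the checker enabled (javac -processor org.checkerframework.checker.tainting.TaintingChecker with the Checker Framework JARs on the classpath); uncomment the first return in lookupAccount and the build fails.  The annotations add nothing at run time, which is the point: the injection is caught before the code ships.  A PreparedStatement remains the better sink for real applications, but it does not stop a developer from concatenating input into the query text, and that is the mistake the type system catches here.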

SSL\TLS Server Name Indication Extension (Area: JRE, JEP 114)
Server Name Indication (SNI) Extension has been added to TLS for supporting virtual hosting.  This improvement is useful in the situation where a single host supports multiple HTTPS web applications on a single IP address.

Many Cryptographic Algorithm Improvements (Area: JRE)
  • Improved high-entropy random number generation, including SecureRandom.getInstanceStrong() for keys that must come from a blocking, platform-strong source.  See the SecureRandom API Specification.  (JEP 123)
  • Support for AEAD (AES/GCM) JSSE cipher suites (JEP 115)
  • Improved support for NSA Suite B (JEP 129)
  • PKCS#11 provider expanded to 64-bit Windows (JEP 131)
  • Overhauled JKS, JCEKS and PKCS12 keystore handling (JEP 166)
  • Certificates with RSA keys shorter than 1024 bits are rejected by default (the jdk.certpath.disabledAlgorithms property in java.security)
  • and more
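The client-side TLS 1.2 default, the SNI extension and the AEAD cipher suites above come together in a single client.  The following is an added example, not code from the original post, of a JDK 8 client that refuses anything other than TLS 1.2 with an AES-GCM suite, sends SNI explicitly and verifies the hostname; the default host example.com is a placeholder:

```java
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** A JDK 8 TLS client pinned to TLS 1.2, AEAD cipher suites and explicit SNI. */
public class Tls12Client {

    /** Connects, enforces the policy during the handshake, and reports what was negotiated. */
    public static String connect(String host, int port) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null);            // default key/trust managers (cacerts)
        SSLSocketFactory factory = ctx.getSocketFactory();

        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            SSLParameters params = socket.getSSLParameters();

            // Java 8 enables TLS 1.2 by default; refuse older versions explicitly.
            params.setProtocols(new String[] { "TLSv1.2" });

            // AEAD suites only (JEP 115); ECDHE key exchange adds forward secrecy.
            params.setCipherSuites(new String[] {
                "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
                "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" });

            // Server Name Indication (JEP 114) so a virtual host presents the right certificate.
            params.setServerNames(Collections.singletonList(new SNIHostName(host)));

            // Check that the certificate matches the hostname (RFC 2818 rules).
            params.setEndpointIdentificationAlgorithm("HTTPS");

            socket.setSSLParameters(params);
            socket.startHandshake();           // fails here if the server cannot meet the policy

            SSLSession session = socket.getSession();
            String negotiated = session.getProtocol() + " " + session.getCipherSuite()
                    + " peer=" + session.getPeerPrincipal().getName();

            // A minimal HTTP request so the exchange is visible end to end.
            OutputStream out = socket.getOutputStream();
            out.write(("HEAD / HTTP/1.1\r\nHost: " + host + "\r\nConnection: close\r\n\r\n")
                    .getBytes(StandardCharsets.US_ASCII));
            out.flush();
            BufferedReader in = new BufferedReader(
                    new InputStreamReader(socket.getInputStream(), StandardCharsets.US_ASCII));
            return negotiated + " | " + in.readLine();
        }
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "example.com";   // placeholder default
        System.out.println(connect(host, 443));
    }
}
```

Two caveats worth knowing.  Without setEndpointIdentificationAlgorithm, a raw SSLSocket validates the chain but does not check that the certificate is for the host you asked for, so a valid certificate for any site would be accepted.  And on JDK 8 releases before 8u161 the 256-bit GCM suites require the unlimited-strength policy files, which is why the list above sticks to AES-128.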
For additional information about Java SE 7 and Java SE 8 security features, please refer to the following Oracle resources.

Security features for Java 7, Java Rich Internet Applications Enhancements in JDK 7
Security features for Java 8, JDK 8 Security Enhancements
Java PM blog (which includes security), https://blogs.oracle.com/java-platform-group/
New security requirements for RIAs in 7u51, https://blogs.oracle.com/java-platform-group/entry/new_security_requirements_for_rias
Oracle CPU and Security Alerts, http://www.oracle.com/technetwork/topics/security/alerts-086861.html
