1. Java Class Loader & Security
Bhanu Prakash Gopularam
Senior Engineer
Java Platform Group
2. Agenda
• Introduction
• Java Class Loader
• Java Class Loading Phases
• Custom Class loading
• Class Loader Exceptions
• Debugging Class loader Problems
• Questions
3. Java Language
Java Platform and Programming language introduced in 1995
• Java Language
– General purpose object oriented programming language
– Automatic storage management – GC
– Platform independent code, security and network mobility
• Few Java Language Security features
– Built in Security Architecture
– Configurable policies and domains
– Applet sandbox: allows untrusted Java programs to be securely downloaded and run over the network
4. Java Class Loader - Introduction
ClassLoader “Reads byte code into JVM”
A class is defined by its
<class name, defining class loader>
Goals of Class Loader:
• Act as the first line of defense
• Guard system packages from fake classes and spoofing attacks
• Resolve symbolic references from one class to another
8. Java Class Loaders
1. Bootstrap or Primordial Class Loader
• rt.jar
• -Xbootclasspath – use judiciously
• System property sun.boot.class.path
2. Extension Class Loader
• Installed optional packages, lib/ext (in JRE) or jre/lib/ext (in JDK)
• $JRE_HOME/lib/ext
• System property java.ext.dirs
3. Application Class Loader
• Application classpath $CLASSPATH or -cp variable
• System property java.class.path
• Misleadingly, it is also called the System ClassLoader
• Can be changed using property -Djava.system.class.loader
9. Java Class Loaders – contd..
4. SecureClassLoader
– Adds support for code security model in JDK 1.2
• Adds defineClass(String name, CodeSource)
• Adds getPermissions(CodeSource)
5. URLClassLoader
– Loads classes from specified URL path (dir or jar file)
– Extends from SecureClassLoader
• Supports loading classes from URL code sources
6. Context Class Loader
– Context class loader is provided by creator of thread
– If Security Manager is present, checkPermission() is invoked with getClassLoader() call
11. Why write your own class loader?
1. Alternative delegation model - Java EE web modules
Checks local repositories first, common folder in Tomcat. However, loading of system classes remains unchanged
By instantiating class loader again, a class can be reloaded
2. Hot Deployment
Support upgrade
3. Class loader and Security
Add extra code after findClass() and before defineClass(), compression, encryption techniques
4. Modifying the class files
Add extra debugging logic
Example: BCEL (Byte code engineering library) and ASM tools
12. Example (1): Jars in same classpath
v1/version.java v2/version.java
Test.java
13. Example (2): RMI Execution Engine
[Diagram: Server, Client-1, Client-2 and the RMI Registry. Numbered steps: 1. Register, 2. Lookup, 3. Return server stub, 4. Data Comm. Call labels: serverIntf.execute(taskIntf), taskIntf.execute(). Types: common.ServerInterface with execute(TaskInterface), Server.ServerImpl with execute(TaskInterface).]
15. Class Loader Security
• Classes are separated using namespaces
• Built-in checks for identifying malicious classes
• Encloses class into ProtectionDomain
• Verification of code for valid signature
• Class File Verifier does various checks for integrity
16. ClassLoader Exceptions
1. ClassNotFoundException
– ClassLoader.findSystemClass(), loadClass() fails
– Wrong class loader is used or directory is not added
Figure out the class loader and parent class loader and see why the class cannot be loaded
2. NoClassDefFoundError
– Indicates linkage problem, symbolic reference cannot be found.
– Folder or source of class is not made available to parent class loader
– Check the stacktrace to find the class name
Figure out class loader and missing symbolic link
List parent class loaders recursively
17. ClassLoader Exceptions – Contd.
3. ClassCastException
– Casting an object to an unrelated class
Check for type and class loader used
4. UnsatisfiedLinkError
– System.loadLibrary("solaris.image_converter"), loading JNI code
JVM is unable to find proper native library of class, check references
5. ClassCircularityError
– Thrown when some class is an indirect superclass of itself, an interface extends itself or similar, mainly when different versions of the same library are loaded
Check for double class names in classpath
18. Debugging Class Loading Problems
1. Use java -verbose:class HelloWorld
2. Use javap -private HelloWorld
3. On Linux, check which jar contains the class file
– find *.jar -exec jar -tf '{}' \; | grep HelloWorld
4. Use BCEL or ASM libraries, ByteCode visualizer for Eclipse
19. Questions - 1
• Difference between
Class.forName() vs classLoader.loadClass()
20. Questions - 2
• In Java, what is the need for main method?
public static void main(String args[])
21. Questions - 3
• Guess first 4 bytes of a class file!
Byte code generated by the compiler needs to have standard data at the beginning of the file
22. Resources
1. The Java Language Specification, Java SE 8 Edition, https://docs.oracle.com/javase/specs/jls/se8/jls8.pdf
2. The Java Virtual Machine Specification, Java SE 8 Edition, https://docs.oracle.com/javase/specs/jvms/se8/jvms8.pdf
3. Demystifying Java Platform Security Architecture, Ramesh Nagappan
4. Internals of Java Class Loading, Binildas Christudas, O'Reilly, OnJava.com
5. Core Security Patterns: Best Practices and Strategies for J2EE, Web Services and Identity Management, Sun MicroSystems, Prentice Hall
6. Java and JVM security vulnerabilities and their exploitation techniques, http://www.blackhat.com/presentations/bh-asia-02/LSD/bh-asia-02-lsd.pdf
7. GitHub URL - https://github.com/gopularam/developer/tree/master/Classloader
8. Slideshare URL - http://www.slideshare.net/bhanugopularam/java-class-loader-49366166
General-purpose object-oriented programming language (architecture-neutral, interpreted and executable byte code)
JVM – abstract computing engine, it insulates JVM from underlying differences
Rules-based class loading and verification of byte code.
Applet Sandbox
Responsible for locating the byte code of a particular class and then transforming it into a class usable by the runtime system
To enforce security it coordinates with SecurityManager and AccessController
Protect java classes from spoofing attacks
ClassLoader recursively delegates class loading to its parent loader. Can be changed by custom class loaders
Developers have two well-known reasons for building custom ClassLoaders:
1. providing support for a new class repository and
2. partitioning user code in a server
Java byte code verifier:
Pass-1 – Structural check: starting bytes in class file, major/minor version checks, etc.
Pass-2 – Semantic check: method descriptors, context-free grammar, adherence to Java specification
Pass-3 – Byte code verification: improper gotos, opcodes vs operands, method arguments, local variable initialization, etc.
Pass-4 – Verification of symbolic references: loading referenced types, dynamic linking, binary compatibility check
It is based on data flow analysis. It does so by modeling each bytecode instruction and simulating each execution path that can possibly occur
Checks number of registers, stack height, types of values in registers.
Class does not forge pointers
Class file format is OK
Code does not violate access privileges
Class definition is correct
---------
Security. Your ClassLoader could examine classes before they are handed off to the JVM to see if they have a proper digital signature. You can also create a kind of "sandbox" that disallows certain kinds of method calls by examining the source code and rejecting classes that try to do things outside the sandbox.
Encryption. It's possible to create a ClassLoader that decrypts on the fly, so that your class files on disk are not readable by someone with a decompiler. The user must supply a password to run the program, and the password is used to decrypt the code.
Archiving. Want to distribute your code in a special format or with special compression? Your ClassLoader can pull raw class file bytes from any source it wants.
Self-extracting programs. It's possible to compile an entire Java application into a single executable class file that contains compressed and/or encrypted class file data, along with an integral ClassLoader; when the program is run, it unpacks itself entirely in memory -- no need to install first.
Dynamic generation. The sky's the limit here. You can generate classes that refer to other classes that haven't been generated yet -- create entire classes on the fly and bring them into the JVM without missing a beat.
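One way to place a check between locating the bytes and defineClass(), as the "Class loader and Security" slide and the Security note above describe. This is an added example, not code from the deck or its GitHub repository, and it uses a pinned SHA-256 digest in place of full signature verification; PinnedLoader, Task, the in-memory repository and the pin computed in main() are all constructed for the demo (requires Java 9+).

```java
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;

public class PinnedLoaderDemo {
    /** Constructed sample class to be loaded through the checking loader. */
    public static class Task { }

    /** Hypothetical loader: class bytes must match a pinned SHA-256 before defineClass(). */
    static class PinnedLoader extends ClassLoader {
        private final Map<String, byte[]> repo, pins;   // class name -> bytes / expected digest
        PinnedLoader(ClassLoader parent, Map<String, byte[]> repo, Map<String, byte[]> pins) {
            super(parent); this.repo = repo; this.pins = pins;
        }
        @Override
        protected Class<?> findClass(String name) throws ClassNotFoundException {
            byte[] bytes = repo.get(name);
            if (bytes == null) throw new ClassNotFoundException(name);
            byte[] pin = pins.get(name);
            // Fail closed: a class with no pin is rejected just like a class with a wrong digest.
            if (pin == null || !MessageDigest.isEqual(pin, sha256(bytes))) {
                throw new SecurityException("digest mismatch for " + name);
            }
            return defineClass(name, bytes, 0, bytes.length);
        }
    }

    static byte[] sha256(byte[] data) {
        try { return MessageDigest.getInstance("SHA-256").digest(data); }
        catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    public static void main(String[] args) throws Exception {
        String name = Task.class.getName();
        byte[] good;
        try (InputStream in = Task.class.getResourceAsStream("/" + name.replace('.', '/') + ".class")) {
            good = in.readAllBytes();
        }
        Map<String, byte[]> pins = Map.of(name, sha256(good));     // constructed pin for the demo
        ClassLoader parent = ClassLoader.getPlatformClassLoader(); // cannot see Task, so findClass() runs
        Class<?> ok = new PinnedLoader(parent, Map.of(name, good), pins).loadClass(name);
        System.out.println("accepted: " + ok.getName() + " defined by " + ok.getClassLoader());
        byte[] tampered = good.clone();
        tampered[tampered.length - 1] ^= 1;                        // flip one bit of the class file
        try {
            new PinnedLoader(parent, Map.of(name, tampered), pins).loadClass(name);
        } catch (SecurityException e) {
            System.out.println("rejected before defineClass(): " + e.getMessage());
        }
    }
}
```

In a deployment the pins would come from a source the loader trusts more than the class repository, such as a signed manifest; computing them from the same bytes, as main() does here, only serves the demonstration.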
If class is already loaded then return it else call findClass()
Primordial class loader: Java applications have the capability of loading bootstrap, system and app classes
To protect from malicious attacks it uses java.security.SecureClassLoader
Load class
Finding a class using delegation
Defining the class
Link class
Happens before class initialization or before reflection API calls
Byte code verifier – bytecode is typesafe, execution paths
Checks like Verification (Semantics, type checking), Preparation (allocate JVM internal objects )
Initialize class
Happens once on “first use”
Before class first instance creation, Runs static code
Before access to static fields or methods
Class loading phases
Load class – finding the class using delegation
Link class – Runs Bytecode verifier, allocates JVM internal objects
Initialize class – Happens once on “first use”
A domain conceptually encloses a set of classes whose instances are granted the same set of permissions.
CodeSource - each piece of code has two identity-defining characteristics: origin and signature. These two characteristics are represented in the class java.security.CodeSource
The context class loader was invented to give framework code a mechanism to find the "correct" class loader to load application classes. In the case of the web application, the server typically applies the web application class loader as the context class loader.
AppletClassLoader
SecureClassLoader
RMIClassLoader
Delegation works in bottom-up manner
Visibility - Classes loaded by a top-level class loader are visible to class loaders beneath it and not vice versa.
RMI Execution Engine
Clients can supply any tasks that implement common.TaskIntf
RMI execution engine loads code only once but executes 2 times based on requests
In client VM, separate client.TaskImpl classes are loaded, instantiated and sent to Execution Engine Server VM for execution
Each client uses different instances of FileSystem classloader.
At server side, in findClass we call defineClass internally with byte[] and class name.
Whether bytecode was generated by compliant compiler,
ClassNotFoundException
Look for code where classloader loadClass() call is involved
NoClassDefFoundError
Check why class is not available
javap – Java class file disassembler
By default it prints package, protected and public fields and methods
Class.forName() uses the class loader of the caller; it initializes the class (executes static data)
classLoader.loadClass() – is used when we need to pass the class loader as an argument. It just loads the class, and initialization is deferred until the class is used for the first time
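The difference in initialization timing described above, as an added example that is not part of the original deck: Plugin and the pluginInitialized flag are constructed for the demo, and the three-argument Class.forName(name, false, loader) overload is included because it gives forName() the same deferred behaviour when the class name comes from configuration or other input.

```java
public class InitTimingDemo {
    static boolean pluginInitialized;                  // set by Plugin's static initializer

    /** Constructed sample class; its static block stands in for any static data or code. */
    static class Plugin {
        static { pluginInitialized = true; }
    }

    /** Fails loudly if an expectation about initialization timing does not hold. */
    static void expect(boolean cond, String what) {
        if (!cond) throw new AssertionError(what);
        System.out.println("ok: " + what);
    }

    public static void main(String[] args) throws Exception {
        ClassLoader cl = InitTimingDemo.class.getClassLoader();
        // Built as a string so that nothing in main() refers to Plugin directly.
        String name = InitTimingDemo.class.getName() + "$Plugin";

        Class<?> viaLoader = cl.loadClass(name);
        expect(!pluginInitialized, "loadClass() loaded the class without initializing it");

        Class<?> lazy = Class.forName(name, false, cl);
        expect(!pluginInitialized && lazy == viaLoader,
               "forName(name, false, loader) returned the same class, still uninitialized");

        Class<?> eager = Class.forName(name);
        expect(pluginInitialized && eager == viaLoader,
               "forName(name) ran the static initializer");
    }
}
```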