Java Security

About the training

Most trainings about Java security focus on the Security API or crypto techniques, and rarely focus the attacker perspective. This training uses both perspectives, first in focusses on the security architect/analyst PoV, and shows approaches how to identify holes in the protection infrastructure and how to close them. For this purpose we present tools like instrumenting the Java Security Manager(jChains), identify potential security bugs with static and dynamics tools, also dive into details to work efficiently with decompilers, debuggers and other tools of the trade (like JVisualVM).

The second part focusses on the attacker perspective and helps to validates protection mechanisms. First it provides knowledge about the attack surface of Java-based software and then presents the attachers mindset to break the defenders assumptions. Using runtime code expertise to identify hooks to execute own code or remote control existing code is an important skill, demonstrated with analysis of real-life OpenJDK code and malwave dissection.

Who should attend

Participants should have previous security audit experience (C,C++,Java). This includes conducting source code analysis, static analysis, overview knowledge of common exploitation techniques, runtime instrumentation, debugging post-exploitation activities. You will benefit from experience with programming in the Java Programming Language before. Students are expected to be familiar with the basic principles of Java Programming, and by that be familiar with the API of the fundamental system libraries. Participants should know to handle the standard of procedures of developing Java programs (be able to start the compiler and runtime tools using the command line). Additionally they should be comfortable configuring JRE settings and perform low-level code analysis, including reverse engineering.

The material presented throughout this course is focussed to support the theoretical fundaments with practical examples. Being exposed to real-life examples, the ability to think around the corner and even outside the box is helpful. Nevertheless, the trainer will help you to stay on track.

Prerequisite Material

For the practical parts a virtual machine environment will be provided. For that the student will need a intel based laptop (2Ghz), having at least 2GB of RAM, with a current version (4.2+) of VirtualBox installed.

What to bring

Students will be provided with a customized work environment utilizing a Virtual Machine image. Students will need to bring their own laptop with:

• Laptop with 2 GBs of RAM (4 GB preferred)
• a preconfigured VM will be provided, make sure
• to have VirtualBox installed and
• 10G free hard disk space

A G E N D A

DAY 1

• Java Security
• The View of the Defenseman
• Understanding Organizational Security Mechanisms
• Reconstruct application logic: Reverse Engineering

DAY 2

• The view of the Threat Analyst
• Attack Types
• Misusing Enterprise Frameworks
• Understanding Java Malware

Training Bio

Marc Schoenefeld came first into contact with computers by exposure to a C64. Since then he is infected by bits and bytes. He studied Business Informatics and joined a banking computer centre in 1997 where he worked as Software Security Architect. In 2007 he joined the Red Hat Security Response Team. Early 2010 he graduated with a Dr. rer. nat. degree in computer science (comparable to PhD). He spoke about Java Bytecode Security at Blackhat 2002, since then he also spoke and gave trainings at the major conferences like Blackhat, RSA, CanSecWest, HITB, PacSec, XCon, Confidence , HITB and Java One. In 2011 he first released a book about JVM security, showing defense and attack techniques on Java software and then joined the Oracle Java Vulnerability Team.