Peeter Paal Helsinki University of Technology Telecommunications Software and Multimedia Laboratory opaal@cc.hut.fi
Abstract The third generation mobile devices will provide more and more features and as well, more and more security considerations. Sun Microsystems has announced their platform for such devices: Java 2 Micro Edition. J2ME provides portable application environment for the customer and embedded systems, including mobile devices. A user having a J2ME mobile device can download applications from open network and run them on his/her mobile device. A open network is also untrusted network. What happens if a user downloads a malicious application that reads all the users personal data and sends it to a specied network server. Is this possible in the J2ME environments? This paper represents the new environments and discusses security risks related to them. Keywords: Java 2 Micro Edition (J2ME), Java 2 Security, Conguration, Prole, SecurityManager, Sandbox, CLD, CLDC, MIDP
1 Introduction
Due to the large of range devices, Sun has split the Java 2 Platform in three. Java 2 Micro Edition (J2ME) is the newest edition in the Java 2 family. J2ME is targeted at consumer and embedded systems. The mobile device manufacturers are the rst advantage of the J2ME rst. This paper analyses the J2ME security features and suitability for the mobile devices.
Table 1: The general elements of Java 2 Platform Security Model. Element Description Real computer system resources Protected computer system resource, e.g. le system and networking. Permission objects The Permission objects represent access rights to the computer system resources. Each protected computer system resource has a corresponding Permission class. E.g. le permissions are represented with the FilePermission class. The default Permission classes are specied in the [1]. ProtectionDomains For each set of classes, whose instances are granted the same set of permissions, their own ProtectionDomain is created. SecurityManager SecurityManager class can be used for backward compatibility. AccessController AccessController enforces specied security policy. Security policy Represents a system security policy. Security management tools JDK consists of tools which can be used to manage keys and certicates, to create security policies and to digitally sign Java archives and verify such signatures.
sists of combinations of CodeSource classes and Permission subclasses. A CodeSource class consists of information about the URL where its class was loaded from, and a set of cryptographic certicates that indicate the signatures that the class has. Each application class has a corresponding CodeSource class. Each entry in the policy le is specied in the following format:
grant [SignedBy signer_names] [, CodeBase URL] { permission permission_class_name [ target_name ] [, action] [, SignedBy signer_names]; permission ... };
For example if we grant the code that is signed by Duke and loaded from http://applications.dukecompany.com/ read and write le permission to the les which are under the temp-directory, we specify the entry the following way:
grant codeBase http://applications.dukecompany.com/* signedBy Duke { permission java.io.FilePermission /temp/*, read,write; };
The permission classes are always represented with full Java class name notation. For backward compatibility, the SecurityManager class can be used. The SecurityManager that should be used by the Java Virtual Machine (JVM) is specied on the command-line argument the following way:
java -Djava.security.manager=com.company.security.SecurityManager JavaApplication
In order to use the default SecurityManager, the command-line arguments are given the following way:
java -Djava.security.manager JavaApplication
Figure 1: The gure illustrades the execution chain between user application, the management code of a prodected resource and the AccessControllor.
application tries to access a protected resource, the protected resource management code invokes AccessControllers checkPermission method. The checkPermission method takes a Permission object as its argument. The AccessController object checks through the execution stack so that each class in the execution stack must have a permission that implies to the given permission. If each class in the execution stack has a permission that implies to the given permission, the checkPermission method returns normally. If a class which has no permission, that implies to the given permission, is found from the execution stack, an AccessControlException exception is thrown, indicating that the requested access is not allowed. The checkPermission method takes advantage of ProtectionDomains implies method. The execution chain is illustrated in Fig. 1.
small Java virtual machine named KVM and only minimum amount of Java application programming interface (Java API) libraries included it. The letter K, in the J2ME Java virtual machine name, means kilo, indicating that the J2ME runnable environment virtual machine size is measured in tens or hundreds of kilobytes, not in megabytes. This virtual machine is used only in the smallest devices. Nevertheless, a Java virtual machine, that is fully compliant with the J2SE one, is used in devices, which provide more memory and advanced operating system. How these two environments are specied and how they distinguish from each other will be described in the following subsections.
Figure 3: Relationship between J2ME congurations and Java 2 Standard Edition. [5]
Connected Device Conguration (CDC) CDC covers all the devices which have a large range of user interface capabilities and the memory budgets in range of 2 to 16 megabytes. Devices like TV set-top boxes, Internet TVs and high-end communicators are served by the CDC. CDC is intended to be used by devices requiring a complete implementation of the Java virtual machine, and an API set that may, via the addition of proles, include the entire Java 2 Platform, Standard Edition API. The proposed Java API classes for CDC can be found in [4]. Connected, Limited Device Conguration (CLDC) CLDC covers the devices which have very simple user interface and low level memory budgets as well. Devices like simple mobile phones, pagers and person organizers are served by the CLDC. The CLDC requires 160 kB to 512 kB of total memory budget. To t Java runnable environment into such small and resource-constrained devices, a lot of cut downs must have been made. The security related cut downs are discussed in later sections. The CLDC specication and Java API classes can be found in [3]. The relationship between CDC, CLDC and Java 2 Standard Edition is illustrated in Fig. 3. As shown in the gure, the main functionality in CDC and CLDC is inherited from the J2SE. All the classes which are inherited from the J2SE are precisely the same or a subsets of the corresponding classes in the J2SE and the classes which are outside the J2SE environment may not use the java.* class names. Thus, upward compatible is achieved between the different editions of Java 2 platforms. All features implemented in the CLDC are also implemented in the CDC to achieve upward compatible between J2ME congurations as well. Thus, all applications implemented for the CLDC platform can be run in the CDC platform as well.
versa. Thus, the J2ME framework provides the concept of a prole to achieve application environment portability. A prole denes the J2ME environment in the application level, as a conguration denes the J2ME environment in the virtual machine level. Thus applications are written for a specic prole and proles are build for a specic conguration. Both proles and congurations dene a set of Java API classes which can be used by the applications. A device, that is designed to support a prole or several proles, agrees to implement all features and Java API classes which are specied by the prole(s) and corresponding conguration. At the current time only one prole is specied, which is the mobile information device prole (MIDP). The JCP [8] specication for the MIDP can be found in [7]. The MIDP is designed to operate on top of the CLDC which have at least e.g. simple le system and twoway networking capabilities. The potential devices which support MID prole could be e.g. advanced mobile phones and communicators. The MIDP denes an application model for the MIDL applications. The MIDL applications are called MIDlets. All MIDlets consists of the main class which extends the javax.microedition.midlet class. The usage of the MIDlet class is quite similiar to the Applet class. The javax.microedition.midlet class methods are represented in Table 2. Table 2: javax.microedition.midlet.MIDlet class methods. Method Description protected MIDLet () Class constructor for subclasses. protected abstract void Signals MIDLet to terminate. A MIDLet destroyApp (boolean should peform all resource releasing methods unconditional) and save persistent data in this method. public final String Gets application properties from the midlet getAppProperty (String application management software. key) public final void Noties the MIDLet management application notifyDestroyed () that the MIDLet has exceeded to the exit state. public final void Noties the MIDLet management application notifyPaused () that the MIDLet has not to be in the active state. protected abstract void Signals the MIDLet to pause and release all pauseApp () shared resources. public final void Noties the MIDLet management application resumeRequested () that the MIDLet is interested in returning to the active state. protected abstract void Signals the MIDLet that it is started and has startApp () entered the active state.
to 80 kilobytes depending on the target platform and the compilation options. The KVM is implemented in the C programming language to allow easy portability to different types of platforms for which a C compiler is available.
The impact of the J2SE security classes which are undened in the CDC is discussed in section 5.
dened in the J2SE but not enabled in the CLDC, are listed in the following sections. [3, 1]
4.2.1
Bytecode Verier
The bytecode verier, which is specied in [2], ensures that the Java bytecode and other items stored in the Java classle cannot harm the Java virtual machine. However, this kind of sophisticated bytecode verier is too large for the CLDC devices. Therefore, a more compact and efcient bytecode verication solution has been specied in [3]. The bytecode verication for a CLDC Java application is done in two phases. The rst phase is executed in the Java 2 Standard Platform or higher environment. The rst phase is called pre-verication. The second phase is executed in the CLDC device. The second phase is called in-device verication. Both pre-verication and in-device verication are introduced in the following sections and the whole verication process is illustrated in Fig. 4.
4.2.2
Pre-verication
A pre-verication tool is used for pre-vering Java class les. The pre-verication tool removes a specied set of Java bytecodes. The bytecodes, which are removed by the preverication phase, are specied in [3]. The methods, containing these set of bytecodes, are replaced with semantically equivalent bytecode. After the bytecode replacement phase, the pre-verication tool inserts a special attribute named stack map into the pre-veried Java class le. The pre-veried Java class le is still a valid Java 2 Platform class le. The
attributes inserted by the pre-verication tool are ignored by the J2SE virtual machines and so the J2ME CLDC pre-vericated Java class les are fully upward compatible.
4.2.3
In-device Verication
In-device verication is carried out in the CLDC device by the KVM. The KVM bytecode verier utilizes the information generated by the pre-verication tool. The in-device verication process is specied in [3].
4.2.4
Java Native Interface (JNI) is not implemented in the CLDC. The implementation would had been too expencive in the CLDC target devices and the native function calls would have been outside the scope of the sandbox model denition [3]. The native function calls can be implemented inside the KVM by the manufacturor but then they are not in the scope of the CLDC specication or MIDP specication as well.
4.2.5
CLDC does not allow user-dened class loaders. The CLDC uses built-in class loader that cannot be overridden, replaced or recongured by the user. [3]
4.2.6
Also the following Java language features, which are dened by the J2SE, have been eliminated in J2ME CLDC in order to achieve the sandbox model [3]. Reection Features CLDC does not support java.lang.reflect classes. The java.lang.reflect package is specied in [6]. Thread groups and daemon threads CLDC supports neither java.lang.ThreadGroups nor daemon threads. To collect and manage threads in group, one must implement its own thread grouping mechanism. Finalization CLDC does not support java.lang.Object.finalize() method. In the J2SE the java.lang.Object.finalize() method is invoked by the garbage collector when it determines that there are no references to the object [6]. In the J2ME CLDC platform the java.lang.Object.finalize() method is never invoked. Weak references Weak references are not allowed in CLDC platform.
10
11
6.1.1
JNI
The JNI support elimination is obvious. It would be extremely insecure to allow CLDC applications to run their own native code. Also in order to provide application portability, the JNI support should not be provided. The third reason for not provide JNI support is virtual machine size. The JNI implementation would have been increase the size of KVM tremendously.
8 Conclusions
Understanding that one size does not t to all even in the J2ME level, Sun has split it into congurations. Since now, two congurations has been specied. CDC is fully compliant with the J2SE platform security model. However, CDC does not provide any cryptographical function. This means that the application can be run secure way in the CDC devices, 12
but they cannot communicate with other world secure way. In the scope of network applications, the elimination of cryptographical classes and functions is a disadvantage. CLDC provides a very restricted security model, a sandbox. The sandbox model is achieved by eliminating Java language features. A prole on top of CLDC, MIDP, provides application framework that is similiar to the Applet framework. MIDP provides simple data storing capabilities and HTTP network connections.
References
[1] Gong, L., Java(TM) 2 Platform Security Architecture, 2.10.1998 <http://java.sun.com/j2se/1.3/docs/guide/security/spec/security-spec.doc.html> [2] Lindholm, T. & Yellin, F., Java(TM) Virtual Machine Specication, Second Edition, Addison-Wesley, 1999, 496p <ftp://ftp.javasoft.com/docs/specs/vmspec.2nded.html.zip> [3] Sun Microsystems, Inc, Connected, Limited Device Conguration, Specication Version 1.0 <http://java.sun.com/aboutJava/communityprocess/nal/jsr030/CLDCSpecication1.0.zip> [4] Sun Microsystems, Inc, J2ME(TM) Connected Device Conguration, Proposed Final Draft, 30.08.2000 <http://java.sun.com/aboutJava/communityprocess/rst/jsr036/j2me-cdc-javadoc.zip> [5] Sun Microsystems, Inc, Java(TM) 2 Platform Micro Edition (J2ME(TM)) Technology for Creating Mobile Devices, White Paper, 19.05.2000 <http://java.sun.com/products/cldc/wp/KVMwp.pdf> [6] Sun Microsystems, Inc, Java(TM) 2 Platform, Standard Edition, v1.2.2 API Specication, API Specication, 29.06.1999 <http://www.javasoft.com/products/jdk/1.2/docs/api/index.html> [7] Sun Microsystems, Inc, Mobile Information Device Prole, JCP Specication, 1.9.2000 <http://java.sun.com/aboutJava/communityprocess/nal/jsr037/MIDPSpec_1_0.zip> [8] Sun Microsystems, Inc, The Java Community Process(SM) Program, Version 2.0, 2.6.2000 <http://java.sun.com/aboutJava/communityprocess/jcp2.html>
13