Java Security & Error prevention

Question 1

Druhy utoku (6)

Answer 1

DOS - denial of service
Code injection
Code corruption
Deserialization
Sensitive data leaks
Directory traversal

Question 2

Java Security Descriptor - jmeno, co muze obsahovat(3), sample location + obsah

Answer 2

java.security
security policy files, cert keystore files, general settings

policy.url.1=file:${java.home}/conf/security/java.policy
policy.url.2=file:/someDir/java.policy

$JAVA_HOME/conf/security

Question 3

Java Security Policy Descriptor - jmeno, syntax:
povol pripojeni k localhost:7777
povol cteni a zapis do souboru abc.txt
pro kod z /lib.jar, pokud ma podpis “John and Joe”

Answer 3

grant codeBase “file:/lib.jar” signed “John and Joe” {
permission java.net.SocketPermission “localhost:7777”, “connect”;
permission java.io.FilePermission “abc.txt”, “read,write”;
}

Question 4

Vytvor povoleni pro poslech localhost:7777, programatically
Zjisti, jestli mas povoleni
Co se stane, pokud ne?

Answer 4

SocketPermission sp = new SocketPermission(“localhost:7777”, “listen”);
AccessController.checkPermission(sp);
vyhodi se AccessControlException

Question 5

Directory traversal - metody obrany (2)

Answer 5

path.normalize()
path.toRealPath(LinkOption)

Question 6

Privilegovany kod - co to je
Syntax

Answer 6

pristup se nekontroluje, je proste povolen

AccessController.doPrivileged(new PrivilegedAction<T>() {
public T run() { ... }
})</T>

Question 7

Utok pri deserializaci - obrana

Answer 7

deserializuji jen trusted data
validace objektu po deserializaci

Question 8

DOS - obrana (5)

Answer 8

validace vstupu
omezeni pristupu ke kritickym zdrojum
vzdy po sobe uzavirej zdroje
timeouty dlouheho zpracovani
sledovani velikosti filu/streamu/narustu pozadavku

Question 9

Povoleni spusteni souboru file.exe, programaticcally - vytvor a checkni

Answer 9

FilePermission fp = new FilePermission(“file.exe”, “execute”);
try { AccessController.checkPermission(fp); } catch (AccessControlPermission e) { … }

Question 10

Metoda pro numericke plus, ktere je citlive na preteceni
Jak se pozna preteceni?

Answer 10

Math.addExact(Integer.MAX, 1)
vyhodi se ArtithmeticException

Question 11

Jak poznam, ze cislo je po operaci konecne?

Answer 11

Math.isInfinite(1/Integer.MAX)

Question 12

Check, jestli je Double fakt ok po parsovani

Answer 12

!Math.isNaN(myDouble)

Question 13

Osetreni, jestli Wrapper obsahuje cislo, tedy neni null

Answer 13

Optional<Double> o = ...
if (o.isPresent) Double d = o.get();</Double>

Question 14

SQL injection - osetreni, pokud nemuzu pouzit prepared statement nebo prepared callable

Answer 14

enquoteLiteral(param)

Question 15

Scramble dat - hexadecimalni vystup - syntax pro SHA-256

Answer 15

MessageDigest md = MessageDigest.getInstance(“SHA-256”);
byte[] digest = md.digest(message.getBytes);
BigInteger hash = BigInteger.valueOf(digest).toString(16);

Question 16

Sifrovani - ziskani klice a sifrovatka pro AES
pkg

Answer 16

SecretKey key = KeyGenerator.getInstance(“AES”).generateKey();
Cipher cipher = Cipher.getInstance(“AES/GCM/NoPadding”);

Question 17

Sifrovani - mam sifrovatko, jak zasifruji “password” do byte[]?

Answer 17

cipher.init(Cipher.ENCRYPT_MODE, key);
cipher.doFinal(“password”.getBytes());

Question 18

Sifrovani - mam sifrovatko, jak rozsifruji byte[] password?

Answer 18

cipher.init(Cipher.DECRYPT_MODE, key);
cipher.doFinal(password);