Improving Remote Method Invocation via Method Authorization and Elimination of Registry: An Exploration of Java and Haxe
Keywords
Communication systems security, authorization, token networks, network servers, multiprocessor interconnection networks
Abstract
Service availability in Java RMI (Remote Method Invocation) implementations can easily be compromised in a number of ways. One of them arises when an attacker controls a directory service and mounts an attack on an RMI client and its data. Stubs in a registry can be de-registered or overwritten by the attacker. In addition, he could register his own stubs as proxies to a server implementation. This project focuses on the security pitfalls of using the default RMI implementation, namely the lack of an access control mechanism to manage server methods (and objects) and the limitations of the RMI registry. The RMI registry is a weak point that could be exploited. This work addresses this concern by investigating the RMI implementation and customizing its behavior to support client/method authorization, authentication and elimination of the need for an RMI registry. The contribution of this work is that it removes an inherent vulnerability in RMI, which is due to weak security in the RMI registry implementation. In addition, an emerging toolkit, Haxe, for platform-agnostic application development was introduced and its realization of RMI was briefly demonstrated. Haxe exhibits virtually all the features in Java and could be exploited like it. It however presents more promising features for the next generation of applications and services.
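The two ideas in the abstract, per-method authorization on the server and handing the stub to the client without a registry, can be sketched in plain Java RMI. The following is an added illustration written for this page; it is not the paper's code, and the token-based grant table, the `Calculator` interface and the in-memory handoff of the serialized stub are assumptions chosen to make the example self-contained. The stub returned by `UnicastRemoteObject.exportObject` is serializable, so the server can deliver it over a channel it controls instead of calling `Naming.rebind()`, which is the step an attacker-controlled registry would otherwise subvert.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.server.UnicastRemoteObject;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Hypothetical remote interface. Every method carries a caller token so the
// server can authorize each invocation individually instead of trusting the stub.
interface Calculator extends Remote {
    int add(String token, int a, int b) throws RemoteException;
    int mul(String token, int a, int b) throws RemoteException;
}

// Server-side implementation with a per-method grant table.
class CalculatorImpl implements Calculator {
    // token -> names of the methods the token holder may invoke (constructed sample data)
    private final Map<String, Set<String>> grants;

    CalculatorImpl(Map<String, Set<String>> grants) {
        this.grants = grants;
    }

    // Method-level authorization: reject unknown tokens and tokens that lack a
    // grant for this specific method. Failing closed is the defensive default.
    private void authorize(String token, String method) throws RemoteException {
        Set<String> allowed = grants.get(token);
        if (allowed == null || !allowed.contains(method)) {
            throw new RemoteException("caller not authorized for method " + method);
        }
    }

    @Override
    public int add(String token, int a, int b) throws RemoteException {
        authorize(token, "add");
        return a + b;
    }

    @Override
    public int mul(String token, int a, int b) throws RemoteException {
        authorize(token, "mul");
        return a * b;
    }
}

public class RegistryFreeRmiDemo {
    public static void main(String[] args) throws Exception {
        Map<String, Set<String>> grants = new HashMap<>();
        grants.put("token-for-client-A", Set.of("add"));   // may call add, not mul
        CalculatorImpl impl = new CalculatorImpl(grants);

        // Export on an anonymous port; the returned stub is a Serializable proxy.
        Calculator stub = (Calculator) UnicastRemoteObject.exportObject(impl, 0);

        // No registry: serialize the stub and hand it to the client over a channel
        // the server controls. A byte array stands in here for a file or an
        // authenticated socket.
        byte[] stubBytes;
        try (ByteArrayOutputStream bos = new ByteArrayOutputStream();
             ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(stub);
            stubBytes = bos.toByteArray();
        }

        // Client side: rebuild the stub from the bytes and invoke through it.
        Calculator remote;
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(stubBytes))) {
            remote = (Calculator) ois.readObject();
        }

        System.out.println("add -> " + remote.add("token-for-client-A", 2, 3));
        try {
            remote.mul("token-for-client-A", 2, 3);
        } catch (RemoteException e) {
            System.out.println("mul denied: " + e.getMessage());
        }
        try {
            remote.add("forged-token", 2, 3);
        } catch (RemoteException e) {
            System.out.println("forged token denied: " + e.getMessage());
        }

        UnicastRemoteObject.unexportObject(impl, true);  // release the RMI thread so the JVM exits
    }
}
```

Compile and run as a single file (`javac RegistryFreeRmiDemo.java && java RegistryFreeRmiDemo`, Java 9 or later for `Set.of`). Two caveats matter in a real deployment. First, the token is a bearer secret, so the RMI transport needs confidentiality (for example the SSL socket factories in `javax.rmi.ssl`), otherwise anyone observing the wire can replay it. Second, removing the registry only helps if the channel that delivers the serialized stub is itself authenticated; a client that deserializes a stub from an unauthenticated source has merely moved the stub-substitution problem from the registry to that channel, and should at least constrain what it will deserialize with an `ObjectInputFilter`.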