Improving Remote Method Invocation via Method Authorization and Elimination of Registry: An Exploration of Java and Haxe

Main Article Content

Michael Adeyeye Oshin
Matthew Olusegun Ojewale
Oluyomi Olufemi Kabiawu
Romana Challans
Kauna Mufeti

Keywords

Communication systems security, authorization, token networks, network servers, multiprocessor interconnection networks

Abstract

Service availability in Java RMI (Remote Method Invocation) implementations can easily be compromised in a number of ways. One of the ways is when an attacker controls a directory service and mounts an attack on a RMI client and data. Stubs in a registry can be de- registered or overwritten by the attacker. In addition, he could register his own stubs as proxies to a server implementation. This project focuses on the security pitfalls of using default RMI implementation, namely the lack of access control mechanism to manage server methods (and objects) and limitations of RMI registry. The RMI registry is a weak point that could be exploited. This work addresses this concern by investigating RMI implementation and customizing the behavior to support client/method authorization, authentication and elimination of the need for an RMI registry. The contribution of this work is that it removes inherent vulnerability in RMI, which is due to weak security in RMI registry implementation. In addition, an emerging toolkit, Haxe, for platform-agnostic application development was introduced and its realization of RMI was briefly demonstrated. Haxe exhibits virtually all the features in Java and could be exploited like it. It however presents more promising features for the next generation of applications and services.

Abstract 628 | PDF Downloads 3

References

Bang, S., & Ahn, J. (2007). Implementation and performance evaluation of socket and RMI based java message passing systems. In Software Engineering Research, Management & Applications, 2007. SERA 2007. 5th ACIS International Conference on (pp. 153-159). IEEE. doi: 10.1109/SERA.2007.93

Basanta-Val, P., & Garcia-Valls, M. (2010). An architecture for distributed real-time Java based on RMI and RTSJ. In Emerging Technologies and Factory Automation (ETFA), 2010 IEEE Conference on (pp. 1-8). IEEE. doi: 10.1109/ETFA.2010.5641176

Ganymede Tools (2010), Ganymede Release 2.0, http://tools.arlut.utexas.edu/gash2/CHANGES (Accessed: 10 April 2012)

Guiagoussou, M. H., Boutaba, R., & Kadoch, M. (2001). A Java API for advanced faults management. In Integrated Network Management Proceedings, 2001 IEEE/IFIP International Symposium on (pp. 483-498). IEEE. doi: 10.1109/INM.2001.918061

Hagimont, D., & Boyer, F. (2001). A configurable RMI mechanism for sharing distributed Java objects. Internet Computing, IEEE, 5(1), 36-43. doi: 10.1109/4236.895140

Haxetink/tink_core. (n.d.). Retrieved December 18, 2015, from https://github.com/haxetink/tink_core
Home - HaxeUI. (n.d.). Retrieved December 18, 2015, from http://haxeui.org/

Jiang, S., & Clements, S. (2008). Java Remote Job Execution System. In Complex, Intelligent and Software Intensive Systems, 2008. CISIS 2008. International Conference on (pp. 561-566). IEEE. 10.1109/CISIS.2008.34

Keshk, A. E. (2007). Implementation of Distributed Application using RMI Java threads. In Signal Processing and Information Technology, 2007 IEEE International Symposium on (pp. 1017-1022). IEEE. doi: 10.1109/ISSPIT.2007.4458214

Li, N., Mitchell, J. C., & Tong, D. (2004). Securing Java RMI-based distributed applications. In Computer Security Applications Conference, 2004. 20th Annual (pp. 262-271). IEEE. doi:10.1109/CSAC.2004.34

Ma, H. N. H., & Yang, L. (2006). Improvement of object serialization in Java remote method invocation. In Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing, 2006. SNPD 2006. Seventh ACIS International Conference on (pp. 35-42). IEEE. doi: 10.1109/SNPD-SAWN.2006.44

Massiveinteractive/MassiveUnit. (n.d.b). Retrieved December 18, 2015, from https://github.com/massiveinteractive/MassiveUnit/

Massiveinteractive/mlib. (n.d.). Retrieved December 18, 2015, from https://github.com/massiveinteractive/mlib

Menegotto, C. C., & Weber, T. S. (2011). Communication fault injection for multi-protocol Java applications testing. In Test Workshop (LATW), 2011 12th Latin American (pp. 1-6). IEEE.doi: 10.1109/LATW.2011.5985899

Narasimhan, N., Moser, L. E., & Melliar-Smith, P. M. (2000). Transparent consistent replication of Java RMI objects. In Distributed Objects and Applications, 2000. Proceedings. DOA'00. International Symposium on (pp. 17-26). IEEE.

Narasimhan, N., Moser, L. E., & Melliar‐Smith, P. M. (2001). Interceptors for Java remote method invocation. Concurrency and Computation: Practice and Experience, 13(8‐9), 755-774. doi: 10.1002/cpe.575

Openfl/lime. (n.d.). Retrieved December 18, 2015, from https://github.com/openfl/lime

Pistoia, M., Nagaratnam, N., Koved, L., & Nadalin, A.(2004). Enterprise Java Security: Building Secure J2EE Applications. Addison-Wesley Professional

Pitt, E., & McNiff, K. (2001). Java.RMI: The Remote Method Invocation Guide. Addison-Wesley Longman Publishing Co., Inc.. http://my.safaribooksonline.com/book/programming/java/0201700433, (Accessed: 10 April 2012).

Randonee/Basis. (n.d.). Retrieved December 18, 2015, from https://github.com/Randonee/Basis

Schulz, S., Friedrich, M., Kuchlin, W., & Huttner, T. (2003). A RMI-Security-Extension using the PERMI framework. Proceedings of 2003 Netobject Days. Retrieved from http://www.researchgate.net/publication/237462050_A_RMI-Security-Extension_using_the_PERMI_framework

Silcock, J., & Gościński, A. (1995). Message Passing, Remote Procedure Calls and Distributed Shared Memory as Communication Paradigms for Distributed Systems. Deakin University, School of Computing and Mathematics.

Smatanik, V., Dérer, R., Marek, J., & Dimitriu, A. (2011). Java RMI-Software Architecture Document. Department of Information and Computing Sciences.

Stepasyuk, S., & Paunov, Y. (2015). Evaluating the Haxe Programming Language-Performance comparison between Haxe and platform-specific languages. Available at http://hdl.handle.net/2077/38569

Stevenson, A., & MacDonald, S. (2008). Smart proxies in java rmi with dynamic aspect-oriented programming. In Parallel and Distributed Processing, 2008. IPDPS 2008. IEEE International Symposium on (pp. 1-6). IEEE. doi: 10.1109/IPDPS.2008.4536332

The Java Tutorial 1 (2011a), An Overview of RMI Applications, http://docs.oracle.com/javase/tutorial/rmi/overview.html (Accessed: 24 January 2012),

The Java Tutorial 2 (2011b), The Security Manager, http://docs.oracle.com/javase/tutorial/essential/environment/security.html, (Accessed: 24 January 2012).

Thiruvathukal, G. K., Thomas, L. S., & Korczynski, A. T. (1998). Reflective remote method invocation. doi:10.1002/(SICI)1096-9128(199809/11)10:11/13<911: AID-CPE389>3.0.CO;2-9.

Toledo, R., Nunez, A., Tanter, E., & Noyé, J. (2012). Aspectizing Java access control. Software Engineering, IEEE Transactions on, 38(1), 101-117. doi: 10.1109/TSE.2011.6

Tso, K. S., Pajevski, M. J., & Johnson, B. (2011). Access Control of Web and Java Based Applications. In Dependable Computing (PRDC), 2011 IEEE 17th Pacific Rim International Symposium on (pp. 320-325). IEEE. doi:10.1109/PRDC.2011.54

Ufront/ufront. (n.d.). Retrieved December 18, 2015, from https://github.com/ufront/ufront

Your vision, everywhere. (n.d.). Retrieved December 18, 2015, from http://openfl.org/

Wireshark.org Overview, http://www.wireshark.org/docs/wsdg_html_chunked/ChWorksOverview.html, (Accessed: 24 January 2012).