<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN"><HTML LANG="en"><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"><META HTTP-EQUIV="Content-Style-Type" CONTENT="text/css"><META NAME="GENERATOR" CONTENT="Adobe FrameMaker 7.0/HTML Export Filter"><LINK REL="STYLESHEET" HREF="unx_unstr_styles.css" CHARSET="ISO-8859-1" TYPE="text/css"><META name="DC.TITLE" content="Runtime Environment Specification for the Java Card Platform, Version 2.2.2"><TITLE>C H A P T E R 6 - Applet Isolation and Object Sharing </TITLE></HEAD><BODY BGCOLOR="#ffffff"><DIV><div class="navbar" align="center"><table dir="LTR" summary="Navigation bar, includes the book title and navigation buttons" width=100% cellpadding="0" cellspacing="0" border="0"><colgroup span="2" width="100%"><col id="1" span="1" width="50%"><col id="2" span="1" width="50%"><tr bgcolor="#cccccc"><td class="navbartitle" align=left rowspan="1" colspan="1" abbr="ChapTitle"> Runtime Environment Specification for the Java Card Platform, Version 2.2.2</td><td valign="top" align="right" rowspan="1" colspan="1" abbr="NavButtons"><a href="index.html"><img src="shared/toc01.gif" title="Table Of Contents" alt="Table Of Contents" width="30" height="26" border="0"></a><a href="JCRESpec05transient.html"><img src="shared/prev01.gif" title="Previous Chapter" alt="Previous Chapter" width="30" height="26" border="0"></a><a href="JCRESpec07transact.html"><img src="shared/next01.gif" title="Next Chapter" alt="Next Chapter" width="30" height="26" border="0"></a><a href="ix.html"><img src="shared/index01.gif" title="Book Index" alt="Book Index" width="30" height="26" border="0"></a></td></tr></table><br><br></div></DIV><TABLE DIR="LTR" SUMMARY="Chapter Number" ABBR="ChapNum" WIDTH="100%" BORDER="0"><COLGROUP SPAN="1" WIDTH="100%"><COL ID="1" SPAN="1"><TR><TD ALIGN="right" CLASS="ChapNumber"><SPAN CLASS="ChapNumPrefix"><A NAME="pgfId-416586"></A>C H A P T E R </SPAN> <SPAN CLASS="ChapNumNum">6</SPAN><A 
NAME="92454"></A></TD></TR></TABLE><TABLE DIR="LTR" SUMMARY="Chapter Title" ABBR="ChapTitle" WIDTH="100%" BORDER="0"><COLGROUP SPAN="1" WIDTH="100%"><COL ID="1" SPAN="1" WIDTH="100%"><TR><TD ALIGN="right" CLASS="ChapTitle"><HR SIZE=7 NOSHADE><A NAME="pgfId-416588"></A><A NAME="64673"></A>Applet <A NAME="marker-416907"></A>Isolation<A NAME="marker-416909"></A> and Object Sharing </TD></TR></TABLE><P CLASS="Paragraph"><A NAME="pgfId-406471"></A>Any implementation of the Java Card RE shall support isolation of contexts and applets. Isolation means that one applet cannot access the fields or objects of an applet in another context unless the other applet explicitly provides an interface for access. The Java Card RE mechanisms for applet isolation and object sharing are detailed in the following sections.</P><H2 CLASS="Head1"><A NAME="pgfId-406479"></A><DIV><HR ALIGN=left SIZE=6 WIDTH=15% noshade></DIV>6.1 <A NAME="65482"></A>Applet <A NAME="marker-416908"></A>Firewall</H2><P CLASS="Paragraph"><A NAME="pgfId-406481"></A>The applet firewall within Java Card technology is runtime-enforced protection and is separate from the Java technology protections. The Java programming language protections still apply to Java Card applets. The Java programming language ensures that strong typing and protection attributes are enforced. </P><P CLASS="Paragraph"><A NAME="pgfId-406483"></A>Applet firewalls are always enforced in the Java Card VM. They allow the VM to automatically perform additional security checks at runtime.</P><H3 CLASS="Head2"><A NAME="pgfId-415348"></A>6.1.1 <A NAME="69025"></A>Firewall Protection</H3><P CLASS="Paragraph"><A NAME="pgfId-416602"></A>The Java Card technology-based firewall (Java Card firewall) provides protection against the most frequently anticipated security concern: developer mistakes and design oversights that might allow sensitive data to be "leaked" to another applet. 
An applet may be able to obtain an object reference from a publicly accessible location. However, if the object is owned by an applet protected by its own firewall, the requesting applet must satisfy certain access rules before it can use the reference to access the object. </P><P CLASS="Paragraph"><A NAME="pgfId-415350"></A>The firewall also provides protection against incorrect code. If incorrect code is loaded onto a card, the firewall still protects objects from being accessed by this code.</P><P CLASS="Paragraph"><A NAME="pgfId-423154"></A>The <EM CLASS="Emphasis">Runtime Environment Specification, Java Card Platform, Version 2.2.2</EM> specifies the basic minimum protection requirements of contexts and firewalls because the features described in this document are not transparent to the applet developer. Developers shall be aware of the behavior of objects, APIs, and exceptions related to the firewall. </P><P CLASS="Paragraph"><A NAME="pgfId-415346"></A>Java Card RE implementers are free to implement additional security mechanisms beyond those of the applet firewall, as long as these mechanisms are transparent to applets and do not change the externally visible operation of the VM.</P><H3 CLASS="Head2"><A NAME="pgfId-406493"></A>6.1.2 <A NAME="43635"></A>Contexts<A NAME="marker-416910"></A> and Context Switching</H3><P CLASS="Paragraph"><A NAME="pgfId-406495"></A>Firewalls essentially partition the Java Card platform's object system into separate protected object spaces called contexts. These are illustrated in <A HREF="JCRESpec06firewall.html#34443" CLASS="XRef">FIGURE 6-1</A>. The firewall is the boundary between one context and another. The Java Card RE shall allocate and manage a context for each Java API package containing applets<A NAME="fnote1"></A><A HREF="#pgfId-415269" CLASS="footnote"><SUP>[1]</SUP></A>. All applet instances within a single Java API package share the same context. 
There is no firewall between individual applet instances within the same package. That is, an applet instance can freely access objects belonging to another applet instance that resides in the same package. </P><BR><P CLASS="FigureBox"><A NAME="pgfId-424672"></A><CAPTION CLASS="FigureCaption"><A NAME="pgfId-424370"></A>FIGURE 6-1 <A NAME="34443"></A>Contexts Within the Java Card Platform's Object System </CAPTION></P><IMG SRC="figures/JCRESpec06firewall-4.jpg" ALIGN="BASELINE"><BR><P CLASS="Paragraph"><A NAME="pgfId-424373"></A>In addition, the Java Card RE maintains its own <A NAME="marker-424372"></A>Java Card RE context. This context is much like the context of an applet, but it has special system privileges so that it can perform operations that are denied to contexts of applets. For example, access from the Java Card RE context to any applet instance's context is allowed, but the converse, access from an applet instance's context to the Java Card RE context, is prohibited by the firewall.</P><H4 CLASS="Head3"><A NAME="pgfId-414473"></A>6.1.2.1 Active Contexts in the VM</H4><P CLASS="Paragraph"><A NAME="pgfId-415389"></A>At any point in time, there is only one active context within the VM. This is called the currently <A NAME="marker-416912"></A>active context. This can be either the Java Card RE context or an applet's context. All bytecodes that access objects are checked at runtime against the currently active context in order to determine if the access is allowed. A <KBD CLASS="Filename-Command">java.lang.SecurityException</KBD> is thrown when an access is disallowed.</P><H4 CLASS="Head3"><A NAME="pgfId-414427"></A>6.1.2.2 Context Switching<A NAME="marker-416913"></A> in the VM</H4><P CLASS="Paragraph"><A NAME="pgfId-415393"></A>If access is allowed, the VM determines if a context switch is required. 
A context switch occurs when certain well-defined conditions, as described in <A HREF="JCRESpec06firewall.html#75443" CLASS="XRef">Section 6.2.8, Class and Object Access Behavior</A>, are met during the execution of invoke-type bytecodes. For example, a context switch may be caused by an attempt to access a shareable object that belongs to an applet instance that resides in a different package. The result of a context switch is a new currently active context. </P><P CLASS="Paragraph"><A NAME="pgfId-406501"></A>During a context switch, the previous context and object owner information is pushed on an internal VM stack, a new context becomes the currently active context, and the invoked method executes in this new context. Upon exit from that method the VM performs a restoring context switch. The original context (of the caller of the method) is popped from the stack and is restored as the currently active context. Context switches can be nested. The maximum depth depends on the amount of VM stack space available.</P><P CLASS="Paragraph"><A NAME="pgfId-406503"></A>Most method invocations in Java Card technology do not cause a context switch. For example, a context switch is unnecessary when an attempt is made to access an object that belongs to an applet instance that resides in the same package. Context switches only occur during invocation of and return from certain methods, as well as during exception exits from those methods (see <A HREF="JCRESpec06firewall.html#75443" CLASS="XRef">Section 6.2.8, Class and Object Access Behavior</A>). </P><P CLASS="Paragraph"><A NAME="pgfId-406507"></A>Further details of contexts and context switching are provided in later sections of this chapter. </P><H3 CLASS="Head2"><A NAME="pgfId-409906"></A>6.1.3 Object <A NAME="marker-416914"></A>Ownership</H3><P CLASS="Paragraph"><A NAME="pgfId-406525"></A>Any given object in the Java Card platform's object space has a context and an owner associated with it. 
When a new object is created, it is associated with the currently active context, and it is owned by the specific applet instance (within that context) whose code is executing when the object is instantiated. An object can be owned by an applet instance, or by the Java Card RE.</P><P CLASS="Paragraph"><A NAME="pgfId-422715"></A>Following are the combined <A NAME="marker-416915"></A>rules of context and object ownership within the <A NAME="marker-416917"></A>firewall:</P><UL><LI CLASS="Bullet1"><A NAME="pgfId-415302"></A>Every applet instance belongs to a context. All applet instances from the same package belong to the same context.</LI><P CLASS="Linebreak"></P><LI CLASS="Bullet1"><A NAME="pgfId-417071"></A>Every object is owned by an applet instance (or the Java Card RE). An applet instance is identified by its AID. When executing in an instance method of an object (or a static class method called from within), the object's owner must be in the currently active context.</LI><P CLASS="Linebreak"></P></UL><P CLASS="Paragraph"><A NAME="pgfId-410027"></A>For example, assume that applets A and B are in the same package, and applet C is in another package. A and B therefore belong to the same context, context 1, and C belongs to a different context, context 2. For an illustration of this situation, see <A HREF="JCRESpec06firewall.html#31854" CLASS="XRef">FIGURE 6-2</A>.</P><P CLASS="Paragraph"><A NAME="pgfId-410028"></A>If context 1 is the currently active context, and a method <KBD CLASS="Filename-Command">m1</KBD> in an object owned by applet A is invoked, no context switch occurs. If method <KBD CLASS="Filename-Command">m1</KBD> invokes a method <KBD CLASS="Filename-Command">m2</KBD> in an object owned by applet B, again no context switch occurs (in spite of the object "owner" change), and no firewall restrictions apply. 
</P><P CLASS="Paragraph"><A NAME="pgfId-415071"></A>However, if the method <KBD CLASS="Filename-Command">m2</KBD> now calls a method <KBD CLASS="Filename-Command">m0</KBD> in an object owned by applet C, firewall restrictions apply and, if access is allowed, a context switch shall occur. Upon return to method <KBD CLASS="Filename-Command">m2</KBD> from the method <KBD CLASS="Filename-Command">m0</KBD>, the context of applet B (context 1) is restored.</P><BR><P CLASS="FigureBox"><A NAME="pgfId-425504"></A><CAPTION CLASS="FigureCaption"><A NAME="pgfId-414562"></A>FIGURE 6-2 <A NAME="31854"></A>Context Switching and Object Access </CAPTION></P><IMG SRC="figures/JCRESpec06firewall-5.jpg" ALIGN="BASELINE"><BR><P CLASS="Paragraph"><A NAME="pgfId-422718"></A>Keep the following points in mind:</P><UL><LI CLASS="Bullet1"><A NAME="pgfId-414856"></A>When the <KBD CLASS="Filename-Command">m1</KBD> method in the object owned by applet A calls the method <KBD CLASS="Filename-Command">m2</KBD> in the object owned by applet B, the context does not change but the owner of the object does change. If the <KBD CLASS="Filename-Command">JCSystem.getAID</KBD> method is called from method <KBD CLASS="Filename-Command">m2</KBD> within context 1, the AID of applet B is returned.</LI><P CLASS="Linebreak"></P><LI CLASS="Bullet1"><A NAME="pgfId-414853"></A>When method <KBD CLASS="Filename-Command">m2</KBD> calls method <KBD CLASS="Filename-Command">m0</KBD> in an object owned by applet C, applet B is the owner of the executing object at the moment the context switches from 1 to 2, and that context and owner are what the VM pushes on its internal stack. Therefore, if the <KBD CLASS="Filename-Command">JCSystem.getAID</KBD> method is called from method <KBD CLASS="Filename-Command">m0</KBD> within context 2, the AID of applet C shall be returned. 
If the <KBD CLASS="Filename-Command">JCSystem.getPreviousContextAID</KBD> method is called, the AID of applet B shall be returned.</LI><P CLASS="Linebreak"></P><LI CLASS="Bullet1"><A NAME="pgfId-423274"></A>When the <KBD CLASS="Filename-Command">JCSystem.getAID</KBD> method is called from method <KBD CLASS="Filename-Command">m2</KBD> after the return from method <KBD CLASS="Filename-Command">m0</KBD> in context 2, the AID of applet B is returned. However, if the <KBD CLASS="Filename-Command">JCSystem.getPreviousContextAID</KBD> method is called, the AID of the applet which called into context 1 (or <KBD CLASS="Filename-Command">null</KBD> if Java Card RE) is returned and not the AID of applet C.</LI><P CLASS="Linebreak"></P></UL><H3 CLASS="Head2"><A NAME="pgfId-423277"></A>6.1.4 Object <A NAME="marker-423276"></A>Access</H3><P CLASS="Paragraph"><A NAME="pgfId-406537"></A>In general, an object can only be accessed by its owning context, that is, when the owning context is the currently active context. The firewall prevents an object from being accessed by another applet in a different context.</P><P CLASS="Paragraph"><A NAME="pgfId-406539"></A>In implementation terms, each time an object is accessed, the object's owner context is compared to the currently active context. 
If these do not match, the access is not performed and a <KBD CLASS="Filename-Command">SecurityException</KBD> is thrown.</P><P CLASS="Paragraph"><A NAME="pgfId-406541"></A>An object is accessed when one of the following bytecodes is executed using the object's reference:</P><PRE CLASS="Codeline"><A NAME="pgfId-425632"></A>getfield, putfield, invokevirtual, invokeinterface,</PRE><PRE CLASS="Codeline"><A NAME="pgfId-425633"></A>athrow, <T>aload, <T>astore, arraylength, checkcast, instanceof</PRE><P CLASS="Paragraph"><A NAME="pgfId-425569"></A><T> refers to the various types of array bytecodes, such as <KBD CLASS="Filename-Command">baload</KBD> and <KBD CLASS="Filename-Command">sastore</KBD>.</P><P CLASS="Paragraph"><A NAME="pgfId-406553"></A>This list includes any special or optimized forms of these bytecodes implemented in the Java Card VM, such as <KBD CLASS="Filename-Command">getfield_b</KBD> and <KBD CLASS="Filename-Command">getfield_s_this</KBD>. </P><H3 CLASS="Head2"><A NAME="pgfId-415098"></A>6.1.5 Transient Objects and <A NAME="marker-416919"></A>Contexts</H3><P CLASS="Paragraph"><A NAME="pgfId-415099"></A>Transient objects of <KBD CLASS="Filename-Command">CLEAR_ON_RESET</KBD><A NAME="marker-416920"></A> type behave like persistent objects in that they can be accessed only when the currently active context is the object's owning context (the currently active context at the time when the object was created).</P><P CLASS="Paragraph"><A NAME="pgfId-415100"></A>Transient objects of <KBD CLASS="Filename-Command">CLEAR_ON_DESELECT</KBD><A NAME="marker-416921"></A> type can only be created or accessed when the currently active context is the context of the currently selected applet. 
If any of the <KBD CLASS="Filename-Command">makeTransient</KBD> factory methods of the <KBD CLASS="Filename-Command">JCSystem</KBD> class are called to create a <KBD CLASS="Filename-Command">CLEAR_ON_DESELECT</KBD> type transient object when the currently active context is not the context of the currently selected applet (even if the attempting context is that of an active applet instance on another logical channel), the method shall throw a <KBD CLASS="Filename-Command">javacard.framework.SystemException</KBD> with reason code of <KBD CLASS="Filename-Command">ILLEGAL_TRANSIENT</KBD>. If an attempt is made to access a transient object of <KBD CLASS="Filename-Command">CLEAR_ON_DESELECT</KBD> type when the currently active context is not the context of the currently selected applet (even if the attempting context is that of an active applet instance on another logical channel), the Java Card RE shall throw a <KBD CLASS="Filename-Command">java.lang.SecurityException</KBD>. </P><P CLASS="Paragraph"><A NAME="pgfId-415101"></A>Applets that are part of the same package share the same context. Every applet instance from a package shares all its object instances with all other instances from the same package. This includes transient objects of both <KBD CLASS="Filename-Command">CLEAR_ON_RESET</KBD> type and <KBD CLASS="Filename-Command">CLEAR_ON_DESELECT</KBD> type owned by these applet instances.</P><P CLASS="Paragraph"><A NAME="pgfId-415102"></A>The transient objects of <KBD CLASS="Filename-Command">CLEAR_ON_DESELECT</KBD> type owned by any applet instance in the same package shall be accessible when any of the applet instances is the currently selected applet. </P><H3 CLASS="Head2"><A NAME="pgfId-415113"></A>6.1.6 Static Fields<A NAME="marker-416922"></A> and <A NAME="marker-416923"></A>Methods</H3><P CLASS="Paragraph"><A NAME="pgfId-415114"></A>Instances of classes (objects) are owned by contexts. Classes themselves are not. 
There is no runtime context check that can be performed when a class static field is accessed. Neither is there a context switch when a static method is invoked. Similarly, <KBD CLASS="Filename-Command">invokespecial</KBD> causes no context switch.</P><P CLASS="Paragraph"><A NAME="pgfId-415115"></A>Public static fields and public static methods are accessible from any context: Static methods execute in the same context as their caller.
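<P CLASS="Paragraph">The following Python model is added here as a worked example of the rules in Sections 6.1.2 through 6.1.5; it is not part of this specification and not Java Card code. Packages stand in for contexts and short strings for AIDs; an <KBD CLASS="Filename-Command">Obj</KBD> carries its owner and owning context, and a <KBD CLASS="Filename-Command">FirewallVM</KBD> performs the ownership check of Section 6.1.4 on every field access, pushes and restores the (context, owner) pair of Section 6.1.2.2 on every cross-context invocation, and applies the <KBD CLASS="Filename-Command">CLEAR_ON_DESELECT</KBD> rules of Section 6.1.5. <KBD CLASS="Filename-Command">figure_6_2_scenario</KBD> replays the applet A, B, C call chain of FIGURE 6-2 and records what <KBD CLASS="Filename-Command">getAID</KBD> and <KBD CLASS="Filename-Command">getPreviousContextAID</KBD> return at each step; <KBD CLASS="Filename-Command">transient_scenario</KBD> replays the logical-channel case in which applet A's code runs while another applet is the currently selected one. The exception classes, the reason-code value, the <KBD CLASS="Filename-Command">shareable</KBD> flag standing in for invocation through a Shareable interface, and all applet and package names are modeling assumptions.</P>

```python
# Toy model of the applet firewall of Sections 6.1.2 to 6.1.5 (constructed illustration, not JCRE
# or Java Card API code): packages stand in for contexts, short strings for AIDs, objects carry owner+context.
JCRE = "JCRE"                              # the Java Card RE context/owner (system privileges)
CLEAR_ON_RESET, CLEAR_ON_DESELECT = 1, 2   # transient event kinds (values are not normative)

class SecurityException(Exception):        # stands in for java.lang.SecurityException
    pass

class SystemException(Exception):          # stands in for javacard.framework.SystemException
    ILLEGAL_TRANSIENT = 1                  # reason code value assumed; passed as args[0]

class Obj:
    def __init__(self, owner, context, shareable=False, transient=0, value=None):
        self.owner, self.context = owner, context          # 6.1.3: owner AID, owning context
        self.shareable, self.transient, self.value = shareable, transient, value

class FirewallVM:
    def __init__(self, context_of, selected=None):
        self.context_of = {**context_of, JCRE: JCRE}   # AID -> context (one per package)
        self.selected = selected            # AID of the currently selected applet
        self.active = self.owner = JCRE     # currently active context, executing object's owner
        self.stack = []                     # (context, owner) frames pushed on every switch

    def get_aid(self):                      # JCSystem.getAID (null for the RE)
        return None if self.owner == JCRE else self.owner

    def get_previous_context_aid(self):     # JCSystem.getPreviousContextAID (null for the RE)
        caller = self.stack[-1][1] if self.stack else JCRE
        return None if caller == JCRE else caller

    def make_transient(self, event):        # JCSystem.makeTransient*Array, 6.1.5
        if event == CLEAR_ON_DESELECT and self.active != self.context_of.get(self.selected):
            raise SystemException(SystemException.ILLEGAL_TRANSIENT)
        return Obj(self.owner, self.active, transient=event)

    def read_field(self, obj):              # getfield, guarded by the 6.1.4 check
        if self.active != JCRE:             # the RE context may reach into any applet context
            if obj.transient == CLEAR_ON_DESELECT and self.active != self.context_of.get(self.selected):
                raise SecurityException("CLEAR_ON_DESELECT object outside the selected applet")
            if obj.context != self.active:
                raise SecurityException(f"{self.active} may not access an object of {obj.context}")
        return obj.value

    def invoke(self, obj, method):          # invokevirtual/invokeinterface; runs method(vm)
        if obj.context == self.active:      # same context: no switch, but the owner changes
            saved, self.owner = self.owner, obj.owner
            try:
                return method(self)
            finally:
                self.owner = saved
        if self.active != JCRE and not obj.shareable:   # cross-context needs a Shareable interface
            raise SecurityException(f"{self.active} may not invoke into {obj.context}")
        self.stack.append((self.active, self.owner))    # 6.1.2.2: push previous context and owner
        self.active, self.owner = obj.context, obj.owner
        try:
            return method(self)
        finally:                            # restoring switch on return and on exception exit
            self.active, self.owner = self.stack.pop()

def figure_6_2_scenario():                  # A and B in pkg1 (context 1), C in pkg2 (context 2)
    vm, seen = FirewallVM({"A": "pkg1", "B": "pkg1", "C": "pkg2"}), {}
    c_shared, c_private = Obj("C", "pkg2", shareable=True), Obj("C", "pkg2", value=99)

    def m0(vm):
        seen["m0"] = (vm.get_aid(), vm.get_previous_context_aid())
        return vm.read_field(c_private)     # C's own context: allowed

    def m2(vm):
        seen["m2"] = (vm.get_aid(), vm.get_previous_context_aid())  # owner B, still context 1
        seen["m0.result"] = vm.invoke(c_shared, m0)                 # allowed: switch 1 -> 2
        seen["m2.after"] = (vm.get_aid(), vm.get_previous_context_aid())
        try:
            vm.read_field(c_private)        # direct access into context 2 from context 1
        except SecurityException:
            seen["m2.private"] = "SecurityException"
        return "done"

    seen["m1"] = vm.invoke(Obj("A", "pkg1"), lambda vm: vm.invoke(Obj("B", "pkg1"), m2))  # RE enters A.m1
    seen["restored"] = (vm.active, vm.owner, len(vm.stack))
    return seen

def transient_scenario():                   # CLEAR_ON_DESELECT follows the selected applet (6.1.5)
    vm = FirewallVM({"A": "pkg1", "C": "pkg2"}, selected="A")    # A selected: may create both
    cor, cod = vm.invoke(Obj("A", "pkg1"), lambda vm: (vm.make_transient(CLEAR_ON_RESET),
                                                         vm.make_transient(CLEAR_ON_DESELECT)))
    cor.value, cod.value = "reset-scoped", "deselect-scoped"
    vm.selected = "C"                       # C becomes the selected applet (another channel)
    def a_service(vm):                      # A's code, entered through a Shareable from C
        out = {"cor": vm.read_field(cor)}   # CLEAR_ON_RESET: owning context is enough
        try:
            vm.read_field(cod)
        except SecurityException:
            out["cod"] = "SecurityException"
        try:
            vm.make_transient(CLEAR_ON_DESELECT)
        except SystemException as exc:
            out["make"] = exc.args[0]
        return out
    return vm.invoke(Obj("C", "pkg2"), lambda vm: vm.invoke(Obj("A", "pkg1", shareable=True), a_service))
```

<P CLASS="Paragraph">Two details of the model are worth noting. The restoring context switch sits in a <KBD CLASS="Filename-Command">finally</KBD> clause, so it also runs on an exception exit from the invoked method, as Section 6.1.2.2 requires; a cross-context invocation that the firewall rejects therefore leaves the caller's context intact. And the access check compares the object's owning context, not its owner, which is why <KBD CLASS="Filename-Command">m2</KBD> (owner B) may touch A's objects without any switch but is refused direct access to C's.</P>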