Run-time configurable sandboxes

Michael Maass mmaass at andrew.cmu.edu
Tue May 26 20:19:59 UTC 2015


I've been working on addressing similar issues as part of my PhD thesis 
and have noted many of the same challenges, although I've taken a 
different approach. Some points I can add from a recent but currently 
unpublished study of actual usage of the Java sandbox (I can send a 
draft to individuals on request):

1. Almost no one uses the Java sandbox, and out of those that do, quite 
a few are using it for reasons that have nothing to do with security. We 
factored out applets because applets are dead (see builtwith stats on 
applets) and did not directly use the sandbox themselves. While we did 
look at web start applications, in practice, vendors seem to always sign 
them and request all permissions. I personally believe the latter is 
common because it's currently too hard to figure out what permissions a 
non-trivial set of Java code needs.

2. Almost everyone using the Java sandbox that cares about security is 
using it incorrectly, often in ways that ensure using the sandbox is 
entirely ineffective. The most common issue is completely 
misunderstanding the permission model (i.e. believing it's a blacklist 
instead of a whitelist). This often leads people to accidentally use one 
of several Java permissions that are so powerful you might as well not 
use the sandbox if you grant them.

3. Common security reasons to use the sandbox: (a) using a third party 
library that isn't fully trusted (convenience often trumps security) and 
(b) frameworks loading third party plugins.

My solution has been to create tooling to let software deal with the 
complexity while letting the user deal with higher level concerns. I 
have a full prototype tool suite that let's users pick a specific set of 
classes and JAR's in an application to sandbox. The tools then use 
static and dynamic analysis to develop a starter policy for the selected 
subset that contains all of the permissions required by every execution 
of the subset. Finally, the tools let the user review the policy and 
edit it in a little IDE that warns them if they do something dangerous 
to establish the final policy. The tools then impose the final policy on 
the application by re-writing the bytecode. The basic approach the 
bytecode re-writing implements is very similar to what you described and 
for the same reasons.

I went with a tooling approach in acknowledgment of the fact that the 
Java sandbox is hard to use because it's quite flexible in many ways. 
Instead of losing that flexibility, I feel it is better to separate 
complexity a human must deal with from that a machine can deal with and 
let each deal with their own concerns. Tooling also has the advantage 
that it can be adopted without the potentially lengthy process required 
to change the sandbox in the JVM itself. What I've learned is that the 
Java sandbox is, for most practical intents and purposes, impossible to 
use manually without causing problems, but that it's extremely handy 
when tools do most of the heavy lifting for you.

Michael

On 05/25/2015 11:41 AM, org.openjdk at io7m.com wrote:
> Hello!
>
> I am a security-conscious Java developer and am interested in using the
> JVMs built-in security features to run code in separated and run-time
> configured sandboxes. I'm writing to the list to explain some of the
> issues I've come up against and am hoping to either elicit suggestions
> or at least provoke some discussion about how the JVM might better
> support this.
>
> I've been working on a small experimental system for sandboxing
> due to dissatisfaction with the existing sandboxing packages.
> The existing sandboxing packages appear to be overly complicated,
> fragile, and unmaintained. They almost all implement a complicated
> and error-prone custom security manager and seem to more or less
> ignore everything else the JVM has in terms of security features.
> I'm hoping that I can do better!
>
> My own use case will be running code that is sandbox-aware and that
> only uses a few classes from java.lang and talks to an API that I
> provide to each sandbox. I would expect to restrict arbitrary file
> I/O (with sandboxed code persisting state via provided key/value
> interface), restrict network I/O, restrict access to native code,
> restrict access to reflection, restrict thread creation, and restrict
> exiting the VM. About the only thing I cannot protect against is
> heap exhaustion (but the JVM does a decent job of enforcing a global
> limit anyway, so it's not as if malicious code would end up killing
> the user's machine or running afoul of operating system limits).
>
> It seems that others have somewhat similar use cases, often using
> some sort of sandbox to provide security to embedded languages that
> have been compiled to JVM bytecode at run-time.
>
> I won't bore anyone here with the details of how the JVM applies
> security policy because I'd assume everyone on this list already
> understands it.
>
> My basic approach has been to use a custom implementation of
> java.security.Policy[0] and a custom classloader. The program
> creates one classloader C per application sandbox S and assigns
> all classes loaded by C a protection domain P. My assumption is
> that for a particular sandbox, we no longer care about fine-grained
> per-CodeSource control of classes inside the sandbox as we're more
> likely to be applying a coarse sandbox-wide set of restrictions. This
> then means that that the custom Policy implementation can assign
> permissions on a per-sandbox basis by simply checking the CodeSource
> URL and returning any permissions defined for that URL.
>
> As a concrete example, I create a sandbox that I then assign
> a URL of http://sandbox.io7m.com/1. The classloader for that
> sandbox assigns every loaded class a CodeSource with location
> http://sandbox.io7m.com/1. Now, whenever the AccessController consults
> the policy's checkPermission function, the policy simply uses the
> set of permissions defined for http://sandbox.io7m.com/1.
>
> As an aside, I do use a custom SecurityManager but only to add a couple
> of extra checks for Thread and ThreadGroup creation/modification,
> because the default SecurityManager is not strict enough.
>
> This appears to work well. I've been unable to subvert the sandbox and
> am reasonably confident in its security simply due to the fact that it
> does absolutely nothing clever whatsoever and uses the basic provided
> JVM security features to achieve it. The code is less than 150 lines
> and is not exciting in any way. The bulk of a real implementation
> would be providing a pleasant API and a nice way to configure policies
> at run-time.
>
> My main gripes:
>
> 1. The ClassLoader and SecureClassLoader classes are not very nice. It
> seems that I cannot take an existing classloader and preserve all
> of the semantics with regards to mapping names to byte arrays (such
> as looking through the classpath for class files, contacting remote
> servers for classes, etc) if I want to maintain my own control over
> the resulting ProtectionDomains of those classes. It is likely that
> ProtectionDomains and CodeSources were never intended to be used in
> the slightly abusive way I'm using them in the above system. I'm
> guessing also that the implementations carry a ton of historical
> baggage and would likely not have their interfaces presented in the
> way they currently are if they were written/designed today!
>
> There is a tempting package-private method in java.lang.Class called
> setProtectionDomain that I'm not allowed to call. Having access to this
> would allow me use any existing class loader and simply overwrite the
> protection domains of the resulting classes without having to modify
> any code.
>
> 2. I feel like I should not have to do any of the things I have done!
> I realize this sounds silly, but if it were possible to label classes
> with a simple immutable opaque tag indicating their confinement, and
> the Policy could refer to this tag... I'd already be done. I would
> assume that setting a confinement label on a class would require
> security checks and that it could only be set once. This seems
> almost too good/simple an approach to be true - would it require
> an unlimited amount of bureaucracy to get something like this into
> the standard library? It obviously exists to support a specific use
> case, but I could see how the same approach could be used to provide
> a generalized sandbox for anything compiled to JVM bytecode running
> inside a scripting engine, for example.
>
> I'm open to flames and/or suggestions on better approaches.
>
> Mark
>
> --
>
> [0] Not essential for sandboxing, but essential for run-time
> configuration, because the default Policy is obviously loaded from a
> file on JVM startup, can't be easily/pleasantly updated, and likely
> references a policy file that contains system-specific defaults that
> I'd like to ignore!
>
>



More information about the security-dev mailing list