All geek questions in one place

What are the security risks that I must protect myself when I run the user supplied Java code?

Is there an exhaustive list of security issues with Java running Java code on the server? I'm already

  • using timeouts of 10 seconds
  • current code in a separate process with limited available memory
  • using SecurityMangager to prevent access to files and the IO network
  • running code under an account with extremely limited file system permissions

I run this on a FreeBSD server, if that matters.

+3
source share
2 answers

The question I asked myself is: "How much do I trust people, and how much do I trust that their code will not violate my system?" In general, my answer would not be many, and not as much as I could leave them. But, from my head, here are some things that I would like to protect from.

  • Infinite loops (timeout help)
  • I / O operations (attempts to read / write from / to directories to which they do not have access)
  • Privilege escalation code (limiting an account to run only in a specific context or with specific permissions is a huge plus)
  • Creating too many objects / deleting memory (limiting available memory and / or resources is a plus here)
  • Read / write from / to the socket and not freeing the resource
  • Waiting for input from STDIN, which can be problematic if the server is headless

There are many more reasons to be careful, so I will walk carefully. Protect each account and /home directory from each other as much as possible (a simple chmod 700 $HOME often does), and experiment with code that you consider a trick before deploying publicly. Once it’s convenient for you how well the server will delay, let others test your server and see how good it is.

+1
source

It seems like a very good start - the security manager is necessary for the sandbox of the whole set of other things that you do not explicitly mention (for example, prevent the user from disabling the security manager, of course, and be able to call arbitrary commands, or use native code or get the OS for exec files and etc.). I assume that you start with zero permissions and just provide explicit permissions.

A security manager cannot deal with denial of service due to overuse of resources, but your other controls are likely to address this (prevent network connections, use of a control disk, timeouts to prevent a processor from freezing - if that's what you mean my timeouts).

You say "extremely limited file system permissions" - I hope this also includes disk quotas? Do you use several untrusted processes and do they share disk space? Perhaps the problem with processing the files may be a problem (not sure how they are managed for a limited account).

Separate JVM vulnerabilities still exist, so the risk depends on what is still on the server and what are the real consequences of the problem (how bad is it if you need to erase the server?).

See also: Sandbox against malicious code in a Java application and Running external Java source code on a server - security and resource limitation?

+1
source

Source: https://habr.com/ru/post/910029/

More articles:


All Articles