tag:blogger.com,1999:blog-9162692450121869291.post8364813598985053242..comments2010-04-28T07:53:54.315-07:00Comments on Infrequently updated blog!: Simple JVM sandboxingCalumhttp://www.blogger.com/profile/10640889759221203494noreply@blogger.comBlogger19125tag:blogger.com,1999:blog-9162692450121869291.post-40458375745332970052009-11-09T05:25:26.291-08:002009-11-09T05:25:26.291-08:00It seems like so little work to construct that I&#...It seems like so little work to construct that I'm almost loathe to make it a project, if I'm honest Annie. The other issue I found was that different language interpreters require different "basic" sets of permissions.<br /><br />More than anything though, my hands re: open source hackery are pretty tied by my employer. There's a "process", you see.Calumhttps://www.blogger.com/profile/10640889759221203494noreply@blogger.comtag:blogger.com,1999:blog-9162692450121869291.post-4357057500327145032009-11-06T16:52:30.312-08:002009-11-06T16:52:30.312-08:00Hey, I'm trying to do almost the same thing fo...Hey, I'm trying to do almost the same thing for Clojure. It sounds like this almost might be a good opensource project, a nice canned sandbox, insert your interpreter here. If you decide to do this I'm annie66us at that yodeling companyAnniehttps://www.blogger.com/profile/07129175854923107447noreply@blogger.comtag:blogger.com,1999:blog-9162692450121869291.post-83871743440527031542009-10-19T05:21:43.640-07:002009-10-19T05:21:43.640-07:00Actually, to append to this, I believe you can use...Actually, to append to this, I believe you can use ThreadGroups to impede thread creation. I just read the docs wrongly when I looked into them. Oh well!Calumhttps://www.blogger.com/profile/10640889759221203494noreply@blogger.comtag:blogger.com,1999:blog-9162692450121869291.post-60760404920131625962009-08-10T01:52:48.430-07:002009-08-10T01:52:48.430-07:00CyberQat: I'm glad this was useful to you, but...CyberQat: I'm glad this was useful to you, but please bear in mind that you cannot use the SecurityManager API to stop people spawning threads (I don't know why this option isn't there but that's the case). If someone keeps spawning threads it will result in something like a DOS attack and can slow the machine down, although eventually it'll all collapse with an OutOfMemoryError (this is thrown when you run out of threads, not sure why it's not got its own exception).<br /><br />In general, in any case, be weary of people spawning threads.Calumhttps://www.blogger.com/profile/10640889759221203494noreply@blogger.comtag:blogger.com,1999:blog-9162692450121869291.post-42327594763095558942009-08-07T13:55:31.111-07:002009-08-07T13:55:31.111-07:00This was VERY helpful, thank you.
Im also working...This was VERY helpful, thank you.<br /><br />Im also working on an app that has to run sandboxed script code and Id prefer it be in an arbitrary script engine.<br /><br />I've been beating my head against the problem for a few days, but learned a few things here I didnt realize before that should help alot!Anonymoushttps://www.blogger.com/profile/01602248161038082454noreply@blogger.comtag:blogger.com,1999:blog-9162692450121869291.post-2567381458572237192008-06-30T10:53:00.000-07:002008-06-30T10:53:00.000-07:00I believe this is quite true, yes. I'm not convinc...I believe this is quite true, yes. I'm not convinced that the "null" protection domain is considered trusted, however, I think those finalizers may be run with no permissions at all. Which is quite possibly not desired in itself.Calumhttps://www.blogger.com/profile/10640889759221203494noreply@blogger.comtag:blogger.com,1999:blog-9162692450121869291.post-9746117896132529612008-06-30T05:17:00.000-07:002008-06-30T05:17:00.000-07:00jeff, the correct way to load bytecode that is no ...jeff, the correct way to load bytecode that is no to be trusted is to give it an untrusted protecton domain when it is loaded. So, untrusted bytecode getting around the technique presented in this weblog entry is clearly not a vulnerability.<BR/><BR/>As an example of how code might escape, finalizers will be execute ina finalizer thread. This is a different thread and hence the doPivileged will not be on the stack. The permissions in effect will just be the intersection of the protection domains on the finalizer stack. So if the protection domain is not set for the untrusted bytecode, you will in effect be trusting it.Unknownhttps://www.blogger.com/profile/12211337895721178194noreply@blogger.comtag:blogger.com,1999:blog-9162692450121869291.post-90692286772447892632008-06-26T17:16:00.000-07:002008-06-26T17:16:00.000-07:00Not as far as I'm aware, but remember the code I'm...Not as far as I'm aware, but remember the code I'm sanboxing assumes that null is an "unknown" domain — there's any number of reasons why null might be trusted by default. It seem silly to me, but still.Calumhttps://www.blogger.com/profile/10640889759221203494noreply@blogger.comtag:blogger.com,1999:blog-9162692450121869291.post-29656467936773902202008-06-26T11:59:00.000-07:002008-06-26T11:59:00.000-07:00So...are there KNOWN unpatched security vulnerabil...So...are there KNOWN unpatched security vulnerabilities in the sun JVM (on platform xyz) that can allow 'escape' of untusted code?jeffhttps://www.blogger.com/profile/00022685831114372972noreply@blogger.comtag:blogger.com,1999:blog-9162692450121869291.post-47475051428872260792008-06-26T10:11:00.000-07:002008-06-26T10:11:00.000-07:00I think that might've been the implication, jeff. ...I think that might've been the implication, jeff. It might've bytecode derived from non-Java sources, of course.Calumhttps://www.blogger.com/profile/10640889759221203494noreply@blogger.comtag:blogger.com,1999:blog-9162692450121869291.post-40466406854697975182008-06-26T08:04:00.000-07:002008-06-26T08:04:00.000-07:00"However, in general untrusted bytecode can escape..."However, in general untrusted bytecode can escape" <BR/><BR/>Hmmm...what is being implied here? That untrusted bytecode can escape or 'take over' the VM and execute arbitrary code?jeffhttps://www.blogger.com/profile/00022685831114372972noreply@blogger.comtag:blogger.com,1999:blog-9162692450121869291.post-44531029617006776432008-06-26T05:33:00.000-07:002008-06-26T05:33:00.000-07:00Alrighty Ricky, I'll look into whacking it up ther...Alrighty Ricky, I'll look into whacking it up there at some point, tomorrow is the earliest likely time though!Calumhttps://www.blogger.com/profile/10640889759221203494noreply@blogger.comtag:blogger.com,1999:blog-9162692450121869291.post-2623446556539374572008-06-26T02:18:00.000-07:002008-06-26T02:18:00.000-07:00Calum: How about #scala on freenode? I'm 'mapredu...Calum: How about #scala on freenode? I'm 'mapreduce' there, if you want to mention it to me when it's there.Ricky Clarksonhttps://www.blogger.com/profile/13845104548520132930noreply@blogger.comtag:blogger.com,1999:blog-9162692450121869291.post-31668309247363655982008-06-26T01:50:00.000-07:002008-06-26T01:50:00.000-07:00Interesting, Tom! Part of the reason I posted this...Interesting, Tom! Part of the reason I posted this article was to see if my approach had flaws that people could enlighten me to, since I'm really not completely familiar with the intricacies of the Java security model. Could you elaborate a little on the specific problems here, I'm very interested :)<BR/><BR/>For what it's worth there are problems with this approach even the way I'm using it; most of the interpreters (unless you instantiate them more directly, i.e. not through the javax.script mechanism) require the createClassLoader RuntimePermission, which is a pretty risky one in general; it's not great.Calumhttps://www.blogger.com/profile/10640889759221203494noreply@blogger.comtag:blogger.com,1999:blog-9162692450121869291.post-52299487987415746892008-06-26T00:26:00.000-07:002008-06-26T00:26:00.000-07:00That's a very useful technique. However, in genera...That's a very useful technique. However, in general untrusted bytecode can escape. Bytecode really needs an appropriate protection domain set when loaded. Interpreters are more difficult.Unknownhttps://www.blogger.com/profile/12211337895721178194noreply@blogger.comtag:blogger.com,1999:blog-9162692450121869291.post-36787249674031666132008-06-25T11:35:00.000-07:002008-06-25T11:35:00.000-07:00I tend not to run it persistently, it's still very...I tend not to run it persistently, it's still very much under development. If you like I can drop it into a channel for a while, though.Calumhttps://www.blogger.com/profile/10640889759221203494noreply@blogger.comtag:blogger.com,1999:blog-9162692450121869291.post-22180056498745815682008-06-25T10:21:00.000-07:002008-06-25T10:21:00.000-07:00I'd like to try out your bot. Which network and c...I'd like to try out your bot. Which network and channel can I find it on?Ricky Clarksonhttps://www.blogger.com/profile/13845104548520132930noreply@blogger.comtag:blogger.com,1999:blog-9162692450121869291.post-90307742535867550222008-06-23T12:06:00.000-07:002008-06-23T12:06:00.000-07:00Thanks :)Thanks :)Calumhttps://www.blogger.com/profile/10640889759221203494noreply@blogger.comtag:blogger.com,1999:blog-9162692450121869291.post-16346272220957468052008-06-22T21:46:00.000-07:002008-06-22T21:46:00.000-07:00Nice blog, it will help for sure.Nice blog, it will help for sure.Vaibhav Choudharyhttps://www.blogger.com/profile/11145353943937580111noreply@blogger.com