Java Secure SandBox (Javass) for openjdk 7
Description:
Since the security manager wasn't cutting it for me. I decided to
create new features to the core of Java. One of the new features is the
ability to lock down the application to a specific path. Now I know you are
probably thinking that a security manager can do this as well, and the answer
is yes and no. While the security manager can stop people from reading or
writing to specific paths. It cannot change the path or overwrite the path.
Also it cannot control the storage within a given path or limit the number of
directories or the number of files that can be created. Javass can give you
control over how much storage an application can use, or how many files
or directories can be created, just by simply changing a property file.
Also I wanted the ability to control the network traffic. Yes I also know
that a security manager can control a socket as far as who connects, but it
does not have the capability to control the speed in which the traffic comes
in or out. Javass lets you control the number of bytes per second coming in
and out. This can be on a socket basis or based on all sockets coming in or
out. Get a security manager to do that!
Now you can still install and use a security manager just like you did
in the past. Javass runs with a security manager if need be. But for most of
us that don't want to write or maintain security managers. Then all you
have to do is edit a property file to use Javass. Below is a full list of
Javass's features.
Features:
- Overwrite and lock users to a specific base path
- All temporary files will be created in the base path if
java.io.tmpdir is not overridden.
- You can limit the amount of storage being used for a path or file
- You can make the base path read only or read/write.
- limit the number of files and directories created with in a path.
- allow or deny whether libraries can be loaded from a path.
- allow or deny whether native methods can be used from a path.
- You can have multiple paths to allow users to read or write to with
different limiting storage and or # or files and directories.
- limit the number of threads and thread priority.
- limit the maximum # of windows being created.
- allow or deny hosts and ports being used.
- allow or deny execution of runtime process.
- limit the socket bandwidth traffic both in and out (bytes per
second)
- Allow threads to have different paths, or to lock every new thread
with certain paths.
- Allow users to configure paths using a key
Install:
In order to install the Javass patch, you need to acquire the openjdk 7
source code. Once you have the source code, and you are in the openjdk source
directory. Then type in
patch -p0 < /path/to/openjdk_7_b24.patch
Next you can use the build script that I packaged with this patch, or use your
own. If you do decide to use my build script, then remember to change the
BASESOURCE variable to your openjdk source path, and you might need to change
the BASEARCHJDK. Once you have built the jdk, then you should have a build
directory and inside this build directory you should see a lib directory.
You could either copy or link this directory to your current running openjdk 7.
Basically I renamed my original lib in my jre
mv $JAVA_HOME/jre/lib $JAVA_HOME/jre/lib.orig
Then I linked:
ln -s /your/path/to/the/new/openjdk/build/arch/lib $JAVA_HOME/jre/lib
Or you could create a new directory and copy all the files.
mkdir $JAVA_HOME/jre/lib
cp -dpR /your/path/to/the/new/openjdk/build/arch/lib $JAVA_HOME/jre/lib
Configuration:
To configure a Javass property file, you can start with the one of the
provided examples. The following is a list of supported parameters:
ConfigErrors= Flag - Stop on path errors.
MaxThreads= int - Maximum # of threads allowed
MaxPriority= int - Maximum thread priority allowed for all threads
PathsPerThread= Flag - When set to true each thread will take on at start
all the AllowedFileX, AllowedPathX, and BasePath data. Then
it is up to the users application to change the path data,
using the Thread.setName(""). The name will no change the
if the data passed to setName is in the Javass format.
AllowAllPaths= Flag - If set then all Paths can be added. If not set,
then all paths must be equals to one of the initial paths
from start (AllowedPathX, AllowedFileX, or BasePath).
PathKey= String - A key that is used in conjuction with PathsPerThread
The key is the first parameter when passing path information
to a thread using setName("key,a,path,rw,900k,1,0");
MaxWindows= int - Maximum # of windows that can be created
AllowExecute= Flag - Allow applications to execute system commands
AllowExit= Flag - Allow applications to exit.
AllowNetworking= Flag - Basically allow or deny networking
InputSpeed= int - Maximum speed for input traffic (bytes per second)
LimitAllInput= Flag - All input traffic will be limited to the in speed
OutputSpeed= int - Maximum speed for output traffic (bytes per second)
LimitAllOutput= Flag - All output traffic will be limited to the out speed
DenyAllInHost= Flag - Deny all host traffic in (default deny all in)
DenyAllOutHost= Flag - Deny all host traffic out (default deny all out)
AllowHostIn(X)= String - Allow host:port in (You don't need the port)
AllowHostOut(X)= String - Allow host:port out (You don't need the port)
DenyHostIn(X)= String - Deny host:port in (You don't need the port)
DenyHostOut(X)= String - Deny host:port out (You don't need the port)
AllowedPath(X)= String - By using AllowedPathX, then the application can
use the specified path, with the permissions you setup.
AllowedFile(X)= String - similar to AllowedPath(X).
BasePath= String - The is the lock down directory where all paths that
don't fall under AllowedPathX, will be placed in here.
Note if the BasePath is not defined, then there is no
restrictions on the file system.
Both AllowedPathX and BasePath use the same parameters on the end. If you want
to create a BasePath that can read and write upto 10 meg, and don't allow
library and native methods to be used would like like:
BasePath=/home/sgodsell/javalockpath,1,10,0,0
You can specify the storage space in kilo bytes as well, just use the letter k
at the end of your storage requirements. To allow a directory to be read with
no write privledges, but allow libraries and native methods would look like:
AllowedPath0=/home/sgodsell/trustedlibs,0,0,1,1
Running:
To run and test your settings type in the following:
java -DJavass=/path/to/your.properties -jar yourapplication.jar
I have tested Javass with a number of applications, including tomcat.
One thing should be noted here, and that is when using a BasePath, then you
should be inside the BasePath directory when running your application. Also
if you have links to a path, then you should use an absolute path as well in
your properties file. In other words use another AllowedPathX with the
absolute path, so you should have 2 paths for the one path you are concerned
with. An example would be a path /opt/tomcat which is linked to
/opt/apache-tomcat-6.0.14. So you would have 2 directives in the properties
file. If your application uses temp files, then the files will be created in
BasePath/tmp directory. Only if the BasePath is writable, otherwise temporary
files will not be created. If your application needs temporary files and you
BasePath is not writable, then you could add an AllowedPathX line to /tmp path,
or add an AllowedPathX to the BasePath/tmp with writable permissions.
The rest of which you can try out, and play with yourself. ;-)
Security:
With Javass in place, you can run any application without any worries.
As soon as you use a BasePath, then you know the application cannot write or
read to any file. An application can access any file from the tree of
BasePath as well as any defined AllowedFileX or AllowedPathX. So any
application can run in a safe defined user environment. The application
doesn't have to be signed in order to be secure. In fact you can run any
application even if you are not sure what it does.
My Notes:
In the future I was thinking of maybe adapting this to a browsers
plugin. So plain old jars could run. But not only that, an applet or jar
doesn't have to be signed, because with Javass in place, you don't have to
worry about an application getting out of the sand box, and writing or reading
to any file you don't want accessed.
Good luck and have fun! Who knows maybe Sun will put these enhancements in the
openjdk permanently.
Sean Godsell
Download Latest Version
openjdk_7_b47_src.zip (138.2 kB)
