restricted privileges for untrusted code called from trusted code

Discussion in 'Java' started by Tomas Mikula, Nov 21, 2009.

  1. Tomas Mikula

    Tomas Mikula Guest

    I can't figure out how to temporarily restrict code privileges. My code
    goes like this:

    // trusted code
    // untrusted code
    // trusted code

    I would like to run untrusted code with restricted privileges and then
    continue with full privileges again.

    Thanks in advance!

    My idea was to set a custom SecurityManager with System.setSecurityManager(s),
    but then I would not be able to restore the original one. My other idea was
    to use AccessController.doPrivileged(action, context), but I'm not able to
    get an instance of AccessControlContext with custom permissions, and
    AccessControlContext is final, so I can't implement my own.
     
    Tomas Mikula, Nov 21, 2009
    #1
    1. Advertising

  2. On 21 Lis, 05:55, Tomas Mikula <> wrote:
    > I can't figure out how to temporarily restrict code privileges. My code
    > goes like this:
    >
    > // trusted code
    > // untrusted code
    > // trusted code
    >
    > I would like to run untrusted code with restricted privileges and then
    > continue with full privileges again.
    >
    > Thanks in advance!
    >
    > My idea was to set a custom SecurityManager with System.setSecurityManager(s),
    > but then I would not be able to restore the original one. My other idea was
    > to use AccessController.doPrivileged(action, context), but I'm not able to
    > get an instance of AccessControlContext with custom permissions, and
    > AccessControlContext is final, so I can't implement my own.


    Hi
    Untrusted code is run with restricted privileges (those you
    configured) by default. There is nothing you need to do to untrusted
    code, its effective permission set is the intersection of all
    permission sets of its callers including its own. To regain permission
    when untrusted code is calling trusted code you should use privileged
    action - with (a) no additional context if trusted code has full-
    trust, or with (b) some context if you want to restrict permission of
    privileged code. So it may well be that you need no further work if
    (a) holds. If it does not you should, in my opinion, encapsulate the
    "calling of untrusted/trusted code" concept into separate class (or
    two coupled classes) which captures relevant security context from
    AccessController.getContext() when calling untrusted code from trusted
    code and then restores it (using doPrivileged) when being called in
    the untrusted->trusted direction. So it should really be an interface
    for untrusted code to call trusted code. If untrusted call may only
    call few trusted methods than you might not expose this interface to
    untrusted code explicitly but rather make these few trusted methods
    use it under the hood.
     
    Marcin Rzeźnicki, Nov 21, 2009
    #2
    1. Advertising

  3. Tomas Mikula

    Tomas Mikula Guest

    Re: restricted privileges for untrusted code called from trustedcode

    On Sat, 21 Nov 2009 09:52:24 +0000, Steven Simpson wrote:

    > Hi!
    >
    > Tomas Mikula wrote:
    >> I can't figure out how to temporarily restrict code privileges. My code
    >> goes like this:
    >>
    >> // trusted code
    >> // untrusted code
    >> // trusted code
    >>
    >>

    > In what way is the middle code untrusted? Are you invoking code unknown
    > at compile time, e.g. some sort of plug-in dynamically loaded from an
    > arbitrary location?


    The untrusted code is an interpreter of user's script. So the Java code is
    known at compile time, but the script it interprets is not. The script is
    intended for custom preprocessing of data. Currently, it may be XSLT
    (this should be safe without any additional restrictions) or JavaScript,
    but others may be added in the future. I have an interface

    interface Preprocessor {
    void preprocess(Reader, Writer);
    }

    and the implementing classes will be JavaScriptPreprocessor,
    XSLTPreprocessor, ... They will be part of my application (same JAR/WAR).
    I could have some SecurePreprocessor to wrap any other preprocessor and
    restrict permissions for this SecurePreprocessor (but I don't know how to
    do it).

    >> I would like to run untrusted code with restricted privileges and then
    >> continue with full privileges again.
    >>
    >>

    > A basic way is to run java with a static security policy, and grant
    > AllPermission only to your own code:
    >
    > # java.policy
    > grant codeBase "file:/place/where/my/code/is/stored/-" {
    > permission java.security.AllPermission;
    > };
    >
    > java -Djava.security.manager -Djava.security.policy=java.policy ...


    I see 2 problems for me:
    1. The untrusted code (interpreter) is in the same JAR as the trusted
    code. I would need per-class permissions (e.g. to restrict permissions of
    the SecurePreprocessor).
    2. The application will run in Tomcat. I don't have control over how
    Tomcat is launched.
     
    Tomas Mikula, Nov 21, 2009
    #3
  4. Tomas Mikula

    Tomas Mikula Guest

    Re: restricted privileges for untrusted code called from trustedcode

    On Sat, 21 Nov 2009 04:04:41 -0800, Marcin Rzeźnicki wrote:

    > Hi
    > Untrusted code is run with restricted privileges (those you configured)
    > by default.


    That is my problem - how to configure the privileges. See my reply to
    Steven Simpson's reply.

    Tomas
     
    Tomas Mikula, Nov 21, 2009
    #4
  5. On 21 Lis, 17:07, Tomas Mikula <> wrote:
    > On Sat, 21 Nov 2009 04:04:41 -0800, Marcin Rzeźnicki wrote:
    > > Hi
    > > Untrusted code is run with restricted privileges (those you configured)
    > > by default.

    >
    > That is my problem - how to configure the privileges. See my reply to
    > Steven Simpson's reply.
    >
    > Tomas


    If that's the problem you can implement your own Policy (http://
    java.sun.com/javase/6/docs/technotes/guides/security/spec/security-
    spec.doc3.html#27428)
     
    Marcin Rzeźnicki, Nov 21, 2009
    #5
  6. Tomas Mikula

    Tomas Mikula Guest

    Re: restricted privileges for untrusted code called from trustedcode

    On Sat, 21 Nov 2009 08:29:22 -0800, Marcin Rzeźnicki wrote:

    > On 21 Lis, 17:07, Tomas Mikula <> wrote:
    >> On Sat, 21 Nov 2009 04:04:41 -0800, Marcin Rzeźnicki wrote:
    >> > Hi
    >> > Untrusted code is run with restricted privileges (those you
    >> > configured) by default.

    >>
    >> That is my problem - how to configure the privileges. See my reply to
    >> Steven Simpson's reply.
    >>
    >> Tomas

    >
    > If that's the problem you can implement your own Policy (http://
    > java.sun.com/javase/6/docs/technotes/guides/security/spec/security-
    > spec.doc3.html#27428)


    The problem is that it doesn't allow me to specify permissions for a
    certain class in a JAR file, only for the JAR file as a whole.
     
    Tomas Mikula, Nov 21, 2009
    #6
  7. On 21 Lis, 19:56, Tomas Mikula <> wrote:
    > On Sat, 21 Nov 2009 08:29:22 -0800, Marcin Rzeźnicki wrote:
    > > On 21 Lis, 17:07, Tomas Mikula <> wrote:
    > >> On Sat, 21 Nov 2009 04:04:41 -0800, Marcin Rzeźnicki wrote:
    > >> > Hi
    > >> > Untrusted code is run with restricted privileges (those you
    > >> > configured) by default.

    >
    > >> That is my problem - how to configure the privileges. See my reply to
    > >> Steven Simpson's reply.

    >
    > >> Tomas

    >
    > > If that's the problem you can implement your own Policy (http://
    > > java.sun.com/javase/6/docs/technotes/guides/security/spec/security-
    > > spec.doc3.html#27428)

    >
    > The problem is that it doesn't allow me to specify permissions for a
    > certain class in a JAR file, only for the JAR file as a whole.


    I am not sure, I will have to take a look at my code, but did you try
    something like: jar:file:/a/path/to/jar!/path/to/class?
    If that does not work, what about changing your assumptions and
    placing classes in different jars?
     
    Marcin Rzeźnicki, Nov 22, 2009
    #7
  8. On Nov 21, 3:55 pm, Tomas Mikula <> wrote:
    > ..My idea was to set a custom SecurityManager with System.setSecurityManager(s),
    > but then I would not be able to restore the original one.


    Make 's' a bit less restrictive. See
    <http://forums.sun.com/thread.jspa?messageID=10773268#10773268>
    for simple (naive, easy to break) example.

    I think this has been said or implied by others,
    but it will be vital to ensure the plug-in code
    is in a different package to your own code.

    --
    Andrew T.
    pscode.org
     
    Andrew Thompson, Nov 22, 2009
    #8
  9. A basic way is to run java with a static security policy, and grant
    AllPermission only to your own code:

    # java.policy
    grant codeBase "file:/place/where/my/code/is/stored/-" {
    permission java.security.AllPermission;

    };

    java -Djava.security.manager -Djava.security.policy=java.policy ...

    When the untrusted code runs, the thread's call stack is tainted by
    unprivileged frames, which will prevent it from doing any system calls
    (basically, anything that calls AccessController.checkPermission).
    When
    control returns to your code, those unprivileged frames have been
    discarded, so you're back to AllPermission again.
     
    Teraposa Lunodas, Nov 24, 2009
    #9
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Jim Washington

    Sanitizing untrusted code for eval()

    Jim Washington, Aug 22, 2005, in forum: Python
    Replies:
    9
    Views:
    523
    Alan Kennedy
    Aug 23, 2005
  2. Thomas Dybdahl Ahle

    Untrusted python code

    Thomas Dybdahl Ahle, Sep 23, 2007, in forum: Python
    Replies:
    1
    Views:
    294
    Paul Rubin
    Sep 23, 2007
  3. Emanuele D'Arrigo

    Restricted Execution of untrusted code

    Emanuele D'Arrigo, Oct 30, 2008, in forum: Python
    Replies:
    7
    Views:
    293
    Emanuele D'Arrigo
    Nov 19, 2008
  4. Emanuele D'Arrigo

    Executing untrusted code

    Emanuele D'Arrigo, Aug 7, 2009, in forum: Python
    Replies:
    6
    Views:
    362
    Emanuele D'Arrigo
    Aug 20, 2009
  5. Ruben Fonseca

    Safe sandbox for running untrusted code

    Ruben Fonseca, Jun 2, 2008, in forum: Ruby
    Replies:
    6
    Views:
    137
    Siep Korteling
    Jun 3, 2008
Loading...

Share This Page