SecurityManager for a cloud service “sandbox”

Published 2020-07-10 03:31

Question:

All,

I'm working on the design of a cloud-based service that will provide the option to execute some "plugin" code submitted by clients. In order to make this work it is essential that the plugins can't threaten system integrity or have any ability to access the data of other clients.

Ideally I'd like it to be possible for clients to submit a simple jar file (containing a class conforming to some pre-defined interface) which would then be run within a sandbox.

The client code should be allowed to:

  • Take as much CPU time as it needs on a single thread
  • Perform any calculations using standard java classes (e.g. java.lang.Math, java.util.Random etc.)
  • Call any libraries bundled in the jar (but which must be subject to the same restrictions)

But I would specifically need to disallow the following:

  • Spawning new threads (so that server resource can be fairly managed!)
  • Any access to the file system / IO / network
  • Any access to native code
  • Any access to data in the JVM other than that passed to / created by the client code
  • Any access to reflection on classes other than those in the .jar sandbox
  • Any ability to call methods on objects outside the sandbox, other than the standard Java libraries

Is it possible to achieve this with a custom ClassLoader / SecurityManager setup? Or will I need to start looking for a more sophisticated solution (e.g. launching multiple JVMs?)

Answer 1:

Managing resources and limiting resources is not possible in Java. You can prevent malicious code from accessing system resources (disk/network and so on) or the JVM itself but: ...

Spawning new threads (so that server resource can be fairly managed!)

  • If I wanna be malicious I am gonna do all my code in the finalizer thread and just block the VM. Same doing protected void finalize(){synchronized(Thread.class) {for(;;) LockSupport.park();}} bye-bye new threads.
  • Eating all the memory, eating all direct memory and so on.
  • Accessing zip files in my own jar, and expect 'em getting moved away, so the JVM crashes (due to bug(s) in zlib)

If one purposely wants to deny resources, it is just not a feasible task to try and catch the hacker. You'd need to know what to search for and dynamically check/enhance the classes on run-time to disallow the behavior.

Any ability to call methods on objects outside the sandbox, other than the standard Java libraries

What are the standard libraries? Do you know if/when they must possibly execute some code in a privileged method?


Each customer - separate VM w/ full restrictions, process affinity/priority, incl max memory/stack and so on.



Answer 2:

I think everything you want to achieve can be done through a custom SecurityManager. In fact it's pretty simple, you just create a class that extends SecurityManager, implement the two checkPermission(..) methods and in the first iteration just throw a SecurityException for everything that comes in (and log what you just denied). Then you allow specific operations until you find yourself in the situation that it's possible to create useful plugins and let your clients play with it. They will complain. Then you have to judge whether to allow them to do whatever they requested or if you want to stick with your rules. Here the difficult part begins...
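
The deny-and-log starting point described in this answer, as an added example (not code from the answer or the question). It goes slightly beyond the answer: checks apply only when a plugin class is on the call stack, so the host service keeps working, and checkAccess(ThreadGroup) is overridden because the default implementation only checks the system thread group. The class name PluginSecurityManager, the pluginLoader field and the sample permissions are assumptions made for illustration.

```java
import java.io.FilePermission;
import java.security.Permission;
import java.util.ArrayList;
import java.util.List;
import java.util.PropertyPermission;

// Added example (hypothetical names): deny-by-default manager scoped to plugin code.
public class PluginSecurityManager extends SecurityManager {
    private final ClassLoader pluginLoader;                    // loader that defined the plugin classes (assumption)
    private final List<Permission> allowed = new ArrayList<>(); // grows as specific operations are approved
    private final List<String> denied = new ArrayList<>();      // in-memory log; file logging here could re-enter the check

    public PluginSecurityManager(ClassLoader pluginLoader) { this.pluginLoader = pluginLoader; }
    public PluginSecurityManager allow(Permission p) { allowed.add(p); return this; }
    public List<String> denied() { return denied; }

    // True when any frame on the current stack belongs to a class defined by the plugin loader.
    private boolean pluginOnStack() {
        for (Class<?> c : getClassContext()) {
            if (c.getClassLoader() == pluginLoader) return true;
        }
        return false;
    }

    @Override
    public void checkPermission(Permission perm) {
        if (!pluginOnStack()) return;                          // host-only call chain: not restricted here
        for (Permission a : allowed) if (a.implies(perm)) return;
        denied.add(perm.toString());
        throw new SecurityException("plugin denied: " + perm);
    }

    @Override
    public void checkPermission(Permission perm, Object context) { checkPermission(perm); }

    // Route every thread-group check through checkPermission so plugin code cannot start threads.
    @Override
    public void checkAccess(ThreadGroup g) { checkPermission(new RuntimePermission("modifyThreadGroup")); }

    public static void main(String[] args) {
        // Demo only: this class's own loader stands in for the plugin loader; requests are constructed samples.
        PluginSecurityManager sm = new PluginSecurityManager(PluginSecurityManager.class.getClassLoader())
                .allow(new PropertyPermission("line.separator", "read"));
        Permission[] requests = { new PropertyPermission("line.separator", "read"),
                new FilePermission("/tmp/other-client-data", "read"),
                new RuntimePermission("setSecurityManager"), new RuntimePermission("modifyThreadGroup") };
        for (Permission p : requests) {
            try { sm.checkPermission(p); System.out.println("ALLOW " + p); }
            catch (SecurityException e) { System.out.println("DENY  " + p); }
        }
    }
}
```

The demo calls the checks directly instead of installing the manager with System.setSecurityManager. SecurityManager has been deprecated for removal since Java 17 (JEP 411), and a permission check like this does nothing about the CPU, memory and finalizer-thread exhaustion raised in Answer 1.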