All,
I'm working on the design of a cloud-based service that will provide the option to execute some "plugin" code submitted by clients. In order to make this work it is essential that the plugins can't threaten system integrity or have any ability to access the data of other clients.
Ideally I'd like it to be possible for clients to submit a simple jar file (containing a class conforming to some pre-defined interface) which would then be run within a sandbox.
The client code should be allowed to:
- Take as much CPU time as it needs on a single thread
- Perform any calculations using standard java classes (e.g. java.lang.Math, java.util.Random etc.)
- Call any libraries bundled in the jar (but which must be subject to the same restrictions)
But I would specifically need to disallow the following:
- Spawning new threads (so that server resource can be fairly managed!)
- Any access to the file system / IO / network
- Any access to native code
- Any access to data in the JVM other than that passed to / created by the client code
- Any access to reflection on classes other than those in the .jar sandbox
- Any ability to call methods on objects outside the sandbox, other than the standard Java libraries
Is it be possible to achieve this with a custom ClassLoader / SecurityManager setup? Or will I need to start looking for a more sophisticated solution (e.g. launching multiple JVMs?)
Managing resource and limiting resources is not possible in java. You can prevent malicious code to access system resources (disk/network and so) or the JVM itself but:
...
Spawning new threads (so that server resource can be fairly managed!)
- If i wanna be malicious I am gonna do all my code in the finalizer thread and just block the VM. Same doing
protected void finalize(synchronized(Thread.class) {for(;;) LockSupport.park();}}
bye-bye new threads.
- Eating all the memory, eating all direct memory and so on.
- Accessing zip files in my own jar, and expect 'em getting moved away, so the JVM crashes (due to bug(s) in zlib)
If one purposely wants to deny resources, it is just not a feasible task to try and catch the hacker. You'd need to know what to search for and dynamically check/enhance the classes on run-time to disallow the behavior.
Any ability to call methods on objects outside the sandbox, other than the standard Java libraries
What are the standard libraries? Do you know if/when they must possibly execute some code in a privileged method.
Each customer - separate VM w/ full restrictions, process affinity/priority, incl max memory/stack and so on.
I think everything you want to achieve can be done through a custom SecurityManager
. In fact it's pretty simple, you just create a class that extends SecurityManager
, implement the two checkPermission(..)
methods and in the first iteration just throw an SecurityException
for everything that comes in (and log what you just denied). Then you allow specific operations until you find yourself in the situation that it's possible to create useful plugins and let your clients play with it. They will complain. Then you have to judge whether to allow them to do whatever they requested or if you want to stick with your rules. Here the difficult part begins...