SecurityManager for a cloud service "sandbox"


Question


All,

I'm working on the design of a cloud-based service that will provide the option to execute some "plugin" code submitted by clients. In order to make this work it is essential that the plugins can't threaten system integrity or have any ability to access the data of other clients.

Ideally I'd like it to be possible for clients to submit a simple jar file (containing a class conforming to some pre-defined interface) which would then be run within a sandbox.

The client code should be allowed to:

  • Take as much CPU time as it needs on a single thread
  • Perform any calculations using standard java classes (e.g. java.lang.Math, java.util.Random etc.)
  • Call any libraries bundled in the jar (but which must be subject to the same restrictions)

But I would specifically need to disallow the following:

  • Spawning new threads (so that server resource can be fairly managed!)
  • Any access to the file system / IO / network
  • Any access to native code
  • Any access to data in the JVM other than that passed to / created by the client code
  • Any access to reflection on classes other than those in the .jar sandbox
  • Any ability to call methods on objects outside the sandbox, other than the standard Java libraries

Is it possible to achieve this with a custom ClassLoader / SecurityManager setup? Or will I need to start looking for a more sophisticated solution (e.g. launching multiple JVMs?)

Solution

Managing and limiting resources is not possible in Java. You can prevent malicious code from accessing system resources (disk/network and so on) or the JVM itself, but: ...

Spawning new threads (so that server resource can be fairly managed!)

  • If I want to be malicious I am going to do all my code in the finalizer thread and just block the VM. Same with protected void finalize() { synchronized (Thread.class) { for (;;) LockSupport.park(); } }, bye-bye new threads.
  • Eating all the memory, eating all direct memory and so on.
  • Accessing zip files in my own jar, and expecting them to get moved away, so the JVM crashes (due to bug(s) in zlib)

If one purposely wants to deny resources, it is just not a feasible task to try and catch the hacker. You'd need to know what to search for and dynamically check/enhance the classes at run time to disallow the behavior.

Any ability to call methods on objects outside the sandbox, other than the standard Java libraries

What are the standard libraries? Do you know if/when they must possibly execute some code in a privileged method?


Each customer - separate VM w/ full restrictions, process affinity/priority, incl max memory/stack and so on.
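The following is an added example, not code from the question or the answer above: the custom ClassLoader / SecurityManager setup the question asks about, in the minimal form that covers its "disallow" list (file system, network, native code, non-public reflection, new threads) and leaves CPU time on the calling thread unlimited. It assumes the plugin jar's entry class implements java.util.concurrent.Callable<Object> as the "pre-defined interface", and the class and file names are placeholders. It is written for JDK 11 to 23: SecurityManager is deprecated for removal since JDK 17 (JEP 411), JDK 18 and later need -Djava.security.manager=allow before System.setSecurityManager works, and JDK 24 (JEP 486) disables it permanently.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.file.Path;
import java.security.Permission;
import java.util.concurrent.Callable;

/**
 * Minimal plugin sandbox: one URLClassLoader per submitted jar, plus a
 * SecurityManager that rejects every permission check and every thread
 * creation whenever a class from that loader is on the call stack.
 * Host code (loaded by the application class loader) stays unrestricted.
 *
 * Assumption (not from the page): the plugin's entry class implements
 * java.util.concurrent.Callable<Object> as the "pre-defined interface".
 */
public final class PluginSandbox {

    /** Dedicated loader for the customer's jar; its identity tags sandbox frames. */
    static final class PluginLoader extends URLClassLoader {
        PluginLoader(URL jar, ClassLoader parent) {
            super(new URL[] { jar }, parent);
        }
    }

    static final class PluginSecurityManager extends SecurityManager {
        private final ClassLoader sandbox;

        PluginSecurityManager(ClassLoader sandbox) {
            this.sandbox = sandbox;
        }

        /** True if any frame of the current stack was loaded by the plugin loader. */
        private boolean sandboxOnStack() {
            for (Class<?> c : getClassContext()) {
                if (c.getClassLoader() == sandbox) {
                    return true;
                }
            }
            return false;
        }

        /**
         * File, socket, native-library loading, reflection (setAccessible and
         * non-public member access), System.exit and setSecurityManager all
         * arrive here as Permission objects. Plugin frames get nothing.
         */
        @Override
        public void checkPermission(Permission perm) {
            if (sandboxOnStack()) {
                throw new SecurityException("sandbox denied: " + perm);
            }
        }

        @Override
        public void checkPermission(Permission perm, Object context) {
            checkPermission(perm);
        }

        /** The Thread constructor calls ThreadGroup.checkAccess(), which lands here. */
        @Override
        public void checkAccess(ThreadGroup g) {
            if (sandboxOnStack()) {
                throw new SecurityException("sandbox denied: new thread in group " + g.getName());
            }
        }
    }

    /** Loads the entry class from the jar and runs it under the manager. */
    public static Object runPlugin(Path jar, String entryClass) throws Exception {
        PluginLoader loader = new PluginLoader(jar.toUri().toURL(),
                                               PluginSandbox.class.getClassLoader());
        // Arm the manager before the plugin's static initialiser or constructor
        // can run; the jar itself is still readable because only host frames are
        // on the stack when the loader opens it.
        System.setSecurityManager(new PluginSecurityManager(loader));
        try {
            Callable<?> plugin = (Callable<?>) loader.loadClass(entryClass)
                    .getDeclaredConstructor().newInstance();
            return plugin.call();   // CPU time on this thread is deliberately unlimited
        } finally {
            System.setSecurityManager(null);   // allowed for host frames, denied for plugin frames
        }
    }

    public static void main(String[] args) throws Exception {
        // e.g. java -Djava.security.manager=allow PluginSandbox plugin.jar com.example.Plugin
        System.out.println("plugin returned: " + runPlugin(Path.of(args[0]), args[1]));
    }
}
```

This covers only what the JVM routes through a permission check. Reflection on public members is never checked by a SecurityManager, unbounded memory and direct-buffer allocation are not checked, and the finalizer trick from the answer runs on the JVM's own Finalizer thread with no plugin frame on the stack when it is scheduled, so none of those are stopped here. A production version would also keep a single manager that recognises every customer's loader instead of installing one per call, and the answer's recommendation of a separate JVM per customer is what actually bounds resource use.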
