How to implement Java plugin security safely?


Question

I'm designing a system for loading, handling and supporting plugins in Java applications. One feature that I feel is absolutely crucial to this before it can ever be deployed is the ability to establish a secure environment where plugins are restricted to what they are allowed to do.

I've failed to understand how to use policy files programmatically without running the -Djava.security.manager argument at launch. So that's out for now.

My next idea was to override all the methods I cared about in SecurityManager in my own SecurityManager subclass and place restrictions on who could execute them.

The problem then arose that the only way to figure out who was asking this permission was through Thread ID checking. So, I devised a system where all plugin threads reside and can ONLY reside in the PluginThreads thread group.

That worked... until everything started blowing up. The problem is that some of the things being blocked are internal operations being executed by Sun's code.

So even the most basic operations such as opening a window would fail because my security manager was denying the access to Sun's code. There is no way around this using my method of Thread checking because Sun's code IS executing within the PluginThreads group.

So what I need to know is:

1) Is there possibly a way I could figure out the context within which the call is coming from using the current thread?

2) Is there a better method to doing this that I don't know about?

3) If that method involves policy files, how do you load them into your code?

4) Is there any other method you can think of to prevent Sun's internal Java code from being blocked?
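The attribution mechanism the question's thread-group check is missing, as an added example (not the questioner's code and not the answer's Joe-E recommendation): the SecurityManager decides from the ProtectionDomains on the call stack and the supplied AccessControlContext rather than from the thread, JDK code that needs a privilege wraps it in doPrivileged so it is not blocked merely because a plugin thread executes it, and a Policy can be installed from code without a policy file or -Djava.security.manager at launch. It assumes a JDK that still allows installing a SecurityManager at runtime (Java 8 to 17 directly; 18 to 23 need -Djava.security.manager=allow; Java 24 removes it), and the class, method and plugin location names are constructed for the demo.

```java
import java.net.URL;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.util.PropertyPermission;
public class PluginSandboxDemo {
    // Constructed marker for plugin code; a real loader would use the plugin jar's URL.
    static final String PLUGIN_LOCATION = "file:/plugins/untrusted.jar";
    // Policy installed from code: plugin domains get only the listed permissions, every other domain keeps full authority.
    static final class PluginPolicy extends Policy {
        private final Permissions pluginPerms = new Permissions();
        PluginPolicy() { pluginPerms.add(new PropertyPermission("java.version", "read")); }
        @Override public boolean implies(ProtectionDomain domain, Permission perm) {
            CodeSource cs = domain.getCodeSource();
            boolean isPlugin = cs != null && cs.getLocation() != null
                    && PLUGIN_LOCATION.equals(cs.getLocation().toExternalForm());
            return isPlugin ? pluginPerms.implies(perm) : true;
        }
    }
    // Runs an action with the plugin domain's authority: checkPermission intersects the domains on the
    // call stack with this context, so the decision depends on which code asks, not on which thread runs it.
    static <T> T runAsPlugin(PrivilegedAction<T> action) throws Exception {
        CodeSource cs = new CodeSource(new URL(PLUGIN_LOCATION), (Certificate[]) null);
        // Four-argument constructor gives a dynamic domain, so the installed Policy is consulted.
        ProtectionDomain pluginDomain = new ProtectionDomain(cs, null, null, null);
        AccessControlContext ctx = new AccessControlContext(new ProtectionDomain[] { pluginDomain });
        return AccessController.doPrivileged(action, ctx);
    }
    public static void main(String[] args) throws Exception {
        Policy.setPolicy(new PluginPolicy());             // load the policy programmatically
        System.setSecurityManager(new SecurityManager()); // then switch enforcement on
        // Granted to the plugin domain, so this succeeds.
        System.out.println("plugin reads java.version: " + runAsPlugin(() -> System.getProperty("java.version")));
        // Not granted to the plugin domain: AccessControlException, a SecurityException.
        try {
            runAsPlugin(() -> System.getProperty("user.home"));
        } catch (SecurityException e) {
            System.out.println("plugin denied: " + e.getMessage());
        }
        // The same call from application code on the same thread succeeds.
        System.out.println("app reads user.home: " + System.getProperty("user.home"));
    }
}
```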

Recommended answer

The SecurityManager is a horrible mess. Instead of iteratively granting more possibly abusable authority until it seems to work, you should consider requiring plugins be written in a subset of Java that allows you to soundly reason about what they can do.

Joe-E provides decomposable security. From http://lambda-the-ultimate.org/node/3830 :

We present Joe-E, a language designed to support the development of secure software systems. Joe-E is a subset of Java that makes it easier to architect and implement programs with strong security properties that can be checked during a security review. It enables programmers to apply the principle of least privilege to their programs; implement application-specific reference monitors that cannot be bypassed; introduce and use domain-specific security abstractions; safely execute and interact with untrusted code; and build secure, extensible systems. Joe-E demonstrates how it is possible to achieve the strong security properties of an object-capability language while retaining the features and feel of a mainstream object-oriented language...
