SecurityManager for a cloud service "sandbox"


Question


All,

I'm working on the design of a cloud-based service that will provide the option to execute some "plugin" code submitted by clients. In order to make this work it is essential that the plugins can't threaten system integrity or have any ability to access the data of other clients.

Ideally I'd like it to be possible for clients to submit a simple jar file (containing a class conforming to some pre-defined interface) which would then be run within a sandbox.

The client code should be allowed to:

  • Take as much CPU time as it needs on a single thread
  • Perform any calculations using standard java classes (e.g. java.lang.Math, java.util.Random etc.)
  • Call any libraries bundled in the jar (but which must be subject to the same restrictions)

But I would specifically need to disallow the following:

  • Spawning new threads (so that server resources can be fairly managed!)
  • Any access to the file system / IO / network
  • Any access to native code
  • Any access to data in the JVM other than that passed to / created by the client code
  • Any access to reflection on classes other than those in the .jar sandbox
  • Any ability to call methods on objects outside the sandbox, other than the standard Java libraries

Is it possible to achieve this with a custom ClassLoader / SecurityManager setup? Or will I need to start looking for a more sophisticated solution (e.g. launching multiple JVMs?)
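The setup the question sketches, as an added example that is not part of the original post: a URLClassLoader whose parent is the platform loader (so the plugin sees the JDK but not the host's classes) plus a SecurityManager that refuses file, socket, reflection, runtime and thread-creation requests whenever a plugin-defined class is on the call stack. The plugin interface (a class implementing java.util.function.Function<String,String>), the 5-second budget and the command-line usage are assumptions for the example. SecurityManager was deprecated for removal in Java 17 (JEP 411) and is permanently disabled from Java 24 (JEP 486); on Java 18 to 23 this only runs with -Djava.security.manager=allow.

```java
import java.io.FilePermission;
import java.lang.reflect.ReflectPermission;
import java.net.SocketPermission;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.file.Path;
import java.security.Permission;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.function.Function;

// Example code, not from the original post. Assumed plugin contract: one class in the jar
// implementing Function<String, String> with a public no-arg constructor.
public final class PluginSandbox {

    /** Denies what the question lists whenever a class defined by the plugin loader is on the stack. */
    static final class PluginSecurityManager extends SecurityManager {
        private final ClassLoader pluginLoader;
        private final String jarPath;   // the plugin jar itself must stay readable for lazy class loading

        PluginSecurityManager(ClassLoader pluginLoader, Path jar) {
            this.pluginLoader = pluginLoader;
            this.jarPath = jar.toAbsolutePath().toString();   // assumption: compared as a plain string
        }

        /** True if any frame of the calling thread's stack belongs to a plugin-loaded class. */
        private boolean pluginOnStack() {
            for (Class<?> c : getClassContext()) {
                if (c.getClassLoader() == pluginLoader) return true;
            }
            return false;
        }

        @Override
        public void checkPermission(Permission perm) {
            if (!pluginOnStack()) return;                        // host code keeps full privileges
            if (perm instanceof FilePermission
                    && perm.getActions().equals("read")
                    && perm.getName().equals(jarPath)) return;    // reading its own jar is fine
            if (perm instanceof FilePermission                   // file system / IO
                    || perm instanceof SocketPermission          // network
                    || perm instanceof ReflectPermission         // setAccessible and friends
                    || perm instanceof RuntimePermission) {      // loadLibrary, createClassLoader, exitVM, accessDeclaredMembers, ...
                throw new SecurityException("plugin denied: " + perm);
            }
        }

        @Override
        public void checkPermission(Permission perm, Object context) { checkPermission(perm); }

        /** Thread's constructor calls checkAccess(ThreadGroup): refuse new threads from plugin code. */
        @Override
        public void checkAccess(ThreadGroup g) {
            if (pluginOnStack()) throw new SecurityException("plugin denied: new Thread");
        }
    }

    /** Loads className from jar and runs it on a single worker thread under the manager. */
    public static String run(Path jar, String className, String input, long timeoutSeconds) throws Exception {
        // Parent is the platform loader: the plugin can resolve JDK classes, not the host's.
        URLClassLoader loader = new URLClassLoader(
                new URL[] { jar.toUri().toURL() }, ClassLoader.getPlatformClassLoader());
        ExecutorService worker = Executors.newSingleThreadExecutor();
        System.setSecurityManager(new PluginSecurityManager(loader, jar));
        try {
            Future<String> result = worker.submit(() -> {
                @SuppressWarnings("unchecked")
                Function<String, String> plugin = (Function<String, String>)
                        loader.loadClass(className).getDeclaredConstructor().newInstance();
                return plugin.apply(input);              // plugin code is on the stack from here on
            });
            return result.get(timeoutSeconds, TimeUnit.SECONDS);
        } finally {
            worker.shutdownNow();                        // interrupt only; a spinning or parked plugin ignores it
            if (worker.awaitTermination(1, TimeUnit.SECONDS)) {
                System.setSecurityManager(null);         // no plugin thread left that could exploit the window
                loader.close();
            } else {
                // Nothing in-process can stop it, and dropping the manager now would hand the
                // still-running plugin full privileges. Only discarding this JVM helps.
                System.err.println("plugin did not stop; this JVM must be discarded");
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // usage: java -Djava.security.manager=allow PluginSandbox plugin.jar com.example.Plugin "input"
        System.out.println(run(Path.of(args[0]), args[1], args[2], 5));
    }
}
```

Two limits show up even in this small version. pluginOnStack() looks at raw stack frames, so it ignores AccessController.doPrivileged: JDK code that legitimately needs a permission on the plugin's behalf is refused along with the plugin, which is the "what are the standard libraries" problem. And the timeout only interrupts: a plugin that does not cooperate keeps its thread and its CPU, and the only safe reaction is to throw the whole JVM away.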

Solution

Managing and limiting resources is not possible in Java. You can prevent malicious code from accessing system resources (disk/network and so on) or the JVM itself, but: ...

"Spawning new threads (so that server resource can be fairly managed!)"

  • If I want to be malicious, I am going to do all my code in the finalizer thread and just block the VM. Same with doing protected void finalize() { synchronized (Thread.class) { for (;;) LockSupport.park(); } } and bye-bye new threads.
  • Eating all the memory, eating all the direct memory and so on.
  • Accessing zip files in my own jar and expecting them to get moved away, so the JVM crashes (due to bug(s) in zlib).

If one purposely wants to deny resources, it is just not a feasible task to try and catch the hacker. You'd need to know what to search for and dynamically check/enhance the classes at run time to disallow the behavior.

"Any ability to call methods on objects outside the sandbox, other than the standard Java libraries"

What are the standard libraries? Do you know if/when they must possibly execute some code in a privileged method?


Each customer: a separate VM with full restrictions, process affinity/priority, including max memory/stack and so on.
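The per-customer JVM the answer recommends, as an added example that is not part of the original answer: the host starts a throwaway child JVM per plugin run with heap, stack, direct-memory and processor caps set on the command line, feeds the input on stdin, and kills the process when the wall-clock budget expires. The assumed contract is that the plugin jar contains an entry class that reads stdin and writes its result to stdout; the flag values, the temp-file handling and the 64 KiB output cap are choices made for this example. A plugin parked in a finalizer (on JDK 8 the Thread constructor allocates IDs in a static synchronized method, so holding the Thread.class monitor there stalls every new thread) cannot be stopped in-process, but a child process can simply be destroyed.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.time.Duration;
import java.util.List;
import java.util.concurrent.TimeUnit;

// Example code, not from the original answer. Requires Java 16+ (records).
public final class PluginProcessRunner {

    /** Outcome of one run; timedOut means the child was killed, not that it finished. */
    public record Result(int exitCode, String stdout, String stderr, boolean timedOut) {}

    private static final int MAX_OUTPUT = 64 * 1024;   // assumed cap so output cannot exhaust host memory

    public static Result run(Path pluginJar, String entryClass, String input, Duration wallClock)
            throws IOException, InterruptedException {
        String java = Path.of(System.getProperty("java.home"), "bin", "java").toString();
        List<String> cmd = List.of(
                java,
                "-Xmx64m",                       // heap cap: "eating all the memory" only kills the child
                "-Xss512k",                      // stack cap
                "-XX:MaxDirectMemorySize=16m",   // direct-buffer cap
                "-XX:ActiveProcessorCount=1",    // one CPU's worth of GC / common-pool parallelism
                "-XX:+ExitOnOutOfMemoryError",   // do not linger half-dead after OOM
                "-Djava.awt.headless=true",
                "-cp", pluginJar.toString(),
                entryClass);

        // Redirect to files, not pipes: a chatty plugin blocked on a full pipe would otherwise
        // look like a hang and trip the timeout for the wrong reason.
        Path out = Files.createTempFile("plugin-", ".out");
        Path err = Files.createTempFile("plugin-", ".err");
        try {
            Process p = new ProcessBuilder(cmd)
                    .redirectOutput(out.toFile())
                    .redirectError(err.toFile())
                    .start();
            try (var stdin = p.getOutputStream()) {
                stdin.write(input.getBytes(StandardCharsets.UTF_8));
            } catch (IOException ignored) {
                // child exited before reading its input; the exit code below tells the story
            }
            boolean finished = p.waitFor(wallClock.toMillis(), TimeUnit.MILLISECONDS);
            if (!finished) {
                // Spinning, sleeping or parked in a finalizer: the OS kills it all the same.
                p.destroyForcibly().waitFor();
            }
            return new Result(finished ? p.exitValue() : -1, readCapped(out), readCapped(err), !finished);
        } finally {
            Files.deleteIfExists(out);
            Files.deleteIfExists(err);
        }
    }

    /** Reads at most MAX_OUTPUT bytes of a captured stream. */
    private static String readCapped(Path file) throws IOException {
        try (var in = Files.newInputStream(file)) {
            return new String(in.readNBytes(MAX_OUTPUT), StandardCharsets.UTF_8);
        }
    }

    public static void main(String[] args) throws Exception {
        // usage: java PluginProcessRunner plugin.jar com.example.Main "input"
        Result r = run(Path.of(args[0]), args[1], args[2], Duration.ofSeconds(5));
        System.out.println("exit=" + r.exitCode() + " timedOut=" + r.timedOut());
        System.out.println(r.stdout());
    }
}
```

The JVM flags bound memory and CPU parallelism, and the kill bounds wall-clock time, but the child still runs with the host's OS identity and can touch files and the network. The "process affinity/priority" and "full restrictions" in the answer are OS work: a dedicated unprivileged uid, a cgroup or container for CPU shares and memory, and a network namespace or seccomp profile, with the JVM flags layered on top.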
