Sandbox JVM to secure server from untrusted sources


Problem description

How can I protect my server from malicious activity when accepting and executing uploaded, untrusted code?

The users should be able to implement my interface and, given data, perform some calculations and return data. No I/O operations are required and certainly no thread/process manipulation or other tomfoolery.

Using the java.policy file it is possible to deny everything (by granting nothing).

$ cat test.policy 
grant {
};

Using this policy file, operations not granted will cause a security exception.

$ cat Print.java
public class Print {
    public static void main(String a[]) throws Exception {
        System.out.println(System.getProperty("os.name"));
    }
}

$ javac Print.java
$ java -Djava.security.manager -Djava.security.policy==test.policy Print
Exception in thread "main" java.security.AccessControlException: 
  access denied (java.util.PropertyPermission os.name read)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
    at java.security.AccessController.checkPermission(AccessController.java:546)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
    at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1285)
    at java.lang.System.getProperty(System.java:650)
    at Print.main(Print.java:3)

Is this foolproof? Do I need to do more to secure my server environment from untrusted sources?
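The empty grant block above denies everything to every code base, including the server's own classes. As an added example (not code from the original question or answer), the following Java class shows the finer-grained form of the same Security Manager mechanism: the uploaded class is defined by its own ClassLoader into a static ProtectionDomain that holds no permissions, so it is denied everything even when the policy file grants the server's code base what it needs, and the computation runs on a worker thread with a deadline. It assumes a JVM started with -Djava.security.manager on a release that still ships a Security Manager (it was deprecated for removal in JDK 17 by JEP 411 and permanently disabled in JDK 24 by JEP 486), and that the server's own code base is granted at least RuntimePermission "createClassLoader" and the FilePermission needed to read the upload. The names UntrustedRunner, Calculation and ZeroPermissionLoader, and the server.policy and Uploaded.class arguments in the usage line, are assumptions.

```java
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.CodeSource;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;

/**
 * Added example, not code from the original question or answer.
 * Confines an uploaded class to a ProtectionDomain that holds no permissions,
 * so the uploaded code is denied everything even when the policy file grants
 * the server's own code base what it needs.
 *
 * Assumptions: the JVM runs with -Djava.security.manager on a release that
 * still has a Security Manager; the server's code base is granted at least
 * RuntimePermission "createClassLoader" and the FilePermission to read the
 * upload; Calculation is the server's (assumed) interface for uploaded code.
 */
public final class UntrustedRunner {

    /** Contract the uploaded class must implement (assumed name). */
    public interface Calculation {
        long compute(long[] input);
    }

    /** Defines one class from raw bytes into a permission-less, static ProtectionDomain. */
    static final class ZeroPermissionLoader extends ClassLoader {
        private final ProtectionDomain sandbox;

        ZeroPermissionLoader(ClassLoader parent) {
            super(parent);                          // needs RuntimePermission "createClassLoader"
            Permissions none = new Permissions();   // empty collection: nothing is granted
            none.setReadOnly();
            // The two-argument constructor builds a static domain: the Policy is never
            // consulted for it, so no later policy change can widen these permissions.
            this.sandbox = new ProtectionDomain(new CodeSource(null, (Certificate[]) null), none);
        }

        Class<?> define(String name, byte[] bytes) {
            return defineClass(name, bytes, 0, bytes.length, sandbox);
        }
    }

    /**
     * Loads the uploaded class, instantiates it through its public no-arg
     * constructor and runs compute() on a worker thread with a deadline. Any
     * privileged operation attempted by the uploaded code fails with
     * AccessControlException because its permission-less domain is on the stack.
     */
    public static long run(byte[] classBytes, String className, long[] input, long timeoutMillis)
            throws Exception {
        if (System.getSecurityManager() == null) {
            throw new IllegalStateException("start the JVM with -Djava.security.manager");
        }
        ZeroPermissionLoader loader = new ZeroPermissionLoader(UntrustedRunner.class.getClassLoader());
        Class<? extends Calculation> cls =
                loader.define(className, classBytes).asSubclass(Calculation.class);
        Calculation calc = cls.getConstructor().newInstance();

        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            Future<Long> result = pool.submit(() -> calc.compute(input.clone()));
            return result.get(timeoutMillis, TimeUnit.MILLISECONDS);   // TimeoutException on a runaway loop
        } finally {
            // shutdownNow() only interrupts; a loop that ignores interrupts keeps burning CPU,
            // and nothing here bounds memory, which is why OS-level limits around the JVM still matter.
            pool.shutdownNow();
        }
    }

    /** Usage: java -Djava.security.manager -Djava.security.policy==server.policy UntrustedRunner Uploaded.class Uploaded */
    public static void main(String[] args) throws Exception {
        byte[] bytes = Files.readAllBytes(Paths.get(args[0]));   // hypothetical upload path from argv
        System.out.println(run(bytes, args[1], new long[] {1, 2, 3}, 2000));
    }
}
```

Two limits of this approach stay visible in the code: the deadline only interrupts the worker, so an upload that ignores interrupts or allocates without bound still consumes the server's CPU and heap, and the permission check itself is only as strong as the JVM's own sandbox implementation, which is the point the answer below makes.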

Recommended answer

I wouldn't simply rely on the SecurityManager if I were you. Yes, your configuration looks to be correct and that would be enough, if the Java sandbox were flawless. But look at how many Java vulnerabilities are being fixed in every security release of Java. For example, the latest Oracle Java CPU. A lot of those Java vulnerabilities are ones that escape from the Sandbox. This is very bad on the client side (several people are advocating turning off Java in the browser), but would be even worse on the server side, as attackers don't have to lure you to their site, they can just attack your server.

For example, currently I personally have several such vulnerabilities that I'm awaiting Oracle to address, or I'm in the process of communicating them to Oracle. And I'm not the only researcher that has them. And there must be bad guys that have them, too. So even if you'd update your Java religiously the second the new version comes out, you wouldn't be safe.

I think at the very least you should have something on the OS level, permissions, etc., to control the server process. Sorry, I don't have very good suggestions there, but I'm just saying that no, you absolutely cannot rely on the JVM Sandbox for security on the server.
