←back to thread

OpenJDK Authorization

(github.com)
16 points pfirmst | 2 comments | 19 Nov 24 23:51 UTC | HN request time: 1.023s | source
1. jalcazar ◴[21 Nov 24 01:18 UTC] No.42200028[source]
What are use cases for handling the authorization at the JVM level?

As opposed to do it at the OS level or platform level e.g., SELinux, AWS security policy

replies(1): >>42200428 #
2. pfirmst ◴[21 Nov 24 02:20 UTC] No.42200428[source]
The JVM has a lot of modules and powerful features that, should perimeter defences fail, an attacker has access to. Then there's the issue of vulnerabilities in transitive dependencies upon which trusted libraries might depend, but aren't needed for deployed software, additional functionality which may be useful to an attacker. Features our software doesn't utilise may be available to a hacker to load dynamically, once perimeter defences have been breached or assist the attacker in breaching perimeter defences.

We may need to give the JVM access to keystores and private information that, should an attacker obtain them, have significant consequences. This isn't going to be the case for everyone, we have software that doesn't utilise SM authorization.

Java's existing SM infrastructure doesn't prevent loading modules or jar files based on signers, nor does it perform whitelisting of serializable classes. I've added LoadClassPermission to SecureClassLoader and SerialObjectPermission to Serialization. Java has serial filters for whitelisting, but these suffer the same problem as SecurityManager did, limited tooling to support building the whitelist. These new permissions allow policy to control loading of modules, including platform modules, based on Signer certificates etc and Serialization whitelists. The Serialization whitelist includes the code on the stack, and the authenticated user. Without the authenticated user (the source of the data), the code alone doesn't have permission to deserialize, the user, cannot deserialized with unauthorized code.

We developed high scaling policy providers (used for over a decade in production), that utilise immutability and thread confinement, we also developed a security manager with a non-blocking cache (cleaned by garbage collection), to avoid repeated permission checks from executor tasks and such like.

I've added these high-performance implementations.

However, the main feature is a principle of least privilege policy tool, with the following property -Djava.security.manager=polpAudit, The JVM will generate policy files, from least privilege principles, including execution paths with code signers, logged in users and serialized classes. This step is performed in a deployment staging environment.

When ready to deploy to production, simply set the property back to -Djava.security.manager=default and the JVM will now use high performance implementations, feel free to try it, the performance cost is unnoticeable for the majority of tasks, keep in mind the cache and hotspot will need time to warm up.

This isn't for sandboxing untrusted code; it's for constraining execution to trusted code and users and assisting in auditing. This isn't your old security manager you used for Applets, we're discarding the cruft and reusing the good.

The goal is, make it simple and practical to deploy a JVM with Authorization.

Answers to other questions:

There are no plans to backport to earlier releases, we'll follow OpenJDK's release cycle.

I have submitted a request for a TCK license.