JEP411: Missing use-case: Monitoring / restricting libraries
Ron Pressler
ron.pressler at oracle.com
Wed Apr 21 08:24:15 UTC 2021
Monitoring network connections can be done with JFR. It will tell you which classes
perform the connections. It does not require a Java agent.
Setting up the SM to *block* connections while also not allowing those libraries to
disable the SM is not very easy. Those libraries are trusted, and monitoring is
more effective than sandboxing for trusted code.
— Ron
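As an added illustration of the approach Ron describes (this is not code from the thread or from the JDK project), the Java program below uses in-process JFR event streaming to report which class performed each socket read or write and to which peer, with no Java agent or command-line flag. It assumes JDK 14 or later for `jdk.jfr.consumer.RecordingStream`; the allow-list of hosts and the loopback echo traffic are constructed for the example so that it runs offline. The allow-list only annotates the report, in keeping with Ron's point that this monitors rather than blocks.

```java
// Added example, not part of the original mailing-list thread.
// In-process JFR streaming: report which class performs socket I/O, without a Java agent.
// Assumes JDK 14+ (RecordingStream).
import jdk.jfr.consumer.RecordedEvent;
import jdk.jfr.consumer.RecordedFrame;
import jdk.jfr.consumer.RecordedStackTrace;
import jdk.jfr.consumer.RecordingStream;

import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.time.Duration;
import java.util.Set;

public class SocketMonitor {

    // Constructed allow-list for the example (assumption: in practice this would be read
    // from the end user's configuration file).
    static final Set<String> ALLOWED_HOSTS = Set.of("127.0.0.1", "localhost");

    public static void main(String[] args) throws Exception {
        try (RecordingStream rs = new RecordingStream()) {
            // Record every socket read/write, not just those above the default 20 ms threshold,
            // and keep the stack trace so the originating class can be identified.
            rs.enable("jdk.SocketRead").withThreshold(Duration.ZERO).withStackTrace();
            rs.enable("jdk.SocketWrite").withThreshold(Duration.ZERO).withStackTrace();
            rs.onEvent("jdk.SocketRead", SocketMonitor::report);
            rs.onEvent("jdk.SocketWrite", SocketMonitor::report);
            rs.startAsync();

            // Constructed traffic: a loopback echo server and one client exchange, so the
            // example produces events without touching the network.
            try (ServerSocket server = new ServerSocket(0, 1, InetAddress.getLoopbackAddress())) {
                Thread echo = new Thread(() -> {
                    try (Socket s = server.accept()) {
                        s.getOutputStream().write(s.getInputStream().read());
                    } catch (IOException ignored) {
                    }
                });
                echo.start();
                try (Socket client = new Socket(InetAddress.getLoopbackAddress(), server.getLocalPort())) {
                    client.getOutputStream().write(42);
                    client.getInputStream().read();
                }
                echo.join();
            }

            // Give the stream time to deliver buffered events before it is closed.
            Thread.sleep(2000);
        }
    }

    /** Prints who performed the socket operation and whether the peer is on the allow-list. */
    static void report(RecordedEvent event) {
        String host = event.getString("host");
        String address = event.getString("address");
        int port = event.getInt("port");
        String peer = (host == null || host.isEmpty()) ? address : host;
        String verdict = ALLOWED_HOSTS.contains(peer) ? "allowed" : "NOT on allow-list";
        String origin = firstNonJdkFrame(event.getStackTrace());
        System.out.printf("%s %s:%d by %s [%s]%n",
                event.getEventType().getName(), peer, port, origin, verdict);
    }

    /** Walks the stack from the top and returns the first frame outside java.*, sun.* and jdk.*. */
    static String firstNonJdkFrame(RecordedStackTrace trace) {
        if (trace == null) {
            return "<no stack trace>";
        }
        for (RecordedFrame frame : trace.getFrames()) {
            String type = frame.getMethod().getType().getName();
            if (!type.startsWith("java.") && !type.startsWith("sun.") && !type.startsWith("jdk.")) {
                return type + "." + frame.getMethod().getName();
            }
        }
        return "<jdk-internal only>";
    }
}
```

Compile and run it with `javac SocketMonitor.java && java SocketMonitor`; each line of output names the event type, the peer and port, the first application frame on the recording thread's stack, and whether the peer was on the allow-list. The same `onEvent` handlers could write to the game's log instead of standard output, which is the kind of per-class visibility the quoted message asks for.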
> On 21 Apr 2021, at 06:26, Lim <lim.chainz11+mailing at gmail.com> wrote:
>
> Hi all, apologies if I interrupted this thread.
>
> I agree with what Reinier has said and I have similar concerns about
> the removal of SecurityManager.
>
> I have developed a "Mod" for a certain game to monitor which "Mods"
> are using network connections. The mod is a kind of library, since
> other libraries can use it to extend the library's functionality, such
> as add-ons. In this context, library refers to a Mod, a modification
> that can provide extra features to the base game. These libraries are
> usually obtained from reputable websites by the end user. However, not
> all libraries can be obtained from these websites; some are hosted
> by the authors themselves, already compiled.
>
> Most of the libraries in this game do not require network connections
> to work, except for legitimate reasons such as a version checker or
> downloading required resources, but some request network connections
> anyway without reason. This raises the concern: are the network calls
> justified for a game that can be played offline?
>
> Besides that, Reinier gives a good point on why the ability to
> deny/allow network access is important, and I would like to give an
> example from when I was developing the library:
>
> On 2021-04-16 09:29, Reinier Zwitserloot wrote:
>> * Any library could have the bright idea to 'phone home' and make a
>> network call simply to give the library author some idea of how
>> widespread their library is used. This could have an entirely innocuous
>> purpose: The library author thought it'd be a cool idea to have a live
>> map of the planet on their website, with a little animated blip every
>> time their library is used to, say, parse some JSON. SecurityManager is
>> the simplest way to spot this and stop it.
>
> Although most of the recent libraries I've seen do not have analytics,
> I have seen one older version of a library that has analytics
> enabled without any way to disable it except by performing bytecode
> modifications. This has implications for users' privacy, since they
> do not anticipate that it has analytics within it, and libraries that
> have analytics are frowned upon in the mod community. This also
> violates the privacy laws of some countries.
>
> The security manager is the only viable way to stop these libraries
> from "phoning home", in my opinion, since the end user "installs" these
> libraries by putting them into a specific folder for the loader to
> launch the game with these modifications. They are not expected to
> change their system just to know if a particular library has these
> "features", for example by using a firewall, hosts file, DNS or other
> monitoring tools. It might help, but it does not provide insight into
> which class/package is responsible, as Reinier has said, and that's
> where the SecurityManager can help.
>
> By using the "checkConnect" methods in SecurityManager, I can
> allow/deny connections and write appropriate messages to the log for
> the end user to check. In addition, there is a configuration that
> allows the end user to specify which hosts are allowed for network
> connections.
>
> I hope that the core SecurityManager functionality will be preserved.
> Will there be an alternative that is able to provide similar
> functionality through programmatic means for my use case? I have read
> the comments about using JFR stream/bytecode instrumentation, but it
> requires the use of a Java Agent and command line flags, which is not
> acceptable in this use case.
>
> Thanks