[External] : Re: JEP411: Missing use-case: Monitoring / restricting libraries

Ron Pressler ron.pressler at oracle.com
Wed Apr 21 12:38:11 UTC 2021


Using JFR does not require that command-line option; it’s required only for specific kinds
of use. Its current events might be not have everything you want, but will be expanded, in
part to address the functionality that will be lost with the removal of Security Manager. And
yes, I believe it is possible to use JFR streaming and recording at the same time, but perhaps
a JFR expert will chime in.

Libraries that can disable the Security Manager aren’t able to circumvent OS-level
sandboxing. If you’re not afraid of that, then they’re trusted and JFR is superior;
if they’re untrusted, then configuring the Security Manager correctly for untrusted rich
libraries is very difficult. There is no argument that this is a powerful capability *in theory*;
the problem is that it’s difficult to correctly employ this capability correctly *in practice*. See
this paper for an empirical study: http://www.cs.cmu.edu/~clegoues/docs/coker15acsac.pdf

The point is that while you *think* SM gives you a useful sandboxing capability, in practice,
in most cases it doesn’t.

— Ron



On 21 Apr 2021, at 13:28, Lim <lim.chainz11+mailing at gmail.com<mailto:lim.chainz11+mailing at gmail.com>> wrote:

Monitoring network connections can be done with JFR. It will tell you which classes
perform the connections. It does not require a Java agent.

Hi Ron, I read about the JFR and it required a command line argument
"-XX:StartFlightRecording" and it is not suitable since it is
distributed to the *end user*. Does JFR able capture the URLs
performed by those libraries (which can be obtained by getting the
name of URLPermission)? I have used it before in JMC and it only shows
the hostname address only. Is there an alternative besides JFR that is
capable of using programmatically means like SM such as
setSecurityManager, ability to capture logs, perform blocking in real
time?
If JFR is capable of operating *without using command line flags*, can
you please link it to the relevant documentation? Besides that, if
using JFR streams, can it be used with JMC concurrently?

Setting up the SM to *block* connections while also not allowing those libraries to
disable the SM is not very easy.

Well if those libraries are able to disable SM, those libraries are
able to circumvent the native restrictions of the operating system
too. But these mostly occur in malicious-like libraries that are less
well known or in the worst possible case, popular libraries that are
hijacked.

Those libraries are trusted, and monitoring is more effective than sandboxing for trusted code.

I disagree to a degree, not all libraries can be vetted by the
operators of the websites,  especially those who do not use those
distribution websites. This is because some of the libraries might be
obfuscated by the library authors themselves and thus unable to
determine the trustworthiness, or libraries are unknowingly tampered
by 3rd parties. Not every end user will know how to perform hash
checking of the downloaded library, even more on verifying the
signature of the library. The users implicitly trust because they
assume the distribution sites will perform checks on the library for
malicious code. They rely on users reporting the library that is
malicious. This means that there is a chance that untrustworthy code
is executed before knowing it.

In addition, assume if the end user needs to decide if the library is
"trusted" before they introduce it to the game, but not everyone has
the knowledge to audit those libraries themselves. For example, if I
have downloaded a modpack that contains 100 mods (which are libraries
that are bundled together), do I need to audit each one or will the
producer of the pack perform the audit? I believe it will be a waste
of time since some of the library is frequently updated with features
and bug fixes.

For a hypothetical scenario: I have developed a popular library that
has intuitive APIs, and this library is constantly updated with
features and in one day, I have added a "subtle feature" to gather and
upload sensitive information of the monetization purpose and this code
is not found in the source. Assuming the user has a monitoring library
using the JFR streams, it was able to detect the unknown remote
connection to the author server, but it is already too late since when
you see the log, it has already happened.

I would like to ask in this scenario, what is the best possible
solution to mitigate it for the end user perspective besides not
downloading it since it can be included implicitly as a dependency,
and how can I help the end user to mitigate this scenario?

- Lim






On Wed, Apr 21, 2021 at 4:24 PM Ron Pressler <ron.pressler at oracle.com<mailto:ron.pressler at oracle.com>> wrote:

Monitoring network connections can be done with JFR. It will tell you which classes
perform the connections. It does not require a Java agent.

Setting up the SM to *block* connections while also not allowing those libraries to
disable the SM is not very easy. Those libraries are trusted, and monitoring is
more effective than sandboxing for trusted code.

— Ron

On 21 Apr 2021, at 06:26, Lim <lim.chainz11+mailing at gmail.com<mailto:lim.chainz11+mailing at gmail.com>> wrote:

Hi all, apologize if I interrupted this thread.

I agreed on what Reinier has said and I have similar concerns about
the removal of SecurityManager.

I have developed a "Mod" for a certain game to monitor which "Mods"
are using network connections. The mod is a kind of library since
other libraries can use them to extend the library functionality such
as add-on. In this context, library refers to Mod, a modification that
can provide extra features to the base game. These libraries are
usually obtained from reputable websites by the end user. However, not
all libraries can be obtained in these websites, some which are hosted
by the author themselves that are readily compiled.

Most of the library in this game does not require network connections
to work except, for legitimate reasons such as version checker,
downloading required resources, but some requested network connections
anyway without reasons. This gives the concern, are the network calls
justified for a game that can be played offline?

Besides that, Reinier gives good point of why the ability to
deny/allow network is important and I would like to give an example
when I am developing the library:

On 2021-04-16 09:29, Reinier Zwitserloot wrote:
* Any library could have the bright idea to 'phone home' and make a
network call simply to give the library author some idea of how
widespread their library is used. This could have an entirely innocuous
purpose: The library author thought it'd be a cool idea to have a live
map of the planet on their website, with a little animated blip every
time their library is used to, say, parse some JSON. SecurityManager is
the simplest way to spot this and stop it.

Although most of the recent libraries do not have analytics that I've
seen, I have seen one older version of the library that has analytics
enabled without any way to disable except performing bytecode
modifications. This has implications to the users' privacy since they
do not anticipate it has analytics within them and libraries that have
analytics are frowned upon in the mod community. This also violates
some of the privacy laws in some countries.

The security manager is the only viable way to control these libraries
from "phone home" in my opinion. Since the end user "install" these
libraries by putting into a specific folder for the loader to launch
the game with these modifications. They are not expected to change
their system just to know if a particular library has these
"features". For example, using firewall/hosts file/DNS/other
monitoring tools. It might help but it does not provide insight into
which class/package which Reinier has said and that's where the
SecurityManager can help.

By using the "checkConnect" methods in SecurityManager, I can
allow/deny and notify appropriate messages in the log for the end user
to check. In addition, there is a configuration that allows the end
user to configure which hosts are allowed for the network connections.

I hope that the core SecurityManager functionality will be preserved.
Will there be an alternative that is able to provide similar
functionality through programmatic means for my use case? I have read
the comments about using JFR stream/bytecode instrumentation but it
required the usage of Java Agent and command line flags which is not
acceptable in this use case.

Thanks


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20210421/dc95c7c2/attachment.htm>


More information about the security-dev mailing list