JEP411: Missing use-case: Monitoring / restricting libraries

[Ron Pressler]

P.S.

In your hypothetical scenario you’re treating the library as untrusted code. In that
case, even today Security Manager is not the best option because correctly creating
a sandbox that is both hermetically secure against *untrusted* code (i.e. possibly malicious)
and allows it to use a rich set of APIs (i.e. it isn’t a self-contained Applet) is very, very hard, 
and usually requires the host application to be written with the SM in mind, i.e. to use 
AccessController.doPrivileged; how many applications/libraries do that correctly?

For rich libraries and applications, your best bet is an OS-level sandbox. The Security Manager 
might give you a false sense of security.

— Ron

> On 21 Apr 2021, at 13:28, Lim <lim.chainz11+mailing at gmail.com> wrote:
> 
>> Monitoring network connections can be done with JFR. It will tell you which classes
>> perform the connections. It does not require a Java agent.
> 
> Hi Ron, I read about the JFR and it required a command line argument
> "-XX:StartFlightRecording" and it is not suitable since it is
> distributed to the *end user*. Does JFR able capture the URLs
> performed by those libraries (which can be obtained by getting the
> name of URLPermission)? I have used it before in JMC and it only shows
> the hostname address only. Is there an alternative besides JFR that is
> capable of using programmatically means like SM such as
> setSecurityManager, ability to capture logs, perform blocking in real
> time?
> If JFR is capable of operating *without using command line flags*, can
> you please link it to the relevant documentation? Besides that, if
> using JFR streams, can it be used with JMC concurrently?
> 
>> Setting up the SM to *block* connections while also not allowing those libraries to
>> disable the SM is not very easy.
> 
> Well if those libraries are able to disable SM, those libraries are
> able to circumvent the native restrictions of the operating system
> too. But these mostly occur in malicious-like libraries that are less
> well known or in the worst possible case, popular libraries that are
> hijacked.
> 
>> Those libraries are trusted, and monitoring is more effective than sandboxing for trusted code.
> 
> I disagree to a degree, not all libraries can be vetted by the
> operators of the websites,  especially those who do not use those
> distribution websites. This is because some of the libraries might be
> obfuscated by the library authors themselves and thus unable to
> determine the trustworthiness, or libraries are unknowingly tampered
> by 3rd parties. Not every end user will know how to perform hash
> checking of the downloaded library, even more on verifying the
> signature of the library. The users implicitly trust because they
> assume the distribution sites will perform checks on the library for
> malicious code. They rely on users reporting the library that is
> malicious. This means that there is a chance that untrustworthy code
> is executed before knowing it.
> 
> In addition, assume if the end user needs to decide if the library is
> "trusted" before they introduce it to the game, but not everyone has
> the knowledge to audit those libraries themselves. For example, if I
> have downloaded a modpack that contains 100 mods (which are libraries
> that are bundled together), do I need to audit each one or will the
> producer of the pack perform the audit? I believe it will be a waste
> of time since some of the library is frequently updated with features
> and bug fixes.
> 
> For a hypothetical scenario: I have developed a popular library that
> has intuitive APIs, and this library is constantly updated with
> features and in one day, I have added a "subtle feature" to gather and
> upload sensitive information of the monetization purpose and this code
> is not found in the source. Assuming the user has a monitoring library
> using the JFR streams, it was able to detect the unknown remote
> connection to the author server, but it is already too late since when
> you see the log, it has already happened.
> 
> I would like to ask in this scenario, what is the best possible
> solution to mitigate it for the end user perspective besides not
> downloading it since it can be included implicitly as a dependency,
> and how can I help the end user to mitigate this scenario?
> 
> - Lim
> 
> 
> 
> 
> 
> 
> On Wed, Apr 21, 2021 at 4:24 PM Ron Pressler <ron.pressler at oracle.com> wrote:
>> 
>> Monitoring network connections can be done with JFR. It will tell you which classes
>> perform the connections. It does not require a Java agent.
>> 
>> Setting up the SM to *block* connections while also not allowing those libraries to
>> disable the SM is not very easy. Those libraries are trusted, and monitoring is
>> more effective than sandboxing for trusted code.
>> 
>> — Ron
>> 
>>> On 21 Apr 2021, at 06:26, Lim <lim.chainz11+mailing at gmail.com> wrote:
>>> 
>>> Hi all, apologize if I interrupted this thread.
>>> 
>>> I agreed on what Reinier has said and I have similar concerns about
>>> the removal of SecurityManager.
>>> 
>>> I have developed a "Mod" for a certain game to monitor which "Mods"
>>> are using network connections. The mod is a kind of library since
>>> other libraries can use them to extend the library functionality such
>>> as add-on. In this context, library refers to Mod, a modification that
>>> can provide extra features to the base game. These libraries are
>>> usually obtained from reputable websites by the end user. However, not
>>> all libraries can be obtained in these websites, some which are hosted
>>> by the author themselves that are readily compiled.
>>> 
>>> Most of the library in this game does not require network connections
>>> to work except, for legitimate reasons such as version checker,
>>> downloading required resources, but some requested network connections
>>> anyway without reasons. This gives the concern, are the network calls
>>> justified for a game that can be played offline?
>>> 
>>> Besides that, Reinier gives good point of why the ability to
>>> deny/allow network is important and I would like to give an example
>>> when I am developing the library:
>>> 
>>> On 2021-04-16 09:29, Reinier Zwitserloot wrote:
>>>> * Any library could have the bright idea to 'phone home' and make a
>>>> network call simply to give the library author some idea of how
>>>> widespread their library is used. This could have an entirely innocuous
>>>> purpose: The library author thought it'd be a cool idea to have a live
>>>> map of the planet on their website, with a little animated blip every
>>>> time their library is used to, say, parse some JSON. SecurityManager is
>>>> the simplest way to spot this and stop it.
>>> 
>>> Although most of the recent libraries do not have analytics that I've
>>> seen, I have seen one older version of the library that has analytics
>>> enabled without any way to disable except performing bytecode
>>> modifications. This has implications to the users' privacy since they
>>> do not anticipate it has analytics within them and libraries that have
>>> analytics are frowned upon in the mod community. This also violates
>>> some of the privacy laws in some countries.
>>> 
>>> The security manager is the only viable way to control these libraries
>>> from "phone home" in my opinion. Since the end user "install" these
>>> libraries by putting into a specific folder for the loader to launch
>>> the game with these modifications. They are not expected to change
>>> their system just to know if a particular library has these
>>> "features". For example, using firewall/hosts file/DNS/other
>>> monitoring tools. It might help but it does not provide insight into
>>> which class/package which Reinier has said and that's where the
>>> SecurityManager can help.
>>> 
>>> By using the "checkConnect" methods in SecurityManager, I can
>>> allow/deny and notify appropriate messages in the log for the end user
>>> to check. In addition, there is a configuration that allows the end
>>> user to configure which hosts are allowed for the network connections.
>>> 
>>> I hope that the core SecurityManager functionality will be preserved.
>>> Will there be an alternative that is able to provide similar
>>> functionality through programmatic means for my use case? I have read
>>> the comments about using JFR stream/bytecode instrumentation but it
>>> required the usage of Java Agent and command line flags which is not
>>> acceptable in this use case.
>>> 
>>> Thanks
>>