JEP411: Missing use-case: Monitoring / restricting libraries

Markus Gronlund markus.gronlund at oracle.com
Wed Apr 21 14:31:58 UTC 2021


Hi Lim and Ron,

Some information about JFR that can be pertinent to this discussion:

JFR is flexible when it comes to control, with many entry points: command-line, jcmd, JMX, and programmatically via the Java API which I think is relevant for your use case [1] [2].

There is currently no support for JFR Event Streaming in JDK Mission Control.

If the existing event probes in the JDK does not give you the information you need, like the name of URL's, it can be a reached by building your own "custom events" via the Events API [3]. It can be harder to add events to unknown code dynamically, but it can be done and you can use java.lang.Instrument to build an agent to inject the custom event. A Java Agent can be loaded dynamically, without command-line options, see [4] "Starting and Agent after VM Startup". However, this dynamic approach requires bytecode programming to some extent. You might want to take a look at the new JMC Agent that was just released might be useful as a reference [5].

If there is a general problem area and provides a good scaling factor, and the URL information might just be such a case, it can make sense to investigate if this information can be provided directly by the JDK, by extending existing or new JFR events. 

Thank you
Markus

[1] https://docs.oracle.com/en/java/javase/16/docs/api/jdk.jfr/jdk/jfr/Recording.html 
[2] https://docs.oracle.com/en/java/javase/16/docs/api/jdk.jfr/jdk/jfr/consumer/RecordingStream.html 
[3] https://docs.oracle.com/en/java/javase/16/docs/api/jdk.jfr/jdk/jfr/Event.html 
[4] https://docs.oracle.com/en/java/javase/16/docs/api/java.instrument/java/lang/instrument/package-summary.html 
[5] https://developers.redhat.com/blog/2020/10/29/collect-jdk-flight-recorder-events-at-runtime-with-jmc-agent/ 


-----Original Message-----
From: security-dev <security-dev-retn at openjdk.java.net> On Behalf Of Ron Pressler
Sent: den 21 april 2021 14:56
To: Lim <lim.chainz11+mailing at gmail.com>
Cc: security-dev at openjdk.java.net
Subject: Re: JEP411: Missing use-case: Monitoring / restricting libraries

P.S.

In your hypothetical scenario you’re treating the library as untrusted code. In that case, even today Security Manager is not the best option because correctly creating a sandbox that is both hermetically secure against *untrusted* code (i.e. possibly malicious) and allows it to use a rich set of APIs (i.e. it isn’t a self-contained Applet) is very, very hard, and usually requires the host application to be written with the SM in mind, i.e. to use AccessController.doPrivileged; how many applications/libraries do that correctly?

For rich libraries and applications, your best bet is an OS-level sandbox. The Security Manager might give you a false sense of security.

— Ron

> On 21 Apr 2021, at 13:28, Lim <lim.chainz11+mailing at gmail.com> wrote:
> 
>> Monitoring network connections can be done with JFR. It will tell you 
>> which classes perform the connections. It does not require a Java agent.
> 
> Hi Ron, I read about the JFR and it required a command line argument 
> "-XX:StartFlightRecording" and it is not suitable since it is 
> distributed to the *end user*. Does JFR able capture the URLs 
> performed by those libraries (which can be obtained by getting the 
> name of URLPermission)? I have used it before in JMC and it only shows 
> the hostname address only. Is there an alternative besides JFR that is 
> capable of using programmatically means like SM such as 
> setSecurityManager, ability to capture logs, perform blocking in real 
> time?
> If JFR is capable of operating *without using command line flags*, can 
> you please link it to the relevant documentation? Besides that, if 
> using JFR streams, can it be used with JMC concurrently?
> 
>> Setting up the SM to *block* connections while also not allowing 
>> those libraries to disable the SM is not very easy.
> 
> Well if those libraries are able to disable SM, those libraries are 
> able to circumvent the native restrictions of the operating system 
> too. But these mostly occur in malicious-like libraries that are less 
> well known or in the worst possible case, popular libraries that are 
> hijacked.
> 
>> Those libraries are trusted, and monitoring is more effective than sandboxing for trusted code.
> 
> I disagree to a degree, not all libraries can be vetted by the 
> operators of the websites,  especially those who do not use those 
> distribution websites. This is because some of the libraries might be 
> obfuscated by the library authors themselves and thus unable to 
> determine the trustworthiness, or libraries are unknowingly tampered 
> by 3rd parties. Not every end user will know how to perform hash 
> checking of the downloaded library, even more on verifying the 
> signature of the library. The users implicitly trust because they 
> assume the distribution sites will perform checks on the library for 
> malicious code. They rely on users reporting the library that is 
> malicious. This means that there is a chance that untrustworthy code 
> is executed before knowing it.
> 
> In addition, assume if the end user needs to decide if the library is 
> "trusted" before they introduce it to the game, but not everyone has 
> the knowledge to audit those libraries themselves. For example, if I 
> have downloaded a modpack that contains 100 mods (which are libraries 
> that are bundled together), do I need to audit each one or will the 
> producer of the pack perform the audit? I believe it will be a waste 
> of time since some of the library is frequently updated with features 
> and bug fixes.
> 
> For a hypothetical scenario: I have developed a popular library that 
> has intuitive APIs, and this library is constantly updated with 
> features and in one day, I have added a "subtle feature" to gather and 
> upload sensitive information of the monetization purpose and this code 
> is not found in the source. Assuming the user has a monitoring library 
> using the JFR streams, it was able to detect the unknown remote 
> connection to the author server, but it is already too late since when 
> you see the log, it has already happened.
> 
> I would like to ask in this scenario, what is the best possible 
> solution to mitigate it for the end user perspective besides not 
> downloading it since it can be included implicitly as a dependency, 
> and how can I help the end user to mitigate this scenario?
> 
> - Lim
> 
> 
> 
> 
> 
> 
> On Wed, Apr 21, 2021 at 4:24 PM Ron Pressler <ron.pressler at oracle.com> wrote:
>> 
>> Monitoring network connections can be done with JFR. It will tell you 
>> which classes perform the connections. It does not require a Java agent.
>> 
>> Setting up the SM to *block* connections while also not allowing 
>> those libraries to disable the SM is not very easy. Those libraries 
>> are trusted, and monitoring is more effective than sandboxing for trusted code.
>> 
>> — Ron
>> 
>>> On 21 Apr 2021, at 06:26, Lim <lim.chainz11+mailing at gmail.com> wrote:
>>> 
>>> Hi all, apologize if I interrupted this thread.
>>> 
>>> I agreed on what Reinier has said and I have similar concerns about 
>>> the removal of SecurityManager.
>>> 
>>> I have developed a "Mod" for a certain game to monitor which "Mods"
>>> are using network connections. The mod is a kind of library since 
>>> other libraries can use them to extend the library functionality 
>>> such as add-on. In this context, library refers to Mod, a 
>>> modification that can provide extra features to the base game. These 
>>> libraries are usually obtained from reputable websites by the end 
>>> user. However, not all libraries can be obtained in these websites, 
>>> some which are hosted by the author themselves that are readily compiled.
>>> 
>>> Most of the library in this game does not require network 
>>> connections to work except, for legitimate reasons such as version 
>>> checker, downloading required resources, but some requested network 
>>> connections anyway without reasons. This gives the concern, are the 
>>> network calls justified for a game that can be played offline?
>>> 
>>> Besides that, Reinier gives good point of why the ability to 
>>> deny/allow network is important and I would like to give an example 
>>> when I am developing the library:
>>> 
>>> On 2021-04-16 09:29, Reinier Zwitserloot wrote:
>>>> * Any library could have the bright idea to 'phone home' and make a 
>>>> network call simply to give the library author some idea of how 
>>>> widespread their library is used. This could have an entirely 
>>>> innocuous
>>>> purpose: The library author thought it'd be a cool idea to have a 
>>>> live map of the planet on their website, with a little animated 
>>>> blip every time their library is used to, say, parse some JSON. 
>>>> SecurityManager is the simplest way to spot this and stop it.
>>> 
>>> Although most of the recent libraries do not have analytics that 
>>> I've seen, I have seen one older version of the library that has 
>>> analytics enabled without any way to disable except performing 
>>> bytecode modifications. This has implications to the users' privacy 
>>> since they do not anticipate it has analytics within them and 
>>> libraries that have analytics are frowned upon in the mod community. 
>>> This also violates some of the privacy laws in some countries.
>>> 
>>> The security manager is the only viable way to control these 
>>> libraries from "phone home" in my opinion. Since the end user 
>>> "install" these libraries by putting into a specific folder for the 
>>> loader to launch the game with these modifications. They are not 
>>> expected to change their system just to know if a particular library 
>>> has these "features". For example, using firewall/hosts 
>>> file/DNS/other monitoring tools. It might help but it does not 
>>> provide insight into which class/package which Reinier has said and 
>>> that's where the SecurityManager can help.
>>> 
>>> By using the "checkConnect" methods in SecurityManager, I can 
>>> allow/deny and notify appropriate messages in the log for the end 
>>> user to check. In addition, there is a configuration that allows the 
>>> end user to configure which hosts are allowed for the network connections.
>>> 
>>> I hope that the core SecurityManager functionality will be preserved.
>>> Will there be an alternative that is able to provide similar 
>>> functionality through programmatic means for my use case? I have 
>>> read the comments about using JFR stream/bytecode instrumentation 
>>> but it required the usage of Java Agent and command line flags which 
>>> is not acceptable in this use case.
>>> 
>>> Thanks
>> 



More information about the security-dev mailing list