[External] : Re: JEP 411, removal of finalizers, a path forward.

Peter Firmstone peter.firmstone at zeus.net.au
Tue Aug 3 01:30:38 UTC 2021


Thanks Ron,

What we do now is dynamic, so we need to figure out how to replicate 
that post SM.  Things we don't grant dynamically are good candidates for 
command line argument options.

We basically authenticate, then authorize class loading dynamically at 
runtime, along with other things, such as deserialization (not to be 
confused with Java Serialization) and network connections. The dynamic 
grants are removed by garbage collection. Dynamic grants are probably 
very rare for most developers, although OSGi also supports dynamic 
grants also, I had a discussion with Peter Kriens around OSGi dynamic 
grants some years ago.

I am still hopeful that OpenJDK might create some hooks for us and keep 
the AccessController, AccessControlContext and Subject.doAs methods to 
make supporting all Java versions easier. Also replacing thread 
inherited context, with an unprivileged context would be good too.  Then 
remove all the permission implementations and we could use the hooks we 
need.  The hooks could simply be an empty static method that's not 
subject to change, so we can instrument it with our own implementation 
and it gets optimized out at runtime if not used by hotspot.  Clearly if 
there are alternative mechanisms available from the command line that we 
don't need to dynamically enable, then they are preferable to adding 
clutter to policy files.   The existing policy provider can be removed, 
so we can strip it down to just the essential minimum components, which 
removes much of the testing required by OpenJDK.

Just curious, when using Agents, what are the recommendations for line 
numbers in code, for exceptions etc, how are these affected when 
instrumenting?

Quite happy to contribute time to adding hooks and removing other 
components.

Regards,

Peter.

On 2/08/2021 9:00 pm, Ron Pressler wrote:
> Our path to making Java more secure is, indeed, similar to what you’re proposing.
>
> The general direction is that the application, rather than the libraries, will have the final say on security-sensitive capabilities.
> Just as strong encapsulation is now on by default, other things, such as native code, some dynamic Agent capabilities, and
> perhaps others, will likely require explicit permission by the application on the command line. I don’t know the details about
> management, but I believe that remote management requires explicit permission already.
>
> I am not aware, however, of plans to restrict class loading. The idea is that code is trusted to do what it says it does, and
> what’s restricted is the ability to manipulate it (without permission) to do something else through transformation or
> circumvention of its declared API.
>
> The default security policy today is already more restrictive than it was a couple of versions ago, and we expect it to become
> even more restrictive.
>
> — Ron
>
>> On 2 Aug 2021, at 11:33, Peter Firmstone <peter.firmstone at zeus.net.au> wrote:
>>
>> Hello Andrew,
>>
>> I think you may be misinterpreting my comment, let me clarify:
>>
>> I'm assuming that during the process of removal of security manager, any external ports or process hooks that we can only turn off now by not granting a permission will be replaced by a command line property or something similar?  Eg, Agents, Management, etc. If this is the case, it would be nice if they were set to off by default, such that they needed to be enabled from the command line.  It's a suggestion.   So configuration is secure by default.  Eg, similar to how OpenBSD is configured secure by default, is that something RedHat does?   I used RedHat back in the 90's, it was my first Linux distro, on sparc. :)
>>
>> For example, the permissions granted in this policy file:
>>
>> https://urldefense.com/v3/__https://github.com/pfirmstone/JGDMS/blob/trunk/qa/harness/policy/defaultsecurephoenix.policy.new__;!!ACWV5N9M2RV99hQ!cVJkwzysH02ZFZWT3rnO_o5viWUCBTm9nnM50QaJ5G9hsg9B3p2naDVYknIrqSNURQ$
>> Ensure that anything that isn't specifically granted, is switched off, eg agents, management, etc.
>>
>> This file is generated by a policy writing tool, the comments in the policy file, indicate the tests that were run to generate the policy.  It's important to note that we aren't using sandboxing, or isolation, we are simply running with privileges we don't require switched off.   All network entry points to the JVM require authentication and classes loaded, or data parsed requires authentication first.
>>
>> In my software without SM, authentication isn't required, and there are no defenses against parsing un-trusted data or downloading and loading malicious classes.  Although you've made it clear, you think this is a /special case/ and /special loss/ you needn't concern yourself with and that's fine, you've made your point.
>>
>> In future it will not be possible to switch these features off using policy files, so I imagine that OpenJDK must be considering alternative methods to switch off features that may be security sensitive?
>>
>> We already know de-serialization can be switched off from the command line using: -Djdk.serialFilter=!*,
>>
>> However if you switch off java de-serialization, you best be sure to initialize the serialization framework when starting your JVM, as SM won't be there to stop it being turned back on, if it's not used, it's not initialized, then the property can be changed and is potentially a link in a gadget chain attack where serialization can be re-enabled. :)  Just saying.
>>
>> Not sure what canard you're referring to, is the JDK config secure by default?  If so, then it won't be possible for a malicious java attachment in an email (or an image file) to be run inadvertently and use the attach API to steal secrets.  Although it's processor could be subject to speculative execution attacks.
>>
>> A good reason to use OpenBSD (or Solaris perhaps) on Sparc for secure systems?   I know RedHat is into supporting military application in a big way, but I'm surprised if they're not concerned about speculative execution vulnerabilities.
>>
>> Speculative execution attacks will eventually be addressed in processor architectures, they are trying, we shouldn't assume that we don't need to program defensively because the underlying architecture has speculative execution bugs.  If we do that, then were do we stop?
>>
>> Anyway, if possible I would like to get back to discussing how to instrument the Java API using Agents, and whether we can coordinate removal of finalizers with SM removal.
>>
>> Of course if you'd like to keep SM and cancel JEP 411, as Uwe suggested, I'd support that.  I'm also grateful that Uwe spoke up, and I hope others do as well, so this topic receives further productive discussion.  It would be nice to sort the use cases prior to SM removal.   JEP 411 appears symbolic at this stage anyway, more JEP's will be created for it's disablement I believe.
>>
>> Regards,
>>
>> Peter.
>>
>> On 2/08/2021 7:17 pm, Andrew Dinn wrote:
>>> On 01/08/2021 15:28, Uwe Schindler wrote:
>>>>>> I'm working on the assumption that OpenJDK will close any
>>>>>> external holes currently defended by permission checks.  It would
>>>>>> be good if the JDK was secure by default, with properties
>>>>>> required to be set for allowing such things as agents,
>>>>>> management, parsing xml and serialization.
>>>>> You need to stop repeating this canard. There is no absolute need
>>>>> for OpenJDK to retain a security mechanism to deal with problems
>>>>> that for almost every use case are better solved by using
>>>>> non-OpenJDK alternatives (such as OS security measures). Indeed,
>>>>> it's the other way round: there is an imperative for the project to
>>>>> spend precious resources on alternative capabilities (not
>>>>> necessarily security related).
>>>> Sorry, as another open source project affected by the stupid JEP 411
>>>> desaster I would like to fully confirm to EVERYTHING that Peter said.
>>>> It is not a canard, it is the reality and I am really disappointed
>>>> what happened.
>>> Sorry, Uwe, but the canard *is* right there in the comment I quoted from Peter's email i.e. the bogus implication that without the security manager the JDK is not 'secure by default'. Irrespective of how useful the security manager is to your project it is utter steer manure to claim that without it there is a serious security hole.
>>>
>>> That's not to say different measures may need to be taken by some applications, yours included. I'm not denying that. However, I'm not going to back down when it comes to objecting to the lack of proportionality in Peter's claims.
>>>
>>> I believe Alan has answered your rather speculative follow-up comments so I'll rest on that clarification.
>>>
>>> regards,
>>>
>>>
>>> Andrew Dinn
>>> -----------
>>> Red Hat Distinguished Engineer
>>> Red Hat UK Ltd
>>> Registered in England and Wales under Company Registration No. 03798903
>>> Directors: Michael Cunningham, Michael ("Mike") O'Neill
>>>
-- 
Regards,
  
Peter Firmstone
0498 286 363
Zeus Project Services Pty Ltd.



More information about the security-dev mailing list