JEP411: Missing use-case: Monitoring / restricting libraries

David Black dblack at atlassian.com
Thu May 13 02:11:42 UTC 2021


Hi,
I hope it is okay if I provide another
example/use case & view here.

On Thu, 13 May 2021 at 07:49, Ron Pressler <ron.pressler at oracle.com> wrote:

>
>
> > On 12 May 2021, at 22:41, Peter Tribble <peter.tribble at gmail.com> wrote:
> >
> >
> > Let me give a concrete example:
> >
> > Parsing and rendering a PDF file that may contain references to fonts or
> other resources.
> > We know exactly where the files are installed, so wish to allow the
> rendering routine access
> > to the fonts it will need. But not to any other files, and not
> (normally) to network resources at
> > all. Note that we trust the code, but not necessarily the document it's
> parsing. (Although the
> > document itself may be perfectly well formed - document formats often
> allow embedding
> > references to 3rd-party objects, undesirable as that may be.)
> >
>
> Thank you. Let me ask you this, then:
>
> 1. Would allowing access to certain files and no network for the *entire*
> application be
> sufficient? Consider that you can run some code in a separate Java process
> with OS protections.
> If not, why not?
>

It wouldn't be ideal, but that is theoretically possible; it will
likely come at a performance cost & require re-architecting applications.


>
> 2. Would turning such access on and off for the entire application through
> some Java process
> be sufficient?
>

No, as this is similar to 1.


>
> 3. Would controlling such access on a per-thread basis be sufficient?
>
> Please don’t read 2 or 3 as some concrete proposals; I’m just trying to
> understand the requirements.
>
>
This seems somewhat more useful than 1 & 2, but imho it would be better to
be able to perform checks/grant access on a call stack basis. Atlassian
currently makes use of a security manager to prevent access to cloud
metadata services that do not have an Amazon SDK related class on the call
stack. This helps to mitigate the impact of SSRF in applications running in
a cloud environment
(https://github.com/asecurityteam/ssrf-protection-example-manas-security-manager).
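As an added illustration of the call-stack-based check described in the message above (this is example code written for this page, not Atlassian's project and not part of JEP 411): a SecurityManager that refuses socket connections to the cloud metadata endpoint unless a frame belonging to the AWS SDK is on the calling thread's stack. The metadata address 169.254.169.254 is the well-known link-local instance metadata address; the package prefixes checked for the SDK are assumptions for this example, as is the decision to permit every other operation.

```java
import java.security.Permission;
import java.util.Arrays;

/**
 * Illustrative SecurityManager (not the linked project's code): deny connections
 * to the instance metadata service unless an AWS SDK class is on the call stack,
 * which narrows the blast radius of an SSRF in application code.
 */
public class MetadataGuard extends SecurityManager {
    // Link-local address used by the cloud instance metadata service.
    static final String METADATA_HOST = "169.254.169.254";

    // Assumed package prefixes identifying "trusted" SDK callers (AWS SDK v1 and v2).
    static final String[] SDK_PREFIXES = { "com.amazonaws.", "software.amazon.awssdk." };

    /** True when any frame on the current thread's stack belongs to the SDK. */
    static boolean sdkOnStack() {
        return StackWalker.getInstance().walk(frames ->
            frames.anyMatch(f -> {
                String cls = f.getClassName();
                return Arrays.stream(SDK_PREFIXES).anyMatch(cls::startsWith);
            }));
    }

    /** Called by java.net.Socket before connecting; enforce the stack-based rule. */
    @Override
    public void checkConnect(String host, int port) {
        if (METADATA_HOST.equals(host) && !sdkOnStack()) {
            throw new SecurityException(
                "connection to metadata service " + host + ":" + port
                + " refused: no SDK class on the call stack");
        }
    }

    @Override
    public void checkConnect(String host, int port, Object context) {
        checkConnect(host, port);
    }

    // For this example every other operation is permitted (assumption); a real
    // deployment would keep its normal policy checks here.
    @Override
    public void checkPermission(Permission perm) { }

    @Override
    public void checkPermission(Permission perm, Object context) { }

    public static void main(String[] args) throws Exception {
        System.setSecurityManager(new MetadataGuard());
        try {
            // Plain application code, no SDK frame on the stack -> refused.
            new java.net.Socket(METADATA_HOST, 80).close();
            System.out.println("connection allowed (unexpected)");
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

On JDK 17 and later the manager must be enabled explicitly (`java -Djava.security.manager=allow MetadataGuard`) because JEP 411 deprecates it for removal; the point of the example is that once it is gone, there is no JDK-provided way to make an access decision depend on who is on the call stack, which is exactly the capability the message asks to preserve.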