
Java Security Manager Reloaded - jOpenSpace Lightning Talk

How to protect your systems with Java Security Manager, and how to make it simple with the pro-grade library.


  1. 1. Java Security Manager Reloaded. Josef Cacek, Senior Quality Engineer, Red Hat / JBoss
  2. 2. Agenda ● Java Security Manager – quickstart – issues ● Reloaded – there is an easier way – pro-grade library
  3. 3. Do you run ?
  4. 4. Do you run Java Applications?
  5. 5. You should be afraid. You are threatened!
  6. 6. Threats ● bugs in libraries – lazy programmers ● hidden features – evil programmers ● man-in-the-middle – The Hackers
  7. 7. Java has a solution
  8. 8. Java Security Manager (JSM) checks if the caller has permissions to run protected actions.
  9. 9. Terminology ● Sensitive code calls the Security Manager (extends java.lang.SecurityManager) ● the Security Manager enforces the Policy (extends java.security.Policy) ● Permissions (extends java.security.Permission)
  10. 10. Example: Sensitive code calling JSM
      ```java
      // Ask the installed Security Manager (if any) before running the protected action.
      SecurityManager sm = System.getSecurityManager();
      if (sm != null)
          sm.checkPermission(
              new org.jboss.SimplePermission("getCache"));
      ```
  12. 12. Policy ● holds which protected actions are allowed – no action by default ● defined in policy file ● grant entries assign Permissions to – code path [codeBase] – signed classes [signedBy] – authenticated user [principal]
  13. 13. Example: Policy file
      ```
      keystore "/opt/redhat.keystore";

      grant {
          permission java.io.FilePermission "/tmp/-", "read,write";
      };

      grant codeBase "file:${jboss.home.dir}/jboss-modules.jar" {
          permission java.lang.RuntimePermission "getStackTrace";
          permission java.util.PropertyPermission "*", "read,write";
      };

      grant signedBy "jboss" {
          permission java.security.AllPermission;
      };
      ```
  17. 17. Permission ● represents access right to a protected action ● has a type and target ● may have actions ● java.security.AllPermission – unrestricted access to all resources – automatically granted to system classes
  18. 18. Example: Read a file ● App [app.jar] → Utils [app-lib.jar] → FileReader("/etc/passwd")
  20. 20. JSM quickstart ● set java.security.manager system property – no value → default implementation – class name → custom SecurityManager implementation ● set java.security.policy system property – path to text file with permission mappings ● set java.security.debug system property (optional)
  21. 21. Example: Run Application with JSM enabled
      ```
      java -Djava.security.manager \
           -Djava.security.policy=/opt/jEdit/jEdit.policy \
           -Djava.security.debug=access:failure \
           -jar /opt/jEdit/jedit.jar /etc/passwd
      ```
  22. 22. Protect your systems. Use Java Security Manager!
  23. 23. However ...
  24. 24. JSM issues - #1 performance
  25. 25. JSM issues - #2 policy file tooling
  26. 26. JSM Reloaded: pro-grade library. Set of SecurityManager and Policy implementations.
  27. 27. pro-grade library ● Java Security Manager made easy(ier) ● authors – Ondřej Lukáš – Josef Cacek ● Apache License ● http://pro-grade.sourceforge.net/
  28. 28. pro-grade components ● #1 policy with deny entries ● #2 policy file generator ● #3 missing permissions debugger
  29. 29. #1 pro-grade policy with deny rules ● "subtracting" permissions from the granted ones ● helps to decrease count of mapped permissions ● Policy Rules Of Granting And DEnying
  30. 30. #1 pro-grade policy with deny rules ● "subtracting" permissions from the granted ones ● helps to decrease count of mapped permissions
      ```
      // grant full access to /tmp folder
      grant {
          permission java.io.FilePermission "/tmp/-", "read,write";
      };

      // deny write access to the static subfolder of /tmp
      deny {
          permission java.io.FilePermission "/tmp/static/-", "write";
      };
      ```
  31. 31. #2 pro-grade policy file generator ● policytool on (a)steroids ● No GUI is better than any GUI! ● doesn't throw the AccessControlException
  32. 32. #3 pro-grade permissions debugger ● lightweight alternative to java.security.debug ● info about missing permissions to error stream ● doesn't throw the AccessControlException
      ```
      >> Denied permission java.io.FilePermission "/etc/passwd", "read";
      >>> CodeSource: (file:/tmp/app-lib.jar <no signer certificates>)
      ```
  33. 33. It's demo time! Security policy for Java EE server in 3 minutes.
  34. 34. Use Java Security Manager!
  36. 36. Use Java Security Manager! Make it easy with pro-grade
  37. 37. pro-grade fighting JSM issues ● performance → deny rules help ● policy file tooling → generator – fully automated → debugger – quick check what's missing
  38. 38. Q & A ● Josef Cacek ● @jckwart ● josef.cacek@gmail.com ● http://javlog.cacek.cz ● http://pro-grade.sourceforge.net ● http://github.com/pro-grade/pro-grade ● http://docs.oracle.com/javase/8/docs/technotes/guides/security/
  39. 39. Credits ● public domain images – pixabay.com ● public domain drawings – openclipart.org ● No pony was hurt in the preparation of this presentation.
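
Added example (an illustration of the grant-minus-deny rule on slide 30, not pro-grade's own implementation): a permission is allowed only when a grant entry implies it and no deny entry does. `GrantDenyPolicy` and the file names under /tmp are hypothetical; the two policy entries are the ones from the slide, and a JDK with functional Security Manager APIs (Java 8 to 17) is assumed.

```java
import java.io.FilePermission;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.ProtectionDomain;

public class DenyPolicyDemo {

    // Hypothetical policy: the same entries apply to all code, as in the
    // slide's grant { } and deny { } blocks without codeBase or signedBy.
    static class GrantDenyPolicy extends Policy {
        private final Permissions granted = new Permissions();
        private final Permissions denied = new Permissions();

        GrantDenyPolicy grant(Permission p) { granted.add(p); return this; }
        GrantDenyPolicy deny(Permission p)  { denied.add(p);  return this; }

        @Override
        public boolean implies(ProtectionDomain domain, Permission requested) {
            // "Subtracting": a matching deny entry overrides a matching grant entry.
            return granted.implies(requested) && !denied.implies(requested);
        }
    }

    public static void main(String[] args) {
        Policy policy = new GrantDenyPolicy()
            .grant(new FilePermission("/tmp/-", "read,write"))
            .deny(new FilePermission("/tmp/static/-", "write"));

        // Constructed sample requests: { path, action }
        String[][] requests = {
            {"/tmp/report.txt",      "write"},
            {"/tmp/static/logo.png", "read"},
            {"/tmp/static/logo.png", "write"},
            {"/etc/passwd",          "read"},
        };
        for (String[] r : requests) {
            Permission p = new FilePermission(r[0], r[1]);
            System.out.printf("%-22s %-6s -> %s%n", r[0], r[1],
                policy.implies(null, p) ? "allowed" : "denied");
        }
    }
}
```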
