Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Java Security Manager Reloaded 
Josef Cacek 
Senior Quality Engineer 
Red Hat / JBoss
Agenda 
2 
● Java Security Manager 
– quickstart 
– issues 
● Reloaded 
– there is an easier way 
– pro-grade library
3 
Do you run 
?
4 
Do you run 
Java Applications 
?
YYoouu sshhoouulldd bbee aaffffrraaiidd 
YYoouu aarree ttrreeaatteenneedd!!
Threats 
6 
● bugs in libraries 
– lazy programmers 
● hidden features 
– evil programmers 
● man-in-the-middle 
– The Hac...
JJaavvaa hhaass aa ssoolluuttiioonn
8 
Java Security Manager (JSM) 
checks if the caller has permissions 
to run protected actions.
Terminology 
Sensitive code calls extends java.lang.SecurityManager 
9 
Security Manager 
enforces 
Policy 
Permissions 
e...
Example: Sensitive code calling JSM 
10 
SecurityManager sm = System.getSecurityManager(); 
if (sm != null) 
sm.checkPermi...
Example: Sensitive code calling JSM 
11 
SecurityManager sm = System.getSecurityManager(); 
if (sm != null) 
sm.checkPermi...
Policy 
● keeps which protected actions are allowed 
12 
– No action by default 
● defined in policy file 
● grant entries...
Example: Policy file 
keystore "/opt/redhat.keystore"; 
grant { 
13 
permission java.io.FilePermission "/tmp/-", "read,wri...
Example: Policy file 
keystore "/opt/redhat.keystore"; 
grant { 
14 
permission java.io.FilePermission "/tmp/-", "read,wri...
Example: Policy file 
keystore "/opt/redhat.keystore"; 
grant { 
15 
permission java.io.FilePermission "/tmp/-", "read,wri...
Example: Policy file 
keystore "/opt/redhat.keystore"; 
grant { 
16 
permission java.io.FilePermission "/tmp/-", "read,wri...
Permission 
● represents access right to a protected action 
● has a type and target 
● may have actions 
● java.lang.AllP...
Example: Read a file 
● App [app.jar] → Utils [app-lib.jar]→ FileReader(“/etc/passwd”) 
18
Example: Read a file 
● App [app.jar] → Utils [app-lib.jar]→ FileReader(“/etc/passwd”) 
19
JSM quickstart 
● set java.security.manager system property 
20 
– no value → default implementation 
– class name → custo...
Example: Run Application with JSM enabled 
21 
java  
-Djava.security.manager  
-Djava.security.policy=/opt/jEdit/jEdit.po...
22 
Protect your systems 
Use Java Security Manager!
23 
However ...
JSM issues - #1 performance 
24
JSM issues - #2 policy file tooling 
25
26 
JSM Reloaded 
pro-grade library 
Set of SecurityManager 
and Policy implementations.
pro-grade library 
● Java Security Manager made easy(ier) 
● authors 
27 
– Ondřej Lukáš 
– Josef Cacek 
● Apache License ...
pro-grade components 
#1 policy with deny entries 
#2 policy file generator 
#3 missing permissions debugger 
28
#1 pro-grade policy with deny rules 
● “subtracting” permissions from the granted ones 
● helps to decrease count of mappe...
#1 pro-grade policy with deny rules 
● “subtracting” permissions from the granted ones 
● helps to decrease count of mappe...
#2 pro-grade policy file generator 
● policytool on (a)steroids 
● No GUI is better than any GUI! 
● doesn't throw the 
Ac...
#3 pro-grade permissions debugger 
● lightweigh alternative to java.security.debug 
● info about missing permissions to er...
It's demo time! 
Security policy for Java EE server 
in 3 minutes.
34 
Use Java Security Manager!
35 
Use Java Security Manager!
36 
Use Java Security Manager! 
Make it easy with pro-grade
pro-grade fighting JSM issues 
● performance 
→ deny rules helps 
● policy file tooling 
→ generator – fully automated 
→ ...
38 
Josef Cacek 
@jckwart 
josef.cacek@gmail.com 
http://javlog.cacek.cz 
http://pro-grade.sourceforge.net 
http://github....
Credits 
● public domain images 
39 
– pixabay.com 
● public domain drawings 
– openclipart.org 
No pony was hurt in the p...
Upcoming SlideShare
Loading in …5
×

Java Security Manager Reloaded - jOpenSpace Lightning Talk

1,368 views

Published on

How to protect your systems with Java Security Manager
and
How to make it simple with pro-grade library

Published in: Software
  • Be the first to comment

  • Be the first to like this

Java Security Manager Reloaded - jOpenSpace Lightning Talk

  1. 1. Java Security Manager Reloaded Josef Cacek Senior Quality Engineer Red Hat / JBoss
  2. 2. Agenda 2 ● Java Security Manager – quickstart – issues ● Reloaded – there is an easier way – pro-grade library
  3. 3. 3 Do you run ?
  4. 4. 4 Do you run Java Applications ?
  5. 5. YYoouu sshhoouulldd bbee aaffffrraaiidd YYoouu aarree ttrreeaatteenneedd!!
  6. 6. Threats 6 ● bugs in libraries – lazy programmers ● hidden features – evil programmers ● man-in-the-middle – The Hackers
  7. 7. JJaavvaa hhaass aa ssoolluuttiioonn
  8. 8. 8 Java Security Manager (JSM) checks if the caller has permissions to run protected actions.
  9. 9. Terminology Sensitive code calls extends java.lang.SecurityManager 9 Security Manager enforces Policy Permissions extends java.security.Policy extends java.security.Permission
  10. 10. Example: Sensitive code calling JSM 10 SecurityManager sm = System.getSecurityManager(); if (sm != null) sm.checkPermission( new org.jboss.SimplePermission("getCache"));
  11. 11. Example: Sensitive code calling JSM 11 SecurityManager sm = System.getSecurityManager(); if (sm != null) sm.checkPermission( new org.jboss.SimplePermission("getCache"));
  12. 12. Policy ● keeps which protected actions are allowed 12 – No action by default ● defined in policy file ● grant entries assigns Permissions to – code path [codeBase] – signed classes [signedBy] – authenticated user [principal]
  13. 13. Example: Policy file keystore "/opt/redhat.keystore"; grant { 13 permission java.io.FilePermission "/tmp/-", "read,write"; }; grant codeBase "file:${jboss.home.dir}/jboss-modules.jar" { permission java.lang.RuntimePermission "getStackTrace"; permission java.util.PropertyPermission "*", "read,write"; }; grant signedBy "jboss" { permission java.security.AllPermission; };
  14. 14. Example: Policy file keystore "/opt/redhat.keystore"; grant { 14 permission java.io.FilePermission "/tmp/-", "read,write"; }; grant codeBase "file:${jboss.home.dir}/jboss-modules.jar" { permission java.lang.RuntimePermission "getStackTrace"; permission java.util.PropertyPermission "*", "read,write"; }; grant signedBy "jboss" { permission java.security.AllPermission; };
  15. 15. Example: Policy file keystore "/opt/redhat.keystore"; grant { 15 permission java.io.FilePermission "/tmp/-", "read,write"; }; grant codeBase "file:${jboss.home.dir}/jboss-modules.jar" { permission java.lang.RuntimePermission "getStackTrace"; permission java.util.PropertyPermission "*", "read,write"; }; grant signedBy "jboss" { permission java.security.AllPermission; };
  16. 16. Example: Policy file keystore "/opt/redhat.keystore"; grant { 16 permission java.io.FilePermission "/tmp/-", "read,write"; }; grant codeBase "file:${jboss.home.dir}/jboss-modules.jar" { permission java.lang.RuntimePermission "getStackTrace"; permission java.util.PropertyPermission "*", "read,write"; }; grant signedBy "jboss" { permission java.security.AllPermission; };
  17. 17. Permission ● represents access right to a protected action ● has a type and target ● may have actions ● java.lang.AllPermission 17 – unrestricted access to all resources – automatically granted to system classes
  18. 18. Example: Read a file ● App [app.jar] → Utils [app-lib.jar]→ FileReader(“/etc/passwd”) 18
  19. 19. Example: Read a file ● App [app.jar] → Utils [app-lib.jar]→ FileReader(“/etc/passwd”) 19
  20. 20. JSM quickstart ● set java.security.manager system property 20 – no value → default implementation – class name → custom SecurityManager implementation ● set java.security.policy system property – path to text file with permission mappings ● set java.security.debug system property (optional)
  21. 21. Example: Run Application with JSM enabled 21 java -Djava.security.manager -Djava.security.policy=/opt/jEdit/jEdit.policy -Djava.security.debug=access:failure -jar /opt/jEdit/jedit.jar /etc/passwd
  22. 22. 22 Protect your systems Use Java Security Manager!
  23. 23. 23 However ...
  24. 24. JSM issues - #1 performance 24
  25. 25. JSM issues - #2 policy file tooling 25
  26. 26. 26 JSM Reloaded pro-grade library Set of SecurityManager and Policy implementations.
  27. 27. pro-grade library ● Java Security Manager made easy(ier) ● authors 27 – Ondřej Lukáš – Josef Cacek ● Apache License http://pro-grade.sourceforge.net/
  28. 28. pro-grade components #1 policy with deny entries #2 policy file generator #3 missing permissions debugger 28
  29. 29. #1 pro-grade policy with deny rules ● “subtracting” permissions from the granted ones ● helps to decrease count of mapped permissions 29 Policy Rules Of Granting And DEnying
  30. 30. #1 pro-grade policy with deny rules ● “subtracting” permissions from the granted ones ● helps to decrease count of mapped permissions // grant full access to /tmp folder grant { 30 permission java.io.FilePermission "/tmp/-", "read,write"; }; // deny write access to the static subfolder of /tmp deny { permission java.io.FilePermission "/tmp/static/-", "write"; };
  31. 31. #2 pro-grade policy file generator ● policytool on (a)steroids ● No GUI is better than any GUI! ● doesn't throw the AccessControlException 31
  32. 32. #3 pro-grade permissions debugger ● lightweigh alternative to java.security.debug ● info about missing permissions to error stream ● doesn't throw the AccessControlException >> Denied permission java.io.FilePermission "/etc/passwd", "read"; >>> CodeSource: (file:/tmp/app-lib.jar <no signer certificates>) 32
  33. 33. It's demo time! Security policy for Java EE server in 3 minutes.
  34. 34. 34 Use Java Security Manager!
  35. 35. 35 Use Java Security Manager!
  36. 36. 36 Use Java Security Manager! Make it easy with pro-grade
  37. 37. pro-grade fighting JSM issues ● performance → deny rules helps ● policy file tooling → generator – fully automated → debugger – quick check what's missing 37
  38. 38. 38 Josef Cacek @jckwart josef.cacek@gmail.com http://javlog.cacek.cz http://pro-grade.sourceforge.net http://github.com/pro-grade/pro-grade http://docs.oracle.com/javase/8/docs/technotes/guides/security/ Q & A
  39. 39. Credits ● public domain images 39 – pixabay.com ● public domain drawings – openclipart.org No pony was hurt in the preparation of this presentation.

×