I want to create a Java-based website that will execute completely untrusted code from third parties. This third-party code will need to be able to access websites on the Internet, but not, for example, attempt a DoS on them.
I can choose the language, but if its obscure it will hurt adoption of the service I'm building.
Can anyone provide some pointers as to open source tools I should investigate?
Are you thinking of something like the Google App Engine? They do this for Java by providing a "sandbox" where the app has access only to carefully restricted subset of the Java API. You might take a look at their JRE White List for ideas. (They also provide other languages.)
Yahoo App Platform and Amazon Web Services provide similar functionality, but not in Java (which, from your tag, I assume is your main interest).
The key to do this with Java code, of course, is defining a SecurityManager and then carefully specifying the policy. Aside from that, you'd host on a Linux system and use a chroot jail -- or better yet, a chroot jail on a virtualized system.
You don't have to worry about someone using your single server to launch a DDOS attack, though, by definition!
First things first, you need to build an excellent jail or sandbox for your application. Virtualization can help, but even within a guest VM there are a lot of operations you wouldn't want your untrusted code to perform.
So investigate mandatory access control such as AppArmor, SElinux, TOMOYO, or SMACK. Any of these can lock down your server code to only a subset of allowed operations. There are patches available that can lock your application to a subset of system calls that is probably worth investigating as well. (Since I've worked on AppArmor for almost a decade, it's the tool I know best. It's also the tool I think best suited for the task, but SMACK's utter simplicity is really appealing.)
You can perform rate limiting at the firewall level to try to limit the amount of outside annoyances that your code hosting can cause. Rate limiting isn't the same as preventing :) but it gives you an opportunity to see obvious attempts to do stupid things in your logs.
Wait you all.
There is no reason for #sanity to look for 3rd party solutions, because Java already has a policy mechanism which allows untrusted code to access only a given subset of the Java API. See package java.security and SecurityManager. It allows you to say the JVM, "this app must have permission to access this stuff but not this other one".
But I think #sanity wants to grant a given permission to run untrusted code, without allowing it to do harmful things with that permission...
I'm not sure if I understand your question. But from what I understand you just need the user to be able to execute code (in a java-based website, however the code doesn't need to be java), in that case have you considered letting the user execute only client-side code (ie javascript)? This way the only machine they can harm is their own. You can read more about how other websites handle malicious code here and you can read about the few dangers of letting users execute JS here.
Related
I have java application and I thinking about security. I can obfuscate code but I can still "steal" code from memory or modify code in runtime using for example javassist. I looking for SecurityManager to protect my code before modify and get code from memory by another java application.
Someone know how how use SecurityManager for this example or knows better solution?
A SecurityManager does the opposite of what you are trying to do. It protects the user's machine against the potentially harmful effects of running untrusted code. You are trying to protect the code against the user.
There is no real solution that will 100% protect your code. If the code executes on the user's machine, it can be stolen, and (with skill and effort) reverse engineered. This is true for all programming languages.
Basically, if the user controls the platform they can access stuff in a running applications memory, and you cannot stop this. In the case of Java, they can also disable any security managers, attach agents, and ... basically override any security controls that you might want to impose. It is >>their<< platform.
The best you can hope to do is to make it too hard for someone without the necessary reverse engineering skills and time.
And if the code is that precious ... only run it on >>your<< hardware in >>your<< data centre, etc.
I need to add something that generate an activation code in my android app so the app features should work only if the app is activated. what is the best way to do that ?
If I understand the question correctly, what you want to achieve is technically impossible.
Any functionality your app has is already there in the app, downloaded to the client. A user can use a debugger to disassemble the app file and change your source code to either not require an activation code or accept any code (whatever is easier, but both are possible). Anything you give to a client should be considered as being fully controlled by the client, any logic in there can be changed, secrets can be seen, etc.
This may not be straightforward, especially if you use some kind of an obfuscation, but it will always be possible. The question is only the effort needed.
And the effort is key here. In some scenarios, protecting low-value resources, it may be good enough to deter the lowest profile attackers. It's always about risk and the cost of protection. But you need to be aware of the above, that the logic in an app cannot be protected.
So if you want to protect your stuff, you have a few options for different scenarios:
Have two separate apps, one free without paid functionality included and one paid. Users can use the free one and then buy the other if they want.
Have paid functionality served by a server. If critical business logic is on the server side, you can really enforce access control rules and you can maintain control over who has access. This may have serious implications on your app architecture and functionality though.
If the value you are trying to protect is low, you can go for obfuscation and access control logic in the app as mentioned above, but you need to be aware that this can be cracked relatively easily, especially on Android by changing the apk.
I believe you cannot do this with just your app, you definitely need the help of server which would generate an activation code for you and match it with the logged in user. Once the generated activation code is passed on to the user via email or any other means, then you can match the activation code given by the user and then match with the one in the server and if they match, let them use the features.
I hope this is what you want. But I might even be dumb enough to misunderstand you. Let me know if this is what you want.
Read an interesting article about securing XP,http://www.expertreviews.co.uk/software/1304965/when-windows-xp-support-ends-this-is-how-you-secure-your-pc-and-save-all-updates.
With these suggestions is building apps for the marketplace ok with this setup to get by w/o headaches.
Here are my noob thoughts and question:
Just learning to code. Do you think I could run a limited setup to learn languages Java and C# while still being able to use my desktop for deployment of apps? A limited login as described only allows certain actions which I believe is different than a typical guest account. I wonder if my comp could still act as a server to retrieve data requested by users away from my machine. I figure I would need to be logged in as an admin to make some changes but, would hope that tasking processes or jobs could still be done.
I guess my question is, do users of a program you made need access to a local machine for some functions and would that work in limited?
I would like to get something portable and keep my desktop for business to be economical and not run the risk of logging on to an unsecure Wi-Fi with a portable that has business use. Ideally, I'd pony up for newer, better. I'm just learning though.
Do users of a program you made need access to a local machine for some functions and would that work in limited.
No. If you need some sort of server backend for your app a personal computer would be a bad choice for several reasons:
It would need to be available at all times: you can't frequently turn it off or restart.
It would require the same ip address.
It could consume a good amount of you're computer's resources, making it difficult to use for personal use
Instead you should probably be using a dedicated server or a cloud based solution, of which several offer free usage tiers.
I'm going to deploy my webapp (WAR) in a server machine. But, server machine is in client people hand, and they take database dump(so new data can be created), and WAR file can be copied from tomcat webapp directory. OS is Windows. If they able to copy my WAR and create a database, they can use it elsewhere. How can I protect this? JNI? Something else? If JNI, what's the smart way?
Seriously, if you cannot trust the people who run the server on which your software is to run, then there is no viable technical solution that will prevent them stealing it and running it somewhere else.
All known technical "fixes" (e.g. obfuscation, encrypted classes, license managers, "call home", etc) only make it a bit harder for the bad guys. They all can can be defeated relatively easily. IMO, they are not worth the effort and the accompanying technical problems that they cause for you and/or your client.
Your best approach is the legal one:
Get your lawyers to help you draw up a contract with the client that expressly forbids them from reverse engineering your software, modifying it, running it in ways that you don't want, and so on.
Get the client to agree to the contract.
Monitor what they are doing (to the extent that you can), and if it looks like they are violating the contract ... SUE THEM.
Even this is not a guarantee, but it should cause your client to have second thoughts about stealing your stuff.
Possible solutions:
Use a code obfuscation library. This will make the code look complex in case they try to decompile it (in case they need to change anything). This is usually software that you need to buy and sometimes it will complicate things when you try to look through an exception when debugging the live system.
Include checks in your code that prevent the application of running in case some "hidden" environment variable (or whatever) is not found.
Setup a contract with your client which will explicitly forbit him of stealing and using your app/code elsewhere.
Solution #3 is the most common.
Assume I have a webpage where people submit java source code (a simple class).
I want to compile and run the code on my server, but naturally I want to prevent people from harming my server, so how do I disable java.io.* and other functions/libraries of my choice?
A regexp on the source code would be one way, but it would be "nicer" if one could pass some argument to javac or java.
(This could be useful when creating an AI competition or something where one implements a single class, but I want to prevent tampering with the java environment.)
If you are in complete control of the JVM, then you can use security policies to do this. It's the same approach taken by web browsers when they host applets.
http://java.sun.com/j2se/1.5.0/docs/guide/security/permissions.html
Hope this helps.
Depending on your intent, you might be able to speak with Nick Parlante, who runs javabat.com - it does pretty much exactly what you're describing. I don't know whether he's willing to share his solution, but he might be able to give you some specific help.
My advice is don't do it. At least, don't do it unless you are willing and prepared to accept the consequences of the machine that runs your server being hacked. And maybe other machines on the same network.
The Google App Engine uses an approach where classes are white listed - that is, they are probably either not loaded, or the classes themselves changed and the libraries recompiled, so that no IO, or other system calls can be made. perhaps you could try this by recompiling a jvm like http://jikesrvm.org/.
You can always run the code in a custom classloader. This allows you full control about what you will accept to load.