DOI: 10.1145/2818000.2818003
ACSAC Conference Proceedings. Research article, Public Access.

Evaluating the Flexibility of the Java Sandbox

Published: 07 December 2015

Abstract

The ubiquitously installed Java Runtime Environment (JRE) provides a complex, flexible set of mechanisms that support the execution of untrusted code inside a secure sandbox. However, many recent exploits have successfully escaped the sandbox, allowing attackers to infect numerous Java hosts. We hypothesize that the Java security model affords developers more flexibility than they need or use in practice, and thus its complexity compromises security without improving practical functionality. We describe an empirical study of the ways benign open-source Java applications use and interact with the Java security manager. We found that developers regularly misunderstand or misuse Java security mechanisms, that benign programs do not use all of the vast flexibility afforded by the Java security model, and that there are clear differences between the ways benign and exploit programs interact with the security manager. We validate these results by deriving two restrictions on application behavior that restrict (1) security manager modifications and (2) privilege escalation. We demonstrate that enforcing these rules at runtime stops a representative proportion of modern Java 7 exploits without breaking backwards compatibility with benign applications. These practical rules should be enforced in the JRE to fortify the Java sandbox.
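As an added illustration (not the paper's code or its runtime instrumentation), the Java class below enforces rule (1), "no security manager modifications", at the public API: `System.setSecurityManager()` asks the installed manager for `RuntimePermission("setSecurityManager")` before replacing or removing it, so a manager that always denies that permission locks itself in place. The class name and the choice to apply the rule through the standard `checkPermission` hook are assumptions of this example.

```java
import java.security.Permission;

/**
 * Added example, not code from the paper: locks the installed security
 * manager so it can neither be replaced nor removed (rule 1 of the abstract).
 * Assumes a JRE that still allows a manager to be installed (Java 7/8 as in
 * the paper; on Java 18+ start the JVM with -Djava.security.manager=allow).
 */
public final class LockedSecurityManager extends SecurityManager {

    // System.setSecurityManager() requests exactly this permission.
    private static boolean isManagerChange(Permission perm) {
        return perm instanceof RuntimePermission
                && "setSecurityManager".equals(perm.getName());
    }

    @Override
    public void checkPermission(Permission perm) {
        if (isManagerChange(perm)) {
            // The study found benign applications do not need this after
            // start-up, so denying it closes the escape route at no cost.
            throw new SecurityException("security manager is locked: " + perm);
        }
        super.checkPermission(perm); // everything else: the normal policy decision
    }

    @Override
    public void checkPermission(Permission perm, Object context) {
        if (isManagerChange(perm)) {
            throw new SecurityException("security manager is locked: " + perm);
        }
        super.checkPermission(perm, context);
    }

    public static void main(String[] args) {
        // Install once, early, before any untrusted code runs.
        System.setSecurityManager(new LockedSecurityManager());

        // Any later attempt to swap or remove the manager (the behaviour the
        // study saw in exploit code but not in benign applications) now fails.
        try {
            System.setSecurityManager(null);
            System.out.println("FAIL: manager was removed");
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

This guards only the documented API path; the paper argues for enforcing the rule inside the JRE itself rather than in an application-supplied manager.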


Published In

ACSAC '15: Proceedings of the 31st Annual Computer Security Applications Conference
December 2015
489 pages
ISBN:9781450336826
DOI:10.1145/2818000

In-Cooperation

  • ACSA: Applied Computing Security Assoc

Publisher

Association for Computing Machinery

New York, NY, United States

Conference

ACSAC 2015

Acceptance Rates

Overall Acceptance Rate 104 of 497 submissions, 21%
