Sandbox JVM to secure server from untrusted sources

Question

How can protecting my server from malicious activity when accepting and executing uploaded, untrusted code?

The users should be able to implement my interface and given data, perform some calculations and return data. No I/O operations are required and certainly no thread/process manipulation or other tomfoolery.

Using the java.policy file it is possible to deny everything (by granting nothing).

$ cat test.policy 
grant {
};

Using this policy file, operations not granted will cause a security exception.

$ cat Print.java
public class Print {
    public static void main(String a[]) throws Exception {
        System.out.println(System.getProperty("os.name"));
    }
}

$ javac Print.java
$ java -Djava.security.manager -Djava.security.policy==test.policy Print
Exception in thread "main" java.security.AccessControlException: 
  access denied (java.util.PropertyPermission os.name read)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
    at java.security.AccessController.checkPermission(AccessController.java:546)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
    at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1285)
    at java.lang.System.getProperty(System.java:650)
    at Print.main(Print.java:3)

Is this foolproof? Do I need to do more to secure my server environment from untrusted sources?

Answer 1

I wouldn't simply rely on the SecurityManager if I were you. Yes, your configuration looks to be correct and that would be enough, if the Java sandbox were flawless. But look at how many Java vulnerabilities are being fixed in every security release of Java. For example, the latest Oracle Java CPU. A lot of those Java vulnerabilities are ones that escape from the Sandbox. This is very bad on the client-side (several people are advocating turning off Java from the browser), but would be even worse on the server side, as attackers don't have to lure you to their site, they can just attack your server.

For example, currently I personally have several such vulnerabilities that I'm awaiting Oracle to address, or I'm in the process of communicating them to Oracle. And I'm not the only researcher that has them. And there must be bad guys that have them, too. So even if you'd update your Java religiously the second the new version comes out, you wouldn't be safe.

I think at the very least you should have something on the OS level, permissions, etc, to control the server process. Sorry, I don't have very good suggestions there, but I'm just saying that no, you absolutely cannot rely on the JVM Sandbox for security on the server.