Evaluating the Flexibility of the Java Sandbox

Coker, Zack; Maass, Michael; Ding, Tianyuan; Goues, Claire Le; Sunshine, Joshua

doi:10.1145/2818000.2818003

Cited by 11 publications

(7 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Coker et al [15] evaluates how the security manager is used in benign applications. Based on this knowledge, they devise two rules to prevent most of the exploits from working: the security manager cannot be changed if it has been set by the application and a class may not directly load a more privileged class if a security manager is set.…”

Section: Related Workmentioning

confidence: 99%

“…Function has flag match exception is represented in Figure 16. In order for this function to return true all the following conditions must pass: (1) the maximum number of local variables and the maximum size of the stack must be the same for the current frame and the target frame (lines 4-5); (2) the current frame must have the UNINIT flag set to true (line 10); and (3) uninitialized objects are not used in the target frame (lines [14][15][16][17][18][19][20][21][22][23][24]. Figure 17 illustrates bytecode that satisfies the three conditions.…”

Section: B12 Looking At the Patchmentioning

confidence: 99%

See 1 more Smart Citation

Musti: Dynamic Prevention of Invalid Object Initialization Attacks

Bartel¹,

Klein²,

Traon³

2019

IEEE Trans.Inform.Forensic Secur.

View full text Add to dashboard Cite

The invalid object initialization vulnerability has been known at least since the 1990's when discovered by a research group at Princeton University. Recently, such a vulnerability, identified as CVE-2017-3289, was found again in the bytecode validation code of the Java virtual machine. In this paper, we explain what the vulnerability is and how it could be used to bypass Java sandbox restrictions, leading to a situation in which the security of the Java virtual machine is compromised. We then present a solution called MUSTI to detect and prevent attacks leveraging this kind of critical vulnerability at runtime. MUSTI, has been evaluated on the Dacapo Java benchmark as well as on real-world programs and has a runtime overhead below 5%. We also show how MUSTI can be optimized to have a runtime overhead below 1%.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: B12 Looking At the Patchmentioning

confidence: 99%

Musti: Dynamic Prevention of Invalid Object Initialization Attacks

Bartel¹,

Klein²,

Traon³

2019

IEEE Trans.Inform.Forensic Secur.

View full text Add to dashboard Cite

show abstract

“…First, the Java sandbox model affords so much flexibility that it leads to unnecessary vulnerabilities and bad security practices [6]. In the Java sandbox model, the JVM leverages a number of security permissions to restrict the behaviors of untrusted code for securing a benign application.…”

Section: Java Exploits Analysismentioning

confidence: 99%

“…The vendors of Java platforms fulfill the memory-safety property by containing the safe execution of untrusted bytecodes in a so-called sandbox and isolating them from one another. However, some research already has revealed that the sandbox is no longer unbreakable and may be bypassable in recent years [6][7][8][9]. An adversary can execute malicious bytecode inside the same protection domain as trusted code or tamper with benign bytecode and even replace it deliberately on the fly.…”

Section: Introductionmentioning

confidence: 99%

“…Through the analysis of related work [6][7][8][9] and a set of Java exploits [10-24], we found that there are three factors to account for such a violation of byte integrity. First, the design and engineering of the Java security sandbox is too complex and affords developers more flexibility than they need or use in practice [6]. The unnecessary complexity and flexibility enable attackers to create a self-defined class loader to load malicious classes into any protection domain, such as the exploit of CVE-2012-0507 [10].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

RIM4J: An Architecture for Language-Supported Runtime Measurement against Malicious Bytecode in Cloud Computing

Zhou

Qiao

et al. 2018

Symmetry

View full text Add to dashboard Cite

While cloud customers can benefit from migrating applications to the cloud, they are concerned about the security of the hosted applications. This is complicated by the customers not knowing whether their cloud applications are working as expected. Although memory-safety Java Virtual Machine (JVM) can alleviate their anxiety due to the control flow integrity, their applications are prone to a violation of bytecode integrity. The analysis of some Java exploits indicates that the violation results primarily from the given excess sandbox permission, loading flaws in Java class libraries and third-party middlewares and the abuse of sun.misc.UnsafeAPI. To such an end, we design an architecture, called RIM4J, to enforce a runtime integrity measurement of Java bytecode within a cloud system, with the ability to attest this to a cloud customer in an unforgeable manner. Our RIM4J architecture is portable, such that it can be quickly deployed and adopted for real-world purposes, without requiring modifications to the underlying systems and access to application source code. Moreover, our RIM4J architecture is the first to measure dynamically-generated bytecode. We apply our runtime measurement architecture to a messaging server application where we show how RIM4J can detect undesirable behaviors, such as uploading arbitrary files and remote code execution. This paper also reports the experimental evaluation of a RIM4J prototype using both a macro-and a micro-benchmark; the experimental results indicate that RIM4J is a practical solution for real-world applications.

show abstract