Evaluating the Flexibility of the Java Sandbox

Title: Evaluating the Flexibility of the Java Sandbox
Publication Type: Conference Paper
Year of Publication: 2015
Authors: Zack Coker, Michael Maass, Tianyuan Ding, Claire Le Goues, Joshua Sunshine
Conference Name: ACSAC Annual Computer Security Applications Conference
Date Published: 12-7-2015
Publisher: ACM New York, NY, USA ©2015
Conference Location: Los Angeles, CA
ISBN Number: 978-1-4503-3682-6
Keywords: CMU, Jan'16

The ubiquitously-installed Java Runtime Environment (JRE) provides a complex, flexible set of mechanisms that support the execution of untrusted code inside a secure sandbox. However, many recent exploits have successfully escaped the sandbox, allowing attackers to infect numerous Java hosts. We hypothesize that the Java security model affords developers more flexibility than they need or use in practice, and thus its complexity compromises security without improving practical functionality. We describe an empirical study of the ways benign open-source Java applications use and interact with the Java security manager. We found that developers regularly misunderstand or misuse Java security mechanisms, that benign programs do not use all of the vast flexibility afforded by the Java security model, and that there are clear differences between the ways benign and exploit programs interact with the security manager. We validate these results by deriving two restrictions on application behavior that restrict (1) security manager modifications and (2) privilege escalation. We demonstrate that enforcing these rules at runtime stops a representative proportion of modern Java 7 exploits without breaking backwards compatibility with benign applications. These practical rules should be enforced in the JRE to fortify the Java sandbox.

Citation Key: node-24909
Refereed Designation: Unknown