I
- Member of Jakarta EE Specification Committee
- Member of JCP Executive Committee
- Board of Directors of Eclipse Foundation
- Member of Adoptium Steering Committee

Manage Dependencies
- Plan A: Fork all dependent third-party libraries. Understand the behavior of all those libraries. ➔ Practically Impossible
- Plan B: Give up fully understanding the behavior of third-party libraries. Instead, limit the behavior of libraries to those that are safe. ➔ Sandbox

Sandbox
- Java inherently possesses sandbox functionality as a countermeasure against untrusted code (Applet).
- Restricting what code can do.
Over the years
- On the server side, trusted code is typically running.
- The danger on the server side lies not in untrusted code, but in malicious data sent to exploit vulnerabilities in trusted code.

NOT Trustworthy
- https://x.com/Cryolite/status/1774300154566455736
- https://xkcd.com/2347/
- xz-utils case
- OSS is open and transparent. That does not mean OSS is trustworthy.

Deep Sandbox
[Figure: call stack main → foo → read, with the code running in the sandbox marked.]
- Shallow Sandbox prohibits calling 'foo' (STOP)
- Deep Sandbox prohibits calling 'read' (STOP)

File example
https://docs.oracle.com/javase/jp/21/security/permissions-jdk1.html

    grant signedBy "sysadmin", codeBase "file:/home/sysadmin/*" {
        permission java.security.SecurityPermission "Security.insertProvider.*";
        permission java.security.SecurityPermission "Security.removeProvider.*";
        permission java.security.SecurityPermission "Security.setProperty.*";
    };

    grant principal javax.security.auth.x500.X500Principal "cn=Alice" {
        permission java.io.FilePermission "/home/Alice", "read, write";
    };

- who to permit
- what to permit
- on what to permit
The more features, the more complex the configuration

Sandbox configuration
- Can configure who, what, on what to permit
- But, configuration is too complex
- Complexity is a source of vulnerability
- At first glance, improving security ➔ Lower security

in General
Example:
Who     | which code?      | trusted.jar
What    | which operation? | can read
on What | which resource?  | /etc/passwd
Not all three parameters can always be specified

in Cloud Native
- seccomp (Secure Computing Mode): provided by Linux Kernel, controls system calls
- AppArmor: provided by Linux Kernel, controls resources
- Docker/Kubernetes provide sandboxes using seccomp and/or AppArmor

- Run in Kernel
- Specify system calls to allow or disallow
- Available with Docker/Kubernetes
Note
- by its parameter values, but only values passed by value are effective.
- A string, such as a file name, can't be used for filtering.
- 'open("foo.txt", O_RDWR)' actually passes a pointer ➔ 'open(0x1234, 2)'

available in seccomp
- SCMP_ACT_KILL_PROCESS: Terminate process with SIGSYS
- SCMP_ACT_ERRNO: system call returns error
- SCMP_ACT_LOG: calls are logged (can be used when creating a whitelist)
- SCMP_ACT_ALLOW: no effect
- ...
https://man7.org/linux/man-pages/man3/seccomp_init.3.html

in Kernel
- Specify resources to allow or disallow
  - mount
  - devices
  - files / directories
  - signals
  - sockets
- List of resources must be registered as a profile before using AppArmor
- Available with Docker/Kubernetes

- seccomp notifies the filter program running in user space when system calls happen.
- The filter program decides whether to allow or disallow the call.
- Parameter values passed by reference can also be checked.
- But, you need to create your own filter program.

notify parameters
[Figure: seccomp notify flow in steps 1 to 6 between Process, seccomp, Memory and Filter Program.]
- Process: open(0x1234, O_RDWR)
- Memory: 0x1234: "/tmp/abc"
- UNIX Socket, Notification FD
- information of Notification FD: PID, SC type (open), parameter (0x1234), and so on
- Filter Program: read memory (0x1234) ➔ "/tmp/abc"
- result of judgement

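The memory-read and decision steps of the filter program described above, as an added C example that is not from the slides or the speaker's gist: it resolves the pointer argument through /proc/<pid>/mem and applies a constructed /tmp/-only policy. `struct notif_view`, `read_path_arg` and `allow_open` are hypothetical names; the notification plumbing (UNIX socket, notification FD, ioctls) is left out, and the sample call reads the process's own memory.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical, trimmed stand-in for what a notification carries: the PID
 * and raw argument registers. For open(path, flags), args[0] is an address. */
struct notif_view { pid_t pid; uint64_t args[6]; };

/* Resolve a pointer argument by reading the target's memory through
 * /proc/<pid>/mem. Returns 0 on success, -1 on error or missing NUL. */
int read_path_arg(pid_t pid, uint64_t addr, char *out, size_t len)
{
    char memfile[64];
    snprintf(memfile, sizeof memfile, "/proc/%d/mem", (int)pid);
    int fd = open(memfile, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    int rc = -1;
    for (size_t got = 0; got < len; got++) {
        /* One byte at a time, so a short string at the end of a page is fine. */
        if (pread(fd, out + got, 1, (off_t)(addr + got)) != 1)
            break;
        if (out[got] == '\0') { rc = 0; break; }
    }
    close(fd);
    return rc;
}

/* Constructed policy: allow only paths under /tmp/. Fails closed on read
 * errors and on any "..". Symlinks are not resolved, and the target can
 * rewrite the string after this check if the call is allowed to continue. */
int allow_open(const struct notif_view *n)
{
    char path[PATH_MAX];
    if (read_path_arg(n->pid, n->args[0], path, sizeof path) != 0 || strstr(path, "..") != NULL)
        return 0;
    return strncmp(path, "/tmp/", 5) == 0;
}

int main(void)
{
    const char *p = "/tmp/abc"; /* constructed sample argument */
    struct notif_view n = { getpid(), { (uint64_t)(uintptr_t)p } };
    printf("%#llx -> %s\n", (unsigned long long)n.args[0], allow_open(&n) ? "allow" : "deny");
    return 0;
}
```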
written in Java
- Because seccomp is a low-level I/F, the Filter Program needs to be written in C Language.
- Java recently enables system programming by using FFM

C program

    #include <sys/socket.h>
    ...
    struct msghdr msg = {0};
    msg.msg_iov = &io;
    if (recvmsg(sockfd, &msg, 0) < 0)
        printf("Failed to receive message\n");

pure Java program

    private static final MemoryLayout MSGHDR_LAYOUT = MemoryLayout.structLayout(
        ValueLayout.ADDRESS.withName("msg_name"),
        ValueLayout.JAVA_INT.withName("msg_namelen"),
        MemoryLayout.paddingLayout(4),
        ValueLayout.ADDRESS.withName("msg_iov"),
        ...
    MemorySegment msg = Arena.global().allocate(MSGHDR_LAYOUT);
    msg.fill((byte)0);
    msg.set(ADDRESS, MSGHDR_LAYOUT.byteOffset(PathElement.groupElement("msg_iov")), io);
    if ( recvmsgHandle.invokeExact(sockfd, msg, 0) < 0) {
        throw new Exception("Failed to receive message");
    }

https://gist.github.com/kazumura/aae857e754cfbc30283aa688d52f1ac7

Columns: filtering (who / what / on what), container synergy, configuration complexity, difficulty, Java oriented
Rows: Java SM, seccomp, AppArmor, seccomp notify
- - - - - - - - can can’t - up to you yes no -

- Securing the Software Supply Chain is a critical theme in modern software development.
- Securing only the JDK is insufficient
- Adoptium technologies contribute to securing not only Temurin but also vendors’ JDKs
- Sandbox can be seen as a way to secure the complex Java ecosystem
Give It A Try!