> Whereas most programmers compose things to ensure certain things
> happen in certain cases, as appsec engineers, we need to ensure that
> certain things do not happen in any case, and so our calculus is
> roughly opposite that of the programmer, and we are in the difficult
> position of proving universals (conventionally, "proving a negative").
> By removing abilities from software (i.e. "this source file does not
> use eval"), we can reason much more reliably about their capabilities
> and tailor our reviews to relevant sections. If there are no
> constraints, we must review all of the code. Unfortunately I do
> not see such constraints added in at the language level, but I have
> not researched Java sandboxes and such yet.

I poked at the SecurityManager and Java sandboxes — the main problem is that if 
you have any kind of reflection or classloading ability at all, then you can 
poke into things very easily.

https://tersesystems.com/2015/12/22/an-easy-way-to-secure-java-applications/
https://tersesystems.com/2015/12/29/sandbox-experiment/

The Google App Engine sandbox vulnerabilties in particular make a great read:

http://www.security-explorations.com/en/SE-2014-02.html

The interesting thing is that most attackers seem to be going for a single 
target: System.setSecurityManager(null).  That’s a very unusual call, so if you 
can add a tripwire around it with Java instrumentation, you can find out an 
attacker immediately.  Put up a blog post about it today:

https://tersesystems.com/2016/01/19/redefining-java-dot-lang-dot-system/

> The problems which are most pernicious are those which do not operate
> through a single, identifiable API, and so cannot be grepped for -
> XSS, SQLi, integer vulns... are based on primitive operations mixing
> tainted and untainted data, with many APIs (or implicit) for tainted data 
> sinks.

Is there an execution environment equivalent of a context free grammar?  “This 
statement cannot be executed in sandbox foo”? 

(I realize we’re starting to sound like GED here.)

Will.
_______________________________________________
langsec-discuss mailing list
langsec-discuss@mail.langsec.org
https://mail.langsec.org/cgi-bin/mailman/listinfo/langsec-discuss

Reply via email to