Re: How to remove the SecurityManager

[Peter Firmstone]

On 28/07/2021 9:12 am, Peter Firmstone wrote:

While its possible to use a dynamic proxy without downloading code, 
via an atomic serialization connection, it's not generally advised to 
do so with unauthenticated users, decisions around dynamic discovery, 
whether class loading or downloads are allowed, it's all based on 
policy decisions.


Minor clarification / correction, it's not possible on our system to 
allow an unauthenticated user over a secure connection, our code 
disallows TLS connections with anon clients. We do provide TCP/IP 
connections, that are unsecured, however this is generally to allow 
testing of services during development and shouldn't be used in 
production.   No changes to a service need to be made other than 
configuration settings to enable secure connections.


Regards,

Peter.

Re: How to remove the SecurityManager

[Peter Firmstone]

Thanks Remi,

Sand-boxing is a bad idea, we are in agreement, it's not something we 
do, personally I'm taking an interest in safer languages, eg Haskell on 
secure platforms, eg OpenBSD on Sparc64 *.


Perhaps JEP 411 is simply a reflection on the evolution of languages.  
Java was safer than C and C++ so replaced these, something safer again 
will replace Java.


I think people are getting our primary use case, authorization, confused 
with sandboxing (not on our use case list).  OpenJDK developers provided 
a Sandbox example, I just wanted to communicate that I didn't think it 
was a practical defense against exploits, nor applicable to our use case:


https://inside.java/2021/04/23/security-and-sandboxing-post-securitymanager/

Our process for establishing whether third party libraries are trusted 
before we use them:


1. Build dependency check using Owasp
   https://owasp.org/www-project-dependency-check/  Reject any
   dependencies that fail, see
   https://github.com/pfirmstone/JGDMS/blob/trunk/JGDMS/pom.xml line 87
   for an example of a disabled module due to a vulnerability in a
   dependency, the module will only be re-enabled if the vulnerability
   is fixed.
2. Static analysis using SpotBugs, then review identified bugs, review
   source code if available.  Reject if security bugs are present, or
   fix / patch.
3. Profiling of permission access checks using:
   
https://github.com/pfirmstone/JGDMS/blob/trunk/JGDMS/tools/security-policy-debug/src/main/java/org/apache/river/tool/SecurityPolicyWriter.java
4. Reviewing generated policy files, using grep, this example was
   generated from over 2000 tests:
   
https://github.com/pfirmstone/JGDMS/blob/trunk/qa/harness/policy/defaultsecuresharedvm.policy.new
5. Remove any permission from the policy file you don't want to grant
   to third party code, if safe to do so, eg usage statistics reporting.

One of my use cases for SM is for auditing to establish trust, and then 
using SM with POLP policy files generated following the audit, to turn 
off JVM features we're not using.   Our policy provider is performant 
and high scaling even with policy files containing 1000's of lines: 
https://github.com/pfirmstone/JGDMS/blob/trunk/JGDMS/jgdms-platform/src/main/java/org/apache/river/api/security/ConcurrentPolicyFile.java


Our use of SM for access decisions occurs during and after 
authentication, but also defines access roles for trusted parties, it's 
not possible to replace SM authorization layer functionality (not to be 
confused with sandboxes).   Our use case is distributed systems, with 
trusted services and trusted clients, which have POJO proxy's, different 
service proxies are given different ProtectionDomain identity and these 
identities are used for authorization decisions.


In a simple Client - Server application, you only have one user, from 
the client and the thread runs with this permission, but our systems 
might be performing a transaction, with 5 different services, and the 
transaction service is the client of these 5 services, which are 
represented by their proxy ProtectionDomain's.   If one of the 
authenticated services is not authorized to participate in the 
transaction (eg a third party that's not on the contract, or maybe the 
contract expired), then it's not authorized and the transaction will 
fail.  This all occurs over secure authenticated connections, where both 
servers and clients are authenticated, who's the server and who's the 
client, well that gets a little blurred sometimes.


https://github.com/pfirmstone/JGDMS/blob/trunk/JGDMS/jgdms-platform/src/main/java/net/jini/core/transaction/Transaction.java

Back in the Jini days, Sun Microsystems, allowed different service 
proxy's to be loaded by the same ClassLoader, if they had the same 
CodeSource, they had the same identity if they had the same parent 
ClassLoader, we don't do that, ClassLoader's are assigned to a service 
proxy, based on it's authenticated identity.


https://github.com/pfirmstone/JGDMS/blob/trunk/JGDMS/jgdms-pref-class-loader/src/main/java/net/jini/loader/pref/PreferredProxyCodebaseProvider.java

This system, at its foundations is based on Jini Extensible Remote 
Invocation (JERI), we've replaced the serialization layer, to use what 
we term atomic serialization and apply constraints during connection 
establishment over secure connections.


https://github.com/pfirmstone/JGDMS/tree/trunk/JGDMS/jgdms-platform/src/main/java/net/jini/core/constraint

We limit access based on both the service and user identity.  We 
generate our policy files by profiling (the tool creates a policy file 
with correct syntax, ready for immediate use), we recently added 
replacement of local file paths with properties for policy property 
expansion with cross platform trans-portability.  While its possible to 
use a dynamic proxy without downloading code, via an atomic 
serialization connection, it's not generally advised to do so with 
unauthenticated users, 

Integrated: 8267485: Remove the dependency on SecurityManager in JceSecurityManager.java

[Bradford Wetmore]

On Sat, 22 May 2021 00:20:11 GMT, Bradford Wetmore  wrote:

> The JceSecurityManager is currently a subclass of 
> java.security.SecurityManager.  Now that JEP 411 has been integrated, this 
> class should be updated to no longer subclass SecurityManager.
> 
> The only reason for using SecurityManager to easily get the Class Context 
> (call stack), but we can achieve the same effect by using the JDK 9 API 
> java.lang.StackWalkeer.  None of the other SecurityManager API are used.
> 
> I have run mach5 tier1/tier2 plus --test 
> jck:api/java_security,jck:api/javax_crypto,jck:api/javax_net,jck:api/javax_security,jck:api/org_ietf,jck:api/javax_xml/crypto
>  with all green.

This pull request has now been integrated.

Changeset: c8af8238
Author:Bradford Wetmore 
URL:   
https://git.openjdk.java.net/jdk/commit/c8af8238b4b55d515573374800015e115042d883
Stats: 55 lines in 2 files changed: 13 ins; 20 del; 22 mod

8267485: Remove the dependency on SecurityManager in JceSecurityManager.java

Reviewed-by: mchung

-

PR: https://git.openjdk.java.net/jdk/pull/4150

Integrated: 8270946: X509CertImpl.getFingerprint should not return the empty String

[Sean Mullan]

On Fri, 23 Jul 2021 17:16:26 GMT, Sean Mullan  wrote:

> Please review this fix to change the internal `X509CertImpl.getFingerprint` 
> method to not return "" as a fingerprint if there is an error generating that 
> fingerprint. Instead, `null` is now returned, and "" is no longer cached as a 
> valid fingerprint. Although errors generating fingerprints should be very 
> rare, this is a cleaner way to handle them.
> 
> Also, debugging messages have been added when there is an exception. And, as 
> a memory/performance improvement, `X509CertImpl.getFingerprint` now calls 
> `X509CertImpl.getEncodedInternal` which avoids cloning the encoded bytes if 
> the `Certificate` is an instance of `X509CertImpl`.

This pull request has now been integrated.

Changeset: fc80a6b4
Author:Sean Mullan 
URL:   
https://git.openjdk.java.net/jdk/commit/fc80a6b49364594fafa0e2efc769d2f6234cfa22
Stats: 228 lines in 6 files changed: 192 ins; 12 del; 24 mod

8270946: X509CertImpl.getFingerprint should not return the empty String

Reviewed-by: weijun

-

PR: https://git.openjdk.java.net/jdk/pull/4891

Re: RFR: 8267485: Remove the dependency on SecurityManager in JceSecurityManager.java [v8]

[Sean Mullan]

On Tue, 27 Jul 2021 05:43:53 GMT, Bradford Wetmore  wrote:

>> The JceSecurityManager is currently a subclass of 
>> java.security.SecurityManager.  Now that JEP 411 has been integrated, this 
>> class should be updated to no longer subclass SecurityManager.
>> 
>> The only reason for using SecurityManager to easily get the Class Context 
>> (call stack), but we can achieve the same effect by using the JDK 9 API 
>> java.lang.StackWalkeer.  None of the other SecurityManager API are used.
>> 
>> I have run mach5 tier1/tier2 plus --test 
>> jck:api/java_security,jck:api/javax_crypto,jck:api/javax_net,jck:api/javax_security,jck:api/org_ietf,jck:api/javax_xml/crypto
>>  with all green.
>
> Bradford Wetmore has updated the pull request incrementally with one 
> additional commit since the last revision:
> 
>   More codereview comments

The JBS issue should have an applicable `noreg` label. Perhaps `noreg-other` 
with a comment about the existing tests that have been run.

-

PR: https://git.openjdk.java.net/jdk/pull/4150