On 15/04/2021 22:10, Roel Spilker wrote:
> But on my server application, we use libraries. And I'm very
> interested in how they behave.
> I would like to log or restrict the following actions:
> - Spawning new processes
> - Unexpected file access
> - Unexpected network traffic
> Currently, our application sets a custom-written security manager to
> restrict or log those aspects.

It's possible to use bytecode instrumentation and a Java agent to
instrument the API classes that support these operations and that may be
an alternative. One thing that would be interesting to expand on is what
you mean by "restrict"? Do you grant socket permissions to connect to
specific hosts or just set your own security manager to log the socket
permissions?
For Runtime.exec/ProcessBuilder, there are API additions in the works
that should help with this too.

> For example, we would block all XXE attacks by just having our
> security manager.

Someone else asked about this a few days ago too. The Security
Developer's Guide has a good chapter on this topic [1] as there are many
configuration knobs to restrict or disable "external access" that don't
require setting a SecurityManager.
-Alan.
[1]
https://docs.oracle.com/en/java/javase/16/security/java-api-xml-processing-jaxp-security-guide.html
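
The kind of JAXP setting the reply above points to, as an added example (not code from this thread or from the linked guide): a DOM parser restricted without a SecurityManager, run against a constructed document that declares an external entity. The class name, helper names and sample XML are assumptions made for illustration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.InputSource;

public class JaxpExternalAccessDemo {
    // Constructed sample: the internal DTD subset declares an external entity.
    static final String XXE_DOC = "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE r [ <!ENTITY ext SYSTEM \"file:///constructed/sample.txt\"> ]>\n"
        + "<r>&ext;</r>";
    static final String PLAIN_DOC = "<r>no doctype here</r>";

    // Knob 1: reject any document that carries a DOCTYPE declaration.
    static DocumentBuilderFactory noDoctype() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f;
    }

    // Knob 2: keep DTD support, but allow no protocol for external DTDs,
    // external entity references or external schemas (empty string = none).
    static DocumentBuilderFactory noExternalAccess() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    // Parse and report the outcome instead of propagating the parser's exception.
    static String tryParse(DocumentBuilderFactory f, String xml) {
        try {
            f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
            return "parsed";
        } catch (Exception e) {
            return "rejected (" + e.getClass().getSimpleName() + "): " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("noDoctype, plain doc:        " + tryParse(noDoctype(), PLAIN_DOC));
        System.out.println("noDoctype, XXE doc:          " + tryParse(noDoctype(), XXE_DOC));
        System.out.println("noExternalAccess, plain doc: " + tryParse(noExternalAccess(), PLAIN_DOC));
        System.out.println("noExternalAccess, XXE doc:   " + tryParse(noExternalAccess(), XXE_DOC));
    }
}
```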