7.2 Loading Untrusted Code

Let's continue our Server example. Suppose now that you want to modify the server so that it can load Service classes over the network from an arbitrary URL. Suppose also that you want to give Service classes the ability to read and write files from a "scratch" directory on the local system. You can accomplish this by writing a simple class that uses URLClassLoader to load service classes and pass them to an instance of the Server class. To make it work, however, you also have to develop an appropriate security policy file.

Example 7-1 shows our SafeServer class. Like the original Server class, this one expects a list of Service classes and port numbers on the command line. But the first command-line argument it expects is the URL from which the service classes should be downloaded.

Example 7-1. SafeServer.java

package je3.security; import je3.net.Server; import java.io.*; import java.net.*; import java.security.*; /**  * This class is a program that uses the Server class defined in Chapter 5.  * Server would load arbitrary "Service" classes to provide services.  * This class is an alternative program to start up a Server in a similar   * way.  The difference is that this one uses a SecurityManager and a   * ClassLoader to prevent the Service classes from doing anything damaging  * or malicious on the local system.  This allows us to safely run Service   * classes that come from untrusted sources.  **/ public class SafeServer {     public static void main(String[  ] args) {         try {             // Install a Security manager if the user didn't already install             // one with the -Djava.security.manager argument             if (System.getSecurityManager( ) == null) {                 System.out.println("Establishing a security manager");                 System.setSecurityManager(new SecurityManager( ));             }             // Create a Server object             Server server = new Server(null, 5);             // Create the ClassLoader that we'll use to load Service classes.             // The classes should be stored in the JAR file or the directory             // specified as a URL by the first command-line argument             URL serviceURL = new URL(args[0]);             ClassLoader loader =                 new java.net.URLClassLoader(new URL[  ] {serviceURL});             // Parse the argument list, which should contain Service name/port             // pairs.  For each pair, load the named Service using the class             // loader, then instantiate it with newInstance( ), then tell the             // server to start running it.             int i = 1;             while(i < args.length) {                 // Dynamically load the Service class using the class loader                 Class serviceClass = loader.loadClass(args[i++]);                       // Dynamically instantiate the class.                   Server.Service service =                     (Server.Service)serviceClass.newInstance( );                 int port = Integer.parseInt(args[i++]);  // Parse the port #                 server.addService(service, port);        // Run service             }         }         catch (Exception e) { // Display a message if anything goes wrong             System.err.println(e);             System.err.println("Usage: java " + SafeServer.class.getName( ) +                                " <url> <servicename> <port>\n" +                                "\t[<servicename> <port> ... ]");             System.exit(1);         }     } }

7.2.1 A Policy for SafeServer

The SafeServer class creates and establishes a SecurityManager even if the user doesn't do this with the -Djava.security.manager argument. This means that the program is not able to run without a security policy that grants it the permissions it needs. Example 7-2 shows a policy file you can use to make it work.

There are a couple of things to note about the SafeServer.policy file. First, the policy file reads system properties named service.dir and service.tmp. These are not standard system properties; they are properties that you must specify to the Java interpreter when you run the SafeServer program. service.dir specifies the directory from which the service classes are to be loaded. Assume here that they are loaded via a local file: URL, not through an http: or other network URL. The service.tmp property specifies a directory in which the service classes are allowed to read and write temporary scratch files. SafeServer.policy demonstrates a syntax that replaces the name of a system property with the value of that property. In this way, the security policy file can be made somewhat independent of the installation location of the application.

Example 7-2. SafeServer.policy

// This file grants the SafeServer class the permissions it needs to load // Service classes through a URLClassLoader, and grants the Service classes // permission to read and write files in and beneath the directory specified // by the service.tmp system property.  Note that you'll need to edit the  // URL that specifies the location of the SafeServer class, and that for  // Windows systems, you'll need to replace "/" with "\\" // Grant permissions to the SafeServer class.   // Edit the directory for your system. grant codeBase "file:/home/david/Books/JavaExamples2/Examples" {      // Allow the server to listen for and accept network connections       // from any host on any port > 1024      permission java.net.SocketPermission "*:1024-", "listen,accept";      // Allow the server to create a class loader to load service classes      permission java.lang.RuntimePermission "createClassLoader";      // Give the server permission to read the directory that contains the      // service classes.  If we were using a network URL instead of a file URL,      // we'd need to add a SocketPermission instead of a FilePermission      permission java.io.FilePermission "${service.dir}/-", "read";      // The server cannot grant permissions to the Service classes unless it      // has those permissions itself. So we give the server these two Service      // permissions.      permission java.util.PropertyPermission "service.tmp", "read";      permission java.io.FilePermission "${service.tmp}/-", "read,write"; }; // Grant permissions to classes loaded from the directory specified by the // service.dir system property.  If we were using a network URL instead of a // local file: URL, this line would have to be different. grant codeBase "file:${service.dir}" {      // Services can read the system property "service.tmp"            permission java.util.PropertyPermission "service.tmp", "read";      // And they can read and write files in the directory specified by      // that system property      permission java.io.FilePermission "${service.tmp}/-", "read,write"; };

7.2.2 Testing SafeServer

To demonstrate that SafeServer runs its services safely, you need a demonstration service. Example 7-3 shows one such service that attempts various restricted actions and reports its results. Note that since you're going to load this class with a custom class loader, rather than from the class path, I haven't bothered to give it a package statement.

Example 7-3. SecureService.java

import je3.net.*;  // Note no package statement here. import java.io.*; /**  * This is a demonstration service.  It attempts to do things that may  * or may not be allowed by the security policy and reports the  * results of its attempts to the client.  **/ public class SecureService implements Server.Service {     public void serve(InputStream i, OutputStream o) throws IOException {         PrintWriter out = new PrintWriter(o);         // Try to install our own security manager.  If we can do this,         // we can defeat any access control.         out.println("Trying to create and install a security manager...");         try {             System.setSecurityManager(new SecurityManager( ));             out.println("Success!");         }         catch (Exception e) { out.println("Failed: " + e); }         // Try to make the Server and the Java VM exit.         // This is a denial of service attack, and it should not succeed!         out.println( );         out.println("Trying to exit...");         try { System.exit(-1); }         catch (Exception e) { out.println("Failed: " + e); }         // The default system policy allows this property to be read         out.println( );         out.println("Attempting to find java version...");         try { out.println(System.getProperty("java.version")); }         catch (Exception e) { out.println("Failed: " + e); }         // The default system policy does not allow this property to be read         out.println( );         out.println("Attempting to find home directory...");         try { out.println(System.getProperty("user.home")); }         catch (Exception e) { out.println("Failed: " + e); }         // Our custom policy explicitly allows this property to be read         out.println( );         out.println("Attempting to read service.tmp property...");         try {             String tmpdir = System.getProperty("service.tmp");             out.println(tmpdir);             File dir = new File(tmpdir);             File f = new File(dir, "testfile");             // Check whether we've been given permission to write files to             // the tmpdir directory             out.println( );             out.println("Attempting to write a file in " + tmpdir + "...");             try {                 new FileOutputStream(f);                 out.println("Opened file for writing: " + f);             }             catch (Exception e) { out.println("Failed: " + e); }             // Check whether we've been given permission to read files from             // the tmpdir directory             out.println( );             out.println("Attempting to read from " + tmpdir + "...");             try {                 FileReader in = new FileReader(f);                 out.println("Opened file for reading: " + f);             }             catch (Exception e) { out.println("Failed: " + e); }         }         catch (Exception e) { out.println("Failed: " + e); }         // Close the Service sockets         out.close( );         i.close( );     } }

To test SafeServer with the SecureService class, you have to decide which directories you'll use for storing the service classes and for the scratch directory. In the material that follows, I've used /tmp/services and /tmp/scratch as the directory names.

First, compile SecureService using the -d option to tell javac where to put the resulting class file:

% javac -d /tmp/services SecureService.java

It is important that you make sure there isn't a copy of the SecureService.class file in the current directory or anywhere else that Java might find it in the local class path. If the URLClassLoader can find the class locally, it won't bother loading it through the URL you specify.

Now, to run the SafeServer class, specify the name of the SecureService class, the URL to load it from, the port to listen for connections on, and four different system properties with -D options:

% java -Djava.security.manager -Djava.security.policy=SafeServer.policy \      -Dservice.dir=/tmp/services -Dservice.tmp=/tmp/scratch \      je3.security.SafeServer file:/tmp/services/ \      SecureService 4000

This is a complicated command line, but it produces the desired results. When you connect to port 4000, you get the following output from the service:

% java je3.net.GenericClient localhost 4000 Connected to localhost/127.0.0.1:4000 Trying to create and install a security manager... Failed: java.security.AccessControlException: access denied   (java.lang.RuntimePermission createSecurityManager) Trying to exit... Failed: java.security.AccessControlException: access denied   (java.lang.RuntimePermission exitVM) Attempting to find java version... 1.3.0 Attempting to find home directory... Failed: java.security.AccessControlException: access denied   (java.util.PropertyPermission user.home read) Attempting to read service.tmp property... /tmp/scratch Attempting to write a file in /tmp/scratch... Opened file for writing: /tmp/scratch/testfile Attempting to read from /tmp/scratch... Opened file for reading: /tmp/scratch/testfile Connection closed by server.