
Is there a way to run some Java byte-code in a specially restricted part of a running JVM? I'm thinking about access to very little RAM (a few tens of kilobytes perhaps) and no access to the external world whatsoever (apart from that RAM).

The goal would be to execute some user-provided byte-code in this safe environment in a way that the host cannot ever crash or leak information from the execution of rogue byte-code.

gsimard

2 Answers


You can run untrusted bytecodes within a security sandbox, and set up the sandbox so that there is no possibility of communicating with the outside world. This is what a browser-resident JVM does when you run an untrusted applet ... except that you need the sandbox restrictions to be tighter. (An applet sandbox doesn't block ALL network connections.)

Reference: How do I create a Java sandbox?

However, it is NOT POSSIBLE to entirely control what the rogue code does. For example, if it decides to go into an infinite loop or allocate a huge data structure, the trusted part of your JVM has no bomb-proof way of stopping it. And if there is a security flaw in the JVM, class libraries or your sandbox, then there's a chance that the rogue code could exploit it.

Note that none of this involves restricting the code to a particular area of RAM. You can't do that in Java.

Stephen C
  • 1- To avoid an infinite loop, could the untrusted byte-code be run in a separate thread and given a timeout to complete its execution? 2- Let's say I'm willing to filter the bytecode before executing it, is there, then, a bomb-proof way to avoid allocation of a huge data structure? – gsimard Jan 07 '13 at 02:48
  • @gsimard - 1) No ... because there is no bomb-proof way to kill the thread if the timeout expires. 2) I can't think of an approach that would actually work. Can you? – Stephen C Jan 07 '13 at 03:03
  • 1) I see, Thread.stop() was deprecated. 2) How about filtering instructions anewarray, multianewarray, new and newarray? Of course, this would imply setting up the byte-code in an environment with pre-allocated "input/output" variables or the like. Or is this a bad idea again? – gsimard Jan 07 '13 at 03:15
  • 1) It was deprecated because it is unsafe, and there's a good chance that rogue code could exploit that to the detriment of the rest of the JVM. 2) That only deals with array allocations that the rogue performs directly. If you apply the same filters to standard library code, you risk breaking the trusted code. And you can create a huge data structure without using arrays ... – Stephen C Jan 07 '13 at 03:30
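The sandbox this answer describes, as an added example that is not code from the answer or from the question it links: a PrivilegedAction is run under an AccessControlContext whose only ProtectionDomain carries an empty permission set, so pure computation succeeds while an attempt to reach outside (here, reading a system property) is refused. It assumes a SecurityManager is installed (start the JVM with -Djava.security.manager; the API is deprecated for removal since JDK 17 and needs -Djava.security.manager=allow on JDK 18 and later), and, as the answer says, it does nothing against infinite loops or unbounded allocation.

```java
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Permissions;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

public class RestrictedRunner {

    // One ProtectionDomain with an empty (read-only) permission set. With this
    // context on the stack, every permission check made by the SecurityManager
    // fails, whatever the caller's own domain would otherwise be allowed to do.
    private static final AccessControlContext NO_PERMISSIONS = new AccessControlContext(
            new ProtectionDomain[] {
                new ProtectionDomain(new CodeSource(null, (Certificate[]) null), new Permissions())
            });

    // Runs the action with the empty-permission context in effect.
    public static <T> T runRestricted(PrivilegedAction<T> action) {
        return AccessController.doPrivileged(action, NO_PERMISSIONS);
    }

    public static void main(String[] args) {
        // Install a SecurityManager if the JVM was not started with one
        // (on JDK 18+ this call needs -Djava.security.manager=allow).
        if (System.getSecurityManager() == null) {
            System.setSecurityManager(new SecurityManager());
        }

        // Pure computation on its own heap: no permission is checked, so it succeeds.
        int sum = runRestricted(() -> {
            int s = 0;
            for (int i = 0; i < 1000; i++) s += i;
            return s;
        });
        System.out.println("sum = " + sum);

        // A read of the host's environment: refused because of the empty permission set.
        try {
            runRestricted(() -> System.getProperty("user.home"));
            System.out.println("unexpected: property read allowed");
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```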

You could use JavaPathfinder (JPF) for this type of exercise. JPF is a model checking tool that takes source-code/byte-code and executes it in its own virtual machine; you can define various properties (deadlock-free, infinite loops, etc.) to check for.

JPF operates as a self-standing tool so it would be hard to integrate it in your application but perhaps you could call it externally and then just query for results.

Aleš