`
wenson
  • 浏览: 1052184 次
  • 性别: Icon_minigender_1
  • 来自: 广州
社区版块
存档分类
最新评论

Define a Security Policy(定义java安全策略)

阅读更多

from:http://web.securityinnovation.com/appsec-weekly/blog/bid/72451/Define-a-Security-Policy

Applies to

Applications written using Servlets or JSP.

What to Do

Define a security policy for your application while applying the principle of least privilege. Restrict application execution to allow only the minimum set of necessary actions.

Why

Defining a Java security policy is a defense in-depth mechanism for restricting your application from performing tasks that the operating system would otherwise allow. This is especially important in the event your application becomes compromised by an attacker.

When

Always define a security policy for your application. This process should take place during your application's design stage.

How

Although Java applications run inside a virtual machine, do not execute your application in the context of a privileged user. Consider tightening the restrictions on your application by employing Java Policies.

Use the following steps to successfully utilize Java Permissions:

  1. Identify the system resources that your application uses. Enumerate all resources that your application will need to access. Identify the types of permissions that your application requires to access those resources. For example, your application will need to connect to your database via a socket connection or write to your logs.

  2. Identify your application. Your application can be identified via two ways inside a Java policy — code signing or code base.

    • Code signing. Always sign your code whenever possible. This ensures the authenticity of your code. Use Java's KeyTool when signing your code.

    • Code base. Identify the location of your code. Example:

      codeBase "file:e:/myapp/bin/"
  3. Create the appropriate policy. Once all required resources are enumerated, create a Java policy that reflects the type of access that is required for each resource. Example:

    grant codeBase "file:e:/myapp/bin/-" 
    {
        // A placeholder for all appropriate permissions
    };

    Assign a permission for each required resource. Java provides different types of permissions, each of which can be customized to meet your application's needs:

    • java.security.AllPermission: AllPermission grants all other permissions to the code. It should seldom be used. Example:

      permission java.security.AllPermission;

      For more information, consult the documentation for Class AllPermission in the Java SDK.

    • javax.sound.sampled.AudioPermission: AudioPermission grants access rights to the system's audio components. It should be used only when the application is required to play or record audio. Example:

      permission javax.sound.sampled.AudioPermission "play";

      For more information, consult the documentation for Class AudioPermission in the Java SDK.

    • javax.security.auth.AuthPermission: AuthPermission is used during authentication procedures. TheAuthPermission's only argument is the name of the security configuration parameter. This permission class is used to guard access to the Policy, Subject, LoginContext, and Configuration objects. Example:

      permission javax.security.auth.AuthPermission "modifyPrincipals";

      For more information, consult the documentation for Class AuthPermission in the Java SDK.

    • java.awt.AWTPermission: AWTPermission grants access to the system's user experience and graphical interface. For example, the following permission would allow the application to access the system's clipboard:

      permission java.awt.AWTPermission "accessClipboard";

      For more information, consult the documentation for Class AWTPermission in the Java SDK.

    • javax.security.auth.kerberos.DelegationPermission: DelegationPermission restricts the usage of the Kerberos delegation model. Example:

      permission javax.security.auth.kerberos.DelegationPermission
             "\"host/foo.example.com@EXAMPLE.COM\" \"krbtgt/EXAMPLE.COM@EXAMPLE.COM\"";

      For more information, consult the documentation for Class DelegationPermission in the Java SDK.

    • java.io.FilePermission: FilePermission grants access to files on the local system. Access right are read, write, execute, delete. Note that FilePermission always grants read access to files within the code's directory and any subdirectories. Example:

      permission java.io.FilePermission "e:/myapp/logs/20061016.log", "write";

      For more information, consult the documentation for Class FilePermission in the Java SDK.

    • java.util.logging.LoggingPermission: LoggingPermission is associated with Java's standard logging mechanism. Because Java's logging mechanism does not meet the recommendation for logging security events, please consult the Log Important Security Operations guideline if your application performs logging. CurrentlyLoggingPermission grants only the right to control Java's logging configuration. Example:

      permission java.util.logging.LoggingPermission "control";

      For more information, consult the documentation for Class LoggingPermission in the Java SDK.

    • java.net.NetPermission: NetPermission grants access to various network permissions. For example, the following permission allows the ability to specify a stream handler when constructing a URL:

      permission java.net.NetPermission "specifyStreamHandler";

      For more information, consult the documentation for Class NetPermission in the Java SDK.

    • javax.security.auth.PrivateCredentialPermission: PrivateCredentialPermission protects access to the privateCredentials belonging to a particular Subject. Example:

      permission javax.security.auth.PrivateCredentialPermission
                      "javax.resource.spi.security.PasswordCredential * \"*\"","read";

      For more information, consult the documentation for Class PrivateCredentialPermission in the Java SDK.

    • java.util.PropertyPermission: PropertyPermission specifies the read/write access to an object's or System's properties. Example:

      permission java.util.PropertyPermission "java.home", "read";

      For more information, consult the documentation for Class PropertyPermission in the Java SDK.

    • java.lang.reflect.ReflectPermission: ReflectPermission grants access to reflective operations. Currently it only allows suppressing the standard Java language access checks (i.e. public, protected and private) by reflected objects at their point of use. Example:

      permission java.lang.reflect.ReflectPermission "suppressAccessChecks";

      For more information, consult the documentation for Class ReflectPermission in the Java SDK.

    • java.lang.RuntimePermission: RuntimePermission grants access to runtime operations such as loading external libraries and halting the JVM. Example:

      permission java.lang.RuntimePermission "accessDeclaredMembers";

      For more information, consult the documentation for Class RuntimePermission in the Java SDK.

    • java.security.SecurityPermission: SecurityPermission is used any security related events. Example:

      permission java.security.SecurityPermission "createAccessControlContext";

      For more information, consult the documentation for Class SecurityPermission in the Java SDK.

    • java.io.SerializablePermission: SerializablePermission grant access to more advanced features of Java's serialization model. For example, the following permission allows the substitution of one object for another during serialization:

      permission java.io.SerializablePermission "enableSubstitution";

      For more information, consult the documentation for Class SerializablePermission in the Java SDK.

    • javax.security.auth.kerberos.ServicePermission: ServicePermission protects the access to Kerberos services and any supplemental credentials. Example:

      permission javax.security.auth.kerberos.ServicePermission
                                          "krbtgt/EXAMPLE.COM@EXAMPLE.COM", "initiate";

      For more information, consult the documentation for Class ServicePermission in the Java SDK.

    • java.net.SocketPermission: SocketPermission grants access to the network via sockets. It allows your application to connect to a host, accept connections from a host, listen on a given port, or resolve the other host's IP/hostname. Example:

      permission java.net.SocketPermission "serv02.example.com:3306", "connect";

      For more information, consult the documentation for Class SocketPermission in the Java SDK.

    • java.sql.SQLPermission: SQLPermission grants access to operations executed during database access. Currently all standard Java methods that use SQLPermission are deprecated. For more information, consult the documentation for Class SQLPermission in the Java SDK.

    • javax.net.ssl.SSLPermission: SSLPermission grants access to SSL related operations. For example, anSSLPermission would be required to get the SSLSessionContext of an SSLSession:

      permission javax.net.ssl.SSLPermission "getSSLSessionContext";

      For more information, consult the documentation for Class SSLPermission in the Java SDK.

  4. Load the policy at runtime. By default Java provides two policy files: a system policy file({java.home}/lib/security/java.policy) and a user policy file ({user.home}/.java.policy). Use the -Djava.security.policy(={policy file}) flag to load your policy during the start-up routine of your application's server. Make sure you use only a single = to append your policy to the JVM's default policies as == will force the JVM to load your policy only. Example:

    -Djava.security.policy=e:/myapp/config/myapp.policy
  5. Enforce your application's policy. To fully enforce your application's policy, attach a SecurityManager to the System object. Because most standard Java packages come with built-in permission checks that are linked to the System's SecurityManager, enforcing a certain set of permissions is a fairly easy task. Example:

    if (System.getSecurityManager() == null)
    {
          System.setSecurityManager(new SecurityManager());
    }

    or

    -Djava.security.manager

    Be aware that enforcing a security policy may restrict access to various resources that are essential to the application's environment. Examples of such resources include, but are not limited to, use of network sockets, application server's local files, etc. Use the following steps to resolve such problems:

    1. Enumerate all permissions that are granted to your application's environment. Enumerating all granted permissions to your application's environment helps identify the basic functionality that it requires for its normal operations. The following code helps you identify all permissions that your application inherits from its environment:

      public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException
      {
            PrintWriter out = response.getWriter();
            CodeSigner[] cSign = null;
            CodeSource cSource = new CodeSource(null, cSign);
            Principal[] principals = new Principal[0];
            ProtectionDomain pDomain = new ProtectionDomain(cSource,
                                                          null, null, principals);
            java.security.Policy policy = java.security.Policy.getPolicy();
            PermissionCollection permCollect = policy.getPermissions(pDomain);
            Enumeration permList = permCollect.elements();
            while (permList.hasMoreElements())
            {
                  out.println( "<br>" + permList.nextElement().toString());
            }
      }

      Note that the code snippet will perform its intended action only if the System's SecurityManager is set to null.

    2. Check if your application's environment performs unauthorized actions. Enable the SecurityManagerduring the start-up routine of your application's environment. Monitor the environment's logs for any access denied errors. For instance, Tomcat will not function properly if the administrator does not grant aSocketPermission to connect and resolve 127.0.0.1 on port 8005:

      Exception in thread "ContainerBackgroundProcessor[StandardEngine[Catalina]]"
           java.security.AccessControlException: access denied
                (java.lang.RuntimePermission setContextClassLoader)
      ...
      Caused by: java.security.AccessControlException: access denied
                (java.net.SocketPermission 127.0.0.1:8005 connect,resolve)
    3. Grant the essential permissions for your application's environment. Grant all essential permissions into the security policy for your application's environment to allow the environment to function properly.

  6. Protect security policy files. Make sure that appropriate security measures are taken when storing the security policy files.

    • Choose a security policy directory: Dedicate a directory for storing your application's security policy files. Make sure the directory is not web-accessible. This limits the scope of users who can potentially compromise the contents inside the directory.
    • Set appropriate permissions: Apply the appropriate filesystem permissions such that the security policy files can be only accessed by your application and its administrators.
  7. Avoid common mistakes.

    • Delegate a Policy Manager: Java allows its applications to alter the JVM's policies during runtime. If your application needs to alter its policies during runtime, create a custom Policy Manager and delegate it the task of altering Java policies. Using the SecurityPermission class, enforce strict access control to the manager's functionality such that only authorized components can request modifications to the JVM's policies.

      The following permissions must be granted to the Policy Manager's code:

      java.security.SecurityPermission "getPolicy";
      java.security.SecurityPermission "setPolicy";
    • Enforce the security policy as early as possible: Delaying the enforcement of the security policies provides a bigger window of opportunity for an attacker to execute a payload through your compromised application.

分享到:
评论

相关推荐

    宏(#define)定义函数妙用

    例如,`SUM(a + b, c + d)` 使用宏 `#define SUM(x, y) x + y` 会被错误地展开为 `a + b + c + d`,而不是 `(a + b) + (c + d)`。为了避免这种情况,通常需要在宏定义中加入额外的括号。 此外,宏定义不支持重载,...

    PolicySpi.rar_java security

    `java.security.Policy`是Java平台核心安全框架的关键组件,它负责定义和管理系统的安全策略。安全策略是一组规则,决定哪些权限(permissions)被授予到哪些代码,以及这些代码是否可以执行特定的敏感操作。这些...

    常用宏定义#define

    在C/C++编程语言中,`#define` 是预处理器指令,用于创建宏定义,它在编译阶段执行文本替换,使得代码更加灵活且可定制化。宏定义是C/C++编程中的一个重要概念,它可以帮助程序员实现代码复用、简化复杂表达式、提供...

    宏定义#define用法总结

    宏的特殊单行定义可以让我们在宏定义中使用一些特殊的符号,例如 #define A(x) T_##x,这将被替换为 T_1、#define B(x) #@x,这将被替换为 '1'、#define C(x) #x,这将被替换为 "1"。 4. 多行定义 define 可以替代...

    define用法集锦

    #define max(a,b) ((a)&gt;(b)? (a):(b)) 七、头文件和条件编译 define 还可以用来避免头文件的重复包含,例如: #ifndef __headerfileXXX__ #define __headerfileXXX__ // 文件内容 #endif 这种方式可以防止...

    #define——用法大全

    #define A(x) T_##x #define B(x) #@x #define C(x) #x ``` 这些定义可以用于生成特殊的字符串。 ### 4. define 的多行定义 define 还可以用于多行定义,例如: ```c #define MACRO(arg1, arg2) do { \ /* ...

    C++/C 宏定义(define)中# ## 的含义

    ### C++/C宏定义(define)中#与##的含义及应用 #### 一、引言 在C++和C语言中,预处理器指令`#define`被广泛用于定义宏,这些宏可以包含简单的替换文本,也可以进行复杂的条件判断和参数处理。本文将详细介绍宏...

    define程序 非定义自定义

    ### 宏定义(#define) 在C语言中,宏定义是一种预处理器指令,用于定义一个符号名与另一个字符串的替换关系。宏定义有两种形式:不带参数的宏定义和带参数的宏定义。 #### 不带参数的宏定义 在本例中使用的`#...

    宏定义define使用整理

    #define宏定义使用整理,主要是宏定义的编译过程,##和#的使用。

    define用法以及.doc

    在定义指针类型时,`typedef`更安全,如在上述例子中防止了`pin a, b;`的错误。 在编写代码时,应谨慎使用`#define`宏,尤其是在处理复杂表达式或类型转换时,因为它们可能导致意外的副作用。`typedef`则更适合于...

    #define 宏定义的一些用法总结

    ### #define宏定义的一些用法总结 #### 一、引言 在C及C++编程中,`#define`是一个非常强大的预处理器指令,用于创建宏。宏可以在编译前阶段替代代码片段,提高代码的复用性与可维护性。本文将详细探讨`#define`的...

    C语言 #define用法集锦[修正版]

    上述代码的意图是定义两个 `int` 类型的指针 `a` 和 `b`,但由于 `#define` 的工作方式,实际上定义的是一个 `int` 类型指针 `a` 和一个 `int` 类型变量 `b`。正确的做法是使用 `typedef` 语句来定义指针类型: ```...

    define用法完全集锦

    #define Add(a, b) a + b ``` 当使用 `Add` 时,如果不慎写成 `c * Add(a, b) * d`,则实际结果将是 `c * a + b * d` 而不是预期的 `(c * (a + b)) * d`。因此,良好的编程习惯是在所有宏定义中都使用括号,以...

    C语言#define拼接宏定义实现方式

    使用场合:拼接两个宏,一个是传入的宏。但是传入的宏不会被替换,...#define DEFINE(X) DEFINE_(X) //再次定义 #define PARAM DEFINE(OBJECT) void fun() { // DEFINE_(OBJECT)=100; 这个操作是拒绝的,它就是直接拼

    define的用法

    带参宏定义允许宏接受参数,例如,`#define MAX(a,b) ((a)&gt;(b)?(a):(b))`定义了一个名为`MAX`的宏,它接受两个参数`a`和`b`,并返回两个参数中的最大值。在使用带参宏定义时,需要注意宏参数的使用规则。 3、#的...

    Java A Beginners Guide 7th Edition 1259589315.pdf

    Java is more than just the elements that define the language. Java also includes extensive libraries and tools that aid in the development of programs. To be a top-notch Java programmer implies ...

    Define a SELinux domain for Service

    SELinux(Security-Enhanced Linux)是Linux内核的一个安全模块,它提供了强制访问控制(MAC)安全策略机制,通过定义哪些程序可以使用哪些资源来实现安全政策。这篇文章主要讲述如何为一个服务定义SELinux域,以...

    const #define inline

    `#define`用于宏定义,它可以定义常量、函数或者进行条件编译。例如: ```cpp #define PI 3.1415926 #define MAX(a, b) ((a) &gt; (b) ? (a) : (b)) ``` `#define`的主要缺点在于其仅仅进行文本替换,没有类型检查,...

    typedef和define的区别

    其次,#define 是一宏定义语句,通常用来定义常量(包括无参量与带参量),以及用来实现那些“表面似和善、背后一长串”的宏。#define 语句本身并不在编译过程中进行,而是在预处理过程中已经完成了。例如,#define ...

Global site tag (gtag.js) - Google Analytics