...
The security manager is a class that allows applications to implement a security policy. It allows an application to determine, before performing a possibly unsafe or sensitive operation, what the operation is and whether it is being attempted in a security context that allows the operation to be performed. The application can allow or disallow the operation.
The applet security manager, for example, denies applets all but the most essential privileges. It is designed to protect against inadvertent system modification, information leakage and user impersonation. The use of security managers is not limited to client-side protection. Web servers such as Tomcat and WebSphere use this facility to isolate trojan servlets and malicious JSP code, as well as to protect sensitive system resources from inadvertent access.
...
The security manager is closely tied to the AccessController class. The former is used as a hub for access control, whereas the latter is the actual implementer of the access control algorithm. The security manager supports:
- Providing backward compatibility: Legacy code often contains custom implementations of the security manager class because it was originally abstract.
- Defining custom policies: Subclassing the security manager permits definition of custom security policies (e.g., multilevel, coarse-grained or fine-grained security policies).
Regarding the implementation and use of custom security managers as opposed to default ones, the Java Security Architecture Specification [SecuritySpec 2008] states:

"We encourage the use of AccessController in application code, while customization of a security manager (via subclassing) should be the last resort and should be done with extreme care. Moreover, a customized security manager, such as one that always checks the time of the day before invoking standard security checks, could and should utilize the algorithm provided by AccessController whenever appropriate."
Many of the Java SE APIs perform security manager checks by default before performing sensitive operations. For example, the constructor of class java.io.FileInputStream throws a SecurityException if the caller does not have permission to read the file. Because SecurityException is a subclass of RuntimeException, and it is not mandatory to document runtime exceptions, the declarations of some API methods (e.g., those of the java.io.FileReader class) may lack a throws clause that lists the SecurityException. Avoid depending on the presence or absence of security manager checks that are not specified in the API method's documentation.
Noncompliant Code Example (Command Line Installation)
This noncompliant code example fails to install the security manager from the command line (assuming that the security manager is not set programmatically).

```sh
java LocalJavaApp
```
Compliant Solution (Default Policy File)
Any Java program (bean, servlet or application) can attempt to install a SecurityManager programmatically; a default global security manager may forbid this operation. Applications designed to run locally can specify a default global security manager by use of a flag on the command line at invocation.
The command line option is usually preferred when applications must be prohibited from installing custom security managers programmatically, and thus are required to abide by the default global security policy under all circumstances. This compliant solution installs the default security manager using the appropriate command line flags. The security policy file grants permissions to the application for its intended actions.

```sh
java -Djava.security.manager -Djava.security.policy=policyURL LocalJavaApp
```
The command line flag can also specify a custom security manager whose policies are then enforced globally, by placing its absolute path immediately after the equals sign of the -Djava.security.manager flag, as follows:

```sh
java -Djava.security.manager=/path/to/manager ...
```
Invocation of the setSecurityManager() method may be omitted in controlled environments where it is known in advance that a default global security manager is always installed from the command line; this is not a typical case. In this case, attempts to invoke setSecurityManager() will throw a SecurityException if the current security policy enforced by the global security manager forbids replacements (by omitting the RuntimePermission("setSecurityManager")).
The default security policy file java.policy, found in the ~/path/to/java.home/lib/security directory on UNIX-like systems and its equivalent on Microsoft Windows systems, grants a few permissions (reading system properties, binding to unprivileged ports and so forth). There may also be a user-specific policy file located in the user's home directory. The union of both these policy files specifies the permissions granted to a program. The java.security file can specify which policy files are used. If either the system-wide java.policy or the java.security file is deleted, by default no permissions are granted to the executing Java program.
Compliant Solution (Custom Policy File)
When the default policy file must be bypassed in favor of a custom policy file, use the double equals (==) idiom instead of the single equals (=) when specifying the policy file on the command line; with == the custom file replaces the default policy files rather than being added to them.

```sh
java -Djava.security.manager -Djava.security.policy==policyURL LocalJavaApp
```
...
```sh
appletviewer -J-Djava.security.manager -Djava.security.policy==policyURL LocalJavaApp
```
Note that the policy file specified in the argument is ignored when the policy.allowSystemProperty property in the security properties file (java.security) is set to false; the default value of this property is true. The document "Default Policy Implementation and Policy File Syntax" [Policy 2002] discusses the issues of and syntax for writing policy files in depth.
Noncompliant Code Example (Programmatic Installation)
When the SecurityManager API is used to install the security manager instead of the command line, there are instances where the appropriate checks are omitted.
This noncompliant code example passes a null value to the setSecurityManager method that is responsible for setting the expected SecurityManager argument. As a result, no security manager is installed programmatically. In the case where the command line also failed to install a security manager, this noncompliant code example would execute in the total absence of any security manager.

```java
try {
  System.setSecurityManager(null);
} catch (SecurityException se) {
  // cannot set security manager, log to file
}
```
...
This compliant solution demonstrates how a custom SecurityManager class called CustomSecurityManager can be instantiated by invoking its constructor with a password; this security manager is then installed as the default security manager.

```java
try {
  System.setSecurityManager(new CustomSecurityManager("password here"));
} catch (SecurityException se) {
  // cannot set security manager, log to file
}
```
After this code executes, APIs that perform security checks will use the custom security manager. As noted earlier, custom security managers should be installed only when the default security manager lacks the required functionality.
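As an added example (not code from the original page or from the CERT standard), here is one way CustomSecurityManager could be written: it performs one check of its own and then defers to the standard AccessController algorithm through super.checkPermission(), as the specification quoted earlier recommends. The password semantics and the unlockReplacement and installIfAbsent methods are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Permission;

// Added example, not the page's own code. Assumed semantics of the password:
// it is a token that must be presented before this manager may be replaced.
public final class CustomSecurityManager extends SecurityManager {
    private final byte[] password;
    private volatile boolean replacementUnlocked = false;

    public CustomSecurityManager(String password) {
        this.password = password.getBytes(StandardCharsets.UTF_8);
    }

    // Code that knows the password may unlock a later setSecurityManager() call.
    public void unlockReplacement(String candidate) {
        byte[] c = candidate.getBytes(StandardCharsets.UTF_8);
        replacementUnlocked = MessageDigest.isEqual(password, c); // constant-time
    }

    @Override
    public void checkPermission(Permission perm) {
        // Own check first: refuse replacement while locked, even if the policy
        // file grants RuntimePermission("setSecurityManager").
        if (perm instanceof RuntimePermission
                && "setSecurityManager".equals(perm.getName())
                && !replacementUnlocked) {
            throw new SecurityException("security manager replacement is locked");
        }
        super.checkPermission(perm); // then the standard AccessController algorithm
    }

    // Installs this manager only if none was set from the command line. If the
    // policy in force omits RuntimePermission("setSecurityManager"), the
    // setSecurityManager() call throws SecurityException, which is reported.
    public static SecurityManager installIfAbsent(String password) {
        if (System.getSecurityManager() == null) {
            try {
                System.setSecurityManager(new CustomSecurityManager(password));
            } catch (SecurityException se) {
                System.err.println("cannot install security manager: " + se);
            }
        }
        return System.getSecurityManager(); // null means no sandbox at all
    }
}
```

SecurityManager has been deprecated for removal since Java 17 (JEP 411), so this mechanism cannot be relied on as a sandbox in new code.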
Risk Assessment
All Java security depends on the existence of a SecurityManager. In the absence of a SecurityManager, there is no restrictive sandbox and arbitrary code may execute, including code provided by an adversary.
| Guideline | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| ENV02-J | high | probable | low | P18 | L1 |
Automated Detection
Programmatic detection of the presence or absence of a SecurityManager at runtime is straightforward. Static analysis can address the presence or absence of code that would attempt to install a SecurityManager if the code were executed. Checking whether the SecurityManager is installed early enough, specifies the desired properties, or is guaranteed to be installed may be possible in some special cases but is not feasible in full generality.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this guideline on the CERT website.
...
[API 2006] Class SecurityManager (http://java.sun.com/javase/6/docs/api/java/lang/SecurityManager.html), Class AccessControlContext, Class AccessController
[Gong 2003] Section 6.1, Security Manager
[MITRE 2009] CWE ID 358 (http://cwe.mitre.org/data/definitions/358.html), "Improperly Implemented Security Check for Standard"
[Pistoia 2004] Section 7.4, The Security Manager
[Policy 2002] Default Policy Implementation and Policy File Syntax
[SecuritySpec 2008] 6.2 SecurityManager versus AccessController
...