| Wiki Markup |
|---|
The default {{SecurityManager}} checks whether the caller of a particular method has sufficient permissions to proceed with an action. An action is nothing but a level of access, for instance, the actions for {{java.io.FilePermission}} are "read", "write", "execute", and "delete" \[[Sun 06|AA. Java References#Sun 06]\]. The Permission Descriptions and Risks guide \[[Permissions 08|AA. Java References#Permissions 08]\] enumerates the default permissions and the risks associated with thegranting restrictedthese methodspermissions. |
At other timesSometimes, stronger restrictions than those provided by the default security manager are necessary, and then custom permissions prove to be more suitable for privilege separation. Failure to provide custom permissions in the absence of the corresponding default permissions can lead to privilege escalation vulnerabilities wherein untrusted callers can execute restricted operations or actions.
...
This noncompliant example contains a privileged block that is used to perform two sensitive operations, loading a library and setting the default exception handler. Fortunately, when the default security manager is used, it does not permit loading the library unless the RuntimePermission loadLibrary.awt is granted in the policy file. Quite deplorably, the programmer does not guard a caller from performing the second sensitive operation - — setting the default exception handler. This security weakness can be exploited, for example, by setting programming the verbosity of the handler to high so that the privilege separation mechanism envisioned by the rightful observers of the log files or error messages, is brokenthat it reveals information that should be kept secure.
| Code Block | ||
|---|---|---|
| ||
class LoadLibrary {
private void loadLibrary() {
AccessController.doPrivileged(new PrivilegedAction() {
public Object run() {
// privileged code
System.loadLibrary("awt");
// perform some sensitive operation like setting the default exception handler
MyExceptionReporter.setExceptionReporter(reporter);
return null;
}
});
}
}
|
Compliant Solution
Define This compliant solution defines a custom permission ExceptionReporterPermission, with target exc.reporter to prohibit illegitimate callers from setting the default exception handler. This can be achieved by subclassing BasicPermission which allows binary style permissions (either allow or disallow). By default, permissions cannot be defined with actions using BasicPermission but the actions can be implemented in the subclass if required. BasicPermission is abstract even though it contains no abstract methods; it defines all the methods it extends from the Permission class. The custom defined subclass of the BasicPermission class has to define two constructors to call the most appropriate (single one- or double two-argument) superclass constructor (the superclass lacks a default constructor). The two-argument constructor also accepts an action even though a basic permission does not use it. This is required for constructing permission objects from the policy file.
This The compliant solution then uses a security manager to check whether the caller has the requisite permission to set the handler. The code issues a SecurityException if the check fails. The custom permission class ExceptionReporterPermission is also defined with the two required constructors.
...
Assuming that the above sources reside in the c:\package directory on a Windows based system, for example, the policy file needs to grant two permissions, ExceptionReporterPermission exc.reporter and the RuntimePermission loadlibrary.awt.
...