The default SecurityManager
checks whether the caller of a particular method has sufficient permissions to proceed with an action. An action is defined in Java's security architecture as a level of access ; for instanceand requires certain permissions before it can be performed. For Example, the actions for java.io.FilePermission
are "read, " " write, " " execute, " and "delete" [Sun 2006API 2013]. The "Permission Descriptions and Risks" guide [Permissions 2008Oracle 2011d] enumerates the default permissions and the risks associated with granting these permissions to Java code.
Sometimes, stronger restrictions than those provided by the default security manager are necessary. Custom permissions prove to be more suitable for privilege separation in such cases. Failure to provide custom permissions when no corresponding default permissions exist can lead to privilege escalation vulnerabilities that enable untrusted callers to execute restricted operations or actions.
This guideline addresses the problem of excess privileges. See SEC50-J. Avoid granting excess privileges for another approach to solving this problem.
Noncompliant Code Example
This noncompliant code example contains a privileged block that is used to perform two sensitive operations, : loading a library and setting the default exception handler. When used, the default security manager does not permit the loading of the library unless the RuntimePermission
loadLibrary.awt
is granted in the policy file. However, the security manager does not automatically guard a caller from performing the second sensitive operation of setting the default exception handler because the permission for this operation is not nondefault and consequently is unavailable. This security weakness can be exploited, for example, by programming and installing an exception handler that reveals information that a legitimate handler would filter out.
Code Block | ||
---|---|---|
| ||
class LoadLibrary { private void loadLibrary() { AccessController.doPrivileged(new PrivilegedAction() { public Object run() { // privilegedPrivileged code System.loadLibrary("awtmyLib.so"); // performPerform some sensitive operation like setting the default exception handler MyExceptionReporter.setExceptionReporter(reporter); return null; } }); } } |
When used, the default security manager forbids the loading of the library unless the RuntimePermission
loadLibrary.myLib
is granted in the policy file. However, the security manager does not automatically guard a caller from performing the second sensitive operation of setting the default exception handler because the permission for this operation is nondefault and, consequently, unavailable. This security weakness can be exploited, for example, by programming and installing an exception handler that reveals information that a legitimate handler would filter out.
Compliant Solution
This compliant solution defines a custom permission ExceptionReporterPermission
with target exc.reporter
to prohibit illegitimate callers from setting the default exception handler. This can be achieved by subclassing BasicPermission
, which allows binary-style permissions (either allow or disallow).By default, permissions cannot be defined to support actions using BasicPermission
, but the actions can be freely implemented in the subclass if required. BasicPermission
is abstract
even though it contains no abstract
methods; it defines all the methods that it extends from the Permission
class. The custom-defined subclass of the BasicPermission
class has to define two constructors to call the most appropriate (one- or two-argument) superclass constructor (the superclass lacks a default constructor). The two-argument constructor also accepts an action even though a basic permission does not use it. This is required for constructing permission objects from the policy file. Note that the custom-defined subclass of the BasicPermission
class is declared to be final
in accordance with guideline SEC55-JG. Classes that derive from a sensitive class or implement a sensitive interface must be declared final. The compliant solution then uses a security manager to check whether the caller has the requisite permission to set the handler. The code throws a SecurityException
if the check fails. The custom permission class ExceptionReporterPermission
is also defined with the two required constructors.
Code Block | ||
---|---|---|
| ||
class LoadLibrary { private void loadLibrary() { AccessController.doPrivileged(new PrivilegedAction() { public Object run() { // privilegedPrivileged code System.loadLibrary("awtmyLib.so"); // Perform some sensitive operation like setting the default exception handler SecurityManager sm = SystemMyExceptionReporter.getSecurityManagersetExceptionReporter(reporter); if(sm != null) {return null; } sm.checkPermission(new ExceptionReporterPermission("exc.reporter")}); } } final class MyExceptionReporter extends ExceptionReporter } { public void setExceptionReporter(ExceptionReporter reporter) { // perform someSecurityManager sensitivesm operation like setting the default exception handler = System.getSecurityManager(); if(sm != null) { MyExceptionReporter.setExceptionReporter(reporter); sm.checkPermission(new ExceptionReporterPermission("exc.reporter")); } return// null;Proceed to set the exception reporter } // }); }... Other methods of MyExceptionReporter } final class ExceptionReporterPermission extends BasicPermission { public ExceptionReporterPermission(String permName) { super(permName); } // Even though the actions parameter is ignored, this constructor has to be defined public ExceptionReporterPermission(String permName, String actions) { super(permName, actions); } } |
Assuming that the above The policy file needs to grant two permissions: ExceptionReporterPermission exc.reporter
and RuntimePermission loadlibrary.myLib
. The following policy file assumes that the preceding sources reside in the c:\package
directory on a Windows-based system, for example, the policy file needs to grant two permissions, ExceptionReporterPermission exc.reporter
and RuntimePermission loadlibrary.awt
.
Code Block |
---|
grant codeBase "file:/c:\\/package" { // For *nix, file:${user.home}/package/ permission ExceptionReporterPermission "exc.reporter"; permission java.lang.RuntimePermission "loadLibrary.awtmyLib"; }; |
...
By default, permissions cannot be defined to support actions using BasicPermission
, but the actions can be freely implemented in the subclass ExceptionReporterPermission
if required. BasicPermission
is abstract
even though it contains no abstract methods; it defines all the methods that it extends from the Permission
class. The custom-defined subclass of the BasicPermission
class must define two constructors to call the most appropriate (one- or two-argument) superclass constructor (because the superclass lacks a default constructor). The two-argument constructor also accepts an action even though a basic permission does not use it. This behavior is required for constructing permission objects from the policy file. Note that the custom-defined subclass of the BasicPermission
class is declared to be final
.
Applicability
Running Java code without defining custom permissions where default permissions are inapplicable can leave an application open to privilege escalation vulnerabilities.
...
Guideline
...
Severity
...
...
Remediation Cost
...
Priority
...
Level
...
SEC56-JG
...
medium
...
probable
...
high
...
P4
...
L3
Automated Detection
Automated detection is not feasible.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this guideline on the CERT website.
Related Guidelines
MITRE CWE: CWE-732, "Incorrect Permission Assignment for Critical Resource"
Bibliography
[API |
...
...
, "The Access Controller," "Permissions" | |
[Oracle 2011d] | Permissions in the Java™ SE 6 Development Kit (JDK) |
[ |
...
...
Permissions in Java SE 7 Development Kit (JDK) | |
[Policy 2010] | "Permission Descriptions and Risks" |
...