Certain combinations of permissions can produce significant capability increases, and should not be granted. Other permissions should only be granted to special code.
AllPermission
The permission java.security.AllPermission
grants all possible permissions to code. This facility was included to reduce the burden of managing a multitude of permissions during routine testing, as well as when a body of code is completely trusted. Code is typically granted AllPermission
via the security policy file; it is also possible to programmatically associate AllPermission
with a ProtectionDomain
. This permission is dangerous in production environments; never grant AllPermission
to untrusted code.
ReflectPermission
on suppressAccessChecks
The suppressAccessChecks
permission granted in the context of java.lang.reflect.ReflectPermission
suppresses all standard Java language access checks when the permitted class attempts to operate on public
, default, protected
, or private
members of another class. Consequently, the permitted class can obtain permissions to examine any field or invoke any method belonging to an arbitrary class [[Reflect 2006]]. Therefore the suppressAccessChecks
permision must never be granted with ReflectPermission
.
According to the technical note, Permissions in the Java SE 6 Development Kit [[Permissions 2008]], Section ReflectPermission, target suppressAccessChecks
:
Warning: Extreme caution should be taken before granting this permission to code, for it provides the ability to access fields and invoke methods in a class. This includes not only
public
, butprotected
andprivate
fields and methods as well.
RuntimePermission
on createClassLoader
The java.lang.RuntimePermission
target createClassLoader
grants permission to code so that it can create a ClassLoader
object. This is extremely dangerous because malicious code can create its own custom class loader and load classes by assigning them arbitrary permissions. A custom class loader can define a class (or ProtectionDomain
) with permissions that override any restrictions specified in the system-wide security policy file.
The document Permissions 2008, in Section RuntimePermission, says:
This is an extremely dangerous permission to grant. Malicious applications that can instantiate their own class loaders could then load their own rogue classes into the system. These newly loaded classes could be placed into any protection domain by the class loader, thereby automatically granting the classes the permissions for that domain.
Noncompliant Code Example (Security Policy File)
This noncompliant example grants AllPermission
to the klib
library.
// Grant the klib library AllPermission grant codebase "file:${klib.home}/j2se/home/klib.jar" { permission java.security.AllPermission; };
The permission itself is specified in the security policy file used by the security manager. Program code can obtain a permission object by subclassing the java.security.Permission
class or any of its subclasses (for examle, BasicPermission
). The code can use the resulting object to grant AllPermission
to a ProtectionDomain
. This is bad practice.
Compliant Solution
This compliant solution shows a policy file that can be used to enforce fine-grained permissions.
grant codeBase "file:${klib.home}/j2se/home/klib.jar", signedBy "Admin" { permission java.io.FilePermission "/tmp/*", "read"; permission java.io.SocketPermission "*", "connect"; };
To check whether the caller has the requisite permissions, standard Java APIs use code, such as the following:
// Security manager code FilePermission perm = new java.io.FilePermission("/tmp/JavaFile", "read"); AccessController.checkPermission(perm); // ...
Always assign appropriate permissions to code. Define custom permissions when the granularity of the standard permissions is insufficient.
Noncompliant Code Example (PermissionCollection
)
This noncompliant code example shows an overridden getPermissions()
method, defined in a custom class loader. It grants java.lang.ReflectPermission
with target suppressAccessChecks
to any class that it loads.
protected PermissionCollection getPermissions(CodeSource cs) { PermissionCollection pc = super.getPermissions(cs); pc.add(new ReflectPermission("suppressAccessChecks")); // permission to create a class loader // other permissions return pc; }
Compliant Solution
This compliant solution omits granting the java.lang.ReflectPermission
with target suppressAccessChecks
to any class that it loads.
protected PermissionCollection getPermissions(CodeSource cs) { PermissionCollection pc = super.getPermissions(cs); // other permissions return pc; }
Exceptions
ENV03-EX0: It may be necessary to grant AllPermission
to trusted library code so that callbacks work as expected. For example, it is common practice, and acceptable, to grant AllPermission
to the optional Java packages (extension libraries):
// Standard extensions extend the core platform and are granted all permissions by default grant codeBase "file:${{java.ext.dirs}}/*" { permission java.security.AllPermission; };
Risk Assessment
Granting AllPermission
to untrusted code allows it to perform privileged operations.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
ENV03-J |
high |
likely |
low |
P27 |
L1 |
Automated Detection
Static detection of potential uses of dangerous permissions is a trivial search. Automated determination of the correctness of such uses is not feasible.
Related Vulnerabilities
|
CWE-470 "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')" |
Related Guidelines
Bibliography
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="34b495e2-065d-481b-8ed1-718722540e10"><ac:plain-text-body><![CDATA[ |
[[API 2006 |
AA. Bibliography#API 06]] |
[Class AllPermission |
http://java.sun.com/javase/6/docs/api/java/security/AllPermission.html], [ReflectPermission |
http://java.sun.com/javase/6/docs/api/java/lang/reflect/ReflectPermission.html], [RuntimePermission |
http://java.sun.com/javase/6/docs/api/java/lang/reflect/RuntimePermission.html] |
]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="d354b2c7-d0f5-48cf-b664-5cf4f1cc1713"><ac:plain-text-body><![CDATA[ |
[[Gong 2003 |
AA. Bibliography#Gong 03]] |
|
]]></ac:plain-text-body></ac:structured-macro> |
|||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="f97d3bdb-1a02-4927-83fd-da3bf40e026d"><ac:plain-text-body><![CDATA[ |
[[Long 2005 |
AA. Bibliography#Long 05]] |
Section 2.5, Reflection |
]]></ac:plain-text-body></ac:structured-macro> |
|||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="e159d67f-e269-459d-89f6-27f335c714b3"><ac:plain-text-body><![CDATA[ |
[[Permissions 2008 |
AA. Bibliography#Permissions 08]] |
Section [ReflectPermission |
http://java.sun.com/javase/6/docs/technotes/guides/security/permissions.html#ReflectPermission] |
]]></ac:plain-text-body></ac:structured-macro> |
||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="1f72618b-6ce2-406e-81d4-4e199611edee"><ac:plain-text-body><![CDATA[ |
[[Reflect 2006 |
AA. Bibliography#Ref 06]] |
]]></ac:plain-text-body></ac:structured-macro> |
||||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="08fa8117-3d94-4fb8-b6ce-4fb717f010c7"><ac:plain-text-body><![CDATA[ |
[[Security 2006 |
AA. Bibliography#Security 06]] |
[Security Architecture |
http://java.sun.com/javase/6/docs/technotes/guides/security/spec/security-spec.doc.html], Section [RuntimePermission |
http://java.sun.com/javase/6/docs/technotes/guides/security/permissions.html#RuntimePermission] |
]]></ac:plain-text-body></ac:structured-macro> |
void ENV02-J. Create a secure sandbox using a Security Manager 15. Runtime Environment (ENV) void ENV04-J. Do not grant ReflectPermission with target suppressAccessChecks