I'm reading about the sandbox security model, and there is a slight confusion...
Based on my understanding, the sandbox works by allowing local code to have full permissions, and remote code to have restricted access.. but the way it works is by looking at the stack, and if anything has originated from remote code then it fires an exception!
Which means it can distinguish between local and remote calls...
But I also read the following:
To implement a Java application that runs untrusted code within itself (such as the HotJava Web browser), the Java system libraries need a way to distinguish between calls originating from untrusted code, which should be restricted, and calls originating from the application itself, which should be allowed to proceed.
and this paragraph refers to the latest Java 2 security model, which implies that previous versions couldn't distinguish between calls coming from an untrusted source and calls from a trusted one!
Every class in the JVM has a code-source. A code-source and some other stuff makes up a protection domain. The policy assigns a bunch of permissions to every protection domain. Now regardless of whether the class is remote or local, if the policy assigns a permission to its protection domain, the security manager will allow it to access the resources.
so what was your confusion again?
Thanks for replying, aldrin.
You see, I want to understand how both work... the old model and the new model.
My confusion is here...
when i write a "Java application" that runs untrusted code within itself (e.g. compute engine or a browser), can the sandbox model distinguish between calls originating from my trusted application, and calls originating from the untrusted code running inside my trusted application?
That quote above is a bit misleading, as it refers to trusted Java code that runs untrusted Java code. In the case of applets, the trusted part would be the Java plugin that makes up the JVM environment in the browser. It consists of Java classes loaded from the local machine, and it is inherently trusted. The untrusted part would be the applet, which consists of code from a remote location. That code can be distinguished from the trusted code because a different classloader is used to load and run it.
I wrote an article a while back on how to create your own classloader and security manager, so that an application can securely load untrusted java classes.
Originally posted by Ulf Dittmer: That quote above is a bit misleading, as it refers to trusted Java code that runs untrusted Java code. In the case of applets, the trusted part would be the Java plugin that makes up the JVM environment in the browser. It consists of Java classes loaded from the local machine, and it is inherently trusted. The untrusted part would be the applet, which consists of code from a remote location. That code can be distinguished from the trusted code because a different classloader is used to load and run it.
I understand that is true for the new model (Java 2)... but now I guess the use of different class loaders was also used in the sandbox model running in a "Java Application"?
In that case, the quote doesn't make much sense, because the writers [Wallach & Felten 1998] first discussed the lack of flexibility in the old sandbox, and then went into discussing the need for the new model with the quoted introduction!
It made me feel that what I read about the sandbox (that it CAN distinguish between calls) appears to be false when it comes to "Java applications"!
Both security models are implemented using classloaders. It was always possible to find out which classloader was used to load a particular class, and by that it was possible to know if a class was trusted or untrusted.
So I think you read something into the author's words that they didn't mean to imply.
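The following is an added example (not code from this thread or from any of its posters) that shows the mechanism aldrin and Ulf describe: a class is defined through a separate classloader into its own ProtectionDomain holding a hand-picked permission set, a SecurityManager is installed, and every checked call is then decided by walking the stack and consulting the domain of each frame. The class names (SandboxDemo, RestrictedLoader, the nested Untrusted class) and the permissions granted are assumptions made for the demo. Compile with javac and run the class file (the resource lookup needs the compiled SandboxDemo$Untrusted.class on the classpath); note that SecurityManager and Policy are deprecated for removal since Java 17, and on Java 18 and later the JVM must be started with -Djava.security.manager=allow or System.setSecurityManager throws.

```java
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.util.PropertyPermission;

public class SandboxDemo {

    /** Stand-in for untrusted code (constructed for this example). It is compiled together with
     *  the demo, but main() re-defines it through RestrictedLoader so it gets its own domain. */
    public static class Untrusted implements Runnable {
        public void run() {
            // Permitted: the restricted domain was granted exactly this property read.
            System.out.println("java.version = " + System.getProperty("java.version"));
            // Denied: the stack walk reaches this frame, whose domain lacks the permission.
            try {
                System.out.println("user.home    = " + System.getProperty("user.home"));
            } catch (AccessControlException e) {
                System.out.println("user.home    denied: " + e.getPermission());
            }
            // Permitted again: the trusted method wraps the read in doPrivileged, so the
            // walk stops at that trusted frame and never examines this one.
            System.out.println("via trusted  = " + SandboxDemo.homeForPlugin());
        }
    }

    /** Loader that defines a class into a static ProtectionDomain carrying only the given permissions. */
    static final class RestrictedLoader extends ClassLoader {
        private final ProtectionDomain domain;

        RestrictedLoader(ClassLoader parent, Permissions perms) {
            super(parent);
            // Two-argument constructor = static domain: the installed Policy is never consulted for it,
            // only the permissions passed here count.
            domain = new ProtectionDomain(
                    new CodeSource(null, (java.security.cert.Certificate[]) null), perms);
        }

        Class<?> define(String binaryName) throws Exception {
            String resource = binaryName.replace('.', '/') + ".class";
            try (InputStream in = getParent().getResourceAsStream(resource);
                 ByteArrayOutputStream buf = new ByteArrayOutputStream()) {
                byte[] chunk = new byte[4096];
                for (int n; (n = in.read(chunk)) > 0; ) buf.write(chunk, 0, n);
                byte[] bytes = buf.toByteArray();
                // Same class name as the parent's copy, but a different loader, hence a different class.
                return defineClass(binaryName, bytes, 0, bytes.length, domain);
            }
        }
    }

    /** Trusted gateway: doPrivileged lets this frame's own permissions decide, whoever called it. */
    static String homeForPlugin() {
        return AccessController.doPrivileged(
                (PrivilegedAction<String>) () -> System.getProperty("user.home"));
    }

    public static void main(String[] args) throws Exception {
        // Policy for dynamic domains (the application's own classes): anything not loaded by
        // RestrictedLoader is trusted. Restricted domains are static and carry their own permissions.
        Policy.setPolicy(new Policy() {
            @Override
            public boolean implies(ProtectionDomain d, Permission p) {
                return !(d.getClassLoader() instanceof RestrictedLoader);
            }
        });
        // Java 18+: start the JVM with -Djava.security.manager=allow, otherwise this call throws.
        System.setSecurityManager(new SecurityManager());

        Permissions perms = new Permissions();
        perms.add(new PropertyPermission("java.version", "read"));
        RestrictedLoader loader = new RestrictedLoader(SandboxDemo.class.getClassLoader(), perms);
        Class<?> cls = loader.define("SandboxDemo$Untrusted");
        // Prints false: the loader, not the name, identifies the class and therefore its domain.
        System.out.println("same class as the trusted copy? " + (cls == Untrusted.class));

        Runnable plugin = (Runnable) cls.getDeclaredConstructor().newInstance();
        plugin.run();
    }
}
```

The three calls inside run() are the whole story of the thread: the check is the same stack walk every time, and what changes is which domains are on the stack. The first read succeeds because the restricted domain holds that one permission, the second fails because it does not, and the third succeeds only because a trusted frame explicitly cut the walk short with doPrivileged. That last case is the one the quoted paper is about: a trusted application can proceed on behalf of untrusted code, but it has to say so, and every such gateway is a place to review carefully, since it hands the untrusted caller the gateway's privilege for whatever the gateway does.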
subject: Can sandbox model distinguish between local and remote calls?