Can sandbox model distinguish between local and remote calls?

H Melua
Ranch Hand

Joined: Jan 04, 2005
Posts: 172
Hello

I'm reading about the sandbox security model, and there is a slight confusion...

Based on my understanding, the sandbox works by allowing local code to have full permissions and remote code to have restricted access, but the way it works is by looking at the stack, and if anything has originated from remote code then it throws an exception!

Which means it can distinguish between local and remote calls...

But I also read the following:

To implement a Java application that runs untrusted code within itself (such as the HotJava Web browser), the Java system libraries need a way to distinguish between calls originating from untrusted code, which should be restricted, and calls originating from the application itself, which should be allowed to proceed.

And this paragraph refers to the latest Java 2 security model, which implies that the previous version couldn't distinguish between calls coming from an untrusted source and calls from a trusted one!

Or does that only apply to Java applications?



Thanks
aldrin d'souza
Greenhorn

Joined: Jul 03, 2008
Posts: 4
Well, for most practical purposes it's better to forget about the antediluvian sandbox model and think only in terms of the current security model (i.e. http://java.sun.com/javase/6/docs/technotes/guides/security/spec/security-spec.doc.html).

Roughly, here's how it works:

Every class in the JVM has a code source. A code source and some other stuff make up a protection domain. The policy assigns a bunch of permissions to every protection domain. Now, regardless of whether the class is remote or local, if the policy assigns a permission to its protection domain, the security manager will allow it to access the resources.

So what was your confusion again?
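The chain described in the reply above (code source, protection domain, policy, security manager) in working code. This is an illustrative example added here, not code from the thread or from the Java security specification: the policy class LocationPolicy, the probe method and the location http://example.invalid/applet.jar are all made up for the demonstration. It runs as-is on JDK 8 to 17; JDK 18 and later need -Djava.security.manager=allow, and JDK 24 disables the SecurityManager permanently.

```java
import java.io.File;
import java.net.URI;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.util.PropertyPermission;

/**
 * Added example: CodeSource -> ProtectionDomain -> Policy -> AccessController.
 * The decision is made per ProtectionDomain; "local" and "remote" never enter into it.
 */
public class PolicyDemo {

    /** Hypothetical policy that grants permissions by CodeSource location. */
    static final class LocationPolicy extends Policy {
        private final String restrictedLocation;

        LocationPolicy(URI restrictedLocation) {
            this.restrictedLocation = restrictedLocation.toString();
        }

        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            CodeSource cs = domain.getCodeSource();
            // Compare as strings: URL.equals() may perform DNS lookups.
            if (cs != null && cs.getLocation() != null
                    && restrictedLocation.equals(cs.getLocation().toExternalForm())) {
                // Code from the restricted location may only read java.version.
                return new PropertyPermission("java.version", "read").implies(permission);
            }
            // Every other domain (the application itself, the JDK) gets everything.
            return true;
        }
    }

    /** Two checked operations: the first is granted to everyone, the second only to trusted code. */
    static String probe() {
        String version = System.getProperty("java.version");   // PropertyPermission "java.version" "read"
        boolean cwd = new File(".").exists();                    // FilePermission "." "read"
        return "java.version=" + version + ", cwd readable=" + cwd;
    }

    /** Run probe() with the given domains added to the access-control context. */
    static String probeAs(AccessControlContext context) {
        try {
            return AccessController.doPrivileged((PrivilegedAction<String>) PolicyDemo::probe, context);
        } catch (SecurityException e) {                           // AccessControlException is a subclass
            return "denied: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed, non-routable location standing in for a jar fetched from the network.
        URI remote = URI.create("http://example.invalid/applet.jar");
        CodeSource remoteSource = new CodeSource(remote.toURL(), (Certificate[]) null);
        // Four-argument constructor: a "dynamic" domain whose implies() consults the installed Policy.
        ProtectionDomain remoteDomain = new ProtectionDomain(remoteSource, null, null, null);

        Policy.setPolicy(new LocationPolicy(remote));
        System.setSecurityManager(new SecurityManager());

        // 1. Called directly: only the application's own domain is on the stack, so both checks pass.
        System.out.println("trusted:   " + probe());

        // 2. Same code, but the remote domain is added to the context, as if a frame from that
        //    jar were on the stack. AccessController requires every domain on the stack to imply
        //    the permission, so the property read passes and the FilePermission check fails.
        AccessControlContext remoteContext = new AccessControlContext(new ProtectionDomain[] { remoteDomain });
        System.out.println("untrusted: " + probeAs(remoteContext));
    }
}
```

Nothing in this chain knows whether code is local or remote: the policy decides per CodeSource, so a jar on the local disk can be restricted just as easily, and the remote location would be trusted if the policy granted it more. AccessController.doPrivileged with an explicit AccessControlContext is what makes the second call behave as if a frame from that jar were on the stack; the same check runs, with the same result, when a class genuinely loaded from that location calls File.exists().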
H Melua
Ranch Hand

Joined: Jan 04, 2005
Posts: 172
Thanks for replying, aldrin.

You see, I want to understand how both work... the old model and the new model.

My confusion is here...

When I write a "Java application" that runs untrusted code within itself (e.g. a compute engine or a browser), can the sandbox model distinguish between calls originating from my trusted application and calls originating from the untrusted code running inside my trusted application?

Is that better?

HannaH
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41906
That quote above is a bit misleading, as it refers to trusted Java code that runs untrusted Java code. In the case of applets, the trusted part would be the Java plugin that makes up the JVM environment in the browser. It consists of Java classes loaded from the local machine, and it is inherently trusted. The untrusted part would be the applet, which consists of code from a remote location. That code can be distinguished from the trusted code because a different classloader is used to load and run it.

I wrote an article a while back on how to create your own classloader and security manager, so that an application can securely load untrusted Java classes.


H Melua
Ranch Hand

Joined: Jan 04, 2005
Posts: 172
Originally posted by Ulf Dittmer:
That quote above is a bit misleading, as it refers to trusted Java code that runs untrusted Java code. In the case of applets, the trusted part would be the Java plugin that makes up the JVM environment in the browser. It consists of Java classes loaded from the local machine, and it is inherently trusted. The untrusted part would be the applet, which consists of code from a remote location. That code can be distinguished from the trusted code because a different classloader is used to load and run it.


Thanks Ulf

I understand that is true for the new model (Java 2)... but now I guess different class loaders were also used in the sandbox model running in a "Java application"?

In that case, the quote doesn't make much sense, because the writers [Wallach & Felton 1998] first discussed the lack of flexibility in the old sandbox, and then went on to discuss the need for the new model with the quoted introduction!

It made me feel that what I read about the sandbox (that it CAN distinguish between calls) appears to be false when it comes to "Java applications"!

HannaH
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41906
Both security models are implemented using classloaders. It was always possible to find out which classloader was used to load a particular class, and by that it was possible to know if a class was trusted or untrusted.

So I think you read something into the author's words that they didn't mean to imply.
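The loader-based distinction Ulf refers to in both of his replies, as an added example that is not from the thread or from his article: a class loader that defines a class itself rather than delegating, and a SecurityManager that walks getClassContext() and treats any frame defined by that loader as untrusted, which is how the pre-Java 2 sandbox told applet code apart from the browser's own classes. Guest, UntrustedLoader and LoaderSecurityManager are names made up for this example. Same JDK caveats as any SecurityManager code: JDK 8 to 17 as-is, JDK 18 and later with -Djava.security.manager=allow, not available from JDK 24 on.

```java
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.security.Permission;
import java.util.PropertyPermission;
import java.util.Set;
import java.util.concurrent.Callable;
import java.util.concurrent.ConcurrentHashMap;

/** Added example: trusted vs. untrusted decided solely by the defining ClassLoader of each frame. */
public class LoaderSandboxDemo {

    /** Stands in for guest code. Its bytes are re-defined by UntrustedLoader below. */
    public static class Guest implements Callable<Boolean> {
        @Override
        public Boolean call() {
            System.getProperty("java.version");   // PropertyPermission read: allowed even for untrusted code
            return new File(".").exists();        // FilePermission read: denied for untrusted code
        }
    }

    /** Defines Guest itself instead of delegating, so the copy it produces is "owned" by this loader. */
    static final class UntrustedLoader extends ClassLoader {
        private final Set<Class<?>> defined = ConcurrentHashMap.newKeySet();

        UntrustedLoader(ClassLoader parent) { super(parent); }

        boolean owns(Class<?> c) { return defined.contains(c); }

        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            if (!name.equals(Guest.class.getName())) {
                return super.loadClass(name, resolve);   // JDK classes and everything else: parent-first
            }
            synchronized (getClassLoadingLock(name)) {
                Class<?> c = findLoadedClass(name);
                if (c == null) {
                    byte[] b = readClassBytes(name);
                    c = defineClass(name, b, 0, b.length);
                    defined.add(c);
                }
                if (resolve) resolveClass(c);
                return c;
            }
        }

        private byte[] readClassBytes(String name) throws ClassNotFoundException {
            String path = name.replace('.', '/') + ".class";
            try (InputStream in = getParent().getResourceAsStream(path)) {
                if (in == null) throw new ClassNotFoundException(name);
                ByteArrayOutputStream out = new ByteArrayOutputStream();
                byte[] buf = new byte[8192];
                for (int n; (n = in.read(buf)) > 0; ) out.write(buf, 0, n);
                return out.toByteArray();
            } catch (IOException e) {
                throw new ClassNotFoundException(name, e);
            }
        }
    }

    /** Old-style stack walk: a single frame from the untrusted loader makes the whole call untrusted. */
    static final class LoaderSecurityManager extends SecurityManager {
        private final UntrustedLoader untrusted;

        LoaderSecurityManager(UntrustedLoader untrusted) { this.untrusted = untrusted; }

        @Override
        public void checkPermission(Permission perm) {
            if (!untrustedOnStack()) return;   // only application and JDK frames: allow everything
            if (perm instanceof PropertyPermission && "read".equals(perm.getActions())) return;
            // String.concat rather than "+": no invokedynamic bootstrap while guest code is on the stack.
            throw new SecurityException("untrusted code on the stack: ".concat(String.valueOf(perm)));
        }

        @Override
        public void checkPermission(Permission perm, Object context) { checkPermission(perm); }

        // Ask the loader instead of calling Class.getClassLoader(): that method performs its own
        // permission check for foreign loaders, which would re-enter checkPermission() endlessly.
        private boolean untrustedOnStack() {
            for (Class<?> frame : getClassContext()) {
                if (untrusted.owns(frame)) return true;
            }
            return false;
        }
    }

    static String run(String label, Callable<Boolean> guest) {
        try {
            return label + ": cwd readable = " + guest.call();
        } catch (SecurityException e) {
            return label + ": " + e.getMessage();
        } catch (Exception e) {
            return label + ": failed with " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        UntrustedLoader loader = new UntrustedLoader(LoaderSandboxDemo.class.getClassLoader());
        System.setSecurityManager(new LoaderSecurityManager(loader));

        // Identical bytecode twice: once from the application loader, once from the untrusted one.
        Callable<Boolean> trusted = new Guest();
        @SuppressWarnings("unchecked")
        Callable<Boolean> untrusted = (Callable<Boolean>) loader.loadClass(Guest.class.getName())
                .getConstructor().newInstance();

        System.out.println(run("trusted  ", trusted));
        System.out.println(run("untrusted", untrusted));
    }
}
```

Both Guest instances run the same bytecode; only the defining loader differs, and that alone decides the outcome, which is the point Ulf makes. The walk ignores AccessController entirely, so trusted library code called from the guest is denied as well; that is the inflexibility the earlier post attributes to the old sandbox, and it is what Java 2 addressed with AccessController.doPrivileged, which lets a trusted frame vouch for the work it does on the guest's behalf.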