Can JavaScript from untrusted sources be safely executed on the JVM?
How do you protect someone who has to follow orders blindly?
Imagine this: you want to give the technically minded people who use your online platform the ability to add extra logic themselves. You could ask them to e-mail their wishes, but that takes a while, and then you have to hire people to implement it for you. So you decide to offer scripting instead: you let users write small programs themselves, which are then executed on your servers.
A no-brainer
Picture a butler who does whatever people ask. In a hotel offering this service, many guests will ask for directions, have their car fetched or order food. But perhaps a malicious person suddenly asks the butler to jump off the roof. A person will hesitate, but a computer dives into the deep without a second thought.
99 problems
Allowing scripting gives you the same problem; in fact, several problems. There are various ways people with bad intentions can bring your servers down: they can keep the processor busy so that nobody else can do anything, they can fill up your hard disk or create objects in memory so that nobody else can start programs any more... But they can also attack other servers, for example when network access is available. It then looks as if you carried out that attack: after all, it came from your servers.
Virtual reality
To solve this problem, "virtual machines" are used: instead of giving programs direct access to a system, they are executed in a kind of sandbox in which not everything is possible. You can, for example, disable network access, which already avoids a whole range of possible problems.
More often than not, though, you have to allow access partially. Some programs simply need network access, or need to reach files on the hard disk. A program that fetches tomorrow's weather forecast from the internet needs network access, for instance. That is where the problems begin: how do you give programs selective access to resources? There are so many detours and tricks to circumvent protections that this is considered a hard problem.
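As an added illustration (not code from the thesis or any project it examined), here are the two sandbox mechanisms this section describes, deny-by-default exposure of Java classes and a time budget per script, on the JDK's Nashorn engine (JDK 8u40 to JDK 14); the class `ScriptSandbox`, the allow-listed `java.lang.Math` and the budget values are assumptions.

```java
import javax.script.ScriptEngine;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import jdk.nashorn.api.scripting.ClassFilter;
import jdk.nashorn.api.scripting.NashornScriptEngineFactory;

public class ScriptSandbox {
    // Deny-by-default: scripts may only reach Java classes named here, so
    // java.net.* (network) and java.io.* (disk) are simply not visible to them.
    static final ClassFilter ALLOW_LIST = name -> name.equals("java.lang.Math");

    private final ScriptEngine engine =
        new NashornScriptEngineFactory().getScriptEngine(ALLOW_LIST);
    private final ExecutorService pool = Executors.newSingleThreadExecutor(r -> {
        Thread t = new Thread(r, "untrusted-script");
        t.setDaemon(true);           // a runaway script must not keep the JVM alive
        return t;
    });

    /** Evaluates untrusted source with a wall-clock budget and returns its value. */
    public Object run(String source, long budgetMillis) throws Exception {
        Future<Object> result = pool.submit(() -> engine.eval(source));
        try {
            return result.get(budgetMillis, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            // cancel(true) only sets the thread's interrupt flag; a tight JS loop
            // never checks it and keeps burning CPU. That is the processor-hogging
            // gap the summary above describes: the time budget limits how long the
            // caller waits, not how long the script runs.
            result.cancel(true);
            throw new IllegalStateException("script exceeded its time budget", e);
        }
    }

    public static void main(String[] args) throws Exception {
        ScriptSandbox sb = new ScriptSandbox();
        System.out.println(sb.run("Java.type('java.lang.Math').max(2, 3)", 1000));
        try {            // not on the allow list: Nashorn reports the class as unavailable
            sb.run("Java.type('java.net.Socket')", 1000);
        } catch (ExecutionException e) { System.out.println("blocked: " + e.getCause()); }
        try {            // constructed CPU hog: the caller gives up after 500 ms
            sb.run("while (true) {}", 500);
        } catch (IllegalStateException e) { System.out.println(e.getMessage()); }
    }
}
```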
Self-service
I investigated the options for safely executing JavaScript, the most popular scripting language, on the Java Virtual Machine, one of the most widely used server platforms. The result was sobering: unfortunately, it is not yet possible today. All the platforms I examined offered protections, but on every platform there was some way of carrying out nefarious plans. No butler on offer, then?