Welcome!

Cloud Security Authors: Liz McMillan, Scott Millis, Elizabeth White, Kevin Jackson, Doron Kolton

Related Topics: Java IoT, Cloud Security

Java IoT: Article

How to Provide Dynamic Security Permissions

Two approaches

For various reasons, an application may install a security manager. Usually it does so to guard against malicious third-party code either installed or dynamically downloaded at runtime. If the application uses RMI APIs, it's even required by a Java specification that a security manager be installed, otherwise the classloader will not download any classes from remote locations.

The most convenient security manager to use is java.lang.SecurityManager. Once installed, it will work with security policy to control the security permissions granted to different protection domains. For simplicity, it will be referred to as SecurityManager for the rest of this article.

The security policy is statically initialized at application start-up. For Sun's JDK, the security policy is defined in a security policy file. Naturally, this initial security policy cannot be changed at runtime once it's loaded with the application.

What if you want the security permissions to change at runtime? For example, you have a list of hosts from which the socket connection requests should not be accepted by the security manager. This list keeps changing when the application is running and you don't want to shut the application down to make the latest list effective. Or you feel that the expressions allowed in the security policy file are not enough for your application. Sure, it allows wildcards like "*", but you need something more dynamic and powerful, like a regular expression. What can you do?

Before any solution is proposed, let's take a look at how security permissions are managed normally. First, create a security policy that defines a set of security permissions granted to one or more protection domains, then install java.lang.SecurityManager at the start of your application. When the application calls a security-sensitive API, the API first checks with the SecurityManager to determine whether certain operations are allowed. The SecurityManager calls AccessContoller.checkPermission() method, which in turn consults the security policy when making security permission decisions.

It's not difficult to find out from the above that three components work together to provide security permissions - a security manager, a security policy, and the AccessContoller. AccessController is a final class and cannot be dynamically set with the system, so there's nothing we can do about it. SecurityManager and Policy, on the other hand, are extendable and can be set with the system.

It seems there are two approaches - writing your own security manager or writing your own security policy.

Writing Your Own Security Manager
If you take a look at SecurityManager APIs, the bulk of them are two checkPermission() methods and some checkOperation() methods, where Operation is an action like Connect, Listen, SetFactory, etc. If the security permission is granted, these methods simply return without doing anything. Otherwise, they throw SecurityException to indicate that the related security permission is denied. To dynamically control the behavior, just override one or more such APIs. If a method is not overridden, leave the behavior to SecurityManager and essentially the security policy to decide.

So far this seems easy. Is that so? Let's find out with a simple example. In this example, you want to control which properties can be accessed by overriding the checkPropertyAccess(String key) API. It's assumed that the list of accessible properties keeps changing and you get a fresh list each time checkPropertyAccess(String key) is invoked (see Listing 1).

You don't expect to get a security exception because we allow access to "user.home". By the way, if you use a security policy file that grants PropertyPermission to access "user.home" and "user.dir" and install a SecurityManager, TestProperty prints out the value of "user.home" just as expected.

If you run TestProperty with MySecurityManager in Sun's JDK 1.4.2, it prints out the following:

Exception in thread "main" java.lang.ExceptionInInitializerError
at java.lang.System.setSecurityManager0(System.java:243)
at java.lang.System.setSecurityManager(System.java:212)
at TestProperty.main(TestProperty.java:5)
Caused by: java.lang.SecurityException: Not allowed!
at MySecurityManager.checkPropertyAccess(MySecurityManager.java:9)
at java.lang.System.getProperty(System.java:573)
at java.lang.Integer.getInteger(Integer.java:814)
at java.lang.Integer.getInteger(Integer.java:731)
at sun.security.action.GetIntegerAction.run(GetIntegerAction.java:90)
at java.security.AccessController.doPrivileged(Native Method)
at sun.net.InetAddressCachePolicy.<clinit>(InetAddressCachePolicy.java:94)
... 3 more

The exception is thrown from System.setSecurityManager() and is caused by a read of property "su.net.inetaddr.ttl", which is totally unrelated to our code. Seems like you just shot yourself in the foot, yet you don't know where the bullet came from.

Actually it's not important to know where the check comes from, but it is important to note that the security exception is caused by an AccessController.doPrivileged() call.

When we try the TestProperty application with the standard SecurityManager and security policy, AccessController.doPrivileged doesn't throw a security exception. This is because SecurityManager.checkPropertyAccess() delegates to checkPermission(), which in turn calls AccessController.checkPermission(). AccessController knows how to handle privileged code blocks. When it sees a privileged code block and the associated protection domain has the required permission, it returns without further checking callers of the privileged code block on the call stack. In our case, the privileged code block is in the sun.net.InetAddressCachePolicy, which is from the system domain that has all the permissions.

Let's go back to MySecurityManager. There is no way for it to know whether a call is from a privileged code block or the information about the call stack. It grants and denies the same set of permissions to all protection domains, even if the protection domain is the system domain where all permissions should be granted. That's where the problem comes from.

For more details regarding AccessController, I encourage you to check out the JavaDoc for the AccessController and security documentation at http://java.sun.com/j2se/1.4.2/docs/guide/security/ spec/security-spec.doc4.html#20389.

It's important to note that MySecurityManager tends to be more restrictive than SecurityManager (or the initial security policy) by specifically disallowing access to most of the properties. On the other hand, an application may need a security manager that is less restrictive than the initial security policy at certain times. In this case, override a SecurityManager's check method in the following manner:

  1. Specifically allow an action by directly returning from the method when a condition is met.
  2. Otherwise delegate to the same checkOperation() method in its super class to get the default behavior controlled by the initial security policy.

More Stories By Xiaozhong Wang

Xiaozhong Wang is a software engineer at Sun where he has solved some security problems in his TCK (Technology Compatibility Kit) work.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@ThingsExpo Stories
Internet-of-Things discussions can end up either going down the consumer gadget rabbit hole or focused on the sort of data logging that industrial manufacturers have been doing forever. However, in fact, companies today are already using IoT data both to optimize their operational technology and to improve the experience of customer interactions in novel ways. In his session at @ThingsExpo, Gordon Haff, Red Hat Technology Evangelist, will share examples from a wide range of industries – includin...
We're entering the post-smartphone era, where wearable gadgets from watches and fitness bands to glasses and health aids will power the next technological revolution. With mass adoption of wearable devices comes a new data ecosystem that must be protected. Wearables open new pathways that facilitate the tracking, sharing and storing of consumers’ personal health, location and daily activity data. Consumers have some idea of the data these devices capture, but most don’t realize how revealing and...
Unless your company can spend a lot of money on new technology, re-engineering your environment and hiring a comprehensive cybersecurity team, you will most likely move to the cloud or seek external service partnerships. In his session at 18th Cloud Expo, Darren Guccione, CEO of Keeper Security, revealed what you need to know when it comes to encryption in the cloud.
"We build IoT infrastructure products - when you have to integrate different devices, different systems and cloud you have to build an application to do that but we eliminate the need to build an application. Our products can integrate any device, any system, any cloud regardless of protocol," explained Peter Jung, Chief Product Officer at Pulzze Systems, in this SYS-CON.tv interview at @ThingsExpo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
In his general session at 19th Cloud Expo, Manish Dixit, VP of Product and Engineering at Dice, discussed how Dice leverages data insights and tools to help both tech professionals and recruiters better understand how skills relate to each other and which skills are in high demand using interactive visualizations and salary indicator tools to maximize earning potential. Manish Dixit is VP of Product and Engineering at Dice. As the leader of the Product, Engineering and Data Sciences team at D...
Data is the fuel that drives the machine learning algorithmic engines and ultimately provides the business value. In his session at 20th Cloud Expo, Ed Featherston, director/senior enterprise architect at Collaborative Consulting, will discuss the key considerations around quality, volume, timeliness, and pedigree that must be dealt with in order to properly fuel that engine.
In addition to all the benefits, IoT is also bringing new kind of customer experience challenges - cars that unlock themselves, thermostats turning houses into saunas and baby video monitors broadcasting over the internet. This list can only increase because while IoT services should be intuitive and simple to use, the delivery ecosystem is a myriad of potential problems as IoT explodes complexity. So finding a performance issue is like finding the proverbial needle in the haystack.
According to Forrester Research, every business will become either a digital predator or digital prey by 2020. To avoid demise, organizations must rapidly create new sources of value in their end-to-end customer experiences. True digital predators also must break down information and process silos and extend digital transformation initiatives to empower employees with the digital resources needed to win, serve, and retain customers.
"Once customers get a year into their IoT deployments, they start to realize that they may have been shortsighted in the ways they built out their deployment and the key thing I see a lot of people looking at is - how can I take equipment data, pull it back in an IoT solution and show it in a dashboard," stated Dave McCarthy, Director of Products at Bsquare Corporation, in this SYS-CON.tv interview at @ThingsExpo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
Fact is, enterprises have significant legacy voice infrastructure that’s costly to replace with pure IP solutions. How can we bring this analog infrastructure into our shiny new cloud applications? There are proven methods to bind both legacy voice applications and traditional PSTN audio into cloud-based applications and services at a carrier scale. Some of the most successful implementations leverage WebRTC, WebSockets, SIP and other open source technologies. In his session at @ThingsExpo, Da...
@GonzalezCarmen has been ranked the Number One Influencer and @ThingsExpo has been named the Number One Brand in the “M2M 2016: Top 100 Influencers and Brands” by Onalytica. Onalytica analyzed tweets over the last 6 months mentioning the keywords M2M OR “Machine to Machine.” They then identified the top 100 most influential brands and individuals leading the discussion on Twitter.
Today we can collect lots and lots of performance data. We build beautiful dashboards and even have fancy query languages to access and transform the data. Still performance data is a secret language only a couple of people understand. The more business becomes digital the more stakeholders are interested in this data including how it relates to business. Some of these people have never used a monitoring tool before. They have a question on their mind like “How is my application doing” but no id...
As data explodes in quantity, importance and from new sources, the need for managing and protecting data residing across physical, virtual, and cloud environments grow with it. Managing data includes protecting it, indexing and classifying it for true, long-term management, compliance and E-Discovery. Commvault can ensure this with a single pane of glass solution – whether in a private cloud, a Service Provider delivered public cloud or a hybrid cloud environment – across the heterogeneous enter...
"IoT is going to be a huge industry with a lot of value for end users, for industries, for consumers, for manufacturers. How can we use cloud to effectively manage IoT applications," stated Ian Khan, Innovation & Marketing Manager at Solgeniakhela, in this SYS-CON.tv interview at @ThingsExpo, held November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA.
"We're a cybersecurity firm that specializes in engineering security solutions both at the software and hardware level. Security cannot be an after-the-fact afterthought, which is what it's become," stated Richard Blech, Chief Executive Officer at Secure Channels, in this SYS-CON.tv interview at @ThingsExpo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
Information technology is an industry that has always experienced change, and the dramatic change sweeping across the industry today could not be truthfully described as the first time we've seen such widespread change impacting customer investments. However, the rate of the change, and the potential outcomes from today's digital transformation has the distinct potential to separate the industry into two camps: Organizations that see the change coming, embrace it, and successful leverage it; and...
Data is the fuel that drives the machine learning algorithmic engines and ultimately provides the business value. In his session at Cloud Expo, Ed Featherston, a director and senior enterprise architect at Collaborative Consulting, discussed the key considerations around quality, volume, timeliness, and pedigree that must be dealt with in order to properly fuel that engine.
We are always online. We access our data, our finances, work, and various services on the Internet. But we live in a congested world of information in which the roads were built two decades ago. The quest for better, faster Internet routing has been around for a decade, but nobody solved this problem. We’ve seen band-aid approaches like CDNs that attack a niche's slice of static content part of the Internet, but that’s it. It does not address the dynamic services-based Internet of today. It does...
Internet of @ThingsExpo, taking place June 6-8, 2017 at the Javits Center in New York City, New York, is co-located with the 20th International Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. @ThingsExpo New York Call for Papers is now open.
What happens when the different parts of a vehicle become smarter than the vehicle itself? As we move toward the era of smart everything, hundreds of entities in a vehicle that communicate with each other, the vehicle and external systems create a need for identity orchestration so that all entities work as a conglomerate. Much like an orchestra without a conductor, without the ability to secure, control, and connect the link between a vehicle’s head unit, devices, and systems and to manage the ...