Can I guarantee that my Java application will be executed with a Security Manager with a restrictive policy?

Question

I will be distributing a stand alone Java application that will be installed on a public/shared computer. I want to secure the application as best I can from possible malicious/curious users. This means that I want the application to run in the context of a SecurityManager with a custom policy file.

I know of two ways to run a Java application with a Security Manager.

1. When launching the application specify the parameters -Djava.security.manager and -Djava.security.policy=someUrl. This approach seems to suffer from the following weaknesses:
   • If someUrl refers to a location on the local machine an attacker could modify the policy file and effectively bypass the security sandbox.
   • If an attacker can restart the application they could launch it without passing either of these parameters and run the application without a Security Manager and therefore bypass the security sandbox.
   • If someUrl refers to a location on a remote machine and the remote machine is unaccessible when the application is launched then the application would (presumably) fail to launch.
2. Inside the application execute the following code: System.setProperty("java.security.policy", "path/to/policy/file"); System.setSecurityManager(new SecurityManager());
   This approach seems to suffer from the following weakness:
   • Since the Security Manager is not started by the JVM prior to loading the application, an attacker could tamper with the class files in the application and bypass the security sandbox.

Either way, it seems to me it is not possible to guarantee that a stand alone application will be run in the context of a Security Manager on a public/shared computer.

Is my analysis wrong? Is it possible for an application developer to guarantee the application is run in a Security Manager, and guarantee that the policy file has not been tampered with, when the application is run on a public/shared computer?

Answer 1

Your analysis is correct, you cannot have such a guarantee.

Your program is executed by the Java virtual machine. Whatever property you want to require of the JVM, you have to ask it “does this property hold?”. So you'd be asking the JVM “do you protect my application against the people who are running you?”, and the people who are running that JVM can configure it to lie — just say “yes” even though the answer is no. At most you would require a minor patch to the JVM, and probably not even that as whoever wants to see your application run can just fire up a debugger.

The Security Manager controls separation between applications. It protects your application from other Java applications. It doesn't protect you against the JVM itself: by running an application on it, you are trusting it.

I am sometimes shocked by the blasphemies of those who think themselves pious-for instance, the nuns who never take a bath without wearing a bathrobe all the time. When asked why, since no man can see them, they reply: 'Oh, but you forget the good God.' Apparently they conceive of the Deity as a Peeping Tom, whose omnipotence enables Him to see through bathroom walls, but who is foiled by bathrobes. This view strikes me as curious. (Bertrand Russell)

Answer 2

I want to secure the application as best I can from possible malicious/curious users.

I would say that the purpose of the security manager is to secure users from malicious applications, meaning that it is the right of the user to define the policy under which the particular application will be run.

Of course, the application can check that the SecurityManager is set, and either to refuse to work without one or to install the SecurityManager programmatically.

If you need to secure your application against modifications then security manager/access controller is not the right mechanism. Your first stop would be looking into signing your application and running it as an applet or as a more generic web start application.

If you need to prevent a particular user (or a group of users) from doing something then you need some kind of authentication and authorization scheme. The security policy kind of has a notion of per-user policies and it is kind of useful in the context of manually configuring the application deployment on a single specific computer, but it is hard to use in the generic case.