[wildfly-dev] my 2 cents on Security Manager discussion

David M. Lloyd david.lloyd at redhat.com
Thu Apr 24 08:49:07 EDT 2014


Consider also that there are currently *zero* viable multi-tenant JVMs 
in existence - just some experimental work, that I know of at least.

Using a JVM per application combined with OS-level safeguards is far 
simpler (and more capable) for the small minority of users who feel the 
need to run untrusted code on their system.

On 04/24/2014 02:49 AM, Przemyslaw Bielicki wrote:
> Do we really need multi-tenancy in server-side Java?
>
> We all know that Java has a serious limitation of max heap size - 16GB
> is the max I've ever seen (used by Hadoop name node). Now, consider
> modern commodity hardware that ships with 500GB - 1000GB of RAM. Let's
> assume that your application's max heap usage is really 16GB and another
> 16GB off-heap memory (in case of mentioned name node it can be up to max
> RAM available if your application uses IO heavily and it can be cached
> by the OS). My humble calculations let me think that on such machine we
> can easily run 16 - 32 separate JVMs (considering RAM only, CPU is
> another story).
>
> Knowing this, I don't think JVM can be a serious host of multi-tenant
> applications in the cloud. I rather see JVM instance per application and
> in such case we don't have  security issues and SM is not needed. If one
> application is dead (e.g. malicious System.exit, JVM core dump, etc.)
> all the rest is safe.
>
>
> On Wed, Apr 23, 2014 at 6:00 PM, Anil Saldhana <Anil.Saldhana at redhat.com
> <mailto:Anil.Saldhana at redhat.com>> wrote:
>
>     Well explained, Jason.  I feel the JVM needs to be a true multi-tenant
>     system to be a serious contender in the multi-tenant cloud env. I doubt
>     any efforts are being made at the VM level.
>
>     On 04/23/2014 09:10 AM, Jason Greene wrote:
>      > Right. An operating system is able to segment code by using page
>     mapping and traps. Each process gets a dedicated memory area that
>     another process can’t access at a very low level (without special
>     permissions). The JVM + SM on the other hand relies on protection at
>     a higher level. Fundamentally the entire JVM memory area is shared
>     between all code. The only thing that prevents it is lots of
>     security checks on every possible method that might leak a
>     reference. So the fundamental flaw is that the SM requires a perfect
>     policy, and is essentially trust-by-default. If a developer forgets
>     to add a check, then a vulnerability is possible. This happens
>     frequently, even in the JDK itself (hence the multiple CVEs)
>      >
>      > The only way the JVM could fix this, is if it introduced real
>     multi-tenancy at the lowest levels. You would have to operate
>     similar to an OS and assign blocks of heap to a particular app, and
>     allow sharing for certain “safe” things like code pages tied to
>     class implementations.
>      >
>      > On Apr 23, 2014, at 8:38 AM, Bill Burke <bburke at redhat.com
>     <mailto:bburke at redhat.com>> wrote:
>      >
>      >> As much as we like to think the app server is an operating
>     system, it
>      >> isn't.  The app server isn't a place where untrusted apps run.
>      >>
>      >> On 4/23/2014 8:40 AM, Josef Cacek wrote:
>      >>> Hi Arjan,
>      >>>
>      >>> let me give you few examples. Do you really want to allow
>     users/deployed-apps/3rd-party-libs
>      >>>
>      >>>   * call System.exit()?
>      >>>   * change behavior of the whole JVM by changing some system
>     properties (keystores and truststores for instance)?
>      >>>   * use reflection to read/change private data (caches, etc)?
>      >>>   * access the filesystem (e.g. rewrite the WildFly
>     configuration files)?
>      >>>   * ...
>      >>>
>      >>> If the answer is always yes, then you don't need the JSM I think.
>      >>>
>      >>> But if you care what can do the parts of code which you don't
>     have under full control, then you should really use the Java
>     Security Manager.
>      >>>
>      >>> Best regards,
>      >>>
>      >>> -- Josef
>      >>>
>      >>> ----- Original Message -----
>      >>>> From: "arjan tijms" <arjan.tijms at gmail.com
>     <mailto:arjan.tijms at gmail.com>>
>      >>>> To: "Jason T. Greene" <jgreene at redhat.com
>     <mailto:jgreene at redhat.com>>
>      >>>> Cc: wildfly-dev at lists.jboss.org
>     <mailto:wildfly-dev at lists.jboss.org>
>      >>>> Sent: Saturday, April 19, 2014 7:43:24 PM
>      >>>> Subject: Re: [wildfly-dev] my 2 cents on Security Manager
>     discussion
>      >>>>
>      >>>> Hi,
>      >>>>
>      >>>> Just wondering, but what is the primary use case for a
>     security manager
>      >>>> server side?
>      >>>>
>      >>>> While the model obviously makes sense for Applets and Webstart
>     where
>      >>>> untrusted code is executed on the user's machine, I found it
>     to be extremely
>      >>>> rare for a server to run untrusted code. In fact, I don't
>     think I've ever
>      >>>> seen this situation.
>      >>>>
>      >>>> There's maybe a case to prevent privilege escalation in case
>     of a legitimate
>      >>>> app being hacked, but in practice it doesn't look like a
>     security manager is
>      >>>> really being used a lot for that, is it? Instead the default
>     thing to do
>      >>>> there seems to be to run the AS under a user with limited
>     rights on the host
>      >>>> OS and/or use things like SELinix or Virtual Servers (e.g.
>     XEN) to isolate
>      >>>> the complete AS.
>      >>>>
>      >>>> Kind regards,
>      >>>> Arjan Tijms
>      >>>>
>     _______________________________________________
>     wildfly-dev mailing list
>     wildfly-dev at lists.jboss.org <mailto:wildfly-dev at lists.jboss.org>
>     https://lists.jboss.org/mailman/listinfo/wildfly-dev
>
>
>
>
> _______________________________________________
> wildfly-dev mailing list
> wildfly-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/wildfly-dev
>


-- 
- DML


More information about the wildfly-dev mailing list