[wildfly-dev] my 2 cents on Security Manager discussion

Anil Saldhana Anil.Saldhana at redhat.com
Thu Apr 24 12:40:14 EDT 2014


Thanks for your excellent observations.  Answers inline.

On 04/24/2014 02:49 AM, Przemyslaw Bielicki wrote:
> Do we really need multi-tenancy in server-side Java?
>
It may be necessary for the following reasons:
- save memory wastage (as outlined by Jason)
- lower management of resources needs that comes with single 
application/singleVM/large box combination (management of ports is a big 
issue along with IP addresses)
    * Additionally if the app is fronted by Apache/NGinx or IIS with 
some proxy capabilities, then you deal with the proxy configuration 
(rewriting for multiple IPs/port combination due to app/vm)

> We all know that Java has a serious limitation of max heap size - 16GB 
> is the max I've ever seen (used by Hadoop name node). Now, consider 
> modern commodity hardware that ships with 500GB - 1000GB of RAM. Let's 
> assume that your application's max heap usage is really 16GB and 
> another 16GB off-heap memory (in case of mentioned name node it can be 
> up to max RAM available if your application uses IO heavily and it can 
> be cached by the OS). My humble calculations let me think that on such 
> machine we can easily run 16 - 32 separate JVMs (considering RAM only, 
> CPU is another story).
>
> Knowing this, I don't think JVM can be a serious host of multi-tenant 
> applications in the cloud. I rather see JVM instance per application 
> and in such case we don't have security issues and SM is not needed. 
> If one application is dead (e.g. malicious System.exit, JVM core dump, 
> etc.) all the rest is safe.
Solving the system exit or core dump issues is really a tall order to 
climb for multi-tenant JVMs.  The complexity/work involved probably 
outweighs the benefits.

I am leaning now toward a single app/single JVM strategy.
>
>
> On Wed, Apr 23, 2014 at 6:00 PM, Anil Saldhana 
> <Anil.Saldhana at redhat.com <mailto:Anil.Saldhana at redhat.com>> wrote:
>
>     Well explained, Jason.  I feel the JVM needs to be a true multi-tenant
>     system to be a serious contender in the multi-tenant cloud env. I
>     doubt
>     any efforts are being made at the VM level.
>
>     On 04/23/2014 09:10 AM, Jason Greene wrote:
>     > Right. An operating system is able to segment code by using page
>     mapping and traps. Each process gets a dedicated memory area that
>     another process can't access at a very low level (without special
>     permissions). The JVM + SM on the other hand relies on protection
>     at a higher level. Fundamentally the entire JVM memory area is
>     shared between all code. The only thing that prevents it is lots
>     of security checks on every possible method that might leak a
>     reference. So the fundamental flaw is that the SM requires a
>     perfect policy, and is essentially trust-by-default. If a
>     developer forgets to add a check, then a vulnerability is
>     possible. This happens frequently, even in the JDK itself (hence
>     the multiple CVEs)
>     >
>     > The only way the JVM could fix this, is if it introduced real
>     multi-tenancy at the lowest levels. You would have to operate
>     similar to an OS and assign blocks of heap to a particular app,
>     and allow sharing for certain "safe" things like code pages tied
>     to class implementations.
>     >
>     > On Apr 23, 2014, at 8:38 AM, Bill Burke <bburke at redhat.com
>     <mailto:bburke at redhat.com>> wrote:
>     >
>     >> As much as we like to think the app server is an operating
>     system, it
>     >> isn't.  The app server isn't a place where untrusted apps run.
>     >>
>     >> On 4/23/2014 8:40 AM, Josef Cacek wrote:
>     >>> Hi Arjan,
>     >>>
>     >>> let me give you few examples. Do you really want to allow
>     users/deployed-apps/3rd-party-libs
>     >>>
>     >>>   * call System.exit()?
>     >>>   * change behavior of the whole JVM by changing some system
>     properties (keystores and truststores for instance)?
>     >>>   * use reflection to read/change private data (caches, etc)?
>     >>>   * access the filesystem (e.g. rewrite the WildFly
>     configuration files)?
>     >>>   * ...
>     >>>
>     >>> If the answer is always yes, then you don't need the JSM I think.
>     >>>
>     >>> But if you care what can do the parts of code which you don't
>     have under full control, then you should really use the Java
>     Security Manager.
>     >>>
>     >>> Best regards,
>     >>>
>     >>> -- Josef
>     >>>
>     >>> ----- Original Message -----
>     >>>> From: "arjan tijms" <arjan.tijms at gmail.com
>     <mailto:arjan.tijms at gmail.com>>
>     >>>> To: "Jason T. Greene" <jgreene at redhat.com
>     <mailto:jgreene at redhat.com>>
>     >>>> Cc: wildfly-dev at lists.jboss.org
>     <mailto:wildfly-dev at lists.jboss.org>
>     >>>> Sent: Saturday, April 19, 2014 7:43:24 PM
>     >>>> Subject: Re: [wildfly-dev] my 2 cents on Security Manager
>     discussion
>     >>>>
>     >>>> Hi,
>     >>>>
>     >>>> Just wondering, but what is the primary use case for a
>     security manager
>     >>>> server side?
>     >>>>
>     >>>> While the model obviously makes sense for Applets and
>     Webstart where
>     >>>> untrusted code is executed on the user's machine, I found it
>     to be extremely
>     >>>> rare for a server to run untrusted code. In fact, I don't
>     think I've ever
>     >>>> seen this situation.
>     >>>>
>     >>>> There's maybe a case to prevent privilege escalation in case
>     of a legitimate
>     >>>> app being hacked, but in practice it doesn't look like a
>     security manager is
>     >>>> really being used a lot for that, is it? Instead the default
>     thing to do
>     >>>> there seems to be to run the AS under a user with limited
>     rights on the host
>     >>>> OS and/or use things like SELinix or Virtual Servers (e.g.
>     XEN) to isolate
>     >>>> the complete AS.
>     >>>>
>     >>>> Kind regards,
>     >>>> Arjan Tijms
>     >>>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/wildfly-dev/attachments/20140424/a4d6d20b/attachment.html 


More information about the wildfly-dev mailing list