With the deprecation of the Security Manager in Java 17 and 21, I'm looking for ways to restrict plugin code to prevent access to sensitive methods like System.exit(). I've seen discussions on techniques such as bytecode manipulation, but I'm curious about other potential methods that software like IDEs might use to ensure plugins don't misuse permissions. I'm particularly interested in any alternatives that could help achieve a similar level of security without the complexity of implementing Java Agents. Any suggestions would be appreciated!
5 Answers
You might want to check out JEP 486 for some insights on blocking exit calls. However, keep in mind it only handles simple cases. There are more robust solutions out there like the RealBlockSystemExitAgent, which offers a deeper implementation. Scaling up security beyond just exit calls can be quite challenging, though.
I've been working on this too and developed a library called WiseLoader. It allows only certain classes to be loaded by the plugin by maintaining a whitelist, which helps avoid risky classes. This way, plugins can only interact with safe classes and APIs you provide. Depending on your use case, this might suit you well, though it’s something to keep in mind regarding potential limitations.
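A minimal allowlisting class loader in the spirit of this answer, as an added example (it is not WiseLoader's code). It assumes plugin classes are compiled into a `plugins/` directory, that `plugin.Main` implements `Runnable`, and that the allowed set is kept to the few JDK types the plugin legitimately needs; the caveat in the comments is the reason the other answers push toward process isolation.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Set;

/**
 * Defines plugin classes itself and only resolves JDK names that are on an
 * explicit allowlist. A plugin that references java.lang.System or
 * java.lang.Runtime fails to link (NoClassDefFoundError) instead of running.
 * Caveat: the allowlist must also exclude reflection and class-loading entry
 * points (Class, ClassLoader, Thread, java.lang.invoke.*), because any of them
 * would let the plugin reach the bootstrap loader without going through here.
 */
public final class AllowlistPluginLoader extends ClassLoader {
    private final Set<String> allowed;
    private final Path pluginDir;

    public AllowlistPluginLoader(Set<String> allowed, Path pluginDir) {
        super(null); // no parent: nothing is delegated implicitly
        this.allowed = allowed;
        this.pluginDir = pluginDir;
    }

    @Override
    protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
        synchronized (getClassLoadingLock(name)) {
            Class<?> c = findLoadedClass(name);
            if (c == null) {
                c = allowed.contains(name)
                        ? Class.forName(name, false, ClassLoader.getPlatformClassLoader())
                        : findClass(name); // plugin's own class, or ClassNotFoundException
            }
            if (resolve) resolveClass(c);
            return c;
        }
    }

    @Override
    protected Class<?> findClass(String name) throws ClassNotFoundException {
        Path file = pluginDir.resolve(name.replace('.', '/') + ".class");
        try {
            byte[] b = Files.readAllBytes(file); // defineClass rejects java.* names itself
            return defineClass(name, b, 0, b.length);
        } catch (IOException e) {
            throw new ClassNotFoundException(name + " is neither allowlisted nor a plugin class", e);
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed allowlist: grows only with what plugins demonstrably need.
        Set<String> allowed = Set.of("java.lang.Object", "java.lang.String",
                "java.lang.Runnable", "java.lang.StringBuilder", "java.lang.Integer");
        var loader = new AllowlistPluginLoader(allowed, Path.of("plugins"));
        Runnable plugin = (Runnable) loader.loadClass("plugin.Main").getDeclaredConstructor().newInstance();
        plugin.run(); // any System.exit() inside plugin.Main fails at link time, not at runtime
    }
}
```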
Generally speaking, it's really tough to sandbox bytecode in the same JVM. Most applications run plugins with the same permissions as their own code because plugins often need access to critical resources. If security is a concern, the best way is to run plugins in a separate process with limited permissions instead.
Got it! Thanks for the clarification.
Exactly, that makes a lot of sense. Managing permissions is key!
Consider running plugins as external processes. This allows for better restrictions and limits the damage if something goes wrong since each plugin runs in isolation. You can establish communication through RPC, which might fit your needs well.
Interesting approach! Does that mean plugins can be written in any supported language?
If you're open to using Groovy, the SecureASTCustomizer can restrict method calls and class loading. It’s not perfect, but it does offer a level of security.
That sounds interesting! But I wonder if this method gives enough granularity for permissions.