Feature request: Security Policy #24
Comments
That's interesting. I don't actually know much about Java's security policies, but you can pass additional JVM options using the environment variable
|
Here's a policy file that seems to be working for me for JQF+Tika:
Keep in mind that this is a trial-and-error whitelist policy created for the corpus I have. Parts of the code I don't reach with my corpus might need more permissions. Performance seems to be fine too, on the new x86 machine I get around 10 execs/sec without the policy and with the policy. However, it seems to me that with the policy, fewer paths are found (maybe it's just coincidence). Is there a good explanation for that? And is it normal that jqf.log has exceptions in it such as the following?
|
The exceptions in the log file that you see are due to the inability of JQF to instrument some classes, due to code patterns such as those described in #22. Unfortunately, this means that those classes will not be instrumented (and branches in their methods will not be recorded). However, it is fine in that JQF will just skip those classes and instrument everything else that it can. As to why you are seeing fewer paths with the use of the policy, I cannot say for sure. As I said, I don't have much experience with security policies in Java, but perhaps I can try reproducing your experiment to see if I can find any anomalies. |
I just wanted to let you know that I ran JQF instances with Java Security Policy by default now and they seem to run fine. The lesser paths issue might have been random differences and not related to the Security Policy. |
Any chance we could support Java Security Policy with JQF? An example is here: https://github.com/floyd-fuh/kelinci/tree/master/examples/commons-imaging . It basically means starting Java with
java -Djava.security.manager -Djava.security.policy=java-security-policy.txt
, which would then throw an exception if the Java program tries to write to a file that was not specified in the policy (whitelist). In theory it should allow finding vulnerabilities such as Server Side Request Forgery, as the code would throw an exception when the Java program tries to create a socket.
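The whitelist behaviour described in this request, as an added example that is not code from JQF, Kelinci or any commenter in this thread: a small Java program that attempts a socket connection and a file write, so that a restrictive policy turns each into a `SecurityException` a fuzzer can record as a failure. The class name `PolicyDenyDemo`, the file `demo.policy`, and all paths and ports are assumptions; it needs a JDK where the Security Manager still works (deprecated since JDK 17, permanently disabled in JDK 24).

```java
// PolicyDenyDemo.java (hypothetical name; added example, not project code)
//
// demo.policy, a constructed whitelist that only allows reading a corpus directory:
//   grant {
//       permission java.io.FilePermission "/tmp/corpus/-", "read";
//   };
//
// Launch with the two options quoted in the issue:
//   java -Djava.security.manager -Djava.security.policy=demo.policy PolicyDenyDemo
import java.io.FileOutputStream;
import java.net.InetSocketAddress;
import java.net.Socket;

public class PolicyDenyDemo {
    /** An operation the code under test might perform on attacker-controlled input. */
    interface Action { void run() throws Exception; }

    /** Runs the action and reports whether the policy let it through. */
    static String attempt(String label, Action action) {
        try {
            action.run();
            return label + ": allowed by policy";
        } catch (SecurityException e) {
            // AccessControlException is a SecurityException; a fuzzing harness
            // would let this propagate so the input is saved as a failure.
            return label + ": DENIED -> " + e.getMessage();
        } catch (Exception e) {
            // Permission check passed, the operation failed for an unrelated reason.
            return label + ": permitted, but failed: " + e;
        }
    }

    public static void main(String[] args) {
        // No SocketPermission "connect" is granted, so this is rejected before
        // any packet leaves the machine (the SSRF-style case from the issue).
        System.out.println(attempt("socket connect", () -> {
            try (Socket s = new Socket()) {
                s.connect(new InetSocketAddress("127.0.0.1", 9), 200);
            }
        }));
        // The path is outside the whitelisted directory and "write" is not granted.
        System.out.println(attempt("file write", () -> {
            try (FileOutputStream out = new FileOutputStream("/tmp/not-whitelisted.txt")) {
                out.write(1);
            }
        }));
    }
}
```

Run without the two `-D` options, neither operation is denied by a policy check, which makes the effect of the whitelist easy to compare.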