
Strengthening Java Application Security Against Supply Chain Threats

A system to prevent attacks on Java applications by using a class allowlist.


The software supply chain is essential for developing applications today, but it also brings risks. Many developers use third-party libraries in their software, which can create security issues. If these libraries have flaws, they can be exploited by attackers. One notorious attack is called Log4Shell, which allowed code from a malicious source to run on the server. This paper discusses a new system that helps prevent such attacks in Java applications.

The Problem

As software development has grown, the reliance on external code has increased. This introduces vulnerabilities, particularly when unverified code is run. Many recent attacks have targeted this weakness, exploiting flaws in popular libraries to execute harmful commands remotely. Traditional security methods may catch these issues during development but often fail to protect against threats at runtime.

The Solution

Our proposed system builds an allowlist of classes that are permitted to run in a Java application. This allowlist is created based on the software supply chain of the application. By ensuring that only trusted classes are executed, the system can block any unrecognized or modified classes at runtime.

How the System Works

Allowlist Creation

During the building phase of an application, the system scans all classes, creating a list known as the Bill of Materials Index (BOMI). This list includes classes from the core Java libraries, classes written by developers, and any dynamically generated classes.

  1. Environment Classes: These are built-in Java classes. The system records the checksums for these classes, which serve as unique identifiers.

  2. Supply Chain Classes: These classes come from third-party libraries. The system takes inventory of all the libraries and their classes to create a complete list.

  3. Dynamic Classes: Java allows for the generation of classes while the application is running. The system monitors the application during testing to record any dynamically created classes.

Runtime Monitoring

Once the BOMI is created, the application can be monitored during execution. A component called the SBOM Runtime Watchdog is activated. It checks each class that is loaded against the BOMI.

  • If the class is on the BOMI and matches the checksum, it is allowed to run.
  • If the class is not found or if the checksum does not match, the application is terminated immediately. This prevents any potentially harmful code from executing.
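As an added illustration (not code from the paper or the SBOM.EXE project), the following Java agent shows the runtime side of the design above: it loads a build-time BOMI of class-name and SHA-256 pairs from an assumed file `bomi.txt` and halts the JVM when a loaded class is absent from the list or its checksum differs.

```java
// Added example, not SBOM.EXE's own code: a Java agent that enforces a class
// allowlist keyed by SHA-256 of the class bytes handed to the JVM.
// Assumes a build-time file "bomi.txt" with one "<dotted.class.Name> <sha256hex>" per line.
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.ProtectionDomain;
import java.util.HashMap;
import java.util.Map;

public final class AllowlistAgent {
    private static final Map<String, String> BOMI = new HashMap<>();

    // Entry point named in the agent jar manifest (Premain-Class: AllowlistAgent).
    public static void premain(String args, Instrumentation inst) throws Exception {
        Path bomiFile = Path.of(args == null ? "bomi.txt" : args);
        for (String line : Files.readAllLines(bomiFile, StandardCharsets.UTF_8)) {
            String[] parts = line.trim().split("\\s+");
            if (parts.length == 2) BOMI.put(parts[0], parts[1].toLowerCase());
        }
        inst.addTransformer(new Watchdog(), false);
    }

    static String sha256Hex(byte[] data) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Invoked for every class defined after the agent starts; classes already
    // loaded by the bootstrap loader before premain are not seen here.
    static final class Watchdog implements ClassFileTransformer {
        @Override
        public byte[] transform(ClassLoader loader, String className, Class<?> redefined,
                                ProtectionDomain pd, byte[] classfileBuffer) {
            // className arrives in internal form ("org/example/Foo"); null for some
            // synthetic classes, which this example treats as not on the list.
            String name = className == null ? "<unnamed>" : className.replace('/', '.');
            try {
                String expected = BOMI.get(name);
                String actual = sha256Hex(classfileBuffer);
                if (expected == null || !expected.equals(actual)) {
                    System.err.println("[watchdog] blocked " + name + " sha256=" + actual);
                    Runtime.getRuntime().halt(1); // terminate, as the watchdog design does
                }
            } catch (Exception e) {
                Runtime.getRuntime().halt(1); // fail closed on any verification error
            }
            return null; // null means "leave the class bytes unchanged"
        }
    }
}
```

Run it with `java -javaagent:allowlist-agent.jar=bomi.txt -jar app.jar`, with `Premain-Class: AllowlistAgent` in the agent jar's manifest. Dynamically generated classes with randomized names, as noted for GraphHopper below, will not match a static list and must be recorded during a test run or treated as a known gap.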

Why It Matters

This system directly addresses a critical issue: the ability to execute unknown classes. By maintaining a strict allowlist and monitoring class loading, the system can effectively minimize the risk posed by dynamic class loading features in Java.

Testing the System

To validate the effectiveness of our system, we tested it against three significant vulnerabilities commonly known in the security landscape.

  1. Log4j: The Log4Shell vulnerability showed how attackers could execute malicious code via a logging library. Our system successfully prevented the execution of this malicious code by comparing it against the BOMI.

  2. H2 Database: This database engine was also vulnerable to similar attacks. We replicated the conditions for a potential exploit and again found that our system stopped any harmful code from executing.

  3. Apache Commons Configuration: Using the Nashorn JavaScript engine, which was bundled with Java, this vulnerability demonstrated how JavaScript code could lead to severe security issues. Our system effectively intercepted the malicious code before it could run.

Real-World Applicability

We also evaluated our system on real-world applications to measure its impact and performance. We tested its compatibility with existing software, aiming to ensure that it does not interfere with legitimate operations.

  1. PDFBox: This application manipulates PDF files and was tested under a workload that involved various PDF operations. Our system ran without any false positives, successfully identifying and allowing legitimate operations.

  2. Ttorrent: This peer-to-peer downloading application was evaluated, and the system handled its dynamic class generation without interruptions.

  3. GraphHopper: This routing application was more challenging, revealing that some classes generated dynamically could not be captured due to their randomized nature. Even so, the system managed to block unauthorized code effectively.

Performance Considerations

A key aspect of any security system is its performance impact. We measured the overhead introduced by our system during operations:

  • During the initial startup and class verification, there is a noticeable overhead due to checksumming and verification processes.
  • However, after the initial warm-up, the performance impact becomes minimal, making it suitable for long-running applications.

Conclusion

The integration of our system into Java applications significantly enhances security against supply chain attacks exploiting dynamic code execution. By creating a detailed BOMI and actively monitoring class loading, we can effectively ensure the integrity of Java applications in a complex software landscape.

Future Directions

Looking ahead, we aim to expand our system’s capabilities, focusing on the detection of hidden classes that current methodologies may overlook. We also plan to explore comparisons with other technologies that address similar security concerns. Overall, our approach lays a solid foundation for improving software security against evolving threats.

Original Source

Title: SBOM.EXE: Countering Dynamic Code Injection based on Software Bill of Materials in Java

Abstract: Software supply chain attacks have become a significant threat as software development increasingly relies on contributions from multiple, often unverified sources. The code from unverified sources does not pose a threat until it is executed. Log4Shell is a recent example of a supply chain attack that processed a malicious input at runtime, leading to remote code execution. It exploited the dynamic class loading facilities of Java to compromise the runtime integrity of the application. Traditional safeguards can mitigate supply chain attacks at build time, but they have limitations in mitigating runtime threats posed by dynamically loaded malicious classes. This calls for a system that can detect these malicious classes and prevent their execution at runtime. This paper introduces SBOM.EXE, a proactive system designed to safeguard Java applications against such threats. SBOM.EXE constructs a comprehensive allowlist of permissible classes based on the complete software supply chain of the application. This allowlist is enforced at runtime, blocking any unrecognized or tampered classes from executing. We assess SBOM.EXE's effectiveness by mitigating 3 critical CVEs based on the above threat. We run our tool with 3 open-source Java applications and report that our tool is compatible with real-world applications with minimal performance overhead. Our findings demonstrate that SBOM.EXE can effectively maintain runtime integrity with minimal performance impact, offering a novel approach to fortifying Java applications against dynamic classloading attacks.

Authors: Aman Sharma, Martin Wittlinger, Benoit Baudry, Martin Monperrus

Last Update: 2024-06-28 00:00:00

Language: English

Source URL: https://arxiv.org/abs/2407.00246

Source PDF: https://arxiv.org/pdf/2407.00246

Licence: https://creativecommons.org/licenses/by/4.0/

Changes: This summary was created with assistance from AI and may have inaccuracies. For accurate information, please refer to the original source documents linked here.

Thank you to arxiv for use of its open access interoperability.
