[langsec-discuss] Langsec and Java Object Serialization
Michael E. Locasto
locasto at ucalgary.ca
Wed Jan 6 15:49:59 UTC 2016
On 1/5/16 10:42 PM, Will Sargent wrote:
> Although as far as I can tell, you should be running the JVM inside of
> Docker, inside of a VM, inside of AppArmor and seccomp (whatever that is),
> with a patched grsecurity kernel. And CoreOS is involved somehow.
> The temptation to call it the Turducken Security Model is strong.
A delightfully astute observation!
When an application's logic is arbitrary, complex, and unpredictable, so
are the layers of security required to protect it. /s
Of course, it is difficult to fault things like grsec and apparmor by
themselves, but what one hopes to get out of the entire arrangement of
isolation mechanisms is never clear to me -- defense-in-depth is
received wisdom as far as I can tell without any real approach to
apprehending the hoped-for security guarantees.
As this thread has pointed out, the inside/outside dichotomy doesn't
quite work (it's either too broad a classification or ignored). Mutual
mistrust and suspicious, strict parsing of all input flows seems like a
more flexible approach that could be deployed piecemeal into both new
and legacy code. But it's not clear to me how to measure any security
gain in that case, either.
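One concrete form the "suspicious, strict parsing of all input flows" idea takes for the thread's topic, Java object serialization, is an allow-list on the class descriptors the stream is permitted to name. The following is an added example, not code from Locasto's message or from the langsec project; the class name `StrictObjectInputStream`, the allow-list contents and the `roundTrip` helper are all assumptions chosen for the demonstration.

```java
import java.io.*;
import java.util.Set;

// Hypothetical drop-in replacement for ObjectInputStream that refuses any
// class descriptor not on an explicit allow-list. It can be deployed
// piecemeal: swap `new ObjectInputStream(in)` for this class at each
// untrusted input flow, new or legacy, without touching the rest.
// (Java 9+ also offers ObjectInputStream.setObjectInputFilter for this.)
public final class StrictObjectInputStream extends ObjectInputStream {
    private final Set<String> allowed;

    public StrictObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = allowed;
    }

    // Called for every class descriptor in the stream, including the
    // serializable superclasses of a value, so Integer also needs Number.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!allowed.contains(name)) {
            // Reject before the class is loaded: the bytes are parsed against
            // a grammar the receiver chose, not whatever the sender wrote.
            throw new InvalidClassException(name, "not on the deserialization allow-list");
        }
        return super.resolveClass(desc);
    }

    // Serialize a value in memory (constructed sample input) and read it
    // back through the strict stream.
    static Object roundTrip(Object value, Set<String> allowed) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(value);
        }
        try (ObjectInputStream in = new StrictObjectInputStream(
                new ByteArrayInputStream(buf.toByteArray()), allowed)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Set<String> allowed = Set.of("java.lang.Integer", "java.lang.Number");
        System.out.println("accepted: " + roundTrip(Integer.valueOf(42), allowed));
        try {
            roundTrip(new java.util.ArrayList<String>(), allowed);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The rejection happens at descriptor resolution, so no constructor, `readObject` or `finalize` code of the unlisted class ever runs, which is the property an outer isolation layer can only approximate after the fact.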