[langsec-discuss] Langsec and Java Object Serialization

Michael E. Locasto locasto at ucalgary.ca
Wed Jan 6 15:49:59 UTC 2016

On 1/5/16 10:42 PM, Will Sargent wrote:
> Although as far as I can tell, you should be running the JVM inside of
> Docker, inside of a VM, inside of AppArmor and seccomp (whatever that is),
> with a patched grsecurity kernel.  And CoreOS is involved somehow.
> The temptation to call it the Turducken Security Model is strong.

A delightfully astute observation!

When an application's logic is arbitrary, complex, and unpredictable, so
are the layers of security required to protect it. /s

Of course, it is difficult to fault things like grsec and apparmor by
themselves, but what one hopes to get out of the entire arrangement of
isolation mechanisms is never clear to me -- defense-in-depth is
received wisdom as far as I can tell without any real approach to
apprehending the hoped-for security guarantees.

As this thread has pointed out, the inside/outside dichotomy doesn't
quite work (it's either too broad a classification or ignored). Mutual
mistrust and suspicious, strict parsing of all input flows seem like a
more flexible approach that could be deployed piecemeal into both new
and legacy code. But it's not clear to me how to measure any security
gain in that case, either.
