Home/ Questions/Q 3792544
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-19T12:38:19+00:00

All, I’m working on the design of a cloud-based service that will provide the

  • 0

All,

I’m working on the design of a cloud-based service that will provide the option to execute some “plugin” code submitted by clients. In order to make this work it is essential that the plugins can’t threaten system integrity or have any ability to access the data of other clients.

Ideally I’d like it to be possible for clients to submit a simple jar file (containing a class conforming to some pre-defined interface) which would then be run within a sandbox.

The client code should be allowed to:

  • Take as much CPU time as it needs on a single thread
  • Perform any calculations using standard java classes (e.g. java.lang.Math, java.util.Random etc.)
  • Call any libraries bundled in the jar (but which must be subject to the same restrictions)

But I would specifically need to disallow the following:

  • Spawning new threads (so that server resource can be fairly managed!)
  • Any access to the file system / IO / network
  • Any access to native code
  • Any access to data in the JVM other than that passed to / created by the client code
  • Any access to reflection on classes other than those in the .jar sandbox
  • Any ability to call methods on objects outside the sandbox, other than the standard Java libraries

Is it be possible to achieve this with a custom ClassLoader / SecurityManager setup? Or will I need to start looking for a more sophisticated solution (e.g. launching multiple JVMs?)

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Managing resource and limiting resources is not possible in java. You can prevent malicious code to access system resources (disk/network and so) or the JVM itself but:

    Spawning new threads (so that server resource can be fairly managed!)

    • If i wanna be malicious I am gonna do all my code in the finalizer thread and just block the VM. Same doing protected void finalize(synchronized(Thread.class) {for(;;) LockSupport.park();}} bye-bye new threads.
    • Eating all the memory, eating all direct memory and so on.
    • Accessing zip files in my own jar, and expect ’em getting moved away, so the JVM crashes (due to bug(s) in zlib)

    If one purposely wants to deny resources, it is just not a feasible task to try and catch the hacker. You’d need to know what to search for and dynamically check/enhance the classes on run-time to disallow the behavior.

    Any ability to call methods on objects outside the sandbox, other than the standard Java libraries

    What are the standard libraries? Do you know if/when they must possibly execute some code in a privileged method.

    Each customer – separate VM w/ full restrictions, process affinity/priority, incl max memory/stack and so on.

    • 0