Add SecurityManager support to block suspicious code #622

Author: Markoutte

utbot-framework-api/src/main/kotlin/org/utbot/framework/plugin/api/UtExecutionResult.kt

@@ -17,6 +17,10 @@ data class UtOverflowFailure(
     override val exception: Throwable,
 ) : UtExecutionFailure()
 
+data class UtSandboxFailure(
+    override val exception: Throwable
+) : UtExecutionFailure()
+
 /**
  * unexpectedFail (when exceptions such as NPE, IOBE, etc. appear, but not thrown by a user, applies both for function under test and nested calls )
  * expectedCheckedThrow (when function under test or nested call explicitly says that checked exception could be thrown and throws it)

utbot-framework/src/main/kotlin/org/utbot/engine/Resolver.kt

@@ -71,6 +71,7 @@ import kotlin.math.max
 import kotlin.math.min
 import kotlinx.collections.immutable.persistentListOf
 import kotlinx.collections.immutable.persistentSetOf
+import org.utbot.framework.plugin.api.UtSandboxFailure
 import soot.ArrayType
 import soot.BooleanType
 import soot.ByteType
@@ -88,6 +89,7 @@ import soot.SootField
 import soot.Type
 import soot.VoidType
 import sun.java2d.cmm.lcms.LcmsServiceProvider
+import java.security.AccessControlException
 
 // hack
 const val MAX_LIST_SIZE = 10
@@ -371,12 +373,11 @@ class Resolver(
         return if (explicit) {
             UtExplicitlyThrownException(exception, inNestedMethod)
         } else {
-            // TODO SAT-1561
-            val isOverflow = exception is ArithmeticException && exception.message?.contains("overflow") == true
-            if (isOverflow) {
-                UtOverflowFailure(exception)
-            } else {
-                UtImplicitlyThrownException(exception, inNestedMethod)
+            when {
+                // TODO SAT-1561
+                exception is ArithmeticException && exception.message?.contains("overflow") == true -> UtOverflowFailure(exception)
+                exception is AccessControlException -> UtSandboxFailure(exception)
+                else -> UtImplicitlyThrownException(exception, inNestedMethod)
             }
         }
     }

utbot-framework/src/main/kotlin/org/utbot/framework/codegen/model/constructor/tree/CgMethodConstructor.kt

@@ -113,6 +113,7 @@ import org.utbot.framework.plugin.api.UtNewInstanceInstrumentation
 import org.utbot.framework.plugin.api.UtNullModel
 import org.utbot.framework.plugin.api.UtPrimitiveModel
 import org.utbot.framework.plugin.api.UtReferenceModel
+import org.utbot.framework.plugin.api.UtSandboxFailure
 import org.utbot.framework.plugin.api.UtStaticMethodInstrumentation
 import org.utbot.framework.plugin.api.UtTimeoutException
 import org.utbot.framework.plugin.api.UtVoidModel
@@ -149,6 +150,7 @@ import org.utbot.framework.util.isUnit
 import org.utbot.summary.SummarySentenceConstants.TAB
 import sun.reflect.generics.reflectiveObjects.ParameterizedTypeImpl
 import java.lang.reflect.InvocationTargetException
+import java.security.AccessControlException
 import kotlin.reflect.jvm.javaType
 
 private const val DEEP_EQUALS_MAX_DEPTH = 5 // TODO move it to plugin settings?
@@ -368,6 +370,11 @@ internal class CgMethodConstructor(val context: CgContext) : CgContextOwner by c
                 methodType = CRASH
                 writeWarningAboutCrash()
             }
+            is AccessControlException -> {
+                methodType = CRASH
+                writeWarningAboutFailureTest(exception)
+                return
+            }
             else -> {
                 methodType = FAILING
                 writeWarningAboutFailureTest(exception)
@@ -378,6 +385,7 @@ internal class CgMethodConstructor(val context: CgContext) : CgContextOwner by c
     }
 
     private fun shouldTestPassWithException(execution: UtExecution, exception: Throwable): Boolean {
+        if (exception is AccessControlException) return false
         // tests with timeout or crash should be processed differently
         if (exception is TimeoutException || exception is ConcreteExecutionFailureException) return false
 
@@ -1618,6 +1626,12 @@ internal class CgMethodConstructor(val context: CgContext) : CgContextOwner by c
             )
         }
 
+        if (result is UtSandboxFailure) {
+            testFrameworkManager.disableTestMethod(
+                "Disabled due to sandbox"
+            )
+        }
+
         val testMethod = buildTestMethod {
             name = methodName
             parameters = params

utbot-framework/src/main/kotlin/org/utbot/framework/concrete/UtExecutionInstrumentation.kt

@@ -20,6 +20,7 @@ import org.utbot.framework.plugin.api.UtInstrumentation
 import org.utbot.framework.plugin.api.UtMethod
 import org.utbot.framework.plugin.api.UtModel
 import org.utbot.framework.plugin.api.UtNewInstanceInstrumentation
+import org.utbot.framework.plugin.api.UtSandboxFailure
 import org.utbot.framework.plugin.api.UtStaticMethodInstrumentation
 import org.utbot.framework.plugin.api.UtTimeoutException
 import org.utbot.framework.plugin.api.util.UtContext
@@ -37,6 +38,7 @@ import org.utbot.instrumentation.instrumentation.et.ExplicitThrowInstruction
 import org.utbot.instrumentation.instrumentation.et.TraceHandler
 import org.utbot.instrumentation.instrumentation.instrumenter.Instrumenter
 import org.utbot.instrumentation.instrumentation.mock.MockClassVisitor
+import java.security.AccessControlException
 import java.security.ProtectionDomain
 import java.util.IdentityHashMap
 import kotlin.reflect.jvm.javaMethod
@@ -212,6 +214,9 @@ object UtExecutionInstrumentation : Instrumentation<UtConcreteExecutionResult> {
         if (exception is TimeoutException) {
             return UtTimeoutException(exception)
         }
+        if (exception is AccessControlException) {
+            return UtSandboxFailure(exception)
+        }
         val instrs = traceHandler.computeInstructionList()
         val isNested = if (instrs.isEmpty()) {
             false

utbot-instrumentation/src/main/kotlin/org/utbot/instrumentation/process/ChildProcess.kt

@@ -11,6 +11,7 @@ import java.io.File
 import java.io.OutputStream
 import java.io.PrintStream
 import java.net.URLClassLoader
+import java.security.AllPermission
 import java.time.LocalDateTime
 import java.time.format.DateTimeFormatter
 import kotlin.system.exitProcess
@@ -51,6 +52,12 @@ private val kryoHelper: KryoHelper = KryoHelper(System.`in`, System.`out`)
  * It should be compiled into separate jar file (child_process.jar) and be run with an agent (agent.jar) option.
  */
 fun main() {
+    permissions {
+        // Enable all permissions for instrumentation.
+        // SecurityKt.sandbox() is used to restrict these permissions.
+        + AllPermission()
+    }
+
     // We don't want user code to litter the standard output, so we redirect it.
     val tmpStream = PrintStream(object : OutputStream() {
         override fun write(b: Int) {}
@@ -127,7 +134,7 @@ private fun loop(instrumentation: Instrumentation<*>) {
                 }
                 System.err.println("warmup finished in $time ms")
             }
-            is Protocol.InvokeMethodCommand -> {
+            is Protocol.InvokeMethodCommand -> sandbox {
                 val resultCmd = try {
                     val clazz = HandlerClassesLoader.loadClass(cmd.className)
                     val res = instrumentation.invoke(

utbot-instrumentation/src/main/kotlin/org/utbot/instrumentation/process/Security.kt

@@ -0,0 +1,147 @@
+package org.utbot.instrumentation.process
+
+import sun.security.provider.PolicyFile
+import java.lang.reflect.ReflectPermission
+import java.net.URI
+import java.nio.file.Files
+import java.nio.file.Paths
+import java.security.AccessControlContext
+import java.security.AccessController
+import java.security.CodeSource
+import java.security.Permission
+import java.security.PermissionCollection
+import java.security.Permissions
+import java.security.Policy
+import java.security.PrivilegedAction
+import java.security.ProtectionDomain
+import java.security.cert.Certificate
+
+internal fun permissions(block: SimplePolicy.() -> Unit) {
+    val policy = Policy.getPolicy()
+    if (policy !is SimplePolicy) {
+        Policy.setPolicy(SimplePolicy(block))
+        System.setSecurityManager(SecurityManager())
+    } else {
+        policy.block()
+    }
+}
+
+/**
+ * Run [block] in sandbox mode.
+ *
+ * When running in sandbox by default only necessary to instrumentation permissions are enabled.
+ * Other options are not enabled by default and rises [java.security.AccessControlException].
+ *
+ * To add new permissions create and/or edit file "{user.home}/.utbot/sandbox.policy".
+ *
+ * For example to enable property reading (`System.getProperty("user.home")`):
+ *
+ * ```
+ * grant {
+ *      permission java.util.PropertyPermission "user.home", "read";
+ * };
+ * ```
+ * Read more [about policy file and syntax](https://docs.oracle.com/javase/7/docs/technotes/guides/security/PolicyFiles.html#Examples)
+ */
+internal fun <T> sandbox(block: () -> T): T {
+    val policyPath = Paths.get(System.getProperty("user.home"), ".utbot", "sandbox.policy")
+    return sandbox(policyPath.toUri()) { block() }
+}
+
+internal fun <T> sandbox(file: URI, block: () -> T): T {
+    val path = Paths.get(file)
+    val perms = mutableListOf<Permission>(
+        RuntimePermission("accessDeclaredMembers"),
+        RuntimePermission("getProtectionDomain"),
+        RuntimePermission("accessClassInPackage.*"),
+        ReflectPermission("*"),
+    )
+    if (Files.exists(path)) {
+        val policyFile = PolicyFile(file.toURL())
+        val collection = policyFile.getPermissions(CodeSource(null, emptyArray<Certificate>()))
+        perms += collection.elements().toList()
+    }
+    return sandbox(perms) { block() }
+}
+
+internal fun <T> sandbox(permission: List<Permission>, block: () -> T): T {
+    val perms = permission.fold(Permissions()) { acc, p -> acc.add(p); acc }
+    return sandbox(perms) { block() }
+}
+
+internal fun <T> sandbox(perms: PermissionCollection, block: () -> T): T {
+    val acc = AccessControlContext(arrayOf(ProtectionDomain(null, perms)))
+    return AccessController.doPrivileged(
+        PrivilegedAction {
+            block()
+        },
+        acc
+    )
+}
+
+/**
+ * This policy can add grant or denial rules for permissions.
+ *
+ * To add a grant permission use like this in any place:
+ *
+ * ```
+ * permissions {
+ *   + java.security.PropertyPolicy("user.home", "read,write")
+ * }
+ * ```
+ *
+ * After first call [SecurityManager] is set with this policy
+ *
+ * To deny a permission:
+ *
+ * ```
+ * permissions {
+ *   - java.security.PropertyPolicy("user.home", "read,write")
+ * }
+ * ```
+ *
+ * To delete all concrete permissions (if it was added before):
+ *
+ * ```
+ * permissions {
+ *   ! java.security.PropertyPolicy("user.home", "read,write")
+ * }
+ * ```
+ *
+ * The last permission has priority. Enable all property read for "user.*", but forbid to read only "user.home":
+ *
+ * ```
+ * permissions {
+ *   + java.security.PropertyPolicy("user.*", "read,write")
+ *   - java.security.PropertyPolicy("user.home", "read,write")
+ * }
+ * ```
+ */
+internal class SimplePolicy(init: SimplePolicy.() -> Unit = {}) : Policy() {
+    sealed class Access(val permission: Permission) {
+        class Allow(permission: Permission) : Access(permission)
+        class Deny(permission: Permission) : Access(permission)
+    }
+    private var permissions = mutableListOf<Access>()
+
+    init { apply(init) }
+
+    operator fun Permission.unaryPlus() = permissions.add(Access.Allow(this))
+
+    operator fun Permission.unaryMinus() = permissions.add(Access.Deny(this))
+
+    operator fun Permission.not() = permissions.removeAll { it.permission == this }
+
+    override fun getPermissions(codesource: CodeSource) = UNSUPPORTED_EMPTY_COLLECTION!!
+    override fun getPermissions(domain: ProtectionDomain) = UNSUPPORTED_EMPTY_COLLECTION!!
+    override fun implies(domain: ProtectionDomain, permission: Permission): Boolean {
+        // 0 means no info, < 0 is denied and > 0 is allowed
+        val result = permissions.lastOrNull { it.permission.implies(permission) }?.let {
+            when (it) {
+                is Access.Allow -> 1
+                is Access.Deny -> -1
+            }
+        } ?: 0
+        return result > 0
+    }
+}

utbot-summary/src/main/kotlin/org/utbot/summary/TagGenerator.kt

@@ -9,6 +9,7 @@ import org.utbot.framework.plugin.api.UtExplicitlyThrownException
 import org.utbot.framework.plugin.api.UtImplicitlyThrownException
 import org.utbot.framework.plugin.api.UtOverflowFailure
 import org.utbot.framework.plugin.api.UtMethodTestSet
+import org.utbot.framework.plugin.api.UtSandboxFailure
 import org.utbot.framework.plugin.api.UtTimeoutException
 import org.utbot.framework.plugin.api.util.isCheckedException
 import org.utbot.summary.UtSummarySettings.MIN_NUMBER_OF_EXECUTIONS_FOR_CLUSTERING
@@ -140,7 +141,8 @@ enum class ClusterKind {
     EXPLICITLY_THROWN_UNCHECKED_EXCEPTIONS,
     OVERFLOWS,
     TIMEOUTS,
-    CRASH_SUITE;
+    CRASH_SUITE,
+    SECURITY;
 
     val displayName: String get() = toString().replace('_', ' ')
 }
@@ -152,6 +154,7 @@ private fun UtExecutionResult.clusterKind() = when (this) {
     is UtOverflowFailure -> ClusterKind.OVERFLOWS
     is UtTimeoutException -> ClusterKind.TIMEOUTS
     is UtConcreteExecutionFailure -> ClusterKind.CRASH_SUITE
+    is UtSandboxFailure -> ClusterKind.SECURITY
 }
 
 /**