Java ClassLoader: How to make it secure and stable
Hello to everybody,
Now, maybe this is a real beginner's question, but I have been searching the web and the forums up and down for the last three days and couldn't find any clue. Now I'm turning to the pros, hoping to get an answer. This is the request:
We're building a new application by using Java and the OpenJDK to create a JVM fitting our needs. In the end the application shall fulfil the following (mostly security-related) requirements:
- Classes/JARs developed by ourselves shall be checked for being signed with our signature. These are the basic classes for the application and are basically required for running it.
- These classes/JARs will/shall have the ability to run with the usual rights, i.e. reading/writing etc.
- The classes will not only be signed but additionally encrypted, and shall be decrypted for usage during runtime. Classes that fail to be decrypted will be assumed to be modified/corrupted and will not be loaded, or rather will block the further execution of the whole application.
- There will be an opportunity for third-party developers to add functionality to the application by linking into a plug-in system, but third-party classes don't need to be signed or encrypted. Therefore all functionality in such classes will run with (very) restricted rights.
The first idea to accomplish this was to just create a ClassLoader of our own, which could check for signature, encryption, origin etc. But if you think about it, you'll see very quickly that such a mechanism can easily be undermined: just create another custom ClassLoader and anyone could rebuild the application without the above-mentioned security levels. Plus: such a plain Java ClassLoader can very easily be reverse engineered, and its mechanism can be analyzed and modified.
The next idea was to try to find out where the primordial class loader is located in the original OpenJDK sources. There are in fact several sources offering something like "Java_java_lang_ClassLoader_00024NativeLibrary_load" (in \openjdk\jdk\src\share\native\java\lang\ClassLoader.c) or also "JVM_DefineClassWithSource" (in \openjdk\hotspot\src\share\vm\classfile\systemDictionary.cpp).
But: what must be modified to make sure that the above-described security rules will be working? How can one avoid that someone undermines the security of the application by just creating his own class loader and using that instead of ours? How can it be ensured that no one does reverse engineering on our class loader?
That's a lot of questions, but I do believe there IS a solution, even if I can't see it.
Any hint is highly appreciated.
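As an added example (not code from the original post), here is the "first idea" from the question in working form: a custom ClassLoader that opens the JAR with signature verification on, compares each class's signer against a pinned certificate, and defines unsigned or foreign-signed classes (the plug-ins) in a ProtectionDomain that grants no permissions. The JAR path, the `pinned.cer` file and the class name on the command line are assumptions.

```java
import java.io.*;
import java.nio.file.*;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Arrays;
import java.util.jar.*;

// Loads classes from a JAR opened with signature verification switched on.
// Entries signed by the pinned certificate get the default protection domain;
// anything else lands in a domain with an empty permission set (plug-in code).
// A tampered entry fails its digest check and is refused. File names are assumptions.
public final class VerifyingClassLoader extends ClassLoader {
    private final JarFile jar;
    private final Certificate pinned;          // our code-signing certificate
    private final ProtectionDomain restricted; // for unsigned / foreign-signed code
    public VerifyingClassLoader(Path jarPath, Certificate pinned) throws Exception {
        super(VerifyingClassLoader.class.getClassLoader());
        this.jar = new JarFile(jarPath.toFile(), true); // true = verify signatures
        this.pinned = pinned;
        Permissions none = new Permissions();          // grants nothing
        none.setReadOnly();
        CodeSource src = new CodeSource(jarPath.toUri().toURL(), (CodeSigner[]) null);
        this.restricted = new ProtectionDomain(src, none);
    }
    @Override
    protected Class<?> findClass(String name) throws ClassNotFoundException {
        JarEntry entry = jar.getJarEntry(name.replace('.', '/') + ".class");
        if (entry == null) throw new ClassNotFoundException(name);
        try (InputStream in = jar.getInputStream(entry)) {
            byte[] bytes = in.readAllBytes(); // digest is checked during the read
            // Signers are populated only after the entry has been read completely;
            // the leaf (signer) certificate is the first element of the cert path.
            CodeSigner[] signers = entry.getCodeSigners();
            boolean trusted = signers != null && Arrays.stream(signers)
                .anyMatch(s -> pinned.equals(s.getSignerCertPath().getCertificates().get(0)));
            // null = default domain for our own code, otherwise the restricted one
            return defineClass(name, bytes, 0, bytes.length, trusted ? null : restricted);
        } catch (IOException | SecurityException e) { // SecurityException: bad digest
            throw new ClassNotFoundException("rejected " + name, e);
        }
    }
    // Assumed usage: java VerifyingClassLoader app.jar pinned.cer com.example.Main
    public static void main(String[] args) throws Exception {
        Certificate cert;
        try (InputStream in = Files.newInputStream(Path.of(args[1]))) {
            cert = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        Class<?> c = new VerifyingClassLoader(Path.of(args[0]), cert).loadClass(args[2]);
        System.out.println(c.getName() + " -> " + c.getProtectionDomain().getCodeSource());
    }
}
```

The restricted domain is only enforced while a SecurityManager is installed, and JDK 17 deprecated the SecurityManager for removal (JEP 411), so the permission side of this design needs a different enforcement point on current JDKs.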