After finding 30 serious security issues in the Java security sandbox of the Google App Engine (GAE), Polish firm Security Explorations continued looking for more once Google allowed the company to resume testing.
Google re-enabled the company's GAE test account on the understanding that it would restrict its testing to the Java VM and would not try to break into the sandboxing layer. Google also indicated that it did not want details of the sandboxing layer or of its monitoring capabilities to become public knowledge.
The researchers went back in, and over a period of a few days they delivered 16 proof-of-concept (PoC) programs and information on 21 separate issues.
“Google has been able to reproduce the issues locally, but when tried in production some of them didn't seem to work (27 unexploitable issues with barely 7 candidates to work). The reason was that our custom local GAE environment didn't properly emulate the Google App Engine production environment (we did check the availability of selected classes, but in this particular class loader case, not all classpath JAR files were immediately available to user code in production GAE),” the company's Chief Executive, Adam Gowdiak, said in a blog post.
“Most of the vulnerabilities found are specific to the GAE environment,” the company said. “None of the implemented, complete Java security sandbox escapes affect Oracle Java software. We used only one unpublished, minor issue in Oracle Java code to implement a given instance of a JRE classes whitelisting escape.”
Some of the issues found allow a bypass of GAE security restrictions such as the whitelisting of JRE classes, or a complete escape from the Java VM security sandbox. According to the company, this could give attackers insight into the workings of the JRE sandbox and of Google's internal services and protocols, and could serve as a staging point for further attacks against the OS sandbox and the RPC services visible to the sandboxed Java environment.