There are holes in the Google App Engine for Java, including ones that could complete a sandbox escape.
The Google App Engine, which is part of the Google Cloud Platform, is a platform-as-a-service (PaaS) offering that allows developers to host, manage and run their applications on Google’s scalable infrastructure, said researchers at Security Explorations.
Companies such as Rovio, Best Buy and Feedly use the platform. In the case of App Engine for Java, Google said Java Web applications execute using a Java 7 Virtual Machine (JVM) in the sandboxed environment.
Security Explorations researchers said there could be more than 30 vulnerabilities. Researchers said they bypassed Google App Engine whitelisting of Java Runtime Environment (JRE) classes and achieved a complete JVM security sandbox escape.
Adam Gowdiak, chief executive at Security Explorations, said in a posting they developed 17 proof-of-concept exploits for full sandbox bypass by taking advantage of 22 holes in the technology.
Gowdiak said they also issued a arbitrary library and system calls. Researchers gained access to files comprising the JRE sandbox, including the libjavaruntime.so binary, and they extracted pieces of information from Java classes and binary files.
Gowdiak would like to continue his research, but “unfortunately, we cannot complete our work due to the suspension of the ‘test’ GAE account that took place,” he said in the posting.
“Without any doubt this is an opsec failure on our end (this week we did poke a little bit more aggressively around the underlying OS sandbox/issued various system calls in order to learn more about the nature of the error code 202, the sandbox itself, etc.).
“Taking into account an educational nature of the security issues found in GAE Java security sandbox and what seems to be an appreciation Google has for arbitrary security research / all sorts of sandbox escapes , we hope the company makes it possible for us to complete our work and re-enables our GAE account, so that we could in particular:
• Verify the remaining potential vulnerabilities spotted
• Verify some attack ideas
• Prepare short report containing the description of the issues found (the results of the evaluation) and deliver it to Google (in a form similar to SE-2013-01 project report)
• Share the results of our research with the security community”