Researchers confirm multiple Google App Engine security sandbox bypasses

Polish firm Security Explorations, which announced last week that they found over 30 serious security issues in the Java security sandbox of the Google App Engine (GAE), has been permitted by Google to continue their investigation.

In order to allow them to do that, the Internet giant has reenabled the company’s GAE test account, with the understanding that they will restrict their testing to the Java VM and will not try to break into the sandboxing layer. Google also indicated that they would not like the details of the sandboxing layer or of its monitoring capabilities to become public knowledge.

The researchers went back in, and in the past few days, they have delivered to Google 16 POC codes and information regarding 21 separate issues. Initially, information about 35 separate issues has been provided by Security Explorations.

“Google has been able to reproduce the issues locally, but when tried in production some of them didn’t seem to work (27 unexploitable issues with barely 7 candidates to work). The reason was that our custom local GAE environment didn’t properly emulate Google App Engine production environment (we did check availability of selected classes, but in this particular class loader case, not all classpath JAR files were immediately available to user code in production GAE),” the company CEO Adam Gowdiak explained in an update.

“Most of the vulnerabilities found are specific to the GAE environment,” the company reported. “None of the implemented, complete Java security sandbox escapes affect Oracle Java software. We used only one unpublished, minor issue in Oracle Java code to implement a given instance of a JRE classes whitelisting escape.”

Some of the found issues allow for a bypass of GAE security restrictions such as the whitelisting of JRE classes and/or a complete escape of a Java VM security sandbox, possibly allowing attackers to gain insight into the workings of the JRE sandbox and Google internal services and protocols, as well as serving as a staging point for further attacks against the OS sandbox and RPC services visible to the sandboxed Java environment, they company noted.

Full results of the research will be published in due time, they promised.