The term “cloud computing” is generally used to describe a computing model which enables on-demand access to a shared pool of computing resources, such as computer servers, software applications, and services, and which allows for provisioning of applications and resources with minimal management effort or service provider interaction. Examples of such environments include Oracle Cloud, which generally provides a comprehensive set of cloud services that enables software developers to build and deploy applications that can be accessed via the cloud.
However, security issues can arise when a cloud environment includes support for third-party development frameworks, such as Spring, Hibernate, or Wicket, which perform custom classloading. Although functionalities such as Java security manager can enforce permissions granted to classes, including allowing specific classes running within a runtime to permit or not permit certain runtime operations, a third-party framework may allow a user to define an application class with a protection domain that includes all available permissions, or that performs injections into private fields using reflections, which in turn requires the system to grant, e.g., Reflect or Runtime permissions. A malicious user could potentially leverage these granted permissions to gain unauthorized access to environment APIs. A standard Java security manager is unable to defend against such attacks.
Although functionality such as API whitelisting can be useful in addressing various circumstances, it may not fully address those situations in which the cloud environment is managed by one party, while the application being deployed to it is untrusted, particularly when the application is dynamically created. These are some examples of the types of environment in which embodiments of the invention can be used.