Secure Plugin Deployment

It is absolutely vital that only known plugin modules from trusted vendors be installed on the Delphix Masking Engine. A bad plugin may include algorithms that malfunction, for example by failing to mask data or by entering a loop that consumes CPU or memory resources. This can lead to job failure, an unresponsive engine UI, or, in the case of algorithms, sensitive data that is not properly masked. Plugin execution is sandboxed using the Java Security Manager to guard against malfunctioning code. However, JVM security has historically proven susceptible to allowing untrusted modules to run, with the danger of malicious code gaining enhanced or full access to the system running the JVM.

With these considerations in mind, this section describes steps the Delphix Masking Engine administrator can take to ensure that only trusted plugins are executed.

Using Roles to Restrict Plugin Installation

This section describes how to define roles and assign roles to Delphix Masking Engine users. The new profile privilege Plugins controls which users are able to install new plugins onto the engine. It is advised that only users who need the ability to install plugin modules onto the engine be granted roles that include this privilege.

Verifying the SHA256 Hash of Installed Plugins

When the Masking Web API Client plugin endpoint is used to GET the details of a plugin, the field originalFileChecksum contains the SHA256 hash of the installed plugin file. This may be compared to a vendor-supplied list of known plugin hashes to verify that a plugin installed on the Delphix Masking Engine has not been tampered with.

For example:

    {
      "pluginId": 9,
      "pluginName": "demoPlugin",
      "originalFileName": "demoProject.jar",
      "originalFileChecksum": "65053d20874ec7929d219b24bdf98ac5b6f7b06ac6bab59712cf78971be135c9",
      "installDate": "2020-06-24T18:19:42.534+0000",
      "installUser": 5,
      "builtIn": false,
      "pluginVersion": "1.0.0",
      "pluginObjects": [
        {
          "objectIdentifier": "demoPlugin:Clobber",
          "objectName": "demoPlugin:Clobber",
          "objectType": "ALGORITHM"
        },
        {
          "objectIdentifier": "demoPlugin:SampleAlgorithm",
          "objectName": "demoPlugin:SampleAlgorithm",
          "objectType": "ALGORITHM"
        }
      ]
    }

Most UNIX-like operating systems provide a way to compute the same hash of a file on the command line.

Apple OSX Example:

    $ shasum -a 256 demoProject.jar
    65053d20874ec7929d219b24bdf98ac5b6f7b06ac6bab59712cf78971be135c9  demoProject.jar

Ubuntu Linux Example:

    $ sha256sum demoProject.jar
    65053d20874ec7929d219b24bdf98ac5b6f7b06ac6bab59712cf78971be135c9  demoProject.jar

At the time this document was written, there are no known means that would allow an attacker to produce a plugin module with different content but the same SHA256 hash value as a particular file.
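The check described above, carried through in code as an added example (this is not Delphix code and not part of the original page): it takes a plugin record of the shape returned by the plugin GET endpoint, looks up the file name in a vendor-supplied hash list, and compares the engine's originalFileChecksum against it. The vendor list format (a mapping from original file name to hex digest) is an assumption made here, and the sample record embedded below is constructed from the values on this page. A second helper recomputes the hash of a local copy of the jar, which is what the shasum and sha256sum commands above do.

```python
"""Verify an installed plugin's recorded SHA256 against a vendor hash list.

Added example, not Delphix code. It assumes a plugin record with the fields
shown on this page (originalFileName, originalFileChecksum) and a constructed
vendor list format mapping file name to hex digest.
"""
import hashlib
import hmac
import json
import re

# A SHA256 hex digest is exactly 64 hexadecimal characters.
HEX_SHA256 = re.compile(r"^[0-9a-fA-F]{64}$")

# Constructed sample: the plugin record from this page, as returned by the
# plugin GET endpoint (only the fields this check needs are included).
PLUGIN_RECORD_JSON = """{
  "pluginId": 9,
  "pluginName": "demoPlugin",
  "originalFileName": "demoProject.jar",
  "originalFileChecksum": "65053d20874ec7929d219b24bdf98ac5b6f7b06ac6bab59712cf78971be135c9",
  "pluginVersion": "1.0.0",
  "builtIn": false
}"""

# Constructed vendor-supplied list: original file name -> expected SHA256.
DEMO_JAR_SHA256 = "65053d20874ec7929d219b24bdf98ac5b6f7b06ac6bab59712cf78971be135c9"
VENDOR_HASHES = {"demoProject.jar": DEMO_JAR_SHA256}


def sha256_bytes(data):
    """SHA256 hex digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size=1 << 16):
    """SHA256 hex digest of a file, hashed in chunks so large jars need not be
    read into memory at once. Matches what sha256sum / shasum -a 256 print."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def normalize_digest(value):
    """Lowercase a hex digest; return None if it is not a well-formed SHA256."""
    if not isinstance(value, str) or not HEX_SHA256.match(value):
        return None
    return value.lower()


def verify_plugin_record(record_json, vendor_hashes):
    """Compare the engine's originalFileChecksum with the vendor's hash.

    Returns (ok, reason). A missing or malformed digest, and a file name that
    is absent from the vendor list, both fail closed rather than being skipped.
    """
    record = json.loads(record_json)
    name = record.get("originalFileName")
    recorded = normalize_digest(record.get("originalFileChecksum"))
    expected = normalize_digest(vendor_hashes.get(name))
    if recorded is None:
        return False, f"plugin {record.get('pluginId')}: missing or malformed originalFileChecksum"
    if expected is None:
        return False, f"{name}: no vendor hash on record, treat as untrusted"
    # Constant-time comparison; both values are lowercase hex of equal length.
    if not hmac.compare_digest(recorded, expected):
        return False, f"{name}: engine checksum {recorded} does not match vendor hash {expected}"
    return True, f"{name}: engine checksum matches vendor hash"


def verify_local_copy(path, record_json):
    """Cross-check a local copy of the jar against the checksum the engine reports."""
    record = json.loads(record_json)
    recorded = normalize_digest(record.get("originalFileChecksum"))
    if recorded is None:
        return False
    return hmac.compare_digest(sha256_file(path), recorded)


if __name__ == "__main__":
    ok, reason = verify_plugin_record(PLUGIN_RECORD_JSON, VENDOR_HASHES)
    print("PASS" if ok else "FAIL", reason)
    # Simulate a record whose checksum differs from the vendor's by one hex digit.
    tampered = PLUGIN_RECORD_JSON.replace(DEMO_JAR_SHA256, DEMO_JAR_SHA256[:-1] + "0")
    print(verify_plugin_record(tampered, VENDOR_HASHES))
```

Two design points worth noting: the digest is validated as 64 hex characters and lowercased before comparison, so a vendor list written in upper-case hex still matches while a truncated or empty field is rejected rather than silently compared; and a file name that the vendor list does not cover is reported as a failure, since an unknown plugin is exactly the case the section warns about.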