US2015161381A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2015161381-A1 |
| Application number | US-201314098299-A |
| Country | US |
| Kind code | A1 |
| Filing date | Dec 5, 2013 |
| Priority date | Dec 5, 2013 |
| Publication date | Jun 11, 2015 |
| Grant date | — |
Abstract
By injecting bytecode into a predetermined method of a sandbox environment, an application that uses an exploit to attempt to escape from the sandbox environment may be detected without knowledge of the application or the exploit used to attempt to escape from the sandbox environment. Upon indicating that the application has escaped the sandbox, the application may be terminated or the escape may be reported, allowing further monitoring of the application.
Claims (preview)
We claim:

1. A machine-readable medium on which are stored instructions, comprising instructions that when executed by a programmable device, cause the programmable device to: instantiate a sandbox environment on the programmable device; and inject code into the sandbox environment, the code comprising instructions that when executed by the programmable device, instruments a method of the sandbox to cause the programmable device to detect an attempt to escape from the sandbox environment without depending on knowledge of an exploit used to attempt to escape the sandbox environment.
2. The machine-readable medium of claim 1, wherein the method is a method that provides a reference to a security manager object.
3. The machine-readable medium of claim 2, wherein the instructions that when executed instrument a method of the sandbox to cause the programmable device to detect an attempt to escape from the sandbox environment without depending on knowledge of the exploit used to attempt to escape the sandbox environment comprise instructions that when executed cause the method of the sandbox to: indicate an attempt to escape has occurred responsive to an invocation of the method returning a value indicating that no security manager object exists.
4. The machine-readable medium of claim 2, wherein the instructions that when executed instrument a method of the sandbox to cause the programmable device to detect an attempt to escape from the sandbox environment without depending on knowledge of the exploit used to attempt to escape the sandbox environment comprise instructions that when executed cause the method of the sandbox to: indicate an attempt to escape has occurred if an invocation of the method returns a value indicating that the security manager object has been disabled.
5. The machine-readable medium of claim 1, wherein the method is a method that executes a specified command in a separate process on the programmable device.
6. The machine-readable medium of claim 5, wherein the instructions that when executed instrument a method of the sandbox to cause the programmable device to detect an attempt to escape from the sandbox environment without depending on knowledge of the exploit used to attempt to escape the sandbox environment comprise instructions that when executed cause the method of the sandbox to: check a permission status of an application invoking the method; and indicate an attempt to escape responsive to the application having a predetermined set of permissions.
7. The machine-readable medium of claim 5, wherein the instructions that when executed instrument a method of the sandbox to cause the programmable device to detect an attempt to escape from the sandbox environment without depending on knowledge of the exploit used to attempt to escape the sandbox environment comprise instructions that when executed cause the method of the sandbox to: check a permission status of an application invoking the method; and indicate an attempt to escape responsive to the application having a predetermined permission.
8. The machine-readable medium of claim 1, wherein the instructions that when executed by the programmable device cause the programmable device to inject code into the sandbox environment comprise instructions that when executed cause the programmable device to inject code into the sandbox environment after the sandbox environment has started.
9. The machine-readable medium of claim 1, wherein the instructions further comprise instructions that when executed cause the programmable device to terminate an application attempting to escape the sandbox environment.
10. The machine-readable medium of claim 1, wherein the instructions further comprise instructions that when executed cause the programmable device to report an application attempting to escape the sandbox environment.
11. A method of detecting an attempt to escape from a bytecode-based sandbox environment of a programmable device, comprising: instantiating the sandbox environment in the programmable device; injecting bytecode into a predetermined method of the sandbox environment; executing the bytecode in the predetermined method upon invocation of the method by an application; and indicating an attempt to escape from the sandbox by the application without depending on knowledge of an exploit used by the application to attempt to escape from the sandbox.
12. The method of claim 11, wherein the predetermined method of the sandbox environment is a method that provides a reference to a security manager object.
13. The method of claim 12, wherein indicating an attempt to escape from the sandbox by the application comprises: indicating an attempt to escape from the sandbox responsive to the method indicating that no security manager object exists.
14. The method of claim 11, wherein the predetermined method of the sandbox environment is a method that allows the application to execute a command in a separate process on the programmable device.
15. The method of claim 14, wherein executing the bytecode in the predetermined method comprises: checking a permission status of the application; and wherein indicating an attempt to escape comprises: indicating an attempt to escape from the sandbox responsive to the application having a predetermined permission status.
16. A system for allowing applications to run in a sandbox environment, comprising: a programmable device; an operating system for the programmable device; a virtual machine environment, configured for execution under the operating system, that when executed by the programmable device creates a sandbox environment; detection logic to instrument a method of the sandbox environment to detect that an application executing in the sandbox environment has attempted to escape the sandbox environment, without depending on knowledge of an exploit used to attempt to escape the sandbox environment, wherein the virtual machine environment comprises: an agent class object; and a class loader method of the virtual machine environment, configured to load the agent class object upon initialization of the virtual machine environment, and wherein the agent class object is configured to inject the detection logic into a predetermined method of the sandbox environment.
17. The system of claim 16, wherein the detection logic comprises bytecode.
18. The system of claim 16, wherein the predetermined method is a method that provides a reference to a security manager object.
19. The system of claim 18, wherein the detection logic, when injected by the agent class object into the predetermined method of the sandbox environment, is configured to cause the predetermined method to indicate that an attempt to escape has occurred responsive to an invocation of the method returning a value that no security manager exists.
20. The system of claim 16, wherein the predetermined method is a method that when executed causes a command to execute on the programmable device as a separate process.
21. The system of claim 20, wherein the detection logic, when injected by the agent class object into the predetermined method of the sandbox environment, is configured to cause the predetermined method to: check a permission status of the application; and indicate an attempt to escape has occurred responsive to the application having a predetermined set of permissions.
22. The system
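As an added example that is not part of the patent, the two detection checks the claims describe (claims 2-4 and 5-7), written as Java hooks that a hypothetical agent's ClassFileTransformer would splice into the sandbox's security-manager accessor and its process-execution method after the VM has started; the agent, transformer and the `armed` flag are assumptions, and the code assumes a JDK release in which SecurityManager is still available (up to 23, with `-Djava.security.manager=allow`).

```java
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.AllPermission;

/** Hypothetical detection hooks; a hypothetical agent's ClassFileTransformer would
 *  splice calls to them into the sandbox's own methods after the VM has started. */
public final class EscapeDetector {

    /** Assumed to be set by the agent once the sandbox has installed its security manager. */
    public static volatile boolean armed;

    /** Runs after the method that returns the security manager reference (claims 2-4). */
    public static SecurityManager afterGetSecurityManager(SecurityManager returned) {
        // An armed sandbox must never hand out "no manager": that only happens
        // if something disabled it, whichever exploit did so.
        if (armed && returned == null) {
            report("security manager reference is null while sandbox is armed");
        }
        return returned;
    }

    /** Runs before the method that executes a command in a separate process (claims 5-7). */
    public static void beforeExec(String command) {
        // Sandboxed application code is never granted AllPermission in this model; if
        // the caller's access-control context now implies it, the application has broken out.
        boolean unrestricted = true;
        try {
            AccessController.checkPermission(new AllPermission());
        } catch (AccessControlException e) {
            unrestricted = false;   // the expected outcome inside an intact sandbox
        }
        if (unrestricted) {
            report("exec(\"" + command + "\") reached with AllPermission");
        }
    }

    /** Report the escape (claim 10) and abort the call; a deployment could instead
     *  terminate the application (claim 9). Throwing alone is not tamper-proof. */
    private static void report(String reason) {
        System.err.println("[sandbox-escape] " + reason);
        throw new SecurityException("sandbox escape detected: " + reason);
    }

    private EscapeDetector() {}
}
```

On JDK 24 and later the security manager is permanently disabled and `AccessController.checkPermission` always throws, so the second hook would never fire there.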
Classification (CPC titles):

- by executing in a restricted environment, e.g. sandbox or secure virtual machine
- Assessing vulnerabilities and evaluating computer system security
- by adding security routines or objects to programs