avalon-dev mailing list archives

From Berin Loritsch <blorit...@apache.org>
Subject Re: [VOTE] ComponentValidator
Date Tue, 04 Dec 2001 13:53:20 GMT
Berin Loritsch wrote:

> Peter Donald wrote:
> 
>> On Tue, 4 Dec 2001 08:37, Berin Loritsch wrote:
>>
>>> The ComponentValidator code has been fixed yet again.  Its real home
>>> belongs in Framework, and I propose to move it to Framework in the
>>> following package:
>>>
>>> org.apache.avalon.framework.component.ComponentValidator
>>>
>>> This tool is used to verify the contracts of a Component's life
>>> cycle.  It is invaluable for development.  Do not vote in the negative
>>> if you just want to be a PITA, or if you will not use it.  Vote in the
>>> negative if there is some stronger architectural or design issue at
>>> stake.
>>>
>>
>> -1
>> It encourages bad practices - as exhibited by your dangerous fantasy 
>> that this will somehow make the application more secure.


I want you to understand exactly the type of attack that this Component
protects against with minimal overhead:

public class BadComponent implements Composable
{
    // Manager under the bad component's control; how it is built is not part of this example.
    private ComponentManager m_evilComponentManager;

    public void compose( ComponentManager m ) throws ComponentException
    {
        VulnerableComponent component =
            (VulnerableComponent) m.lookup( VulnerableComponent.ROLE );

        // Call the peer's compose() a second time, handing it a different manager.
        if ( component instanceof Composable )
        {
            Composable composable = (Composable) component;
            composable.compose( m_evilComponentManager );
        }
    }
}


As you can see, a vulnerable component will not make any rudimentary checks
to see if it has already been Composed, or if it has been hijacked during
initialization.  Therefore, it will allow this:

public class VulnerableComponent implements Composable
{
    private ComponentManager m_manager;
    private CriticalComponent m_criticalComponent;
    public void compose( ComponentManager m ) throws ComponentException
    {
        m_manager = m;  // no check that compose() has already run
        m_criticalComponent = (CriticalComponent) m_manager.lookup( CriticalComponent.ROLE );
    }
}

Thus overwriting the reference to the critical component.  All future uses of that
component will be sent to BadComponent's m_evilComponentManager.  For components that
look up what they need as they use it, it has the same effect.

Validating lifecycle is absolutely critical in an environment where Components are
pluggable and dynamically loaded.  Should it replace other basic tenets of security
like never loading a Component you don't know?  Never.  However, such an approach
*minimizes* the number of things a malicious Component can do if it somehow gets
itself loaded in the environment.  It is very much analogous to UNIX file permissions
in that they are not in and of themselves security; however, they help to minimize
damage once security is breached.
-- 

"They that give up essential liberty to obtain a little temporary safety
  deserve neither liberty nor safety."
                 - Benjamin Franklin
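The defensive side of the exchange above, as an added example that is not part of the original post or of the Avalon project: a Composable that tracks its own lifecycle stage and refuses a second compose() call, so a peer cannot swap in a different ComponentManager after the container has composed it. The Component, Composable, ComponentManager and ComponentException types below are minimal stand-ins modelled on the Avalon Framework interfaces and defined inline so the file compiles without the framework jar; GuardedComponent, MapComponentManager, CriticalComponent.name() and the role strings are hypothetical names chosen for this example.

```java
import java.util.HashMap;
import java.util.Map;

// Minimal stand-ins for the Avalon Framework component interfaces (not the real ones).
interface Component {}

interface ComponentManager {
    Component lookup(String role) throws ComponentException;
}

interface Composable extends Component {
    void compose(ComponentManager manager) throws ComponentException;
}

class ComponentException extends Exception {
    ComponentException(String msg) { super(msg); }
}

// Stand-in for the "critical" component the post refers to.
interface CriticalComponent extends Component {
    String ROLE = CriticalComponent.class.getName();
    String name();
}

// Simple in-memory manager (constructed for this example): role name -> instance.
class MapComponentManager implements ComponentManager {
    private final Map<String, Component> components = new HashMap<>();

    MapComponentManager put(String role, Component c) {
        components.put(role, c);
        return this;
    }

    public Component lookup(String role) throws ComponentException {
        Component c = components.get(role);
        if (c == null) throw new ComponentException("no component for role " + role);
        return c;
    }
}

// Hardened counterpart of the post's VulnerableComponent: compose() runs exactly once.
class GuardedComponent implements Composable {
    private ComponentManager manager;
    private CriticalComponent critical;
    private boolean composed = false;

    public synchronized void compose(ComponentManager m) throws ComponentException {
        if (composed) {
            // Lifecycle contract: only the container composes, and only once.
            throw new IllegalStateException(
                "compose() called twice; refusing to replace the ComponentManager");
        }
        manager = m;
        critical = (CriticalComponent) manager.lookup(CriticalComponent.ROLE);
        composed = true;
    }

    String criticalName() {
        if (!composed) throw new IllegalStateException("used before compose()");
        return critical.name();
    }
}

public class LifecycleGuardDemo {
    public static void main(String[] args) throws Exception {
        CriticalComponent real = () -> "real-critical";
        CriticalComponent substitute = () -> "substitute-critical";

        ComponentManager containerManager =
            new MapComponentManager().put(CriticalComponent.ROLE, real);
        ComponentManager otherManager =
            new MapComponentManager().put(CriticalComponent.ROLE, substitute);

        GuardedComponent guarded = new GuardedComponent();
        guarded.compose(containerManager);   // legitimate, container-driven composition

        // The second compose() that the post's BadComponent issues is rejected here.
        try {
            guarded.compose(otherManager);
            System.out.println("second compose accepted: " + guarded.criticalName());
        } catch (IllegalStateException e) {
            System.out.println("second compose rejected: " + e.getMessage());
        }
        System.out.println("critical component still resolves to: " + guarded.criticalName());
    }
}
```

Save as LifecycleGuardDemo.java and run with `javac LifecycleGuardDemo.java && java LifecycleGuardDemo`. The guard is a per-component state flag rather than a separate validator, which is the cheapest form of the lifecycle check the post argues for; a container-side validator can enforce the same ordering for every component without each author remembering to add the flag.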


--
To unsubscribe, e-mail:   <mailto:avalon-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:avalon-dev-help@jakarta.apache.org>

