river-dev mailing list archives

From Patricia Shanahan <p...@acm.org>
Subject Re: Learnings from a RevokeableDynamicPolicy & A Future Roadmap
Date Wed, 11 Aug 2010 16:45:15 GMT
Peter Firmstone wrote:
> The assumption I've made is, it will be very difficult for an attacker 
> to predict when a thread will access a method on the delegate, then 
> later, be called by that very same thread, so his class can call the 
> delegate unchecked.  Any thoughts on this?  Am I overlooking something?

To win the overall game, a security system needs to block every single 
attempt at breaking the rules.

An attacker only needs to have some chance of single-try success and a way 
of causing repeated attempts until one succeeds. Assuming independence, 
an attacker with a probability p of single-try success gets a 
probability t of at least one success in log(1-t)/log(1-p) tries.

For example, it takes less than 700,000 attempts to get a 50% chance of 
at least one attempt succeeding, given a one in a million chance for a 
single attempt.

If you can enforce upper bounds on both the number of attempts and the 
probability of each attempt succeeding it may be possible to show that 
the overall probability of successful attack is low enough to ignore.
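
The arithmetic in this message, as an added Python example that is not part of the original post: it evaluates log(1-t)/log(1-p) in a numerically stable way and also solves the inverse problem from the last paragraph, the per-attempt probability that must be enforced for a given cap on attempts. It assumes independent attempts, as the message does; the function names are hypothetical.

```python
import math


def _check_probability(x, name):
    # The formulas divide by log(1-p) and take log(1-t), so 0 and 1 are excluded.
    if not 0.0 < x < 1.0:
        raise ValueError(f"{name} must be strictly between 0 and 1")


def tries_for_target(p, t):
    """Smallest whole number of independent tries that gives probability at
    least t of one success: ceil(log(1-t) / log(1-p))."""
    _check_probability(p, "p")
    _check_probability(t, "t")
    # log1p(-x) computes log(1-x) without losing precision when x is tiny.
    return math.ceil(math.log1p(-t) / math.log1p(-p))


def overall_success(p, n):
    """Probability of at least one success in n independent tries: 1-(1-p)^n."""
    _check_probability(p, "p")
    if n < 0:
        raise ValueError("n must not be negative")
    # -expm1(y) computes 1 - exp(y) accurately when the result is near zero.
    return -math.expm1(n * math.log1p(-p))


def max_single_try_probability(n, t):
    """Largest per-try probability that keeps the overall probability of a
    successful attack at or below t when attempts are capped at n."""
    _check_probability(t, "t")
    if n < 1:
        raise ValueError("n must be at least 1")
    return -math.expm1(math.log1p(-t) / n)


if __name__ == "__main__":
    # Constructed inputs: the one-in-a-million case from the message, then a
    # cap of 1000 attempts with a target overall probability of one in a million.
    n = tries_for_target(1e-6, 0.5)
    print("tries for a 50% chance at p = 1e-6:", n)
    print("overall probability after that many tries:", overall_success(1e-6, n))
    print("per-try bound for 1000 attempts, t = 1e-6:",
          max_single_try_probability(1000, 1e-6))
```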

