river-dev mailing list archives

From Peter Firmstone <j...@zeus.net.au>
Subject Re: Learnings from a RevokeableDynamicPolicy & A Future Roadmap
Date Wed, 11 Aug 2010 23:07:26 GMT
Don't worry, it's not based on Threads now, that model never did sit 
well, it's now based on AccessControlContext caching. New context, must 
be checked.

Patricia Shanahan wrote:
> Peter Firmstone wrote:
> ...
>> The assumption I've made is, it will be very difficult for an 
>> attacker to predict when a thread will access a method on the 
>> delegate, then later, be called by that very same thread, so his 
>> class can call the delegate unchecked.  Any thoughts on this?  Am I 
>> overlooking something?
> ...
>
> To win the overall game, a security system needs to block every single 
> attempt at breaking the rules.
>
> An attacker only needs to have some chance of single try success and a 
> way of causing repeated attempts until one succeeds. Assuming 
> independence, an attacker with a probability p of single try success 
> gets a probability t of at least one success in log(1-t)/log(1-p) tries.
>
> For example, it takes less than 700,000 attempts to get a 50% chance 
> of at least one attempt succeeding, given a one in a million chance 
> for a single attempt.
>
> If you can enforce upper bounds on both the number of attempts and the 
> probability of each attempt succeeding it may be possible to show that 
> the overall probability of successful attack is low enough to ignore.
>
> Patricia
>
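
Added example, not part of either message: the formula quoted above and the closing point about bounding both the number of attempts and the per-attempt probability, worked through in Python. The function names and the sample bounds are assumptions chosen for illustration; independence of attempts is assumed, as in the message.

```python
import math


def _check_probability(x: float, name: str) -> None:
    if not 0.0 < x < 1.0:
        raise ValueError(f"{name} must be strictly between 0 and 1")


def attempts_for_success(p: float, t: float) -> int:
    """Smallest whole number of independent tries that gives at least
    probability t of one or more successes: ceil(log(1-t) / log(1-p))."""
    _check_probability(p, "p")
    _check_probability(t, "t")
    # log1p(-x) equals log(1 - x) but stays accurate for tiny x, where
    # 1 - x rounds to exactly 1.0 and log(1 - x) would become 0.
    return math.ceil(math.log1p(-t) / math.log1p(-p))


def overall_success(p: float, n: int) -> float:
    """Probability of at least one success in n tries: 1 - (1 - p)**n."""
    _check_probability(p, "p")
    if n < 0:
        raise ValueError("n must be non-negative")
    return -math.expm1(n * math.log1p(-p))


def attempt_budget(p_max: float, risk: float) -> int:
    """Largest number of attempts that keeps the overall success
    probability at or below `risk`, given the per-attempt bound p_max."""
    _check_probability(p_max, "p_max")
    _check_probability(risk, "risk")
    return math.floor(math.log1p(-risk) / math.log1p(-p_max))


if __name__ == "__main__":
    # The one-in-a-million example from the message.
    print(attempts_for_success(1e-6, 0.5))
    # Constructed bounds: per-attempt chance <= 1e-6, tolerated risk 1e-3.
    budget = attempt_budget(1e-6, 1e-3)
    print(budget, overall_success(1e-6, budget))
```

The budget is only meaningful if the system actually enforces it, for example by counting attempts and refusing further ones once the limit is reached.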

