river-dev mailing list archives

From Peter Firmstone <j...@zeus.net.au>
Subject Re: Towards Internet Jini Services (dos attacks)
Date Thu, 30 Sep 2010 07:40:51 GMT
Yes, it certainly can.

Regards,

Peter.

Christopher Dolan wrote:
> private void readObject(ObjectInputStream in) {
>     new Runnable() {
>         public void run() {
>             while (true)
>                 new Thread(this).start();
>         }
>     }.run();
> }
>
> At 1MB of stack RAM per thread, this will thrash most machines in no
> time.  Can a SecurityManager block thread creation?
> Chris
>
> -----Original Message-----
> From: Peter Firmstone [mailto:jini@zeus.net.au] 
> Sent: Wednesday, September 29, 2010 3:58 PM
> To: river-dev@incubator.apache.org
> Subject: Re: Towards Internet Jini Services (dos attacks)
>
> Zoltan Juhasz wrote:
>> Sim,
>>
>> I think the important danger in Jini is the use of objects. In simple
>> messaging communication (especially if non-binary), you don't have to worry
>> about objects. In Jini, any method can take an object as a parameter that
>> results in serialisation and unmarshalling at the receiver end. When an
>> object has something nasty executing within the readObject() method,
>> it's too late to do anything.
>
> This was a big problem in the days of single core, not as bad now. 
> Perhaps we need a software watchdog?  Or an easy way to kill and 
> quarantine a misbehaving service?  Or an unmarshalling executor thread 
> pool, which passes the object after it has been deserialized.
>
>   
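
One way a SecurityManager can refuse thread creation while an object is being unmarshalled, shown as an added example that is not code from this thread or from Apache River. The names `UnmarshalGuard`, `guardedRead` and `Probe` are hypothetical, and the sketch assumes a JVM that still allows a SecurityManager to be installed (Java 17 or earlier, or Java 18 to 23 started with `-Djava.security.manager=allow`).

```java
import java.io.*;
import java.security.Permission;
// Hypothetical demo class; needs a JVM that still lets a SecurityManager be installed.
public class UnmarshalGuard extends SecurityManager {
    // TRUE only on a thread that is currently inside guardedRead().
    private static final ThreadLocal<Boolean> UNMARSHALLING = new ThreadLocal<>();
    private static boolean unmarshalling() { return Boolean.TRUE.equals(UNMARSHALLING.get()); }

    // Thread and ThreadGroup constructors reach this check via ThreadGroup.checkAccess().
    @Override public void checkAccess(ThreadGroup g) {
        if (unmarshalling()) throw new SecurityException("thread creation denied during unmarshalling");
    }

    // Demo policy: permit everything except removing this guard from inside readObject().
    @Override public void checkPermission(Permission p) {
        if (unmarshalling() && "setSecurityManager".equals(p.getName()))
            throw new SecurityException("guard cannot be replaced during unmarshalling");
    }

    // Deserialize with the guard armed for the calling thread only.
    static Object guardedRead(byte[] data) throws IOException, ClassNotFoundException {
        UNMARSHALLING.set(Boolean.TRUE);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        } finally {
            UNMARSHALLING.set(Boolean.FALSE);
        }
    }

    // Constructed stand-in for an untrusted class: its readObject() tries to start one thread.
    static class Probe implements Serializable {
        private static final long serialVersionUID = 1L;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            new Thread("probe").start();
        }
    }

    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(new Probe()); }
        System.setSecurityManager(new UnmarshalGuard());
        try {
            guardedRead(buf.toByteArray());
            System.out.println("thread creation was not blocked");
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }
        new Thread(() -> System.out.println("threads outside unmarshalling still start")).start();
    }
}
```

The guard covers only the thread that calls `guardedRead`, so it fits the dedicated unmarshalling thread pool suggested in the quoted message. It does nothing against a `readObject()` that spins the CPU or allocates memory without creating threads.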

