river-dev mailing list archives

From Michal Kleczek <michal.klec...@xpro.biz>
Subject Re: Towards Internet Jini Services (trust)
Date Tue, 12 Oct 2010 12:57:40 GMT
On Tuesday 12 of October 2010 14:23:44 Sim IJskes - QCG wrote:
> On 10/12/2010 02:12 PM, Michal Kleczek wrote:
> > On Tuesday 12 of October 2010 14:00:14 Sim IJskes - QCG wrote:
> >> It doesn't happen with readUTF(). The first bytes read are the stream
> >> header, (0xac, 0xed, 0, 5), and then the length, then the bytes
> >> composing the string. No parsing of TC constants, and no optional code
> >> paths that can lead to out-of-anything dos attacks. Send it with
> >> writeUTF, read it with a custom function limiting the length of the
> >> string and voila we have at least made it 1 step more difficult to dos.
> > 
> > I understand your arguments but I am still not convinced - you somehow
> > have to send a ProxyTrust instance (or any remote object reference) so
> > that you can verify codebase using it.
> 
> No you don't. You can delegate it to the IntegrityVerifier. This is the
> place where you should check the integrity. You will have enough
> information there (coded in the codebase parameter), to load the code,
> check endpoints (dns name, ip address, TLS) if wanted, check signatures,
> certificates, checksums.

Right - but it looks to me we're turning circles right now. Maybe I just don't 
understand what you're saying so let me describe a scenario that I would like 
to support:
1. Prerequisite - you and I are logged in to the same Kerberos realm and I know your Kerberos principal
2. I got a piece of data - a marshalled object
3. Before I deserialize an object I want to make sure the codebase of the object I got is the one you wanted it to be (regardless of the contents of the jar file I will download later - I'm going to check its integrity later on)

Are we talking about the same thing?
Michal
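The length-limited string reader that Sim describes in the quoted text above, written out as an added example; this is not code from the thread or from the River/Jini code base. It assumes the sender wrote the string with DataOutputStream.writeUTF (a 2-byte big-endian length followed by that many bytes of modified UTF-8), so there is no serialization stream header to skip, and it checks the declared length against the caller's limit before allocating any buffer. The class name, the limit and the sample inputs are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.InputStream;

/**
 * Added example (not River/Jini code): bounded reader for strings produced by
 * DataOutputStream.writeUTF. The only state read before the size check is the
 * 2-byte length field, so a hostile length can never turn into a large
 * allocation or a long blocking read. Assumption: no serialization stream
 * header precedes the string.
 */
public final class BoundedUtfReader {

    private BoundedUtfReader() {}

    /** Reads one writeUTF-encoded string, refusing declared lengths above maxBytes. */
    public static String readBoundedUTF(InputStream in, int maxBytes) throws IOException {
        DataInputStream din = new DataInputStream(in);
        int declared = din.readUnsignedShort();   // at most 65535 by construction
        if (declared > maxBytes) {
            throw new IOException("declared string length " + declared
                    + " exceeds limit " + maxBytes);
        }
        byte[] buf = new byte[declared];
        din.readFully(buf);                        // EOFException if the payload is short
        // Decode with the exact modified-UTF-8 semantics of writeUTF by handing
        // the (now bounded) bytes back to readUTF with their length prefix.
        ByteArrayOutputStream tmp = new ByteArrayOutputStream(declared + 2);
        DataOutputStream tout = new DataOutputStream(tmp);
        tout.writeShort(declared);
        tout.write(buf);
        return new DataInputStream(new ByteArrayInputStream(tmp.toByteArray())).readUTF();
    }

    /** Encodes a string exactly as the sender side would with writeUTF. */
    public static byte[] encode(String s) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        new DataOutputStream(bos).writeUTF(s);
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a codebase string of realistic size is accepted.
        byte[] good = encode("http://codebase.example/service-dl.jar");
        System.out.println("accepted: " + readBoundedUTF(new ByteArrayInputStream(good), 256));

        // Constructed sample: a maximal length field with no payload is rejected
        // after reading only two bytes, before any buffer is allocated.
        byte[] oversized = {(byte) 0xFF, (byte) 0xFF};
        try {
            readBoundedUTF(new ByteArrayInputStream(oversized), 256);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The limit is applied to the encoded byte count, which is what the length field carries; a separate check on the decoded character count is not needed for bounding memory. Anything beyond this string (a remote object reference, a ProxyTrust instance) is deliberately not touched here, which is the point Sim makes about keeping the pre-verification parse free of optional code paths.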
