Return-Path: X-Original-To: apmail-river-dev-archive@www.apache.org Delivered-To: apmail-river-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 78AA57DD8 for ; Sun, 25 Dec 2011 07:12:38 +0000 (UTC) Received: (qmail 45231 invoked by uid 500); 25 Dec 2011 07:12:38 -0000 Delivered-To: apmail-river-dev-archive@river.apache.org Received: (qmail 45114 invoked by uid 500); 25 Dec 2011 07:12:37 -0000 Mailing-List: contact dev-help@river.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@river.apache.org Delivered-To: mailing list dev@river.apache.org Received: (qmail 45099 invoked by uid 99); 25 Dec 2011 07:12:36 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 25 Dec 2011 07:12:36 +0000 X-ASF-Spam-Status: No, hits=-0.0 required=5.0 tests=SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (nike.apache.org: domain of SRS0=BejG9C=7F=wonderly.org=gregg@yourhostingaccount.com designates 65.254.253.121 as permitted sender) Received: from [65.254.253.121] (HELO mailout15.yourhostingaccount.com) (65.254.253.121) by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 25 Dec 2011 07:12:27 +0000 Received: from mailscan21.yourhostingaccount.com ([10.1.15.21] helo=mailscan21.yourhostingaccount.com) by mailout15.yourhostingaccount.com with esmtp (Exim) id 1ReiFa-0002Yb-PP for dev@river.apache.org; Sun, 25 Dec 2011 02:12:06 -0500 Received: from impout02.yourhostingaccount.com ([10.1.55.2] helo=impout02.yourhostingaccount.com) by mailscan21.yourhostingaccount.com with esmtp (Exim) id 1ReiFa-0002Mi-K0; Sun, 25 Dec 2011 02:12:06 -0500 Received: from authsmtp06.yourhostingaccount.com ([10.1.18.6]) by impout02.yourhostingaccount.com with NO UCE id DKC51i00207rVmq0000000; Sun, 25 Dec 2011 02:12:05 -0500 X-EN-OrigOutIP: 10.1.18.6 X-EN-IMPSID: DKC51i00207rVmq0000000 Received: from ip98-178-191-230.tu.ok.cox.net ([98.178.191.230] helo=[192.168.1.107]) by authsmtp06.yourhostingaccount.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim) id 1ReiFa-0001MJ-8r; Sun, 25 Dec 2011 02:12:06 -0500 Message-ID: <4EF6CCE7.7040903@wonderly.org> Date: Sun, 25 Dec 2011 01:12:39 -0600 From: Gregg Wonderly User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:8.0) Gecko/20111105 Thunderbird/8.0 MIME-Version: 1.0 To: dev@river.apache.org CC: Dan Creswell Subject: Re: Implications for Security Checks - SocketPermission, URL and DNS lookups References: <4EE2D1C9.1050402@zeus.net.au> <4EE71322.20408@zeus.net.au> <4EE75EE6.4040509@wonderly.org> <4EE7A712.2090407@zeus.net.au> <1323942138.7030.5.camel@Nokia-N900-51-1> <4EF3E22E.6090900@zeus.net.au> <4EF466E0.6000901@zeus.net.au> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-EN-UserInfo: 5bac21c6012e8295aaee92c67842fba3:d1e94006e19829b2b3cf849ab9ff0f3c X-EN-AuthUser: greggwon Sender: Gregg Wonderly X-EN-OrigIP: 98.178.191.230 X-EN-OrigHost: ip98-178-191-230.tu.ok.cox.net X-Virus-Checked: Checked by ClamAV on apache.org On 12/24/2011 2:14 AM, Dan Creswell wrote: > So... > > On 23 December 2011 11:32, Peter Firmstone wrote: > One question I've asked myself when creating my own policy implementation > was CodeSource.implies(CodeSource cs), the implementation seemed like a bad > idea, it uses DNS, an attacker could use DNS cache poisoning to gain > elevated permission using an untrusted CodeSource URL, simply because the > policy thinks the CodeSource is implied. I changed PolicyFile to > specifically not use CodeSource.implies(). In reality a signer Certificate > is required to identify the CodeSource with any level of trust. > > Well, I think a more general point here would be that JDK's default > set of behaviours are designed to "protect" against DNS based attacks > (i.e. a successful lookup result is cached forever and so changes > can't leak in). This is bogus, because if the first lookup is > compromised you're dead and buried. I think it's fundamental to understand that a lot of the DNS caching behavior was born in the Applet world. When Java first hit the scenes, we had the problem that people could demonstrate that they could "know" the address of the socket on the remote end, and thus could use that (this was before NAT was in use, or at least wide spread), and poison the DNS so that subsequent lookups returned addresses on the local network, instead of the correct address of the original server. That's one path of exploitation, but as Dan says, there are others in the Jini world where the first lookup, being poisoned, can cause exploitative code to be downloaded. I think that it's vital to understand, that whether you cache the first, second or fifth lookup, each situation presents a different set of challenges in providing security. Ultimately, Jini needs, in my opinion, to focus authentication above the network layer, and use signed jars, encrypted paths, and cert based auth, so that the network path, can not be a part of the exploitation, and instead, each end of a "communication", is responsible for trusting the other, through negotiations carried through the network, instead of using information about the network to guarantee trust. Gregg Wonderly