river-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Peter Firmstone <j...@zeus.net.au>
Subject Re: JDK 7 Enhancements just bit me again
Date Thu, 02 May 2013 13:35:27 GMT
On 2/05/2013 9:32 PM, Michal Kleczek wrote:
>> An attacker can use a serialization attack, without requiring jini, 
>> to create a ClassLoader and start downloading classes out of band.
> Given you never execute untrusted code: how?

I'm glad you asked me this question, because I just stumbled over a 
partial solution:


Ironically I went looking for an example on the web for you, but this 
article instead, completely unexpected, this article is very good 
because it describes the issues with serialization well.  The article 
was only written in January this year.

Just possibly we could restrict the classes that MarshaledInputStream 
can instantiate to only those required to perform proxy verification.

Could we limit both the bytes read from the stream and the classes 
(required for connection and proxy trust) deserialized from the stream 
until proxy verification has been performed?

The challenge is, how can we do this and retain backward compatibility 
in marshalled object streams?

If there's an answer to those questions, it's the security grail for 
Jini the Sun team was looking for.



View raw message