river-dev mailing list archives

From Peter Firmstone <j...@zeus.net.au>
Subject A public bootstrap proxy interface and an Entry
Date Wed, 11 Feb 2015 11:57:36 GMT
Our present security model relies on the safety of the Java sandbox, but 
we know that model is flawed.

If DownloadPermission is not granted, we cannot look up a service that 
uses a smart proxy and ask it for the bootstrap proxy.  We could, 
however, look up a bootstrap proxy, authenticate it, grant it 
DownloadPermission and ask it for the smart proxy.

Would someone like to propose an interface for a bootstrap proxy and an 
Entry that allows the bootstrap proxy to list the service interfaces 
that its smart proxy provides, in order to perform lookup?

It appears that fixing ObjectInputStream and Serializable security 
issues was much easier than expected, provided we're prepared to 
implement atomic invariant validation and give up some functionality:

   1. Circular references
   2. Limits on object cache size and periodically calling reset()
   3. Limits on array lengths.
   4. Classes that don't implement Serializable's readObject() method
      safely.

Despite placing limits on functionality, none of the tests in the 
qa-suite tested so far (lookup services and javaspaces) fail without it, 
or depend on it.

Would anyone like to assist in constructing some stream test cases that 
cause DoS?  E.g. read in a stream that contains an array length of 
Integer.MAX_VALUE, or one that uses a known exploit, e.g. deserialization 
into a privileged context to create a ClassLoader instance on an unpatched 
JVM?  I'm quite confident I can prevent them, anyone up for a challenge?

Regards,

Peter.
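The limits listed in the message (array length, object cache size, which classes may be deserialized) are the same invariants that the standard `java.io.ObjectInputFilter` API later made available (JEP 290, JDK 9, backported to 8u121 in 2017, i.e. after this 2015 message). The following is an added example and not River's own code or Peter's implementation: it installs a filter on a plain `ObjectInputStream` that rejects arrays over a bound, graphs that are too deep or hold too many back-references, and any class outside a small allow-list, and it shows the rejection happening before the oversized array is allocated. The limit values, the `Greeting` class and the allow-list contents are assumptions chosen for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

/**
 * Added example, not River code: bounding ObjectInputStream with a
 * JDK 9+ ObjectInputFilter so that oversized arrays, deep graphs and
 * unexpected classes are rejected before any object is allocated.
 */
public class BoundedDeserialization {

    // Hypothetical limits for the example; a real protocol would tune these.
    static final long MAX_ARRAY_LENGTH = 1_000;
    static final long MAX_DEPTH = 10;
    static final long MAX_REFERENCES = 10_000;

    /** Constructed payload class that the allow-list permits. */
    static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    /**
     * The filter is consulted for every class, array and back-reference in
     * the stream. Returning REJECTED makes ObjectInputStream throw
     * InvalidClassException, so an array of length Integer.MAX_VALUE is
     * refused without the JVM ever trying to allocate it.
     */
    static final ObjectInputFilter FILTER = info -> {
        // arrayLength() is -1 for non-array records.
        if (info.arrayLength() > MAX_ARRAY_LENGTH) {
            return ObjectInputFilter.Status.REJECTED;
        }
        if (info.depth() > MAX_DEPTH || info.references() > MAX_REFERENCES) {
            return ObjectInputFilter.Status.REJECTED;
        }
        Class<?> c = info.serialClass();
        if (c == null) {
            // Not a class record (e.g. a back-reference); size checks above suffice.
            return ObjectInputFilter.Status.UNDECIDED;
        }
        while (c.isArray()) {
            c = c.getComponentType();
        }
        // Allow-list: primitives, String and our own payload type only.
        if (c.isPrimitive() || c == String.class || c == Greeting.class) {
            return ObjectInputFilter.Status.ALLOWED;
        }
        return ObjectInputFilter.Status.REJECTED;
    };

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Accepted: a permitted class whose only field is a String.
        Greeting ok = (Greeting) deserialize(serialize(new Greeting("hello")));
        System.out.println("accepted: " + ok.text);

        // Rejected before allocation: array longer than MAX_ARRAY_LENGTH.
        try {
            deserialize(serialize(new int[5_000]));
        } catch (InvalidClassException e) {
            System.out.println("rejected oversized array: " + e.getMessage());
        }

        // Rejected: class not on the allow-list.
        try {
            deserialize(serialize(new java.util.Date()));
        } catch (InvalidClassException e) {
            System.out.println("rejected class: " + e.getMessage());
        }
    }
}
```

Compile and run with any JDK 9 or later; the second and third `deserialize` calls fail with `InvalidClassException: filter status: REJECTED`. The filter cannot detect circular references as such, but the `references()` bound caps how much the object cache can grow, which is the effect the message's second and fourth limits are after.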

