river-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Michał Kłeczek <mic...@kleczek.org>
Subject Re: OSGi NP Complete Was: OSGi - deserialization remote invocation strategy
Date Tue, 14 Feb 2017 12:13:46 GMT
It seems like I am missing the high level view on the architecture of 
your software.
Would it be possible for you to write one?

Peter wrote:
> There's a new constraint AtomicInputValidation that jeri uses to prevent standard serialization
being used.
> Reggie has been granted DownloadPermission and DeserializationPermission but only for
its own codebase.
I do not understand this.
How does the client know it is "Reggie" it is talking to?
How Reggie can grant itself permissions in the client environment???

Could you be more precise?
> Reggie has also been granted necessary permissions to communicate with its service. 
No perms have been granted allowing Reggie to do anything else
> Reggie gives the client a dynamic proxy token (via SafeServiceRegistrar's lookup method).
What is this "token"? Is it a Java object implementing a well known 
interface? What interface is it?
> If your class is a client class you can give it the power to open network connections
and do as you wish, but it's not a good idea to grant that power to Reggie.  But it's also
worth remembering it's risky to deserialize into privileged context and you're going to have
to do that in this case.
I do not understand this. I the SmartProxyWrapper there are no 
permissions granted to any downloaded code.
The code can be downloaded and classes defined only if the client 
imposed constraints are met.
> SafeServiceRegistrar will still allow you to use your wrapper class, it just adds an
additional step of allowing you to authenticate that service before you deserialize your service
wrapper, making it a little safer.
By using the "token" you talk about earlier? But you have to verify the 
token to be secure, don't you?

So you delegate "token" authentication to Reggie, but that requires 
verification of Reggie proxy.
But how do you verify Reggie proxy?

Does Reggie also provide the "token"? If so - how is it authenticated? 
If not - how do you authenticate reggie?
You have to break the chain somewhere - and the shorter the trust chain 
the more secure system is.

> You can grant permissions to services only to the codebase certificate signers if you
want.  Using the url in the permission grant just restricts it more, but it's not mandatory.
Fair enough.

The downside is that the permission check requires downloading the jar 
file and reading it to verify the code signers.

In my proposal the check is done even before actual code downloading.


  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message