Our present security model relies on the safety of the Java sandbox, but
we know that model is flawed.
If DownloadPermission is not granted, we cannot look up a service that
uses a smart proxy and ask it for the bootstrap proxy. We could,
however, look up a bootstrap proxy, authenticate it, grant it
DownloadPermission and ask it for the smart proxy.
Would someone like to propose an interface for a bootstrap proxy and an
Entry that allows the bootstrap proxy to list the service interfaces
that its smart proxy provides, in order to perform lookup?
It appears that fixing ObjectInputStream and Serializable security
issues was much easier than expected, provided we're prepared to
implement atomic invariant validation and give up some functionality:
1. Circular references
2. Limits on object cache size and periodically calling reset()
3. Limits on array lengths.
4. Classes that don't implement Serializable's readObject() method
safely.
Despite placing limits on functionality, none of the tests in the
qa-suite tested so far (lookup services and javaspaces) fail without it,
or depend on it.
Would anyone like to assist in constructing some stream test cases that cause
DOS? E.g. read in a stream that contains an array length of
Integer.MAX_VALUE, or one that uses a known exploit, e.g. deserialization
into privileged context to create a ClassLoader instance on an unpatched
JVM? I'm quite confident I can prevent them; anyone up for a challenge?
Regards,
Peter.
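The array-length and object-cache limits discussed above, shown as an added example that is not code from this thread or from the River project: it uses the standard ObjectInputFilter API (Java 9 or later) to reject a stream carrying an oversized array before the array is allocated. The numeric limits and the allow-list pattern are assumptions for illustration and would need tuning to a real service's payloads.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;

public class BoundedDeserialization {

    // Hypothetical limits: max array length, graph depth, back-references
    // and stream bytes, plus an allow-list that admits only java.base
    // classes and rejects everything else ("!*" must come last).
    private static final ObjectInputFilter LIMITS = ObjectInputFilter.Config.createFilter(
            "maxarray=1024;maxdepth=16;maxrefs=4096;maxbytes=65536;java.base/*;!*");

    /** Deserialize one object, rejecting any stream that exceeds LIMITS. */
    static Object readBounded(byte[] stream) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(stream))) {
            in.setObjectInputFilter(LIMITS);
            // The filter sees each array's declared length before
            // ObjectInputStream allocates it, so a huge length is refused
            // without reserving memory for it.
            return in.readObject();
        }
    }

    /** Helper to build constructed sample streams for the demo below. */
    private static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a small array is within the limit and is accepted.
        int[] small = (int[]) readBounded(serialize(new int[10]));
        System.out.println("small array accepted, length " + small.length);

        // Constructed sample: an array well over maxarray is rejected with
        // InvalidClassException ("filter status: REJECTED") before allocation.
        try {
            readBounded(serialize(new int[100_000]));
            System.out.println("oversized array accepted (unexpected)");
        } catch (InvalidClassException e) {
            System.out.println("oversized array rejected: " + e.getMessage());
        }
    }
}
```

The same filter string can be installed JVM-wide with the jdk.serialFilter system property, so services that cannot change their stream-handling code still get the limits.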