On 06-01-16 18:49, Simon IJskes - QCG wrote:
On 06-01-16 13:38, Peter wrote:
Your security analysis is too narrow, you're thinking like a user, not
an attacker.
An attacker is not going to send you a proxy to load into a standalone
Classloader. She has the choice of the entire classpath, not you and
not River; that's right, it's the sender's choice, not the receiver's.
She's looking for vulnerable classes on your classpath.
ObjectInputStream will load the attackers instructions. There's no
protection domain on the stack representing the attacker, the
attacker is looking to deserialize into privileged context, the
attacker wants AllPermission. This all occurs before your remote
method call even returns. Once the attacker has privileges, she
can create her own URLClassLoader, grant AllPermission to her
downloaded code, install her own security manager.
https://cwe.mitre.org/data/definitions/502.html
https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=27492407
Has a number of secure coding recommendations.
G.
--
QCG, Software development, 071-5890970, http://www.qcg.nl
Quality Consultancy Group b.v., Leiderdorp, Kvk Den Haag: 28088397