[E-Lang] Announcing stl-E 0.8.9k: An interim non-distributed release

Karp, Alan alan_karp@hp.com
Tue, 2 Jan 2001 17:31:13 -0800


> -----Original Message-----
> From: Chip Morningstar [mailto:chip@groucho.communities.com]
> Sent: Tuesday, January 02, 2001 3:46 PM
> To: e-lang@eros-os.org
> Subject: Re: [E-Lang] Announcing stl-E 0.8.9k: An interim
> non-distributed release
> 
> 
> Alan Karp wrote:
> > Does that mean you can make a Java class access the file 
> system by passing
> > it a bad argument even if there's no file access code in the class?
> 
> It depends on whether you mean file access code per se or 
> merely code which
> ultimately leads to file access. For example, one of the Java 
> security problems
> that the Princeton folks found was a case in which font names 
> where ultimately
> used in the construction of filenames (in order to obtain a 
> font's descriptive
> data).  By correctly providing a suitably mangled font name, 
> a user could trick
> the font code into accessing all kinds of files that it 
> shouldn't have (a
> classic Confused Deputy bug).
> 
> A piece of GUI code might not realize it is refering to a 
> file when it hands
> around a string that it believes is merely a font name. 
> Somebody inspecting
> that code for file accesses might not realize it either.

No, I was talking about the class itself accessing the file system.  Any
such transitivity attack should be caught in the class that has file access
code, not the class merely forwarding a parameter to it.  Remember, the goal
is to reduce the number of classes that have to be examined by hand.  If
100% coverage of the GUI code never hits the security manager, I contend
that you don't have to manually look at it for any of the accesses that must
go through the security manager.

> 
> --------------------------------------------------------------
> --------------
>   Chip Morningstar                                         
> Communities.com
>   chip@communities.com             10101 N.DeAnza Blvd, 
> Cupertino CA 95014
>   http://www.communities.com                                  
> 408-342-9522
> 
> 	      "It's now safe to turn off your computer."
> --------------------------------------------------------------
> --------------
> 
> _______________________________________________
> e-lang mailing list
> e-lang@mail.eros-os.org
> http://www.eros-os.org/mailman/listinfo/e-lang
> 

_________________________
Alan Karp
Principal Scientist
Decision Technology Department
Hewlett-Packard Laboratories MS 1U-2
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-6278