[e-lang] Java security hole in interplay of stack introspection & deserialization

David Wagner daw at cs.berkeley.edu
Sun Feb 8 22:25:43 EST 2009


Mark Miller  wrote:
> http://slightlyrandombrokenthoughts.blogspot.com/2008/12/calendar-bug.html

Thanks for pointing us to this.

Obligatory Joe-E tie-in: I'm trying to figure out whether Joe-E was
ever vulnerable to this attack.  It looks like the particular attack
method described in the blog post would not work on Joe-E.  The attack
described on the blog involves both custom readObject code in the
attack object and storing a reference into a static field.  Of course
Joe-E bans mutable static fields, but more importantly, as part of Joe-E's
"attack surface reduction", we ban serialization (including prohibiting
Joe-E code from implementing readObject or writeObject).  So as far as
I can see, it looks like Joe-E code could not implement the particular
attack described in that blog post.

Does anyone see whether there is any other way that Joe-E code could
have exploited this vulnerability in stack inspection?  Would it be
accurate to say that Joe-E's banning of features incompatible with
capability programming happened to defend against this vulnerability,
even though we didn't know of this vulnerability at the time we designed
Joe-E?
