[e-lang] Java security hole in interplay of stack introspection & deserialization
David Wagner
daw at cs.berkeley.edu
Sun Feb 8 22:25:43 EST 2009
Mark Miller wrote:
> http://slightlyrandombrokenthoughts.blogspot.com/2008/12/calendar-bug.html
Thanks for pointing us to this.
Obligatory Joe-E tie-in: I'm trying to figure out whether Joe-E was
ever vulnerable to this attack. It looks like the particular attack
method described in the blog post would not work on Joe-E. The attack
described on the blog involves both custom readObject code in the
attack object and storing a reference into a static field. Of course
Joe-E bans mutable static fields, but more importantly, as part of Joe-E's
"attack surface reduction", we ban serialization (including prohibiting
Joe-E code from implementing readObject or writeObject). So as far as
I can see, it looks like Joe-E code could not implement the particular
attack described in that blog post.
Does anyone see whether there is any other way that Joe-E code could
have exploited this vulnerability in stack inspection? Would it be
accurate to say that Joe-E's banning of features incompatible with
capability programming happened to defend against this vulnerability,
even though we didn't know of this vulnerability at the time we designed
Joe-E?