[e-lang] Fwd: @RISK: Sun Java Floating-Point Value Denial of Service

Kevin Reid kpreid at switchb.org
Wed Feb 16 11:11:23 PST 2011


On Feb 16, 2011, at 10:32, Thomas Leonard wrote:

>> If we were to eliminate pipelining and mobile code, such that the
>> client is obligated to handle the computation of every object which is
>> not far from it, and the interface of every single exported object was
>> carefully designed so it is O(N) in input message size, even in the
>> face of misbehaving arguments, except where required by the
>> application -- then perhaps a vat could be made DoS-safe.
>
> The O(N) requirement might not be necessary. For messages to our own
> objects, we typically record some usage (and we could therefore abort if
> limits are reached). e.g.
>
> def bubbleSort {
>   to sort(l : List) {
>     reserve(l.size() ** 2)
>     return l.sort()
>   }
> }
>
> The main problem is that operations on primitive types (e.g. int) can
> generate unlimited amounts of usage without any checks.


That's what I meant by “the client is obligated to handle the  
computation”. All such primitives are PassByCopy and therefore are  
never far. The application interface would be designed such that it  
never returns a non-PassByCopy (PassByProxy) object except those that  
are also part of that interface and also implement usage limits.

-- 
Kevin Reid                                  <http://switchb.org/kpreid/>
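
The reserve-before-work pattern discussed in this thread, as an added Python sketch that is not part of the original message or of E itself. `UsageMeter`, `UsageLimitExceeded`, the unit costs and the by-copy check are hypothetical stand-ins for E's `reserve` and PassByCopy arguments.

```python
class UsageLimitExceeded(Exception):
    """Raised when a request would exceed the caller's remaining budget."""

class UsageMeter:
    """Hypothetical per-client budget, counted in abstract work units."""
    def __init__(self, limit):
        self.limit = limit
        self.used = 0

    def reserve(self, units):
        # Charge before doing the work, so an oversized request is refused
        # without spending the computation it asked for.
        if units < 0 or self.used + units > self.limit:
            raise UsageLimitExceeded(
                f"need {units}, only {self.limit - self.used} left")
        self.used += units

class BubbleSort:
    """Exported object whose method reserves its worst-case cost first."""
    def __init__(self, meter):
        self._meter = meter

    def sort(self, items):
        data = list(items)  # O(N) copy of the by-copy argument
        # Accept only plain integers (assumption standing in for PassByCopy),
        # so comparisons never call back into caller-supplied objects.
        if not all(type(x) is int for x in data):
            raise TypeError("only by-copy integers accepted")
        n = len(data)
        self._meter.reserve(n ** 2)  # quadratic cost charged up front
        for i in range(n):
            for j in range(n - 1 - i):
                if data[j] > data[j + 1]:
                    data[j], data[j + 1] = data[j + 1], data[j]
        return tuple(data)

def demo():
    meter = UsageMeter(limit=100)            # constructed sample budget
    sorter = BubbleSort(meter)
    ok = sorter.sort((3, 1, 2))              # reserves 9 units
    try:
        sorter.sort(tuple(range(20, 0, -1)))  # would need 400 units
        refused = False
    except UsageLimitExceeded:
        refused = True
    return ok, meter.used, refused

if __name__ == "__main__":
    print(demo())
```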



