[kaffe] class loading security/compatibility concerns

Patrick Tullmann tullmann@cs.utah.edu
Fri, 2 Aug 2002 15:03:20 -0600


gonzo wrote:
> Patrick Tullmann wrote:
> > I think you can get Sun's VM to load `A' if you put the path to it
> > on the bootclasspath.  This works for me with jdk1.4: 
> >    'java -Xbootclasspath/p:. java.A'
> > 
> > This is also how it knows which jars to verify (or not), as I think
> > Sun's VM does what you propose (not verifying system classes).
> 
> in using -Xbootclasspath you're saying "use these files in place of the
> boot class files included in the J2SDK and J2RE", which means that you
> trust the files quite a bit.

Yep.  My example was meant to imply that the bootclasspath is how
Sun's VM knows which classes to trust or not.  Only classes loaded
from this path may load themselves into "java." (or even "sun.",
equally "kaffe." in Kaffe).

> i definitely agree that kaffe should support the bootclasspath flag
> (i'm not sure that it does now, though i remember reading in one of
> the FAQs that it's not implemented), but in that case we would still
> need some way of knowing at run time whether a class came from a
> trusted source, such as the runtime libraries or some jar on
> bootclasspath, or an untrusted source that requires verification.

I think bootclasspath is the only way Sun's VM determines that level
of trustedness.  If I were to implement that in Kaffe, I'd say adding
a tag 'trusted' to the file.h:classFile struct, and then probably add
a bit to the Hjava_lang_Class that is inherited from the classFile the
class is loaded from.  Any classpath entries in the bootclasspath get
the bit set, and it gets inherited from there.

> Sun's JVM trusts all files in JAVAHOME/jre/lib and JAVAHOME/lib (these are
> also the default locations where they load their library classes from).

Just to be clear, I think it trusts those only because they show up on
the bootclasspath.  Note that in my example I used a /p suffix to
prepend onto the bootclasspath; if you use '-Xbootclasspath:.'
(without the /p) then the VM will fail to find java.lang.Object.

> so my question is this: do you guys agree that this is something
> that's beneficial for kaffe?  if so, then i can go about making the
> changes to the system classloader to make it happen.  i can also
> toss in bootclasspath support if we want that soon.

Yeah, I think this is a good thing for Kaffe.  It is definitely
reasonable to hardcode the bootclasspath for now.  Support for 
the command-line options can be added later...

-Pat

----- ----- ---- ---  ---  --   -    -      -         -               -
Pat Tullmann                                       tullmann@cs.utah.edu
          This signature witticism intentionally left blank.
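Added example (not part of the original mail and not Kaffe code): the
"only boot classes may load themselves into java." rule that Pat refers to
can be observed directly in Sun's java.lang.ClassLoader.  A user-defined
loader that calls defineClass() with a name in the java.* namespace is
refused with a SecurityException on the name alone, before the class
bytes are looked at, so deliberately empty bytes are enough to show it.
The same bytes under an ordinary package name get past the name check and
are then rejected by the class-file parser instead.  Assumed: Sun/OpenJDK
ClassLoader behaviour (JDK 1.4 and later); the class names and the empty
byte array are constructed for the demonstration.  A class placed on the
bootclasspath (as with '-Xbootclasspath/p:.' in the mail) is defined by
the bootstrap loader and therefore never hits this check.

```java
/*
 * Added example, not from the original message or from Kaffe.
 * Demonstrates that Sun's java.lang.ClassLoader refuses to let a
 * non-bootstrap loader define a class whose name starts with "java.".
 * The refusal is based on the NAME and happens before the bytes are
 * parsed, which is why an empty byte[] is enough to trigger it.
 * Assumed behaviour: JDK 1.4 and later (HotSpot / OpenJDK).
 */
public class ProhibitedPackageDemo {

    /** Minimal loader that exposes the protected defineClass(). */
    static final class RawLoader extends ClassLoader {
        RawLoader() {
            super(null); // parent = bootstrap loader, nothing else in the chain
        }

        Class<?> define(String name, byte[] bytes) {
            return defineClass(name, bytes, 0, bytes.length);
        }
    }

    /**
     * Attempts to define a class under the given name from deliberately
     * invalid (empty) bytes and reports how the VM rejected it.
     */
    static String tryDefine(String name) {
        byte[] notAClassFile = new byte[0]; // constructed: not a class file at all
        try {
            new RawLoader().define(name, notAClassFile);
            return "defined"; // unreachable with empty bytes
        } catch (SecurityException e) {
            // Name check failed: the java.* namespace is reserved for the
            // bootstrap loader, so the bytes were never inspected.
            return "SecurityException: " + e.getMessage();
        } catch (ClassFormatError e) {
            // Name check passed; only then did the class-file parser look
            // at the bytes and reject them.
            return "ClassFormatError: " + e.getMessage();
        } catch (LinkageError e) {
            return e.getClass().getName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // 1. Reserved namespace: rejected by name.
        System.out.println("java.A        -> " + tryDefine("java.A"));
        // 2. Same garbage bytes, ordinary package: rejected by content.
        System.out.println("org.example.A -> " + tryDefine("org.example.A"));
    }
}
```

Compile and run with 'javac ProhibitedPackageDemo.java && java
ProhibitedPackageDemo' (no security manager needed).  The first attempt
is refused with a "Prohibited package name" SecurityException, the second
with a ClassFormatError, which is the difference between "not trusted to
be in java." and "not a valid class file".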