[kaffe] class loading security/compatibility concerns

gonzo Robert.N.Gonzalez at williams.edu
Thu Aug 1 11:11:47 PDT 2002


Patrick Tullmann wrote:
> I think you can get Sun's VM to load `A' it if you put the path to it
> on the bootclasspath.  This works for me with jdk1.4: 
>    'java -Xbootclasspath/p:. java.A'
> 
> This is also how it knows which jars to verify (or not), as I think
> Sun's VM does what you propose (not verifying system classes).

in using -Xbootclasspath you're saying "use these files in place of the
boot class files included in the J2SDK and J2RE", which means that you
trust the files quite a bit.  but what if some untrusted program tries to
dynamically load a class in some evil package named java to trick the VM
into giving it undeserved permissions (i posted a couple weeks ago 
regarding a situation in the classloader where code could get access to
the system class loader when it otherwise should not have had permission
to do so using the whole "i'm in the java package, so treat me different"
strategy).

i definitely agree that kaffe should support the bootclasspath flag (i'm
not sure that it does now, though i remember reading in one of the FAQs
that it's not implemented), but in that case we would still need some way
of knowing at run time whether a class came from a trusted source, such as
the runtime libraries or some jar on bootclasspath, or an untrusted source
that requires verification.  in the latter case we should probably adhere
to the way Sun's JVM deals with files in packages called java (as well as
perform full verification, though Sun's JVM appears to do most
verification on files in bootclasspath, aside from disallowing new
packages named java, etc.)

Sun's JVM trusts all files in JAVAHOME/jre/lib and JAVAHOME/lib (these are
also the default locations where they load their library classes from).
right now with kaffe you need your CLASSPATH to include KAFFE/jre/lib 
explicitly.  it would be nice if these were automatically in the 
bootclasspath (or something similar) so that we could tag them as trusted.

until we do something like that, anywhere in kaffe VM that we check for
permissions based on belonging to package java or kaffe we introduce a
hole for evildoers.  most particularly in the verifier that i'm attempting
to develop for kaffe.


so my question is this: do you guys agree that this is something that's
beneficial for kaffe?  if so, then i can go about making the changes to
the system classloader to make it happen.  i can also toss in
bootclasspath support if we want that soon.


cheers,
~rob



On Thu, 1 Aug 2002, Patrick Tullmann wrote:

> gonzo wrote:
> > if i create a file A.java in package java and try to run it on the Sun
> > java VM i get:
> > 	java.lang.SecurityException: Prohibited package name: java
> 
> I think you can get Sun's VM to load `A' it if you put the path to it
> on the bootclasspath.  This works for me with jdk1.4: 
>    'java -Xbootclasspath/p:. java.A'
> 
> This is also how it knows which jars to verify (or not), as I think
> Sun's VM does what you propose (not verifying system classes).
> 
> -Pat
> 
> ----- ----- ---- ---  ---  --   -    -      -         -               -
> Pat Tullmann                                       tullmann at cs.utah.edu
>             He who dies with the most toys is still dead.
> 
> _______________________________________________
> kaffe mailing list
> kaffe at kaffe.org
> http://kaffe.org/cgi-bin/mailman/listinfo/kaffe
> 
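The two checks discussed in this thread, as an added example in Java (not code from kaffe or from the posters): deciding whether a loaded class is "trusted" in the sense used above (it came from the bootstrap loader, i.e. the runtime libraries or something on -Xbootclasspath, which is what a null getClassLoader() result means), and refusing to define a class whose name lies in the java package when the request comes through an ordinary, non-boot class loader. The package check mirrors the one that produces the "Prohibited package name: java" SecurityException quoted above; the RestrictedLoader class name, the defineFromBytes method and the java.A test name are hypothetical, and readAllBytes assumes Java 9 or later.

```java
import java.io.IOException;
import java.io.InputStream;

/**
 * Hypothetical loader that refuses java.* names the way Sun's VM does for code that
 * did not come from the boot class path. Not kaffe code; added for illustration.
 */
public class RestrictedLoader extends ClassLoader {

    public RestrictedLoader(ClassLoader parent) {
        super(parent);
    }

    /** Trusted here means "defined by the bootstrap loader": rt.jar or -Xbootclasspath entries. */
    public static boolean isTrusted(Class<?> c) {
        return c.getClassLoader() == null;
    }

    /** Reject any attempt by a non-boot loader to put a class into package java (or java.*). */
    static void checkPackage(String name) {
        if (name.startsWith("java.")) {
            throw new SecurityException("Prohibited package name: "
                + name.substring(0, name.lastIndexOf('.')));
        }
    }

    /** Define a class from raw bytes, but only after the name has passed the package check. */
    public Class<?> defineFromBytes(String name, byte[] bytes) {
        checkPackage(name);  // decide on the name first; the bytes are never parsed otherwise
        return defineClass(name, bytes, 0, bytes.length);
    }

    @Override
    protected Class<?> findClass(String name) throws ClassNotFoundException {
        checkPackage(name);
        throw new ClassNotFoundException(name);  // this demo loader has no search path of its own
    }

    /** Read a class's own bytes back from the class path (assumes a directory or jar class path). */
    static byte[] readClassBytes(Class<?> c) throws IOException {
        String res = c.getName().replace('.', '/') + ".class";
        try (InputStream in = c.getClassLoader().getResourceAsStream(res)) {
            if (in == null) {
                throw new IOException("resource not found: " + res);
            }
            return in.readAllBytes();  // Java 9+
        }
    }

    public static void main(String[] args) throws Exception {
        RestrictedLoader loader = new RestrictedLoader(RestrictedLoader.class.getClassLoader());

        // 1. A real runtime class: bootstrap loader, so trusted.
        System.out.println("java.lang.String trusted: " + isTrusted(String.class));

        // 2. This class, loaded from the CLASSPATH by the application loader: not trusted.
        System.out.println("RestrictedLoader trusted: " + isTrusted(RestrictedLoader.class));

        // 3. Re-defining this class's own bytes through the restricted loader is allowed
        //    (the name is not in java.*); the copy lives in a different loader and stays untrusted.
        byte[] own = readClassBytes(RestrictedLoader.class);
        Class<?> copy = loader.defineFromBytes("RestrictedLoader", own);
        System.out.println("redefined copy trusted: " + isTrusted(copy)
            + ", identical to original: " + (copy == RestrictedLoader.class));

        // 4. An untrusted caller tries to smuggle a class into package java: rejected by name,
        //    before defineClass ever sees the bytes.
        try {
            loader.defineFromBytes("java.A", own);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile with javac and run with the class directory on the class path (the source launcher loads from memory and readClassBytes would not find the resource). The point of case 4 is the ordering: the decision is made on the requested name and on which loader is asking, not on anything inside the class file, so a forged java.* class never reaches the code paths that treat the java package specially.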