Security as of version 4.0

Stéphane Konstantaropoulos stephane@cs.york.ac.uk
Sun May 1 01:16:00 GMT 2005

• Next message (by thread): Security as of version 4.0
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

---

Hi Tom,
I had a closer look at libgcj's code since the release of GCC 4.0
The first big flaws that are found are:
- SecurityManager.checkPermission() does not call
AccessController.checkPermission() (it is commented out)
- AccessController.getContext() generates a dummy context with empty
ProtectionDomains instead of walking through the call stack.
- AccessController.doPrivileged() set of methods look like stubs.
There is an open bug in bugzilla: nr 13604 about the context not being
generated.
This means there is no security checks done at all. Even though all the
rest (java.security.Policy, java.security.Security...) seems to be
implemented OK.
Is the signature/certificate of jars taken into account when loading a
jar?
Minor fixes should bring libgcj close to the java 2 security model.
This is encouraging
-- 
Stéphane Konstantaropoulos
- Research Student, Computer Science
-- University of York, http://www-users.cs.york.ac.uk/~stephane
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://gcc.gnu.org/pipermail/java/attachments/20050501/351bbaad/attachment.sig>

---

• Next message (by thread): Security as of version 4.0
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

---

More information about the Java mailing list