Full Disclosure mailing list archives
Re: Java 1.4.2_02 InsecurityManager JVM crash
From: Thiago Campos <th.campos () bol com br>
Date: Mon, 27 Oct 2003 09:25:57 -0300
Let's hope that no one uses -deprecation while compiling :) This function was replaced some time ago. For those who don't know, from the Java docs:

"protected int classDepth(String name)
Deprecated. This type of security checking is not recommended. It is recommended that the checkPermission call be used instead."

At 01:20 26/10/2003 +0200, Marc Schoenefeld wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

Java 2 Security Managers are objects that should enforce system integrity and safety. Everyone would expect that the provided base classes from the JDK are therefore a role model for code quality and stability.

But that's all theory. Let's do some practice:

Imagine a lazy implementor (like me) of a SecurityManager, he codes the following:

    /* InsecurityManager-Demonstration */
    /* coded by Marc Schoenefeld */
    public class InSecurityManager extends SecurityManager {
        public void doit() {
            System.out.println("doit");
            int o = classDepth(null);
        }

        public static void main(String[] a) {
            InSecurityManager m = new InSecurityManager();
            m.doit();
        }
    }

When you run the class with the command

    java InSecurityManager

you get a jvm crash, instead of a null pointer exception. I tested this with the latest 1.3.1, 1.4.1, 1.4.2 implementations. All Sun implementations crash, the IBM 1.4.1 (comes with Websphere or Cloudscape) is stable.

This sample of code will do no harm to productive environments, because you cannot instantiate a second security manager, but it may be a snapshot of the inner condition of jvm security.

Lesson learned: Do not believe white papers or specifications, test the implementation and report bugs to the vendor. Choose a stable implementation.

Sincerely
Marc Schoenefeld

- --
Never be afraid to try something new. Remember, amateurs built the ark; professionals built the Titanic. -- Anonymous

Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (AIX)
Comment: For info see http://www.gnupg.org

iD8DBQE/mwUxqCaQvrKNUNQRApt/AJ9uwaavBSTpMFa9vZ+BhwBDNxD8sACaA3DZ
E3sLSXijpoAjR1iOdC1FGPo=
=TYLu
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
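The Javadoc quoted in the reply recommends checkPermission over the stack-depth checks. The following is an added example, not code from either poster or from the JDK: a SecurityManager subclass that decides on the requested Permission itself and rejects a null argument explicitly. The class name PermissionBasedManager and the denied path /etc/- are hypothetical, chosen for illustration.

```java
import java.io.FilePermission;
import java.security.Permission;

/* Added illustration: permission-based checking instead of classDepth(). */
public class PermissionBasedManager extends SecurityManager {

    // Constructed sample policy: deny writes anywhere below /etc.
    private final Permission denied = new FilePermission("/etc/-", "write");

    // The decision depends only on the Permission object, never on how deep
    // a given class sits on the call stack.
    public void checkPermission(Permission perm) {
        if (perm == null) {
            // Fail with a defined exception for a null argument.
            throw new NullPointerException("permission must not be null");
        }
        if (denied.implies(perm)) {
            throw new SecurityException("access denied: " + perm);
        }
    }

    // Helper for the demo: true if the check passes, false if it is refused.
    static boolean allowed(SecurityManager m, Permission p) {
        try {
            m.checkPermission(p);
            return true;
        } catch (SecurityException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // The manager is called directly and never installed with
        // System.setSecurityManager, so the running JVM is unaffected.
        PermissionBasedManager m = new PermissionBasedManager();
        System.out.println("read  /tmp/x      -> "
                + allowed(m, new FilePermission("/tmp/x", "read")));
        System.out.println("write /etc/passwd -> "
                + allowed(m, new FilePermission("/etc/passwd", "write")));
        try {
            m.checkPermission(null);
        } catch (NullPointerException e) {
            System.out.println("null argument     -> " + e.getMessage());
        }
    }
}
```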