RFR: 8200559: Java agents doing instrumentation need a means to define auxiliary classes [v2]
Andrew Dinn
adinn at openjdk.org
Thu Jan 25 13:35:45 UTC 2024
On Thu, 25 Jan 2024 12:16:13 GMT, Rafael Winterhalter <winterhalter at openjdk.org> wrote:
> Requiring such an API opens the module to anybody, though, punching a hole into the module boundary.
How so? Any module created to print Lookups can easily rely on a shared secret to secure the API. Byteman employs a non-null Instrumentation object (a value which any agent ought to keep secret). However, it could just as easily have employed an arbitrary bit length hash key. The key can be used to initialize a module-private static long[] field of an API implementation class generated into the module, i.e. the hole can actually be a keyhole in the shape of a key known only to the API client and implementation.
-------------
PR Comment: https://git.openjdk.org/jdk/pull/3546#issuecomment-1910230873
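
A sketch of the key-guarded Lookup API described in the message above, as an added example that is not code from the post, from Byteman or from the JDK. The class name `LookupKeyhole`, its `init` and `lookup` methods and the 256-bit key size are assumptions made for illustration; an agent would generate such a class into the target module rather than compile it by hand.

```java
import java.lang.invoke.MethodHandles;
import java.nio.ByteBuffer;
import java.security.MessageDigest;
import java.security.SecureRandom;

// Hypothetical stand-in for the API implementation class an agent would
// generate into the target module; every name here is illustrative.
public final class LookupKeyhole {
    // Module-private key: never exposed through any accessor.
    private static long[] key;

    private LookupKeyhole() {}

    // Set once by the agent right after it defines the class (assumption:
    // a real agent could instead bake the key in at generation time).
    static synchronized void init(long[] secret) {
        if (key != null) throw new IllegalStateException("already initialised");
        key = secret.clone();
    }

    // The only exported entry point. A Lookup with this class's access
    // rights is returned only to a caller presenting the matching key.
    public static MethodHandles.Lookup lookup(long[] presented) {
        long[] k = key;
        // MessageDigest.isEqual compares in constant time, so a caller
        // cannot recover the key word by word from timing differences.
        if (k == null || presented == null
                || !MessageDigest.isEqual(toBytes(k), toBytes(presented))) {
            throw new SecurityException("bad key");
        }
        return MethodHandles.lookup();
    }

    private static byte[] toBytes(long[] words) {
        ByteBuffer buf = ByteBuffer.allocate(words.length * Long.BYTES);
        for (long w : words) buf.putLong(w);
        return buf.array();
    }

    public static void main(String[] args) {
        long[] secret = new SecureRandom().longs(4).toArray(); // 256-bit key
        init(secret);
        // Correct key: a Lookup whose lookup class is LookupKeyhole.
        System.out.println(lookup(secret.clone()).lookupClass());
        try {
            lookup(new long[4]); // constructed wrong key (all zeroes)
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```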