More secure ModuleFileFormat.Reader class?
Sean Mullan
sean.mullan at oracle.com
Sat Mar 5 08:30:07 PST 2011
I've been working again on jigsaw signed modules. The current design of the
ModuleFileFormat.Reader class is a little shaky from a security perspective.
Most of the methods are public (as well as the class). These methods allow one
to read different parts of a module file and the resulting data is stored inside
the Reader object. Some of this data is security-sensitive such as the signature
and the hashes. This data is currently protected from malicious code by
returning clones, etc.
But the problem is that some of the methods can still be used to change this
data. For example, I can call the readFile method with my own DataInputStream.
This DataInputStream could contain a different Signature section, and this could
then replace the signature contained in a Reader object that had already been
used to read a signed module file. There are several methods like this.
It seems it would be a better (and safer) design to decouple the module file
data (or at least the signature and hashes) and store it separately from the
Reader class.
Comments?
--Sean
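The substitution described in the message, as an added illustration that is not code from the jigsaw project or from the message above. The class names (MutableReader, DecoupledReader, SignatureSection) are hypothetical stand-ins for ModuleFileFormat.Reader and its readFile method, the module format is reduced to a length-prefixed signature blob, and the two "module files" are constructed in memory. The first design keeps parsed state inside the Reader behind public parse methods, so a second call with an attacker-supplied DataInputStream overwrites the signature already read; the second design hands the parsed section back as an immutable value the verifier owns.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

/*
 * Editor's illustration, not jigsaw code. A "module file" here is just an int
 * length followed by that many signature bytes; only the ownership of the
 * parsed bytes matters for the point being made.
 */
public class ReaderDesigns {

    // Design 1 (the shaky one): parsed state lives inside the Reader and the
    // parse method is public, so anyone holding the Reader can overwrite it.
    public static final class MutableReader {
        private byte[] signature;

        public void readSignature(DataInputStream in) throws IOException {
            int len = in.readInt();
            byte[] sig = new byte[len];
            in.readFully(sig);
            this.signature = sig;   // silently replaces whatever was read before
        }

        public byte[] getSignature() {
            // The clone protects the array contents, not the field that points at it.
            return signature == null ? null : signature.clone();
        }
    }

    // Design 2: the Reader only parses; the result is an immutable value object
    // the caller owns. Re-reading yields a new object and cannot touch the old one.
    public static final class SignatureSection {
        private final byte[] signature;

        SignatureSection(byte[] signature) {
            this.signature = signature.clone();   // defensive copy on the way in
        }

        public byte[] signature() {
            return signature.clone();             // and on the way out
        }
    }

    public static final class DecoupledReader {
        public SignatureSection readSignature(DataInputStream in) throws IOException {
            int len = in.readInt();
            byte[] sig = new byte[len];
            in.readFully(sig);
            return new SignatureSection(sig);     // no state retained in the Reader
        }
    }

    // Constructed sample input: int length, then the signature bytes.
    static DataInputStream moduleWithSignature(byte[] sig) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bos);
        out.writeInt(sig.length);
        out.write(sig);
        return new DataInputStream(new ByteArrayInputStream(bos.toByteArray()));
    }

    public static void main(String[] args) throws IOException {
        byte[] genuine = "GENUINE-SIG".getBytes(StandardCharsets.US_ASCII);
        byte[] forged  = "FORGED-SIG".getBytes(StandardCharsets.US_ASCII);

        // Design 1: trusted code reads the signed module, then code that merely
        // holds a reference to the same Reader feeds it a stream of its own.
        MutableReader r = new MutableReader();
        r.readSignature(moduleWithSignature(genuine));
        r.readSignature(moduleWithSignature(forged));
        System.out.println("mutable reader now reports: "
                + new String(r.getSignature(), StandardCharsets.US_ASCII));

        // Design 2: the verifier keeps the SignatureSection it was handed; a
        // second read produces a separate object and leaves the first untouched.
        DecoupledReader d = new DecoupledReader();
        SignatureSection trusted = d.readSignature(moduleWithSignature(genuine));
        SignatureSection other   = d.readSignature(moduleWithSignature(forged));
        System.out.println("decoupled reader, first section: "
                + new String(trusted.signature(), StandardCharsets.US_ASCII)
                + ", same as second read? "
                + Arrays.equals(trusted.signature(), other.signature()));
    }
}
```

The point of the second design is that the signature and hashes the verifier relies on live in an object whose only reference is held by the verifier, with final fields and defensive copies, so no public method on the Reader (or on the value object) can change them after the fact. Whether the Reader itself is public becomes much less important once it holds no security-sensitive state.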
More information about the jigsaw-dev mailing list