More secure ModuleFileFormat.Reader class?
Mandy Chung
mandy.chung at oracle.com
Tue Mar 8 16:49:26 PST 2011
On 3/5/11 8:30 AM, Sean Mullan wrote:
> I've been working again on jigsaw signed modules. The current design
> of the ModuleFileFormat.Reader class is a little shaky from a security
> perspective. Most of the methods are public (as well as the class).
> These methods allow one to read different parts of a module file and
> the resulting data is stored inside the Reader object. Some of this
> data is security-sensitive such as the signature and the hashes. This
> data is currently protected from malicious code by returning clones, etc.
>
> But the problem is that some of the methods can still be used to
> change this data. For example, I can call the readFile method with my
> own DataInputStream. This DataInputStream could contain a different
> Signature section, and this could then replace the signature contained
> in a Reader object that had already been used to read a signed module
> file. There are several methods like this.
>
> It seems it would be a better (and safer) design to decouple the
> module file data (or at least the signature and hashes) and store it
> separately from the Reader class.
>
It sounds like a good thing to do.
Mandy
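The two designs under discussion, sketched as an added Java example. This is not jigsaw's ModuleFileFormat.Reader or any code from the thread: the class names, the toy file layout (length-prefixed content followed by a length-prefixed signature) and the inputs are constructed for illustration. The first class keeps the signature in a mutable field behind a public readFile method, so a second call with a different stream replaces it; the second parses once into an immutable value object, which is the decoupling Sean proposes.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

/*
 * Toy illustration of the design issue; NOT jigsaw's ModuleFileFormat.Reader.
 * Constructed toy file layout:
 *   int contentLen, byte[contentLen] content, int sigLen, byte[sigLen] signature
 */
public class ReaderDesign {

    // Hypothetical "shaky" design: a public, re-callable reader whose
    // security-sensitive state lives in mutable fields.
    static final class MutableReader {
        private byte[] content;
        private byte[] signature;

        // Public and callable any number of times: a second call with a
        // caller-supplied stream silently overwrites the signature read
        // from the first (trusted) stream.
        public void readFile(DataInputStream in) throws IOException {
            content = readBlock(in);
            signature = readBlock(in);
        }

        // Returning a clone protects the array contents, not the field itself.
        public byte[] getSignature() { return signature.clone(); }
        public byte[] getContent()   { return content.clone(); }
    }

    // Hypothetical decoupled design: parse once into an immutable value
    // object; no public method can later replace the signature or hashes.
    static final class SignedModuleData {
        private final byte[] content;
        private final byte[] signature;

        private SignedModuleData(byte[] content, byte[] signature) {
            this.content = content;
            this.signature = signature;
        }

        public static SignedModuleData parse(DataInputStream in) throws IOException {
            byte[] c = readBlock(in);
            byte[] s = readBlock(in);
            return new SignedModuleData(c, s); // arrays never escape unclone'd
        }

        public byte[] getSignature() { return signature.clone(); }
        public byte[] getContent()   { return content.clone(); }
    }

    // Length-prefixed block with a sanity bound so a hostile stream cannot
    // force a huge allocation (bound is arbitrary for this toy format).
    static byte[] readBlock(DataInputStream in) throws IOException {
        int len = in.readInt();
        if (len < 0 || len > (1 << 20)) throw new IOException("bad block length: " + len);
        byte[] b = new byte[len];
        in.readFully(b);
        return b;
    }

    // Build a toy module file in memory (constructed input, not a real module).
    static byte[] toyModule(String content, String signature) {
        byte[] c = content.getBytes(StandardCharsets.US_ASCII);
        byte[] s = signature.getBytes(StandardCharsets.US_ASCII);
        ByteBuffer buf = ByteBuffer.allocate(8 + c.length + s.length);
        buf.putInt(c.length).put(c).putInt(s.length).put(s);
        return buf.array();
    }

    static DataInputStream stream(byte[] bytes) {
        return new DataInputStream(new ByteArrayInputStream(bytes));
    }

    public static void main(String[] args) throws IOException {
        byte[] trusted  = toyModule("module-bytes", "GOOD-SIG");
        byte[] attacker = toyModule("module-bytes", "EVIL-SIG");

        // Shaky design: the verifier reads the trusted file, then other code
        // holding the same Reader feeds it an attacker-controlled stream.
        MutableReader r = new MutableReader();
        r.readFile(stream(trusted));
        r.readFile(stream(attacker));
        System.out.println("mutable reader now reports: "
                + new String(r.getSignature(), StandardCharsets.US_ASCII));

        // Decoupled design: each parse yields a separate immutable object, so
        // the trusted instance is unaffected by parsing the attacker's bytes.
        SignedModuleData d = SignedModuleData.parse(stream(trusted));
        SignedModuleData other = SignedModuleData.parse(stream(attacker));
        System.out.println("immutable data still reports: "
                + new String(d.getSignature(), StandardCharsets.US_ASCII));
        System.out.println("trusted and attacker signatures differ: "
                + !Arrays.equals(d.getSignature(), other.getSignature()));
    }
}
```

Running main shows the mutable reader reporting the signature from the second stream, while the value object parsed from the trusted bytes keeps its own. Cloning on the getters is still needed in the immutable design so a caller cannot modify the array in place; what changes is that the only way to obtain a SignedModuleData with a different signature is to create a different object, which the signature-verification code never sees.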