Command line flag to disable finalizers.
Peter Firmstone
peter.firmstone at zeus.net.au
Tue Oct 25 06:02:28 UTC 2022
Hi Sean,
I only just read this email, thanks, it allows us to start investigating
a new authorization layer.
Regards,
Peter.
On 21/04/2022 1:01 am, Sean Mullan wrote:
>
> On 4/15/22 10:46 PM, Peter Firmstone wrote:
>> To securely instrument access controls onto public Java API, we need to
>> have the ability to disable finalizers, to prevent finalizer attacks
>> from circumventing access controls.
>>
>> Since finalizers are planned for removal, as soon as finalizers are
>> officially deprecated, I propose a command line flag be provided to
>> disable JVM calls to finalizer methods.
>
> This is already supported. JEP 421 added a "--finalization=disabled"
> option to JDK 18:
>
> https://openjdk.java.net/jeps/421#Command-line-option-to-disable-finalization
>
>
> --Sean
>
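
An added illustration, not part of the original thread and not code from the OpenJDK project: a small Java probe for the finalizer concern raised above, showing a constructor-time access check placed after Object() completes beside one placed before it. All class and method names are hypothetical.

```java
// Added illustration (constructed); all class and method names are hypothetical.
// Run on JDK 18+:  java FinalizerDemo.java
//            and:  java --finalization=disabled FinalizerDemo.java
@SuppressWarnings({"deprecation", "removal"})
public class FinalizerDemo {
    static volatile Object leaked;   // set only if a finalizer ran on a rejected instance

    static void check(boolean allowed) {   // stand-in for a real access check
        if (!allowed) throw new SecurityException("access denied");
    }

    // Weak: Object() has already completed when the check throws, so the
    // rejected instance is still eligible for finalization.
    static class Guarded {
        Guarded(boolean allowed) { check(allowed); }
    }

    // Hardened: the check runs while evaluating the argument of this(...),
    // before Object() completes, so the instance never becomes finalizable.
    static class Hardened {
        Hardened(boolean allowed) { this(verify(allowed)); }
        private Hardened(Void checked) { }
        private static Void verify(boolean allowed) { check(allowed); return null; }
    }

    // Subclasses with finalizers, used here only to observe the JVM's behaviour.
    static class GuardedProbe extends Guarded {
        GuardedProbe() { super(false); }
        @Override protected void finalize() { leaked = this; }
    }
    static class HardenedProbe extends Hardened {
        HardenedProbe() { super(false); }
        @Override protected void finalize() { leaked = this; }
    }

    static boolean finalizerRan(Runnable construct) throws InterruptedException {
        leaked = null;
        try { construct.run(); } catch (SecurityException expected) { /* check rejected it */ }
        for (int i = 0; i < 20 && leaked == null; i++) {
            System.gc();
            System.runFinalization();
            Thread.sleep(50);
        }
        return leaked != null;
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("check after Object():  " + finalizerRan(() -> new GuardedProbe()));
        System.out.println("check before Object(): " + finalizerRan(() -> new HardenedProbe()));
    }
}
```

Each line reports whether a finalizer was invoked on an instance whose constructor was rejected by the check. With --finalization=disabled the JVM invokes no finalizers at all, so the placement of the check no longer matters for this particular bypass.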