<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body style="background-color: rgb(255, 255, 255); color: rgb(0, 0,
0);" bgcolor="#FFFFFF" text="#000000">
<br>
<div class="moz-cite-prefix">On 07/28/2014 03:34 PM, David M. Lloyd
wrote:<br>
</div>
<blockquote cite="mid:53D65149.8030504@redhat.com" type="cite"><!--[if !IE]><DIV style="border-left: 2px solid #009900; border-right: 2px solid #009900; padding: 0px 15px; margin: 2px 0px;"><![endif]-->On
07/24/2014 04:17 AM, Tom Hawtin wrote:
<br>
<blockquote type="cite" style="color: #000000;"><!--[if !IE]><DIV style="border-left: 2px solid #009900; border-right: 2px solid #009900; padding: 0px 15px; margin: 2px 0px;"><![endif]-->On
23/07/2014 14:40, David M. Lloyd wrote:
<br>
<blockquote type="cite" style="color: #000000;"><!--[if !IE]><DIV style="border-left: 2px solid #009900; border-right: 2px solid #009900; padding: 0px 15px; margin: 2px 0px;"><![endif]-->On
07/23/2014 07:07 AM, Tom Hawtin wrote:
<br>
<blockquote type="cite" style="color: #000000;"><!--[if !IE]><DIV style="border-left: 2px solid #009900; border-right: 2px solid #009900; padding: 0px 15px; margin: 2px 0px;"><![endif]-->On
23/07/2014 05:26, David M. Lloyd wrote:
<br>
<!--[if !IE]></DIV><![endif]--></blockquote>
<!--[if !IE]></DIV><![endif]--></blockquote>
<br>
<blockquote type="cite" style="color: #000000;"><!--[if !IE]><DIV style="border-left: 2px solid #009900; border-right: 2px solid #009900; padding: 0px 15px; margin: 2px 0px;"><![endif]-->
<blockquote type="cite" style="color: #000000;"><!--[if !IE]><DIV style="border-left: 2px solid #009900; border-right: 2px solid #009900; padding: 0px 15px; margin: 2px 0px;"><![endif]-->
<blockquote type="cite" style="color: #000000;"><!--[if !IE]><DIV style="border-left: 2px solid #009900; border-right: 2px solid #009900; padding: 0px 15px; margin: 2px 0px;"><![endif]-->•
Always have static initialization blocks be privileged
(this does
<br>
require users to be cognizant of this fact when writing
static blocks)
<br>
<!--[if !IE]></DIV><![endif]--></blockquote>
<br>
If we were following "secure by default", this would break
it. It turns
<br>
out having a static initialiser run with an unprivileged acc
highlights
<br>
code that is doing something naughty.
<br>
<!--[if !IE]></DIV><![endif]--></blockquote>
<br>
I thought this mindset might dominate, which is unfortunate.
In
<br>
practice, it is far better for code to be predictable,
concise, and
<br>
clear. It does not really make any sense to have random
security
<br>
contexts in place and then call it "secure"; it makes more
sense to just
<br>
tell people "hey your static initializers are privileged".
<br>
<!--[if !IE]></DIV><![endif]--></blockquote>
<br>
I'm not suggesting that the random context is a good design.
("Random"
<br>
in the sense that an adversary can often arrange for a trusted
context
<br>
when the code expects typical untrusted.) Years ago I suggested
the same
<br>
thing. I'm glad that it was rejected due to subsequent
experience and a
<br>
bit of reflection.
<br>
<!--[if !IE]></DIV><![endif]--></blockquote>
<br>
Logically speaking there is no weakness here though.
<br>
<br>
In order to do privileged things (in static init), you must use a
privileged block. You must always assume that the context is
random (because it is). Thus static blocks are already using
privileged blocks.<!--[if !IE]></DIV><![endif]--></blockquote>
<br>
But what to do if you don't want to do privileged things and play
safe. Would the following help?<br>
<br>
<pre>
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;

public class SomeClass {
    static {
        // Run the initializer under a context whose only domain has no
        // CodeSource and no permissions, so nothing is granted inside it,
        // whatever the caller that triggered class initialization holds.
        AccessController.doPrivileged(
            (PrivilegedAction&lt;Void&gt;) () -&gt; { unprivilegedInit(); return null; },
            new AccessControlContext(new ProtectionDomain[] {
                new ProtectionDomain(null, null) })
        );
    }

    private static void unprivilegedInit() {
        // ...
    }

    // ...
}
</pre>
<br>
<br>
I guess the majority of static initializers don't do privileged
things so they should not be privileged by default. I suspect it
would be better for static initializers to behave like the above
code - the contrary to what David would like them to be...<br>
<br>
<br>
Regards, Peter<br>
<br>
<blockquote cite="mid:53D65149.8030504@redhat.com" type="cite"><!--[if !IE]><DIV style="border-left: 2px solid #009900; border-right: 2px solid #009900; padding: 0px 15px; margin: 2px 0px;"><![endif]-->There
is no meaningful way (in a static init) to test that a caller has
permission to cause a class to initialize. Therefore every
privileged block is superfluous and wasteful. There is no
logically provable benefit to requiring the privileged block on
static init - only superstition. There is no attack vector here
that is not already here.
<br>
<!--[if !IE]></DIV><![endif]--></blockquote>
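Added example, not part of this thread or of the JDK: a small Java program that puts the pattern in Peter's snippet into runnable form. It assumes a JDK in which the Security Manager architecture is still functional (JDK 8 through 23) and the JDK's default policy file, which grants every code source read access to the "java.version" system property. It shows that a permission check which passes in an ordinary context is denied inside an AccessControlContext built from a permission-less ProtectionDomain, and that a static initializer triggered from inside such a context observes the restricted context while an identical initializer triggered from main does not. The class and member names (RestrictedInitDemo, NO_PERMISSIONS, runUnprivileged, the two nested classes) are my own.<br>

```java
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.util.PropertyPermission;

public class RestrictedInitDemo {

    // A context built from one ProtectionDomain with no CodeSource and no
    // permissions. Code run under it is granted nothing, because the
    // effective permissions are the intersection of every domain involved.
    static final AccessControlContext NO_PERMISSIONS = new AccessControlContext(
            new ProtectionDomain[] { new ProtectionDomain(null, null) });

    // Reading "java.version" is granted to all code by the JDK's default
    // policy file, so this check passes in an ordinary context and fails
    // only when a permission-less domain is on the stack or inherited.
    static boolean canReadJavaVersion() {
        try {
            AccessController.checkPermission(
                    new PropertyPermission("java.version", "read"));
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    // Runs an action under NO_PERMISSIONS (assumed helper name): the same
    // shape as the doPrivileged call in the static block discussed above.
    static <T> T runUnprivileged(PrivilegedAction<T> action) {
        return AccessController.doPrivileged(action, NO_PERMISSIONS);
    }

    // Two identical classes whose static initializers record whether the
    // check passed. Each is initialized exactly once, in the context of
    // whichever caller happens to trigger it first.
    static class InitFromRestrictedCaller {
        static final boolean INIT_HAD_PERMISSION = canReadJavaVersion();
    }

    static class InitFromOrdinaryCaller {
        static final boolean INIT_HAD_PERMISSION = canReadJavaVersion();
    }

    public static void main(String[] args) {
        System.out.println("ordinary context:   " + canReadJavaVersion());
        System.out.println("restricted context: " + runUnprivileged(
                (PrivilegedAction<Boolean>) RestrictedInitDemo::canReadJavaVersion));

        // First use of InitFromRestrictedCaller happens inside the restricted
        // context, so its static initializer runs with no permissions.
        boolean restricted = runUnprivileged((PrivilegedAction<Boolean>) () ->
                InitFromRestrictedCaller.INIT_HAD_PERMISSION);
        // First use of InitFromOrdinaryCaller happens from main, so its
        // static initializer runs with whatever main's domain is granted.
        boolean ordinary = InitFromOrdinaryCaller.INIT_HAD_PERMISSION;

        System.out.println("initializer triggered under restriction: " + restricted);
        System.out.println("initializer triggered from main:         " + ordinary);
    }
}
```

Compile and run it with <tt>javac RestrictedInitDemo.java &amp;&amp; java RestrictedInitDemo</tt>. The first pair of lines shows the check granted in the ordinary context and denied under NO_PERMISSIONS; the second pair shows the same initializer code getting different answers depending only on which caller triggered class initialization. That is the "random" context the quoted messages argue about, and it is why an initializer that must not rely on the caller's permissions has to pin its own context explicitly, as the static block above does.<br>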
<br>
</body>
</html>