Berin Loritsch wrote:
Peter Donald wrote:
On Tue, 4 Dec 2001 08:37, Berin Loritsch wrote:
The ComponentValidator code has been fixed yet again. Its real home
belongs in Framework, and I propose to move it to Framework in the
following package:
org.apache.avalon.framework.component.ComponentValidator
This tool is used to verify the contracts of a Component's life cycle.
It is invaluable for development. Do not vote in the negative if you just
want to be a PITA, or if you will not use it. Vote in the negative if
there is some stronger architectural or design issue at stake.
-1
It encourages bad practices - as exhibited by your dangerous fantasy
that this will somehow make the application more secure.
I want you to understand exactly the type of attack that this Component
protects against with minimal overhead:
// in BadComponent:
public void compose( ComponentManager m ) throws ComponentException
{
    // Look up another component through the manager we were handed,
    // then call compose() on it a second time with a different manager.
    VulnerableComponent component = (VulnerableComponent) m.lookup(
        VulnerableComponent.ROLE );
    if ( component instanceof Composable )
    {
        Composable composable = (Composable) component;
        composable.compose( m_evilComponentManager );
    }
}
As you can see, a vulnerable component will not make any rudimentary checks
to see if it has already been Composed, or if it has been hijacked during
initialization. Therefore, it will allow this:
// in VulnerableComponent:
public void compose( ComponentManager m ) throws ComponentException
{
    // No check that compose() has already run, so a second call
    // silently replaces both references resolved the first time.
    m_manager = m;
    m_criticalComponent = (CriticalComponent) m_manager.lookup(
        CriticalComponent.ROLE );
}
Thus overwriting the reference to the critical component. All future uses of
that component will be sent to BadComponent's m_evilComponentManager. For
components that lookup what they need as they use it, it has the same effect.

Validating lifecycle is absolutely critical in an environment where Components
are pluggable and dynamically loaded. Should it replace other basic tenets of
security like never loading a Component you don't know? Never. However, such an
approach *minimizes* the number of things a malicious Component can do if it
somehow gets itself loaded in the environment. It is very much analogous to
UNIX file permissions in that they are not in and of themselves security,
however they help to minimize damage once security is breached.
--
"They that give up essential liberty to obtain a little temporary safety
deserve neither liberty nor safety."
- Benjamin Franklin
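An added example, not code from this thread or from Avalon, of the rudimentary check Berin describes: a Composable that treats compose() as a one-shot lifecycle stage and refuses a second call, so a later caller cannot swap in another ComponentManager. The Component, ComponentManager, ComponentException and Composable types are minimal stand-ins for the Avalon Framework 4 interfaces so the file compiles without the Avalon jar; GuardedComponent, MapComponentManager and LifecycleGuardDemo are invented names.

```java
import java.util.HashMap;
import java.util.Map;
// Minimal stand-ins for the Avalon Framework 4 interfaces (not the real ones).
interface Component {}
class ComponentException extends Exception { ComponentException(String m) { super(m); } }
interface ComponentManager { Component lookup(String role) throws ComponentException; }
interface Composable extends Component { void compose(ComponentManager m) throws ComponentException; }
class CriticalComponent implements Component {
    static final String ROLE = "CriticalComponent";
    final String label;
    CriticalComponent(String label) { this.label = label; }
}
// Map-backed manager standing in for whatever ComponentManager a caller passes in.
class MapComponentManager implements ComponentManager {
    private final Map<String, Component> roles = new HashMap<>();
    MapComponentManager put(String role, Component c) { roles.put(role, c); return this; }
    public Component lookup(String role) throws ComponentException {
        Component c = roles.get(role);
        if (c == null) throw new ComponentException("no component for role " + role);
        return c;
    }
}
// The thread's VulnerableComponent with the one-shot compose() check added.
class GuardedComponent implements Composable {
    private ComponentManager m_manager;
    private CriticalComponent m_criticalComponent;
    public synchronized void compose(ComponentManager m) throws ComponentException {
        // compose() is a single lifecycle stage: a second call means something other
        // than the container is trying to re-wire us, so refuse instead of overwriting.
        if (m_manager != null) throw new IllegalStateException("compose() called twice");
        m_manager = m;
        m_criticalComponent = (CriticalComponent) m_manager.lookup(CriticalComponent.ROLE);
    }
    CriticalComponent critical() { return m_criticalComponent; }
}
public class LifecycleGuardDemo {
    public static void main(String[] args) throws ComponentException {
        ComponentManager real = new MapComponentManager().put(CriticalComponent.ROLE, new CriticalComponent("real"));
        ComponentManager other = new MapComponentManager().put(CriticalComponent.ROLE, new CriticalComponent("other"));
        GuardedComponent c = new GuardedComponent();
        c.compose(real);                       // the container's legitimate call
        try {
            c.compose(other);                  // a second compose(), as in the thread
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("still wired to: " + c.critical().label);  // the first reference survives
    }
}
```

The same state flag is what a lifecycle validator can assert on from the outside; the component-level check is the cheap, always-on version of it.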