How does Stack Inspection work?
Problem
This is a precursor to my other, more advanced question about Stack Inspection.
Stack Inspection is a security mechanism introduced in the JVM to deal with running code originating from locations having different levels of trust. This question aims at finding a simple description of its functionality. So:
How does stack inspection work?
Solution
See
From the paper:
... The stack inspection algorithm used in current Java systems
can be thought of as a generalization of the following simple
stack inspection model:
In this model, the only principals are “system” and “untrusted”. Likewise,
the only privilege available is “full.” This model
resembles the stack inspection system used internally in
Netscape Navigator 3.0.
In this model, every stack frame is labeled with a principal
(“system” if the frame is executing code that is part of
the virtual machine or its built-in libraries, and “untrusted”
otherwise), and contains a privilege flag which may be set
by a system class which chooses to “enable its privileges,”
explicitly stating that it wants to do something dangerous.
An untrusted class cannot set its privilege flag. When a
stack frame exits, its privilege flag (if any) automatically
disappears.
All procedures about to perform a dangerous operation
such as accessing the file system or network first apply a
stack inspection algorithm to decide whether access is allowed.
The stack inspection algorithm searches the frames
on the caller’s stack in sequence, from newest to oldest.
The search terminates, allowing access, upon finding a
stack frame with a privilege flag. The search also terminates,
forbidding access and throwing an exception, upon
finding an untrusted stack frame (which could never have
gotten a privilege flag). ...
- "Understanding Java Stack Inspection" by D. S. Wallach and E. W. Felten (1998)
- and the book "Securing Java" (in particular chapter three also available online)
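The simple model quoted above can be run end to end as a small simulation. The following is an added example, not code from the paper or from the JVM: it models a call stack whose frames carry a principal ("system" or "untrusted") and a privilege flag, lets only system frames set that flag, drops the flag when the frame exits, and walks the stack newest-to-oldest exactly as the quoted text describes. One point the quote leaves open is a stack made only of unprivileged system frames; the example assumes such a stack is trusted and allows access, and that assumption is marked in the code.

```python
from contextlib import contextmanager
from dataclasses import dataclass
from typing import Dict, Iterator, List

SYSTEM = "system"
UNTRUSTED = "untrusted"


class AccessDenied(Exception):
    """Raised when untrusted code tries to enable privileges."""


@dataclass
class Frame:
    principal: str          # "system" or "untrusted"
    privileged: bool = False  # the privilege flag from the simple model


class CallStack:
    """Simulated call stack: index 0 is the oldest frame, the last entry the newest."""

    def __init__(self) -> None:
        self.frames: List[Frame] = []

    @contextmanager
    def call(self, principal: str) -> Iterator[Frame]:
        """Push a frame for the duration of a simulated call; pop it on exit."""
        frame = Frame(principal)
        self.frames.append(frame)
        try:
            yield frame
        finally:
            self.frames.pop()  # the privilege flag disappears with the frame

    def enable_privileges(self) -> None:
        """Only a system frame may set its own privilege flag."""
        frame = self.frames[-1]
        if frame.principal != SYSTEM:
            raise AccessDenied("untrusted code cannot enable privileges")
        frame.privileged = True

    def check_permission(self) -> bool:
        """Walk the stack newest-to-oldest; first flag wins, first untrusted frame loses."""
        for frame in reversed(self.frames):
            if frame.privileged:
                return True
            if frame.principal == UNTRUSTED:
                return False
        # Assumption (not stated in the quoted model): a stack consisting only of
        # unprivileged system frames is trusted, so access is allowed.
        return True


def run_scenarios() -> Dict[str, bool]:
    """Constructed call sequences exercising each rule of the simple model."""
    results: Dict[str, bool] = {}
    stack = CallStack()

    # 1. Untrusted code calls a system file API directly: the search passes the
    #    unprivileged system frame and then hits the untrusted frame -> denied.
    with stack.call(UNTRUSTED):
        with stack.call(SYSTEM):            # e.g. the file-open routine
            results["direct_untrusted_call"] = stack.check_permission()

    # 2. A system library enables its privileges before calling the file API on
    #    behalf of untrusted code: the flag is found before the untrusted frame.
    with stack.call(UNTRUSTED):
        with stack.call(SYSTEM):            # system library taking responsibility
            stack.enable_privileges()
            with stack.call(SYSTEM):        # the file-open routine
                results["privileged_deputy"] = stack.check_permission()

    # 3. Untrusted code cannot set its own privilege flag.
    with stack.call(UNTRUSTED):
        try:
            stack.enable_privileges()
            results["untrusted_enable_rejected"] = False
        except AccessDenied:
            results["untrusted_enable_rejected"] = True

    # 4. The flag vanishes once the frame that set it has returned.
    with stack.call(UNTRUSTED):
        with stack.call(SYSTEM):
            stack.enable_privileges()       # flag set, then the frame exits
        with stack.call(SYSTEM):            # a later, unprivileged system call
            results["flag_gone_after_return"] = stack.check_permission()

    # 5. Only system frames on the stack (see assumption in check_permission).
    with stack.call(SYSTEM):
        with stack.call(SYSTEM):
            results["all_system"] = stack.check_permission()

    return results


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

Scenario 2 is the interesting one from a design standpoint: the system library, not the untrusted caller, decides to take responsibility for the dangerous operation, and because the flag is looked up on the live stack and dies with the frame, the grant cannot outlive the call that made it (scenario 4).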
Context
StackExchange Computer Science Q#796, answer score: 7