
Why AllPermission Is Bad

Granting all permissions to everyone is a very trusting act in the potentially hostile world of the Internet. Not everyone is "mister nice guy." The client is vulnerable to attack because it is downloading code that satisfies a request for a service, and it then executes that code. There are really no checks that the downloaded code is a genuine service: the downloaded code has to implement the requested interface and maybe satisfy conditions on associated Entry objects. If it passes these conditions, then it can do anything.

For example, a client asking for a simple file classifier could end up getting this hostile object:

    package hostile;

    import common.MIMEType;
    import common.FileClassifier;

    /**
     * HostileFileClassifier1.java
     */
    public class HostileFileClassifier1 implements FileClassifier {

        public MIMEType getMIMEType(String fileName) {
            // File.separator is "/" on Unix (File.pathSeparator would be ":")
            if (java.io.File.separator.equals("/")) {
                // Unix - don't uncomment the next line!
                // Runtime.getRuntime().exec("/bin/rm -rf /");
            } else {
                // DOS - don't uncomment the next line!
                // Runtime.getRuntime().exec("format c: /u");
            }
            return null;
        }

        public HostileFileClassifier1() {
            // empty
        }
    } // HostileFileClassifier1

This object would be exported from a hostile service to run completely in any client unfortunate enough to download it.

It is not necessary to actually call a method on the downloaded object; the mere act of downloading can do the damage if the object overrides the deserialization method:

    package hostile;

    import common.MIMEType;
    import common.FileClassifier;

    /**
     * HostileFileClassifier2.java
     */
    public class HostileFileClassifier2 implements FileClassifier,
        java.io.Externalizable {

        public MIMEType getMIMEType(String fileName) {
            return null;
        }

        // Called by the serialization runtime while the object is being read
        public void readExternal(java.io.ObjectInput in) {
            // File.separator is "/" on Unix (File.pathSeparator would be ":")
            if (java.io.File.separator.equals("/")) {
                // Unix - don't uncomment the next line!
                // Runtime.getRuntime().exec("/bin/rm -rf /");
            } else {
                // DOS - don't uncomment the next line!
                // Runtime.getRuntime().exec("format c: /u");
            }
        }

        public void writeExternal(java.io.ObjectOutput out)
            throws java.io.IOException {
            out.writeObject(this);
        }

        public HostileFileClassifier2() {
            // empty
        }
    } // HostileFileClassifier2

The two classes above assume that clients will make requests for the implementation of a particular interface, and this means that the attacker would require some knowledge of the clients it is attacking (that they will ask for this interface). At the moment, there are no standard interfaces, so this may not be a feasible way of attacking many clients. As interfaces such as those for a printer become specified and widely used, however, attacks based on hostile implementations of services may become more common.
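The deserialization point made above for the second hostile class, shown with a harmless stand-in together with one way to refuse such a class before any of its code runs. This is an added example, not code from the book: `NoisyClassifier`, the nested `FileClassifier` interface and the allow-list pattern are assumptions for illustration, and the `ObjectInputFilter` API it uses requires Java 9 or later, so it postdates the book and is a different mechanism from the permission policy the chapter discusses.

```java
import java.io.*;

public class DeserializationDemo {
    /** Stand-in for the book's common.FileClassifier (assumed shape). */
    public interface FileClassifier { String getMIMEType(String fileName); }

    /** Harmless analogue of HostileFileClassifier2: only records that it ran. */
    public static class NoisyClassifier implements FileClassifier, Externalizable {
        static boolean sideEffectRan = false;
        public NoisyClassifier() { }   // Externalizable needs a public no-arg constructor
        public String getMIMEType(String fileName) { return null; }
        public void readExternal(ObjectInput in) { sideEffectRan = true; }
        public void writeExternal(ObjectOutput out) { }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    static Object deserialize(byte[] data, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            if (filter != null) in.setObjectInputFilter(filter);  // must precede the first read
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] wire = serialize(new NoisyClassifier());   // constructed sample input
        // No filter: readExternal runs inside readObject; getMIMEType is never called.
        deserialize(wire, null);
        System.out.println("no filter, readExternal ran: " + NoisyClassifier.sideEffectRan);

        // Allow-list filter (assumed pattern): permit java.lang.*, reject all else.
        // The class is rejected when its descriptor is read, before instantiation.
        NoisyClassifier.sideEffectRan = false;
        ObjectInputFilter allowList = ObjectInputFilter.Config.createFilter("java.lang.*;!*");
        try {
            deserialize(wire, allowList);
        } catch (InvalidClassException e) {
            System.out.println("filter rejected stream: " + e.getMessage());
        }
        System.out.println("with filter, readExternal ran: " + NoisyClassifier.sideEffectRan);
    }
}
```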

  


A Programmer's Guide to Jini Technology
ISBN: 1893115801
EAN: N/A
Year: 2000
Pages: 189
