8.8 ProtectionDomain Inheritance

A potential problem that could arise with the basic access-control model as described in Section 8.6 on page 267 is that when a Java program creates a new java.lang.Thread object, the child thread could become more privileged than its parent thread. As each new thread creates a new runtime stack, it would be a serious problem if the ProtectionDomains on the stack of the parent thread were not present on the new thread's stack. Important ProtectionDomain information would no longer be available when an AccessController.checkPermission() operation is performed, giving new threads more Permissions than the threads that created them. Malicious programs could therefore bypass the security restrictions by simply creating new threads.

In fact, the Permission set granted to a thread is obtained by intersecting the sets of the Permissions implied by the ProtectionDomains traversed by the thread itself. Therefore, if a newly created thread's stack did not contain the parent thread's ProtectionDomains, the child thread could be granted more Permissions than its parent, because the set of the Permissions granted to it would be obtained by intersecting fewer ProtectionDomains.

To correct this potential loss of security information, the ProtectionDomain objects of the parent thread are attached to any child thread that is created. This process, called ProtectionDomain inheritance, is shown in Figure 8.18. With ProtectionDomain inheritance, unless a doPrivileged() operation is performed in the child thread, the parent thread's ProtectionDomain objects are also checked during an AccessController.checkPermission() operation.

Figure 8.18. ProtectionDomain Inheritance
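The following program is an added example, not code from the book, that makes the inheritance rule observable. The parent thread runs a doPrivileged() with a context that holds one constructed, permission-less ProtectionDomain (the names InheritanceDemo, RESTRICTED and canReadUserHome are this example's own). A child thread created inside that region inherits the restricted context, so its checkPermission() fails even though no frame on its own stack belongs to the restricted domain; a doPrivileged() in the child cuts off the inherited context and the check succeeds. It assumes a SecurityManager can still be installed (on JDK 18 to 23 this requires running with -Djava.security.manager=allow) and the default policy, which grants reading the user.home property.

```java
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Permissions;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.util.PropertyPermission;

public class InheritanceDemo {

    // Constructed for this example: a ProtectionDomain with no CodeSource
    // location and an empty Permissions collection, so it implies nothing.
    static final ProtectionDomain RESTRICTED = new ProtectionDomain(
            new CodeSource(null, (Certificate[]) null), new Permissions());

    // Returns true if the current access-control context (stack domains plus
    // any inherited context) permits reading the "user.home" system property.
    static boolean canReadUserHome() {
        try {
            AccessController.checkPermission(
                    new PropertyPermission("user.home", "read"));
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    public static void main(String[] args) throws InterruptedException {
        // Without a SecurityManager, checkPermission() is never enforced.
        System.setSecurityManager(new SecurityManager());

        AccessControlContext restricted =
                new AccessControlContext(new ProtectionDomain[] { RESTRICTED });

        final boolean[] result = new boolean[3];

        // Parent thread: enter a doPrivileged region whose context includes
        // RESTRICTED. The intersection of domains now contains a domain that
        // grants nothing, so the check fails here.
        AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
            result[0] = canReadUserHome();

            // Thread construction captures AccessController.getContext() of the
            // creating thread (RESTRICTED included) as the inherited context.
            Thread child = new Thread(() -> {
                // Child stack has no RESTRICTED frame, yet the inherited
                // parent context is consulted, so this also fails.
                result[1] = canReadUserHome();

                // doPrivileged() in the child stops the inherited context from
                // being considered; only the child's own stack domains count.
                result[2] = AccessController.doPrivileged(
                        (PrivilegedAction<Boolean>) InheritanceDemo::canReadUserHome);
            });
            child.start();
            try {
                child.join();
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
            }
            return null;
        }, restricted);

        System.out.println("parent inside restricted region : " + result[0]);
        System.out.println("child, inherited context        : " + result[1]);
        System.out.println("child, after doPrivileged()     : " + result[2]);
    }
}
```

The three printed values are expected to be false, false and true: the second line is the inheritance at work (a thread spawned from a restricted region cannot escape it by virtue of having a fresh stack), and the third shows that the escape hatch the text mentions is an explicit doPrivileged() in the child, which is exactly the call a reviewer should look for when auditing thread-spawning code under a SecurityManager.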