
#66 prevent backtrace revealing private information

Category: Need_for_security
Status: open
Priority: 7
Created: 2005-05-30
Updated: 2005-05-30
Private: No

The universal scope also allows applications to create
a stack trace, for debugging purposes. Such a
backtrace would not reveal the value of internal
variables of other stack frames, but could potentially
reveal information present at the site of the
exception. For example, an inner confined object could
throw an exception containing a capability that was
confined (e.g., a private key or database), through an
intermediate caller, to a colluding outer object, thus
breaking confinement. Also, the depth of the execution
stack is visible, which could pose a risk in certain
scenarios: for instance, consider trusted code
containing a recursive function whose level of
recursion depends on some sensitive data (e.g., a
secret cryptographic key), and suppose the recursive
function is called with arguments that induce it to hit
an error condition and throw an exception from deep
within the recursion. In such a case, the caller might
be able to learn something about the callee’s secrets
by catching the exception, examining the resulting
stack trace, and recovering the stack depth.
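The two leaks described above, shown in Python rather than E, as an added example that is not part of this bug report or of the E implementation. All names (ConfinedObject, intermediate, run_confined, and so on) are hypothetical, and the "private key" is a constructed stand-in. The first half reproduces both attacks: an inner object smuggles its capability out in an exception field through an honest intermediate caller, and a recursion whose depth depends on a secret lets the catcher read the secret from the traceback length. The second half is a boundary that re-raises a data-only exception from outside the handler, so that neither the object nor the inner stack depth survives the crossing.

```python
import traceback


class ConfinedError(Exception):
    """Exception that (wrongly) carries a confined capability in a field."""

    def __init__(self, capability):
        super().__init__("inner failure")
        self.capability = capability


class SanitizedError(Exception):
    """Boundary exception: carries only a plain string, never an object."""


class ConfinedObject:
    """Hypothetical inner object holding a capability that must not escape."""

    def __init__(self, private_key):
        self._private_key = private_key

    def work(self):
        # The inner object smuggles its capability out inside the exception.
        raise ConfinedError(self._private_key)


def intermediate(inner):
    """Honest intermediate caller that merely propagates whatever is thrown."""
    return inner.work()


def leak_capability(inner):
    """Colluding outer object: catches the exception and takes the capability."""
    try:
        intermediate(inner)
    except ConfinedError as e:
        return e.capability  # confinement broken
    return None


def recurse_on_secret(depth, secret):
    """Trusted code whose recursion depth depends on a secret value."""
    if depth == secret:
        raise ValueError("error condition hit deep in the recursion")
    return recurse_on_secret(depth + 1, secret)


def recover_depth(secret):
    """Attacker recovers the secret from the number of recursive frames."""
    try:
        recurse_on_secret(0, secret)
    except ValueError as e:
        frames = traceback.extract_tb(e.__traceback__)
        # depths 0 .. secret give secret + 1 frames of recurse_on_secret
        return sum(1 for f in frames if f.name == "recurse_on_secret") - 1
    return None


def run_confined(thunk):
    """Boundary: lets only a plain string out of a confined computation."""
    try:
        return thunk()
    except Exception as e:
        message = f"{type(e).__name__}: {e}"  # copy data only, never objects
    # Raised outside the except block, so the new exception has no
    # __context__ pointing back at the original (and its capability),
    # and its traceback begins here rather than inside the recursion.
    raise SanitizedError(message)


def observe_through_boundary(thunk):
    """What a colluding outer object can still see after the boundary."""
    try:
        run_confined(thunk)
    except SanitizedError as e:
        return {
            "capability": getattr(e, "capability", None),
            "context": e.__context__,
            "frames": len(traceback.extract_tb(e.__traceback__)),
        }
    return None


if __name__ == "__main__":
    key = object()  # constructed stand-in for a private key
    print(leak_capability(ConfinedObject(key)) is key)  # True: capability leaked
    print(recover_depth(7))  # 7: secret recovered from stack depth
    seen = observe_through_boundary(ConfinedObject(key).work)
    print(seen["capability"], seen["context"], seen["frames"])  # None None 2
    print(observe_through_boundary(lambda: recurse_on_secret(0, 40))["frames"])  # 2
```

Two details matter in run_confined. The message that crosses the boundary is a string, so the exception that reaches the outer object has only data members, which is the same property the followup below relies on for the Throwable classes E declares safe; the message itself must therefore not embed secrets. And the re-raise happens after the except block has ended, not inside it: in Python, `raise X from None` inside a handler still records the original exception in `__context__`, where a colluding catcher could read the capability back out.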

Followup, 2002-May-29 04:09, markm:

I renamed this from "prevent backtrace revealing
capabilities" to "prevent backtrace revealing private
information". It is already the case that the more
severe bug indicated by the previous title should not
be able to happen from unprivileged code, since E
cannot subclass Java (so unprivileged code cannot make
new subclasses of Throwable), the only Throwable
classes declared safe (Throwable, RuntimeException, and
TwineException) have only data members, and of all the
exceptions that E code can induce Java code to throw,
there are no known cases where the thrown exception
might contain something worse than private information.
If the possibility of such a case is discovered, this
should become a separate bug report.

(Once we have auditors, we will eventually allow E code
to throw a Throwable containing any object that passes
the DeepPassByCopy guard, ie, an object which is
transitively PassByCopy.)

Discussion

  • Mark Samuel Miller
    • assigned_to: nobody --> caplet
