[
Date Prev][
Date Next][
Thread Prev][
Thread Next][
Date Index][
Thread Index]
[
List Home]
Re: [cross-project-issues-dev] (Mirror) security
|
Ed is right that Java/OSGi can check signatures and put several
restrictions based on this (e.g allow to consume/provide services and
such), but this assumes a closed/secured runtime.
If the runtime itself can be modified you are completely out of luck (as
one the simply can disable the check), and even if there is an unknown
signature and eclipse warns/ask if you trust them I suspect 99% of the
users to click the "install anyways" button ...
Am 25.09.20 um 10:10 schrieb Ed Merks:
Denis,
If one has a rogue running process that can write arbitrarily to your
file system (or parts thereof), it could tamper *anything*, so it would
seem that at that point you would have arbitrary security risks even
without an Eclipse IDE. Even Windows doesn't prevent a tampered or
unsigned executable from running. I don't think that Linux even has
signed executables, given there is no signing of such things in the
Tycho builds.
Looking at this search:
https://www.google.com/search?q=java+run+only+signed+jars
and at answers like these:
https://stackoverflow.com/questions/54011270/allow-a-jar-to-run-only-if-it-is-signed
https://stackoverflow.com/questions/34641305/is-it-possible-to-force-jvm-to-check-that-every-jar-must-be-signed
suggests that it's not really so feasible to prevent Java from running
unsigned jars, though I expect from Thomas' answer that OSGi can do
verification with its specialized class loader (though presumably that
has a performance impact).
Running Java with a security manager enabled for the purpose of running
an IDE I think makes zero sense, so generally the IDE can do anything
and can itself be a rogue process (if and when the user installs
arbitrary things from the marketplace).
Even if the jars are verified, I can still personally think of a number
of ways that I could tamper data files used by the IDE that would make
the IDE "do bad things". I'll not outline the possible ways that I can
think of... :-P
I think a fundamental aspect (assumption?) of security is that the
machine itself is secure, sufficiently so that a process that does rogue
things never runs in the first place. Verifying signatures and
checksums ensures that only known content is downloaded and installed in
order to keep the machine secure.
Regards,
Ed
On 24.09.2020 19:53, Denis Roy wrote:
So it's possible for another process to tamper with jars and have
Eclipse run them blindly.
Do we know if that is industry practice?
On 2020-09-24 12:07 p.m., Thomas Watson wrote:
Yes, p2 verifies the signatures and content of the JARs to confirm it
hasn't been tampered with before installing the JAR. At runtime the
verification of JARs is not enabled by default. Otherwise what you
did would have resulted in a runtime exception for the class you changed.
Tom
----- Original message -----
From: Wim Jongman <wim.jongman@xxxxxxxxx>
Sent by: cross-project-issues-dev-bounces@xxxxxxxxxxx
To: Cross project issues <cross-project-issues-dev@xxxxxxxxxxx>
Cc:
Subject: [EXTERNAL] [cross-project-issues-dev] (Mirror) security
Date: Thu, Sep 24, 2020 10:18 AM
Hi,
This is probably a silly question but I was wondering how we
protect the content of jar files as they are being pulled from
mirrors all over the world.
Due to a recent break in the Platform class, I compiled my own
version of the Platform class where I re-added the removed
method. Then I replaced it in the plugins/o.e.c.runtime jar using
7-zip.
This solved my issue but it also made me wonder how this was
protected if some mirror-server user used the same hack to dope
our jars.
I assume this is being done by p2 when downloading the jar files
by comparing some MDA hash?
Please enlighten me.
Cheers,
Wim
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
To unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
To unsubscribe from this list, visithttps://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
--
*Denis Roy*
*Director, IT Services | **Eclipse Foundation, Inc.*
/Eclipse Foundation/ <http://www.eclipse.org/>/: The Platform for Open
Innovation and Collaboration/
Twitter: @droy_eclipse
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
To unsubscribe from this list, visithttps://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev