Don't worry, it's not based on Threads now; that model never did sit
well. It's now based on AccessControlContext caching: a new context must
be checked.
Patricia Shanahan wrote:
Peter Firmstone wrote:
...
The assumption I've made is, it will be very difficult for an
attacker to predict when a thread will access a method on the
delegate, then later, be called by that very same thread, so his
class can call the delegate unchecked. Any thoughts on this? Am I
overlooking something?
...
To win the overall game, a security system needs to block every single
attempt at breaking the rules.
An attacker only needs to have some chance of single try success and a
way of causing repeated attempts until one succeeds. Assuming
independence, an attacker with a probability p of single try success
gets a probability t of at least one success in log(1-t)/log(1-p) tries.
For example, it takes less than 700,000 attempts to get a 50% chance
of at least one attempt succeeding, given a one in a million chance
for a single attempt.
If you can enforce upper bounds on both the number of attempts and the
probability of each attempt succeeding it may be possible to show that
the overall probability of successful attack is low enough to ignore.
Patricia
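The arithmetic in Patricia's reply, written out as an added Python example (not code from the thread): the number of independent tries needed to reach a target overall success probability, and the converse bound on the attacker's overall success probability once the defender caps the number of attempts, as her last paragraph proposes. The function names and the sample figures in the comments are mine.

```python
import math


def tries_for_success_probability(p, t):
    """Smallest number of independent tries n such that
    P(at least one success) = 1 - (1 - p) ** n >= t.

    Solving for n gives n >= log(1 - t) / log(1 - p), the expression
    in the reply.  log1p keeps the result accurate when p is tiny,
    where 1 - p would lose precision as a plain float.
    """
    if not (0 < p < 1) or not (0 < t < 1):
        raise ValueError("p and t must lie strictly between 0 and 1")
    return math.ceil(math.log1p(-t) / math.log1p(-p))


def overall_success_probability(p, max_tries):
    """Overall probability of at least one success when each try
    succeeds independently with probability p and the defender
    enforces a hard cap of max_tries attempts.

    This is the bound the reply suggests: cap both p and the number
    of attempts, then check the product stays negligible.
    1 - (1 - p) ** n is computed as -expm1(n * log1p(-p)) for stability.
    """
    if not (0 < p < 1) or max_tries < 0:
        raise ValueError("p must lie in (0, 1) and max_tries must be >= 0")
    return -math.expm1(max_tries * math.log1p(-p))


if __name__ == "__main__":
    # One-in-a-million per try, 50% target: just under 700,000 tries,
    # matching the figure quoted in the reply.
    print(tries_for_success_probability(1e-6, 0.5))
    # Same per-try odds, but attempts capped at 100 (constructed cap):
    # the overall probability stays around 1e-4.
    print(overall_success_probability(1e-6, 100))
```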