On 09/29/2010 03:05 PM, Zoltan Juhasz wrote:
> object has something nasty executing within the readObject() method,
> it's too late to do anything. We had made experiments putting an infinite
> loop into an object's default constructor (I think) and you got a 100% CPU
> load at the service side before even knowing what the object was.
Zoltan, this is exactly the problem with downloading code. Downloading
code is only feasible for parties with strong trust relations.
When you execute code from another party you become responsible for the
actions of that code. You can limit the freedom of this code through the
use of policies.
Your example of the loop is one example of where we are missing a
policy option. The amount of CPU a thread can use and the amount of
memory a thread can allocate are unlimited.
So basically you can only execute code from sources you trust. Sandbox
or no sandbox.
> We had the
> solution to use certificates and only accept service invocations from
> trusted parties but this is very difficult to enforce over the Internet. (or
> you have to constrain the system to a specific task that is only used by a
> closed group via the Internet).
Exactly. A closed user group is a group with a collective trust structure.
I'm not convinced the establishment of trust is impossible over the
Internet. PGP is successful, HTTPS is successful, although very
fragile. So let's define our new trust structure.
Gr. Sim
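The point in the quoted exchange (once a downloaded class's readObject() runs, the receiver has already lost control) can be shown with a small Java program. This is an added example written for this page, not code from Zoltan, Sim or the River project; the class names Nasty, AllowListInputStream and DeserializationTrust are invented for illustration, and the "nasty" behaviour is reduced to setting a flag so the program terminates. The second half shows the one check that does come early enough: overriding ObjectInputStream.resolveClass() to refuse any class not on an allow-list, which fires when the class descriptor is read, before the object is instantiated and before its readObject() can execute.

```java
import java.io.*;
import java.util.Set;

// Constructed stand-in for the object Zoltan describes: a Serializable class
// whose readObject() does work the moment the stream is read. A real attacker
// would spin forever or allocate until OutOfMemoryError; here we only set a
// flag so the example finishes.
class Nasty implements Serializable {
    private static final long serialVersionUID = 1L;
    static volatile boolean ran = false;

    private void readObject(ObjectInputStream in)
            throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        ran = true;   // stands in for "100% CPU before the receiver knows the type"
    }
}

// Receiver-side check that runs before instantiation: resolveClass() is called
// when the class descriptor is read, so rejecting here means the class is
// never loaded into the object graph and its readObject() never runs.
class AllowListInputStream extends ObjectInputStream {
    private final Set<String> allowed;

    AllowListInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = allowed;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        if (!allowed.contains(desc.getName())) {
            throw new InvalidClassException(desc.getName(), "class not on allow-list");
        }
        return super.resolveClass(desc);
    }
}

public class DeserializationTrust {
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] payload = serialize(new Nasty());   // constructed "downloaded" object

        // 1. Plain ObjectInputStream: Nasty.readObject() executes inside readObject().
        Nasty.ran = false;
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            in.readObject();
        }
        System.out.println("plain stream: Nasty.readObject ran = " + Nasty.ran);

        // 2. Allow-list stream: rejected in resolveClass(), Nasty.readObject() never runs.
        Nasty.ran = false;
        try (ObjectInputStream in = new AllowListInputStream(
                new ByteArrayInputStream(payload), Set.of("java.lang.String"))) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("allow-list stream: rejected " + e.classname);
        }
        System.out.println("allow-list stream: Nasty.readObject ran = " + Nasty.ran);
    }
}
```

On Java 9 and later the same effect is available without subclassing, via ObjectInputStream.setObjectInputFilter() and ObjectInputFilter.Config.createFilter(), which also lets you cap graph depth and array sizes. Note the limit of this check, which is the same limit Sim names above: it decides which classes may be instantiated at all, but once a class is on the allow-list nothing in the JVM stops its readObject() from consuming unbounded CPU or memory, so the allow-list is a statement of trust, not a resource policy.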