Zoltan Juhasz wrote:
Sim,

I think the important danger in Jini is the use of objects. In simple
messaging communication (especially if non-binary), you don't have to worry
about objects. In Jini, any method can take an object as a parameter that
results in serialisation and unmarshalling at the receiver end. When an
object has something nasty executing within the readObject() method,
it's too late to do anything.

This was a big problem in the days of single core, not as bad now. Perhaps we need a software watchdog? Or an easy way to kill and quarantine a misbehaving service? Or an unmarshalling executor thread pool, which passes the object after it has been deserialized.

We had made experiments putting an infinite
loop into an object's default constructor (I think) and you got a 100% CPU
load at the service side before even knowing what the object was. We had the
solution to use certificates and only accept service invocations from
trusted parties but this is very difficult to enforce over the Internet.

I have given this some thought too, perhaps what we need is a web of trust.

Identifying the problems is very important for solutions.

Peter.

(or
you have to constrain the system to a specific task that is only used by a
closed group via the Internet).

Zoltan

=================================
Dr Zoltan Juhasz
Dept of Electrical Engineering and Information Systems
Pannon University (formerly University of Veszprem)
Veszprem, Hungary

-----Original Message-----
From: Sim IJskes - QCG [mailto:[email protected]]
Sent: 29 September 2010 10:50
To: [email protected]
Subject: Re: Towards Internet Jini Services (dos attacks)

On 29-09-10 10:26, Zoltan Juhasz wrote:

> and unmarshalling and object movements may help DoS attacks to happen, etc, etc.

Could you explain the basic difference between RPC and messaging within the context of DOS attacks?

The only difference I see right now, is that RPC mandates an ordered relation between the request- and reply messages. Does this theoretically create an extra opportunity for DOS attacks?

Gr. Sim

--
QCG, Software voor het MKB, 071-5890970, http://www.qcg.nl Quality Consultancy Group b.v., Leiderdorp, Kvk Den Haag: 28088397
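As an added example that is not part of this thread (and not Jini's own code), here is one way to implement the two defences discussed above in plain Java: a Java 9+ ObjectInputFilter that rejects any class outside an allow-list before its constructor or readObject() can execute, and an unmarshalling thread pool with a time budget acting as the software watchdog. The class names (GuardedUnmarshal, Greeting, Unexpected) are hypothetical; Unexpected only records whether its readObject() ever ran.

```java
import java.io.*;
import java.util.Set;
import java.util.concurrent.*;
public class GuardedUnmarshal {
    // Hypothetical legitimate argument type the service expects.
    public static final class Greeting implements Serializable {
        public final String text;
        public Greeting(String text) { this.text = text; }
    }
    // Stand-in for a class we did not expect; records whether its readObject() ever ran.
    public static final class Unexpected implements Serializable {
        static volatile boolean readObjectRan = false;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            readObjectRan = true;
            in.defaultReadObject();
        }
    }
    // Allow-list; java.lang.String is needed because Greeting carries one.
    static final Set<String> ALLOWED = Set.of(Greeting.class.getName(), String.class.getName());
    // Java 9+ ObjectInputFilter: consulted when a class descriptor is resolved,
    // i.e. before any constructor or readObject() of that class can execute.
    static final ObjectInputFilter FILTER = info -> {
        if (info.depth() > 4 || info.references() > 50) return ObjectInputFilter.Status.REJECTED;
        Class<?> c = info.serialClass();
        if (c == null) return ObjectInputFilter.Status.UNDECIDED;          // not a class check
        return ALLOWED.contains(c.getName()) ? ObjectInputFilter.Status.ALLOWED : ObjectInputFilter.Status.REJECTED;
    };
    // The "unmarshalling executor" from the thread: daemon pool plus a time budget per object.
    static final ExecutorService POOL = Executors.newFixedThreadPool(4, r -> {
        Thread t = new Thread(r, "unmarshal"); t.setDaemon(true); return t; });
    public static Object unmarshal(byte[] payload, long timeoutMs) throws Exception {
        Future<Object> f = POOL.submit(() -> {
            try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
                in.setObjectInputFilter(FILTER);
                return in.readObject();
            }
        });
        try { return f.get(timeoutMs, TimeUnit.MILLISECONDS); }
        catch (TimeoutException e) { f.cancel(true); throw e; } // watchdog fired: log/quarantine the sender
    }
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        System.out.println(((Greeting) unmarshal(serialize(new Greeting("hello")), 500)).text);
        try { unmarshal(serialize(new Unexpected()), 500); } catch (ExecutionException e) { System.out.println("rejected: " + e.getCause()); }
        System.out.println("Unexpected.readObject ran: " + Unexpected.readObjectRan); // stays false
    }
}
```

Note that Future.cancel(true) only interrupts; a busy loop that ignores interrupts keeps its thread, so the timeout is the detection point after which the caller should be quarantined, not a guaranteed kill.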
