FAQ? How to prevent a C pgm that knows the RMI protocol from

luskj@us.ibm.com
Tue, 13 Jul 1999 17:59:49 -0400

From: luskj@us.ibm.com
To: java-security@java.sun.com
Date: Tue, 13 Jul 1999 17:59:49 -0400
Subject: FAQ? How to prevent a C pgm that knows the RMI protocol from

Howdy, y'all.

I have a question that must be a FAQ, but I haven't seen it anywhere. Having
read the RMI wire protocol spec, it seems to me that it might be possible for
somebody to write a C program that can talk to a remote RMI server object and
ask it to do Bad Things (e.g., corrupt server data). I can't tell from reading
the RMI spec, but it seems to me that it might close the socket connection to
the client as part of its normal connection management, thereby allowing some
other pgm on the client to re-open it and pretend to be the client.

(I'm assuming that an unexpected socket close (e.g., caused by a malicious user
killing the client while its socket is open and attempting to start a malicious
client on the same TCP connection) will cause the server to terminate the RMI
concrete connection. Good assumption?)

(I'm also assuming that these sorts of shenanigans would be impossible w/a
malicious Java RMI client, so a savvy cracker would have to resort to C (or Java
doing straight socket ops).)

(I'm also assuming the malicious user would have programmatic access to
tcpdump-like functionality, so he could conceivably write a program to sniff out
whatever certificates or signatures the good client is sending and duplicate
them in his malicious client, even if they are generated once per client JVM
process lifetime.)

How is A & A handled between client and server? On every single RMI call, or
just on initialization of the connection?

Would you be so kind as to cc my email address (luskj@us.ibm.com) on your reply?

Thanks!

John.
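
Added example, not part of the original message: plain JRMP carries no authentication of its own, so any program that speaks the wire protocol can invoke an exported object. One mitigation is to export the object over TLS with mandatory client certificates, using the JDK's `javax.rmi.ssl` socket factories (Java 5 and later). The `Ledger` interface, the class names and the port are hypothetical, and the key and trust stores are assumed to be supplied through the standard `javax.net.ssl.keyStore`, `javax.net.ssl.keyStorePassword`, `javax.net.ssl.trustStore` and `javax.net.ssl.trustStorePassword` system properties.

```java
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;
import javax.rmi.ssl.SslRMIClientSocketFactory;
import javax.rmi.ssl.SslRMIServerSocketFactory;

public class TlsRmiServer {
    // Hypothetical remote interface standing in for the server object in the question.
    public interface Ledger extends Remote {
        void post(String entry) throws RemoteException;
    }

    static class LedgerImpl implements Ledger {
        @Override
        public void post(String entry) {
            System.out.println("posted: " + entry);
        }
    }

    // Strong references so the exported object and registry are not garbage collected.
    private static Ledger impl;
    private static Registry registry;

    public static void main(String[] args) throws Exception {
        // The client factory is serialized into the stub, so clients that obtain
        // the stub connect with TLS automatically.
        SslRMIClientSocketFactory csf = new SslRMIClientSocketFactory();
        // null, null = default cipher suites and protocols;
        // true = the handshake fails unless the client presents a trusted certificate.
        SslRMIServerSocketFactory ssf = new SslRMIServerSocketFactory(null, null, true);

        impl = new LedgerImpl();
        // Port 0 lets the runtime choose the object's listening port.
        Ledger stub = (Ledger) UnicastRemoteObject.exportObject(impl, 0, csf, ssf);

        // Protect the registry with the same factories; 1099 is the usual registry port.
        registry = LocateRegistry.createRegistry(1099, csf, ssf);
        registry.rebind("Ledger", stub);
        System.out.println("Ledger exported over TLS with client authentication");
    }
}
```

With this setup the certificate check happens once per TLS connection, during the handshake, and a reopened socket has to complete a new handshake with the client's private key, which sniffed traffic does not reveal. Per-call authorization is not provided by the transport and remains the remote object's job.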