public inbox for mauve-discuss@sourceware.org
* SecurityException throwpoint audit
@ 2005-11-21 16:58 Gary Benson
  2005-11-22 16:27 ` Gary Benson
  2005-11-25  0:02 ` Mark Wielaard
  0 siblings, 2 replies; 9+ messages in thread
From: Gary Benson @ 2005-11-21 16:58 UTC (permalink / raw)
  To: mauve-discuss

Hi all,

I've been trying to work out how to test that permissions are checked
at every point they ought to be.  There's a table of every such point
here:

  http://java.sun.com/j2se/1.4.2/docs/guide/security/permissions.html#PermsAndMethods

Some of these already have tests, but most probably do not.  Before I
start creating tests I'm thinking that we need some way to correlate
mauve tests with the throwpoints on this (and future) lists.

How would people feel if I numbered the throwpoints on the above list
and noted them in their corresponding tests in some easily parsable
form (probably in comments like Tags are already).  That way whether a
throwpoint is tested (and the location of the test) can be found with
a simple grep.

For simplicity I'd probably number the 1.4.2 list from 1-whatever.
Checks added in 1.5 can be added at the end of the list.

It would be convenient if we made a version of the above list
annotated with the throwpoint numbers, but obviously such a thing
could not be distributed.  It should be possible to write a script
that would download and annotate the list for local use.

Does this sound reasonable?

Cheers,
Gary

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: SecurityException throwpoint audit
  2005-11-21 16:58 SecurityException throwpoint audit Gary Benson
@ 2005-11-22 16:27 ` Gary Benson
  2005-11-25  0:02 ` Mark Wielaard
  1 sibling, 0 replies; 9+ messages in thread
From: Gary Benson @ 2005-11-22 16:27 UTC (permalink / raw)
  To: mauve-discuss

[-- Attachment #1: Type: text/plain, Size: 1542 bytes --]

Hi again,

I take it that nobody minds if I start doing this.  The attached
script can be used to create the annotated list of throwpoints so
you can look up IDs I add in comments or whatever.  The script
performs some MD5 checks so you can be sure you're looking at the
same page I am.

Cheers,
Gary

Gary Benson wrote:
> Hi all,
> 
> I've been trying to work out how to test that permissions are
> checked at every point they ought to be.  There's a table of
> every such point here:
> 
>   http://java.sun.com/j2se/1.4.2/docs/guide/security/permissions.html#PermsAndMethods
> 
> Some of these already have tests, but most probably do not.  Before
> I start creating tests I'm thinking that we need some way to
> correlate mauve tests with the throwpoints on this (and future)
> lists.
> 
> How would people feel if I numbered the throwpoints on the above
> list and noted them in their corresponding tests in some easily
> parsable form (probably in comments like Tags are already).  That
> way whether a throwpoint is tested (and the location of the test)
> can be found with a simple grep.
> 
> For simplicity I'd probably number the 1.4.2 list from 1-whatever.
> Checks added in 1.5 can be added at the end of the list.
> 
> It would be convenient if we made a version of the above list
> annotated with the throwpoint numbers, but obviously such a thing
> could not be distributed.  It should be possible to write a script
> that would download and annotate the list for local use.
> 
> Does this sound reasonable?
> 
> Cheers,
> Gary

[-- Attachment #2: get-throwpoints.py --]
[-- Type: text/plain, Size: 3886 bytes --]

#!/usr/bin/env python

# Python 2 only: md5, sgmllib and htmlentitydefs were removed or renamed in Python 3.
import md5
import sgmllib

def escape(data, escape_quote = False):
    data = data.replace("&", "&amp;")
    data = data.replace("<", "&lt;")
    if escape_quote:
        data = data.replace('"', "&quot;")
    return data

class Parser(sgmllib.SGMLParser):
    from htmlentitydefs import entitydefs

    def __init__(self, fp, verbose = False):
        sgmllib.SGMLParser.__init__(self, verbose)
        self.fp = fp

    def reset(self):
        sgmllib.SGMLParser.reset(self)
        self.hashes = md5.new(), md5.new()
        self.passthrough = False
        self.row = None

    def feed(self, data):
        sgmllib.SGMLParser.feed(self, data)
        self.hashes[0].update(data)

    def write(self, data):
        self.fp.write(data)
        self.hashes[1].update(data)

    def digests(self):
        return [hash.hexdigest() for hash in self.hashes]

    # handle passthrough in generic overrides

    def handle_starttag(self, tag, method, attrs):
        sgmllib.SGMLParser.handle_starttag(self, tag, method, attrs)
        if self.passthrough:
            self.__write_tag(tag, attrs)
            
    def unknown_starttag(self, tag, attrs):
        sgmllib.SGMLParser.unknown_starttag(self, tag, attrs)
        if self.passthrough:
            self.__write_tag(tag, attrs)

    def handle_endtag(self, tag, method):
        if self.passthrough:
            self.__write_tag("/" + tag)
        sgmllib.SGMLParser.handle_endtag(self, tag, method)

    def unknown_endtag(self, tag):
        if self.passthrough:
            self.__write_tag("/" + tag)
        sgmllib.SGMLParser.unknown_endtag(self, tag)

    def handle_data(self, data):
        if self.passthrough:
            self.write(data)

    def __write_tag(self, tag, attrs = ()):
        self.write("<%s%s>" % (tag, "".join(
            [' %s="%s"' % (name, escape(value, True))
             for name, value in attrs])))

    # handle everything else in tag-specific overrides

    def start_table(self, attrs):
        for name, value in attrs:
            if name == "summary":
                if value == "methods and the premissions they require":
                    self.passthrough = True
                    self.row = 0
                break
        if self.passthrough:
            self.write("<html>\n  <body>\n    ")

    def end_table(self):
        if self.passthrough:
            self.write("\n  </body>\n</html>\n")
        self.passthrough = False

    def start_tr(self, attrs):
        if self.passthrough:
            if self.row == 29:
                self.passthrough = False
            self.row_tagged = False
        elif self.row == 29:
            self.passthrough = True

    def end_tr(self):
        if self.passthrough:
            self.row += 1

    def start_th(self, attrs):
        if self.passthrough:
            if not self.row_tagged:
                self.write("<th>ID</th>\n      ")
                self.row_tagged = True

    def start_td(self, attrs):
        if self.passthrough:
            if not self.row_tagged:
                self.write("<td>se%03d</td>\n      " % self.row)
                self.row_tagged = True

if __name__ == "__main__":
    import os
    import sys
    import urllib

    version = "1.4.2"
    src = "http://java.sun.com/j2se/" + version \
          + "/docs/guide/security/permissions.html"
    dst = "throwpoints-%s.html" % version
    if os.path.exists(dst):
        print "%s: file exists" % dst
        sys.exit(1)

    parser = Parser(open(dst, "w"))
    parser.feed(urllib.urlopen(src).read())
    parser.close()

    digests = parser.digests()
    if digests[1] == "3c40052647c417dead97068a32f51911":
        status = "PASS"
    elif digests[0] == "c4b9248859682e65ad71788acfc03b78":
        status = "FAIL (processing)"
    else:
        status = "FAIL (input = %s)" % digests[0]
    print "status:", status

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: SecurityException throwpoint audit
  2005-11-21 16:58 SecurityException throwpoint audit Gary Benson
  2005-11-22 16:27 ` Gary Benson
@ 2005-11-25  0:02 ` Mark Wielaard
  2005-11-25 19:30   ` Tom Tromey
  2005-11-28 14:04   ` Gary Benson
  1 sibling, 2 replies; 9+ messages in thread
From: Mark Wielaard @ 2005-11-25  0:02 UTC (permalink / raw)
  To: Gary Benson; +Cc: mauve-discuss

[-- Attachment #1: Type: text/plain, Size: 1695 bytes --]

Hi Gary,

On Mon, 2005-11-21 at 16:58 +0000, Gary Benson wrote:
> I've been trying to work out how to test that permissions are checked
> at every point they ought to be.  There's a table of every such point
> here:
> 
>   http://java.sun.com/j2se/1.4.2/docs/guide/security/permissions.html#PermsAndMethods

I would not trust that list as the definite guide. I just looked for a
random method (which I was just working on for GNU Classpath)
Toolkit.getSystemSelection() and it was not listed.

> Some of these already have tests, but most probably do not.  Before I
> start creating tests I'm thinking that we need some way to correlate
> mauve tests with the throwpoints on this (and future) lists.
> 
> How would people feel if I numbered the throwpoints on the above list
> and noted them in their corresponding tests in some easily parsable
> form (probably in comments like Tags are already).  That way whether a
> throwpoint is tested (and the location of the test) can be found with
> a simple grep.
> 
> For simplicity I'd probably number the 1.4.2 list from 1-whatever.
> Checks added in 1.5 can be added at the end of the list.

I don't really like the numbering. I would propose to actually name the
tests with somewhat meaningful names. Something like
<PermissionClassName>_<ClassName>_<MethodName> for each Permission and
class.method() needing to check for that permission. (example:
AWTPermission_Toolkit_getSystemSelection)

Or maybe have a directory per PermissionClassName.

That is how jacks is set up. It follows the JLS, but it doesn't use the
section numbers, but logical names of the sections that the tests are
for.

Cheers,

Mark

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: SecurityException throwpoint audit
  2005-11-25  0:02 ` Mark Wielaard
@ 2005-11-25 19:30   ` Tom Tromey
  2005-11-28 14:04   ` Gary Benson
  1 sibling, 0 replies; 9+ messages in thread
From: Tom Tromey @ 2005-11-25 19:30 UTC (permalink / raw)
  To: Mark Wielaard; +Cc: Gary Benson, mauve-discuss

>>>>> "Mark" == Mark Wielaard <mark@klomp.org> writes:

Mark> I don't really like the numbering. I would propose to actually name the
Mark> tests with somewhat meaningful names.

Yeah, if there is a way to do this "stably" then I think it would be
preferable.

Tom

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: SecurityException throwpoint audit
  2005-11-25  0:02 ` Mark Wielaard
  2005-11-25 19:30   ` Tom Tromey
@ 2005-11-28 14:04   ` Gary Benson
  1 sibling, 0 replies; 9+ messages in thread
From: Gary Benson @ 2005-11-28 14:04 UTC (permalink / raw)
  To: mauve-discuss

Mark Wielaard wrote:
> On Mon, 2005-11-21 at 16:58 +0000, Gary Benson wrote:
> > I've been trying to work out how to test that permissions are
> > checked at every point they ought to be.  There's a table of every
> > such point here:
> > 
> >   http://java.sun.com/j2se/1.4.2/docs/guide/security/permissions.html#PermsAndMethods
> 
> I would not trust that list as the definite guide. I just looked for
> a random method (which I was just working on for GNU Classpath)
> Toolkit.getSystemSelection() and it was not listed.

Ah, thanks for the warning.

> > How would people feel if I numbered the throwpoints on the above
> > list and noted them in their corresponding tests in some easily
> > parsable form (probably in comments like Tags are already).  That
> > way whether a throwpoint is tested (and the location of the test)
> > can be found with a simple grep.
> > 
> > For simplicity I'd probably number the 1.4.2 list from 1-whatever.
> > Checks added in 1.5 can be added at the end of the list.
> 
> I don't really like the numbering. I would propose to actually name
> the tests with somewhat meaningful names. Something like
> <PermissionClassName>_<ClassName>_<MethodName> for each Permission
> and class.method() needing to check for that permission. (example:
> AWTPermission_Toolkit_getSystemSelection)

Yeah, that's better I suppose, I'll use that.

Cheers,
Gary

^ permalink raw reply	[flat|nested] 9+ messages in thread
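
An added example, not code from this thread or from Mauve: the grep-style correlation Gary proposes, using the <PermissionClassName>_<ClassName>_<MethodName> IDs settled on above. The "// throwpoint: <id>" comment layout, the reference rows and the test file contents are assumptions constructed for illustration.

```python
import re

# Assumption: tests carry "// throwpoint: <id>" comments, where <id> uses the
# <PermissionClassName>_<ClassName>_<MethodName> scheme proposed in the thread.
MARKER = re.compile(r"//\s*throwpoint:\s*(\S+)")


def throwpoint_id(permission, cls, method):
    """Build an ID from unqualified permission and class names."""
    def simple(name):
        return name.rsplit(".", 1)[-1]
    return "%s_%s_%s" % (simple(permission), simple(cls), method)


def scan_tests(sources):
    """Map each throwpoint ID to the sorted test paths that mention it."""
    found = {}
    for path, text in sources.items():
        for tp in MARKER.findall(text):
            found.setdefault(tp, set()).add(path)
    return {tp: sorted(paths) for tp, paths in found.items()}


def audit(reference, sources):
    """Compare a reference list of throwpoints with what the tests cover."""
    expected = {throwpoint_id(*row) for row in reference}
    tested = set(scan_tests(sources))
    return {
        "covered": sorted(expected & tested),
        "missing": sorted(expected - tested),    # listed, but no test yet
        "unlisted": sorted(tested - expected),   # tested, absent from the list
    }


# Constructed sample data (not taken from Sun's table or from Mauve).
REFERENCE = [
    ("java.io.FilePermission", "java.io.FileInputStream", "FileInputStream"),
    ("java.lang.RuntimePermission", "java.lang.System", "exit"),
]
SOURCES = {
    "gnu/testlet/java/io/FileInputStream/security.java":
        "// throwpoint: FilePermission_FileInputStream_FileInputStream\n",
    "gnu/testlet/java/awt/Toolkit/security.java":
        "// throwpoint: AWTPermission_Toolkit_getSystemSelection\n",
}

if __name__ == "__main__":
    for bucket, ids in audit(REFERENCE, SOURCES).items():
        print("%-8s %s" % (bucket, ", ".join(ids) or "-"))
```

The "unlisted" bucket is where a throwpoint such as Toolkit.getSystemSelection(), which Mark found missing from the published table, would show up once a test names it.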

* Re: SecurityException throwpoint audit
  2006-05-24 12:53   ` Olli Vertanen
@ 2006-06-02 11:55     ` Gary Benson
  0 siblings, 0 replies; 9+ messages in thread
From: Gary Benson @ 2006-06-02 11:55 UTC (permalink / raw)
  To: mauve-discuss, classpath

Hi Olli,

Sorry for the slow response: I've not been too well this week.

There's no driver for running just the throwpoint checks, or just
the security-sensitive checks (though pretty much anything can be
security-sensitive).  The easiest way to do it would be I guess
to tag the relevant tests with a "throwpoint" or "security" tag
and use the existing tags mechanism to run them.  A tag for these
tests is long overdue actually.  Actually, most of the tests I've
written have no tags at all, which I think is wrong.  Perhaps
someone can enlighten me here.

Expected exceptions are checked: it all happens in the calls to
sm.checkAllChecked().

And I fixed the report page -- the machine that generated them had
a disk crash a week or so ago, and something got locked up somewhere.

Cheers,
Gary

Olli Vertanen wrote:
> Gary,
> 
> Thanks for your reply!
> 
> So throwpoint checks are in these security.java testlets under
> various directories? Do you have a driver that could run just the
> security tests and nothing else? If not, what would be the best strategy
> to implement one?
> 
> I can try to write some tests, but your report list seems to be a
> bit broken right now. I'm interested in the security manager and the
> access controller.
> 
> You seem to check unexpected exceptions (I looked at
> FileInputStream/security.java) but what about checking that
> expected exceptions are thrown?
> 
> Olli
> 
> > Hi Olli,
> >
> > Yeah, I'm working on it, slowly but surely.  Currently the
> > only information online is the automatic status page at
> > http://people.redhat.com/gbenson/throwpoint-report.html.
> > I have some stuff I wrote the other day for Tom Tromey
> > and Anthony Green which I'm tidying up for the wiki but
> > I've attached it below in case you're interested.
> >
> > Cheers,
> > Gary
> >
> > ----- Forwarded message from Gary Benson -----
> > Date: Mon, 15 May 2006 16:51:31 +0100
> > From: Gary Benson <gbenson@redhat.com>
> > To: Tom Tromey <tromey@redhat.com>
> > Cc: Anthony Green <green@redhat.com>
> > Subject: Re: question about security stuff...
> >
> > Hi Tom, Anthony,
> >
> > Most of the security work I've been doing is driven by writing
> > throwpoint tests for Mauve.  There's a list of every throwpoint
> > at http://tinyurl.com/o2ttz and what I do is pick a class and
> > write a Mauve test for it.  Sometimes it's easy, other times
> > whether or not a check happens is governed by some really bizarre
> > logic and getting it right is a fiddle.
> >
> > If you want to write throwpoint tests then that'd be really
> > helpful.  There's a list of what's done and what's not at
> > http://tinyurl.com/egrve (updated nightly) so pick something
> > that's not done and have a go.  Currently I'm looking at AWT:
> > that, java.net and java.security are the gaping holes at the
> > moment.
> >
> > Most of the dirty work happens in TestSecurityManager2.
> > First you call its prepareChecks() to tell it what permissions
> > you expect to be checked, then you call whatever should perform
> > the check, and finally you call its checkAllChecked() method.
> > Any unexpected checks will cause a SecurityException to be
> > thrown.  As well as a list of must-check permissions you can
> > supply prepareChecks() with some permissions that may be checked
> > (there's some cases where Sun or IBM check something incidental
> > that Classpath does not) and there's also a different way of
> > running checks to allow stuff like System.exit() to be tested
> > without actually exiting the VM.
> >
> > gnu/testlet/java/io/FileInputStream/security.java is a nice
> > simple one to base things on.  Some stuff requires different
> > classloaders or different threads and if you need that then
> > look at gnu/testlet/java/lang/Thread/security.java to see what
> > I mean.  The "// throwpoint:" comments are for the nightly
> > status page.
> >
> > Of course, there's always PR libgcj/13603 if you don't fancy
> > throwpoint tests...
> >
> > Cheers,
> > Gary

^ permalink raw reply	[flat|nested] 9+ messages in thread
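
The prepareChecks() / checkAllChecked() sequence described in the forwarded message above, modelled in Python as an added example. This is not Mauve's TestSecurityManager2: the class, the permission tuples and the three sample operations are constructed for illustration, and only the must-check / may-check bookkeeping follows the description in the thread.

```python
class SecurityException(Exception):
    pass


class CheckRecorder:
    """Model of the must-check / may-check bookkeeping (not Mauve's class)."""

    def __init__(self):
        self.must = {}       # permission -> has it been checked yet?
        self.may = set()     # incidental checks that are tolerated
        self.armed = False

    def prepare_checks(self, must_check, may_check=()):
        self.must = {perm: False for perm in must_check}
        self.may = set(may_check)
        self.armed = True

    def check_permission(self, perm):
        """Called by the code under test at each throwpoint."""
        if not self.armed:
            return
        if perm in self.must:
            self.must[perm] = True
        elif perm not in self.may:
            raise SecurityException("unexpected check: %r" % (perm,))

    def check_all_checked(self):
        """Disarm and return the must-check permissions never checked."""
        self.armed = False
        return sorted(perm for perm, seen in self.must.items() if not seen)


def run_testlet(recorder, operation, must_check, may_check=()):
    """prepare -> run the operation -> verify, returning a status string."""
    recorder.prepare_checks(must_check, may_check)
    try:
        operation(recorder)
    except SecurityException as exc:
        recorder.armed = False
        return "FAIL (%s)" % exc
    missed = recorder.check_all_checked()
    if missed:
        return "FAIL (never checked: %s)" % ", ".join(map(str, missed))
    return "PASS"


# Constructed permissions and operations standing in for library code.
READ = ("FilePermission", "/tmp/x", "read")
PROP = ("PropertyPermission", "file.encoding", "read")


def open_checked(sm):
    sm.check_permission(READ)


def open_unchecked(sm):
    pass  # the defect a throwpoint test exists to catch: no check is made


def open_with_incidental(sm):
    sm.check_permission(PROP)  # incidental check some implementations make
    sm.check_permission(READ)


if __name__ == "__main__":
    sm = CheckRecorder()
    print(run_testlet(sm, open_checked, [READ]))
    print(run_testlet(sm, open_unchecked, [READ]))
    print(run_testlet(sm, open_with_incidental, [READ]))
    print(run_testlet(sm, open_with_incidental, [READ], [PROP]))
```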

* Re: SecurityException throwpoint audit
  2006-05-18 11:40 ` Gary Benson
@ 2006-05-24 12:53   ` Olli Vertanen
  2006-06-02 11:55     ` Gary Benson
  0 siblings, 1 reply; 9+ messages in thread
From: Olli Vertanen @ 2006-05-24 12:53 UTC (permalink / raw)
  To: mauve-discuss; +Cc: classpath


Gary,

Thanks for your reply!

So throwpoint checks are in these security.java testlets
under various directories? Do you have a driver that could run just the
security tests and nothing else? If not, what would be the best strategy to
implement one?

I can try to write some tests, but your report list seems to be a bit
broken right now. I'm interested in the security manager and the access
controller.

You seem to check unexpected exceptions (I looked at
FileInputStream/security.java) but what about checking that
expected exceptions are thrown?

Olli


> Hi Olli,
>
> Yeah, I'm working on it, slowly but surely.  Currently the
> only information online is the automatic status page at
> http://people.redhat.com/gbenson/throwpoint-report.html.
> I have some stuff I wrote the other day for Tom Tromey
> and Anthony Green which I'm tidying up for the wiki but
> I've attached it below in case you're interested.
>
> Cheers,
> Gary
>
> ----- Forwarded message from Gary Benson -----
> Date: Mon, 15 May 2006 16:51:31 +0100
> From: Gary Benson <gbenson@redhat.com>
> To: Tom Tromey <tromey@redhat.com>
> Cc: Anthony Green <green@redhat.com>
> Subject: Re: question about security stuff...
>
> Hi Tom, Anthony,
>
> Most of the security work I've been doing is driven by writing
> throwpoint tests for Mauve.  There's a list of every throwpoint
> at http://tinyurl.com/o2ttz and what I do is pick a class and
> write a Mauve test for it.  Sometimes it's easy, other times
> whether or not a check happens is governed by some really bizarre
> logic and getting it right is a fiddle.
>
> If you want to write throwpoint tests then that'd be really
> helpful.  There's a list of what's done and what's not at
> http://tinyurl.com/egrve (updated nightly) so pick something
> that's not done and have a go.  Currently I'm looking at AWT:
> that, java.net and java.security are the gaping holes at the
> moment.
>
> Most of the dirty work happens in TestSecurityManager2.
> First you call its prepareChecks() to tell it what permissions
> you expect to be checked, then you call whatever should perform
> the check, and finally you call its checkAllChecked() method.
> Any unexpected checks will cause a SecurityException to be
> thrown.  As well as a list of must-check permissions you can
> supply prepareChecks() with some permissions that may be checked
> (there's some cases where Sun or IBM check something incidental
> that Classpath does not) and there's also a different way of
> running checks to allow stuff like System.exit() to be tested
> without actually exiting the VM.
>
> gnu/testlet/java/io/FileInputStream/security.java is a nice
> simple one to base things on.  Some stuff requires different
> classloaders or different threads and if you need that then
> look at gnu/testlet/java/lang/Thread/security.java to see what
> I mean.  The "// throwpoint:" comments are for the nightly
> status page.
>
> Of course, there's always PR libgcj/13603 if you don't fancy
> throwpoint tests...
>
> Cheers,
> Gary
>

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: SecurityException throwpoint audit
  2006-05-17 20:39 Olli Vertanen
@ 2006-05-18 11:40 ` Gary Benson
  2006-05-24 12:53   ` Olli Vertanen
  0 siblings, 1 reply; 9+ messages in thread
From: Gary Benson @ 2006-05-18 11:40 UTC (permalink / raw)
  To: mauve-discuss; +Cc: classpath

Olli Vertanen wrote:
> I just joined the list. I was browsing the archives and found a
> short discussion about SecurityException throwpoint audit. Anybody
> working on that?

Hi Olli,

Yeah, I'm working on it, slowly but surely.  Currently the
only information online is the automatic status page at
http://people.redhat.com/gbenson/throwpoint-report.html.
I have some stuff I wrote the other day for Tom Tromey
and Anthony Green which I'm tidying up for the wiki but
I've attached it below in case you're interested.

Cheers,
Gary

----- Forwarded message from Gary Benson -----
Date: Mon, 15 May 2006 16:51:31 +0100
From: Gary Benson <gbenson@redhat.com>
To: Tom Tromey <tromey@redhat.com>
Cc: Anthony Green <green@redhat.com>
Subject: Re: question about security stuff...

Hi Tom, Anthony,

Most of the security work I've been doing is driven by writing
throwpoint tests for Mauve.  There's a list of every throwpoint
at http://tinyurl.com/o2ttz and what I do is pick a class and
write a Mauve test for it.  Sometimes it's easy, other times
whether or not a check happens is governed by some really bizarre
logic and getting it right is a fiddle.

If you want to write throwpoint tests then that'd be really
helpful.  There's a list of what's done and what's not at
http://tinyurl.com/egrve (updated nightly) so pick something
that's not done and have a go.  Currently I'm looking at AWT:
that, java.net and java.security are the gaping holes at the
moment.

Most of the dirty work happens in TestSecurityManager2.
First you call its prepareChecks() to tell it what permissions
you expect to be checked, then you call whatever should perform
the check, and finally you call its checkAllChecked() method.
Any unexpected checks will cause a SecurityException to be
thrown.  As well as a list of must-check permissions you can
supply prepareChecks() with some permissions that may be checked
(there's some cases where Sun or IBM check something incidental
that Classpath does not) and there's also a different way of
running checks to allow stuff like System.exit() to be tested
without actually exiting the VM.

gnu/testlet/java/io/FileInputStream/security.java is a nice
simple one to base things on.  Some stuff requires different
classloaders or different threads and if you need that then
look at gnu/testlet/java/lang/Thread/security.java to see what
I mean.  The "// throwpoint:" comments are for the nightly
status page.

Of course, there's always PR libgcj/13603 if you don't fancy
throwpoint tests...

Cheers,
Gary

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: SecurityException throwpoint audit
@ 2006-05-17 20:39 Olli Vertanen
  2006-05-18 11:40 ` Gary Benson
  0 siblings, 1 reply; 9+ messages in thread
From: Olli Vertanen @ 2006-05-17 20:39 UTC (permalink / raw)
  To: mauve-discuss

Hi all,

I just joined the list. I was browsing the archives and found a short
discussion about SecurityException throwpoint audit. Anybody working on
that?

Cheers,

Olli Vertanen
University of Kuopio, Dept of Comp. Sci.
Kuopio, Finland

^ permalink raw reply	[flat|nested] 9+ messages in thread
