* SecurityException throwpoint audit
From: Gary Benson @ 2005-11-21 16:58 UTC
To: mauve-discuss

Hi all,

I've been trying to work out how to test that permissions are
checked at every point they ought to be. There's a table of
every such point here:

  http://java.sun.com/j2se/1.4.2/docs/guide/security/permissions.html#PermsAndMethods

Some of these already have tests, but most probably do not. Before
I start creating tests I'm thinking that we need some way to
correlate mauve tests with the throwpoints on this (and future)
lists.

How would people feel if I numbered the throwpoints on the above
list and noted them in their corresponding tests in some easily
parsable form (probably in comments like Tags are already). That
way whether a throwpoint is tested (and the location of the test)
can be found with a simple grep.

For simplicity I'd probably number the 1.4.2 list from 1-whatever.
Checks added in 1.5 can be added at the end of the list.

It would be convenient if we made a version of the above list
annotated with the throwpoint numbers, but obviously such a thing
could not be distributed. It should be possible to write a script
that would download and annotate the list for local use.

Does this sound reasonable?

Cheers,
Gary

* Re: SecurityException throwpoint audit
From: Gary Benson @ 2005-11-22 16:27 UTC
To: mauve-discuss

Hi again,

I take it that nobody minds if I start doing this. The attached
script can be used to create the annotated list of throwpoints so
you can look up IDs I add in comments or whatever. The script
performs some MD5 checks so you can be sure you're looking at the
same page I am.

Cheers,
Gary

Gary Benson wrote:
> Hi all,
>
> I've been trying to work out how to test that permissions are
> checked at every point they ought to be. There's a table of
> every such point here:
>
>   http://java.sun.com/j2se/1.4.2/docs/guide/security/permissions.html#PermsAndMethods
>
> Some of these already have tests, but most probably do not. Before
> I start creating tests I'm thinking that we need some way to
> correlate mauve tests with the throwpoints on this (and future)
> lists.
>
> How would people feel if I numbered the throwpoints on the above
> list and noted them in their corresponding tests in some easily
> parsable form (probably in comments like Tags are already). That
> way whether a throwpoint is tested (and the location of the test)
> can be found with a simple grep.
>
> For simplicity I'd probably number the 1.4.2 list from 1-whatever.
> Checks added in 1.5 can be added at the end of the list.
>
> It would be convenient if we made a version of the above list
> annotated with the throwpoint numbers, but obviously such a thing
> could not be distributed. It should be possible to write a script
> that would download and annotate the list for local use.
>
> Does this sound reasonable?
>
> Cheers,
> Gary

[-- Attachment #2: get-throwpoints.py --]

#!/usr/bin/env python
# Python 2 script (uses the md5, sgmllib and htmlentitydefs modules).

import md5
import sgmllib

def escape(data, escape_quote = False):
    # Re-escape text for HTML output; quotes only inside attribute values.
    data = data.replace("&", "&amp;")
    data = data.replace("<", "&lt;")
    if escape_quote:
        data = data.replace('"', "&quot;")
    return data

class Parser(sgmllib.SGMLParser):
    from htmlentitydefs import entitydefs

    def __init__(self, fp, verbose = False):
        sgmllib.SGMLParser.__init__(self, verbose)
        self.fp = fp

    def reset(self):
        sgmllib.SGMLParser.reset(self)
        # hashes[0] covers the downloaded input, hashes[1] the written output
        self.hashes = md5.new(), md5.new()
        self.passthrough = False
        self.row = None

    def feed(self, data):
        sgmllib.SGMLParser.feed(self, data)
        self.hashes[0].update(data)

    def write(self, data):
        self.fp.write(data)
        self.hashes[1].update(data)

    def digests(self):
        return [hash.hexdigest() for hash in self.hashes]

    # handle passthrough in generic overrides

    def handle_starttag(self, tag, method, attrs):
        sgmllib.SGMLParser.handle_starttag(self, tag, method, attrs)
        if self.passthrough:
            self.__write_tag(tag, attrs)

    def unknown_starttag(self, tag, attrs):
        sgmllib.SGMLParser.unknown_starttag(self, tag, attrs)
        if self.passthrough:
            self.__write_tag(tag, attrs)

    def handle_endtag(self, tag, method):
        if self.passthrough:
            self.__write_tag("/" + tag)
        sgmllib.SGMLParser.handle_endtag(self, tag, method)

    def unknown_endtag(self, tag):
        if self.passthrough:
            self.__write_tag("/" + tag)
        sgmllib.SGMLParser.unknown_endtag(self, tag)

    def handle_data(self, data):
        if self.passthrough:
            self.write(data)

    def __write_tag(self, tag, attrs = ()):
        self.write("<%s%s>" % (tag, "".join(
            [' %s="%s"' % (name, escape(value, True))
             for name, value in attrs])))

    # handle everything else in tag-specific overrides

    def start_table(self, attrs):
        # Only the table with this summary attribute is copied to the output.
        for name, value in attrs:
            if name == "summary":
                if value == "methods and the premissions they require":
                    self.passthrough = True
                    self.row = 0
                break
        if self.passthrough:
            self.write("<html>\n <body>\n ")

    def end_table(self):
        if self.passthrough:
            self.write("\n </body>\n</html>\n")
            self.passthrough = False

    def start_tr(self, attrs):
        if self.passthrough:
            if self.row == 29:
                self.passthrough = False
            self.row_tagged = False
        elif self.row == 29:
            self.passthrough = True

    def end_tr(self):
        if self.passthrough:
            self.row += 1

    def start_th(self, attrs):
        # Add an "ID" header cell before the first header cell of a row.
        if self.passthrough:
            if not self.row_tagged:
                self.write("<th>ID</th>\n ")
                self.row_tagged = True

    def start_td(self, attrs):
        # Add the throwpoint ID cell before the first data cell of a row.
        if self.passthrough:
            if not self.row_tagged:
                self.write("<td>se%03d</td>\n " % self.row)
                self.row_tagged = True

if __name__ == "__main__":
    import os
    import sys
    import urllib

    version = "1.4.2"
    src = "http://java.sun.com/j2se/" + version \
          + "/docs/guide/security/permissions.html"
    dst = "throwpoints-%s.html" % version

    if os.path.exists(dst):
        print "%s: file exists" % dst
        sys.exit(1)

    parser = Parser(open(dst, "w"))
    parser.feed(urllib.urlopen(src).read())
    parser.close()

    # Compare against the digests of the page and output the author saw.
    digests = parser.digests()
    if digests[1] == "3c40052647c417dead97068a32f51911":
        status = "PASS"
    elif digests[0] == "c4b9248859682e65ad71788acfc03b78":
        status = "FAIL (processing)"
    else:
        status = "FAIL (input = %s)" % digests[0]
    print "status:", status

* Re: SecurityException throwpoint audit
From: Mark Wielaard @ 2005-11-25 0:02 UTC
To: Gary Benson
Cc: mauve-discuss

Hi Gary,

On Mon, 2005-11-21 at 16:58 +0000, Gary Benson wrote:
> I've been trying to work out how to test that permissions are checked
> at every point they ought to be. There's a table of every such point
> here:
>
>   http://java.sun.com/j2se/1.4.2/docs/guide/security/permissions.html#PermsAndMethods

I would not trust that list as the definite guide. I just looked for a
random method (which I was just working on for GNU Classpath)
Toolkit.getSystemSelection() and it was not listed.

> Some of these already have tests, but most probably do not. Before I
> start creating tests I'm thinking that we need some way to correlate
> mauve tests with the throwpoints on this (and future) lists.
>
> How would people feel if I numbered the throwpoints on the above list
> and noted them in their corresponding tests in some easily parsable
> form (probably in comments like Tags are already). That way whether a
> throwpoint is tested (and the location of the test) can be found with
> a simple grep.
>
> For simplicity I'd probably number the 1.4.2 list from 1-whatever.
> Checks added in 1.5 can be added at the end of the list.

I don't really like the numbering. I would propose to actually name the
tests with somewhat meaningful names. Something like
<PermissionClassName>_<ClassName>_<MethodName> for each Permission and
class.method() needing to check for that permission. (example:
AWTPermission_Toolkit_getSystemSelection) Or maybe have a directory per
PermissionClassName. That is how jacks is setup. It follows the JLS, but
it doesn't use the section numbers, but logical names of the sections
that the tests are for.

Cheers,

Mark

* Re: SecurityException throwpoint audit
From: Tom Tromey @ 2005-11-25 19:30 UTC
To: Mark Wielaard
Cc: Gary Benson, mauve-discuss

>>>>> "Mark" == Mark Wielaard <mark@klomp.org> writes:

Mark> I don't really like the numbering. I would propose to actually name the
Mark> tests with somewhat meaningful names.

Yeah, if there is a way to do this "stably" then I think it would be
preferable.

Tom

* Re: SecurityException throwpoint audit
From: Gary Benson @ 2005-11-28 14:04 UTC
To: mauve-discuss

Mark Wielaard wrote:
> On Mon, 2005-11-21 at 16:58 +0000, Gary Benson wrote:
> > I've been trying to work out how to test that permissions are
> > checked at every point they ought to be. There's a table of every
> > such point here:
> >
> >   http://java.sun.com/j2se/1.4.2/docs/guide/security/permissions.html#PermsAndMethods
>
> I would not trust that list as the definite guide. I just looked for
> a random method (which I was just working on for GNU Classpath)
> Toolkit.getSystemSelection() and it was not listed.

Ah, thanks for the warning.

> > How would people feel if I numbered the throwpoints on the above
> > list and noted them in their corresponding tests in some easily
> > parsable form (probably in comments like Tags are already). That
> > way whether a throwpoint is tested (and the location of the test)
> > can be found with a simple grep.
> >
> > For simplicity I'd probably number the 1.4.2 list from 1-whatever.
> > Checks added in 1.5 can be added at the end of the list.
>
> I don't really like the numbering. I would propose to actually name
> the tests with somewhat meaningful names. Something like
> <PermissionClassName>_<ClassName>_<MethodName> for each Permission
> and class.method() needing to check for that permission. (example:
> AWTPermission_Toolkit_getSystemSelection)

Yeah, that's better I suppose, I'll use that.

Cheers,
Gary

* Re: SecurityException throwpoint audit
From: Olli Vertanen @ 2006-05-17 20:39 UTC
To: mauve-discuss

Hi all,

I just joined the list. I was browsing the archives and found a
short discussion about SecurityException throwpoint audit. Anybody
working on that?

Cheers,

Olli Vertanen
University of Kuopio, Dept of Comp. Sci.
Kuopio, Finland

* Re: SecurityException throwpoint audit
From: Gary Benson @ 2006-05-18 11:40 UTC
To: mauve-discuss
Cc: classpath

Olli Vertanen wrote:
> I just joined the list. I was browsing the archives and found a
> short discussion about SecurityException throwpoint audit. Anybody
> working on that?

Hi Olli,

Yeah, I'm working on it, slowly but surely. Currently the
only information online is the automatic status page at
http://people.redhat.com/gbenson/throwpoint-report.html.
I have some stuff I wrote the other day for Tom Tromey
and Anthony Green which I'm tidying up for the wiki but
I've attached it below in case you're interested.

Cheers,
Gary

----- Forwarded message from Gary Benson -----
Date: Mon, 15 May 2006 16:51:31 +0100
From: Gary Benson <gbenson@redhat.com>
To: Tom Tromey <tromey@redhat.com>
Cc: Anthony Green <green@redhat.com>
Subject: Re: question about security stuff...

Hi Tom, Anthony,

Most of the security work I've been doing is driven by writing
throwpoint tests for Mauve. There's a list of every throwpoint
at http://tinyurl.com/o2ttz and what I do is pick a class and
write a Mauve test for it. Sometimes it's easy, other times
whether or not a check happens is governed by some really bizarre
logic and getting it right is a fiddle.

If you want to write throwpoint tests then that'd be really
helpful. There's a list of what's done and what's not at
http://tinyurl.com/egrve (updated nightly) so pick something
that's not done and have a go. Currently I'm looking at AWT:
that, java.net and java.security are the gaping holes at the
moment.

Most of the dirty work happens in TestSecurityManager2.
First you call its prepareChecks() to tell it what permissions
you expect to be checked, then you call whatever should perform
the check, and finally you call its checkAllChecked() method.
Any unexpected checks will cause a SecurityException to be
thrown. As well as a list of must-check permissions you can
supply prepareChecks() with some permissions that may be checked
(there's some cases where Sun or IBM check something incidental
that Classpath does not) and there's also a different way of
running checks to allow stuff like System.exit() to be tested
without actually exiting the VM.

gnu/testlet/java/io/FileInputStream/security.java is a nice
simple one to base things on. Some stuff requires different
classloaders or different threads and if you need that then
look at gnu/testlet/java/lang/Thread/security.java to see what
I mean. The "// throwpoint:" comments are for the nightly
status page.

Of course, there's always PR libgcj/13603 if you don't fancy
throwpoint tests...

Cheers,
Gary

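The prepare / exercise / verify sequence described in the forwarded message, as an added example that is not part of the original thread and is not Mauve's TestSecurityManager2. It is a small Python model; the class, function and permission names are hypothetical, and the permissions are constructed sample values.

```python
class SecurityException(Exception):
    """Stand-in for java.lang.SecurityException in this model."""


class RecordingSecurityManager:
    """Hypothetical recorder of which expected permission checks happen."""

    def __init__(self):
        self.prepare_checks([])

    def prepare_checks(self, must_check, may_check=()):
        self.must_check = set(must_check)  # each of these has to be requested
        self.may_check = set(may_check)    # tolerated if requested, not required
        self.seen = set()

    def check_permission(self, perm):
        # The code under test calls this at each throwpoint.
        if perm in self.must_check:
            self.seen.add(perm)
        elif perm not in self.may_check:
            raise SecurityException("unexpected check: %r" % (perm,))

    def check_all_checked(self):
        # Must-check permissions that were never requested (empty = all seen).
        return sorted(self.must_check - self.seen)


def run_throwpoint_test(action, must_check, may_check=()):
    """Run one throwpoint test and return a status string."""
    sm = RecordingSecurityManager()
    sm.prepare_checks(must_check, may_check)
    try:
        action(sm)
    except SecurityException as exc:
        return "FAIL (%s)" % exc
    missing = sm.check_all_checked()
    if missing:
        return "FAIL (not checked: %r)" % (missing,)
    return "PASS"


# Constructed permissions, written as (class, target, actions) tuples.
READ_FILE = ("FilePermission", "/tmp/data", "read")
READ_PROP = ("PropertyPermission", "user.dir", "read")
EXIT_VM = ("RuntimePermission", "exitVM", "")


def open_checked(sm):
    sm.check_permission(READ_FILE)       # the throwpoint under test


def open_with_incidental_check(sm):
    sm.check_permission(READ_PROP)       # incidental check, as some VMs make
    sm.check_permission(READ_FILE)


def open_unchecked(sm):
    pass                                 # missing throwpoint: no check at all


def open_wrong_check(sm):
    sm.check_permission(EXIT_VM)         # checks something nobody expected


if __name__ == "__main__":
    print(run_throwpoint_test(open_checked, [READ_FILE]))
    print(run_throwpoint_test(open_with_incidental_check, [READ_FILE], [READ_PROP]))
    print(run_throwpoint_test(open_unchecked, [READ_FILE]))
    print(run_throwpoint_test(open_wrong_check, [READ_FILE]))
```
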
* Re: SecurityException throwpoint audit
From: Olli Vertanen @ 2006-05-24 12:53 UTC
To: mauve-discuss
Cc: classpath

Gary,

Thanks for your reply!

So throwpoint checks are in these security.java testlets under
various directories? Do you have a driver that could run just the
security tests and nothing else? If not, what would be best strategy
to implement one?

I can try to write some tests, but your report list seems to be a
bit broken right now. I'm interested in the security manager and the
access controller.

You seem to check unexpected exceptions (I looked at
FileInputStream/security.java) but what about checking that
expected exceptions are thrown?

Olli

> Hi Olli,
>
> Yeah, I'm working on it, slowly but surely. Currently the
> only information online is the automatic status page at
> http://people.redhat.com/gbenson/throwpoint-report.html.
> I have some stuff I wrote the other day for Tom Tromey
> and Anthony Green which I'm tidying up for the wiki but
> I've attached it below in case you're interested.
>
> Cheers,
> Gary
>
> ----- Forwarded message from Gary Benson -----
> Date: Mon, 15 May 2006 16:51:31 +0100
> From: Gary Benson <gbenson@redhat.com>
> To: Tom Tromey <tromey@redhat.com>
> Cc: Anthony Green <green@redhat.com>
> Subject: Re: question about security stuff...
>
> Hi Tom, Anthony,
>
> Most of the security work I've been doing is driven by writing
> throwpoint tests for Mauve. There's a list of every throwpoint
> at http://tinyurl.com/o2ttz and what I do is pick a class and
> write a Mauve test for it. Sometimes it's easy, other times
> whether or not a check happens is governed by some really bizarre
> logic and getting it right is a fiddle.
>
> If you want to write throwpoint tests then that'd be really
> helpful. There's a list of what's done and what's not at
> http://tinyurl.com/egrve (updated nightly) so pick something
> that's not done and have a go. Currently I'm looking at AWT:
> that, java.net and java.security are the gaping holes at the
> moment.
>
> Most of the dirty work happens in TestSecurityManager2.
> First you call its prepareChecks() to tell it what permissions
> you expect to be checked, then you call whatever should perform
> the check, and finally you call its checkAllChecked() method.
> Any unexpected checks will cause a SecurityException to be
> thrown. As well as a list of must-check permissions you can
> supply prepareChecks() with some permissions that may be checked
> (there's some cases where Sun or IBM check something incidental
> that Classpath does not) and there's also a different way of
> running checks to allow stuff like System.exit() to be tested
> without actually exiting the VM.
>
> gnu/testlet/java/io/FileInputStream/security.java is a nice
> simple one to base things on. Some stuff requires different
> classloaders or different threads and if you need that then
> look at gnu/testlet/java/lang/Thread/security.java to see what
> I mean. The "// throwpoint:" comments are for the nightly
> status page.
>
> Of course, there's always PR libgcj/13603 if you don't fancy
> throwpoint tests...
>
> Cheers,
> Gary
>

* Re: SecurityException throwpoint audit
From: Gary Benson @ 2006-06-02 11:55 UTC
To: mauve-discuss, classpath

Hi Olli,

Sorry for the slow response: I've not been too well this week.

There's no driver for running just the throwpoint checks, or just
the security-sensitive checks (though pretty much anything can be
security-sensitive). The easiest way to do it would be I guess to
tag the relevant tests with a "throwpoint" or "security" tag and use
the existing tags mechanism to run them. A tag for these tests is
long overdue actually. Actually, most of the tests I've written have
no tags at all, which I think is wrong. Perhaps someone can enlighten
me here.

Expected exceptions are checked: it all happens in the calls to
sm.checkAllChecked().

And I fixed the report page -- the machine that generated them had a
disk crash a week or so ago, and something got locked up somewhere.

Cheers,
Gary

Olli Vertanen wrote:
> Gary,
>
> Thanks for your reply!
>
> So throwpoint checks are in these security.java testlets under
> various directories? Do you have a driver that could run just the
> security tests and nothing else? If not, what would be best strategy
> to implement one?
>
> I can try to write some tests, but your report list seems to be a
> bit broken right now. I'm interested in the security manager and the
> access controller.
>
> You seem to check unexpected exceptions (I looked at
> FileInputStream/security.java) but what about checking that
> expected exceptions are thrown?
>
> Olli
>
> > Hi Olli,
> >
> > Yeah, I'm working on it, slowly but surely. Currently the
> > only information online is the automatic status page at
> > http://people.redhat.com/gbenson/throwpoint-report.html.
> > I have some stuff I wrote the other day for Tom Tromey
> > and Anthony Green which I'm tidying up for the wiki but
> > I've attached it below in case you're interested.
> >
> > Cheers,
> > Gary
> >
> > ----- Forwarded message from Gary Benson -----
> > Date: Mon, 15 May 2006 16:51:31 +0100
> > From: Gary Benson <gbenson@redhat.com>
> > To: Tom Tromey <tromey@redhat.com>
> > Cc: Anthony Green <green@redhat.com>
> > Subject: Re: question about security stuff...
> >
> > Hi Tom, Anthony,
> >
> > Most of the security work I've been doing is driven by writing
> > throwpoint tests for Mauve. There's a list of every throwpoint
> > at http://tinyurl.com/o2ttz and what I do is pick a class and
> > write a Mauve test for it. Sometimes it's easy, other times
> > whether or not a check happens is governed by some really bizarre
> > logic and getting it right is a fiddle.
> >
> > If you want to write throwpoint tests then that'd be really
> > helpful. There's a list of what's done and what's not at
> > http://tinyurl.com/egrve (updated nightly) so pick something
> > that's not done and have a go. Currently I'm looking at AWT:
> > that, java.net and java.security are the gaping holes at the
> > moment.
> >
> > Most of the dirty work happens in TestSecurityManager2.
> > First you call its prepareChecks() to tell it what permissions
> > you expect to be checked, then you call whatever should perform
> > the check, and finally you call its checkAllChecked() method.
> > Any unexpected checks will cause a SecurityException to be
> > thrown. As well as a list of must-check permissions you can
> > supply prepareChecks() with some permissions that may be checked
> > (there's some cases where Sun or IBM check something incidental
> > that Classpath does not) and there's also a different way of
> > running checks to allow stuff like System.exit() to be tested
> > without actually exiting the VM.
> >
> > gnu/testlet/java/io/FileInputStream/security.java is a nice
> > simple one to base things on. Some stuff requires different
> > classloaders or different threads and if you need that then
> > look at gnu/testlet/java/lang/Thread/security.java to see what
> > I mean. The "// throwpoint:" comments are for the nightly
> > status page.
> >
> > Of course, there's always PR libgcj/13603 if you don't fancy
> > throwpoint tests...
> >
> > Cheers,
> > Gary

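The "simple grep" correlation between throwpoints and tests discussed in this thread, as an added example that is not part of the original messages and is not the script behind the nightly status page. The thread gives only the "// throwpoint:" comment prefix, so the ID that follows it is an assumption; IDs here use the <PermissionClassName>_<ClassName>_<MethodName> naming proposed above, and the throwpoint list and test sources are constructed samples.

```python
import re

# Assumed tag syntax: "// throwpoint: <ID>" with the ID as one token.
TAG = re.compile(r"//\s*throwpoint:\s*(\S+)")


def scan_sources(sources):
    """Map each tagged throwpoint ID to the sorted files that mention it."""
    found = {}
    for path, text in sources.items():
        for line in text.splitlines():
            match = TAG.search(line)
            if match:
                found.setdefault(match.group(1), set()).add(path)
    return {tp: sorted(paths) for tp, paths in found.items()}


def coverage_report(known, sources):
    """Return (tested, untested, unknown) for a list of known throwpoints.

    unknown holds IDs that tests are tagged with but the list lacks:
    either a typo in a tag or a throwpoint missing from the reference list.
    """
    found = scan_sources(sources)
    tested = {tp: found[tp] for tp in known if tp in found}
    untested = [tp for tp in known if tp not in found]
    unknown = sorted(set(found) - set(known))
    return tested, untested, unknown


# Constructed reference list of throwpoints.
KNOWN = [
    "FilePermission_FileInputStream_FileInputStream",
    "RuntimePermission_Runtime_exit",
    "RuntimePermission_Thread_setContextClassLoader",
]

# Constructed test sources, keyed by path (the Toolkit path is hypothetical).
SOURCES = {
    "gnu/testlet/java/io/FileInputStream/security.java": (
        "// Tags: JDK1.2\n"
        "      // throwpoint: FilePermission_FileInputStream_FileInputStream\n"
        "      harness.checkPoint(\"File constructor\");\n"
    ),
    "gnu/testlet/java/lang/Thread/security.java": (
        "      // throwpoint: RuntimePermission_Thread_setContextClassLoader\n"
        "      //throwpoint:RuntimePermission_Thread_setContextClassLoader\n"
    ),
    "gnu/testlet/java/awt/Toolkit/security.java": (
        "      // throwpoint: AWTPermission_Toolkit_getSystemSelection\n"
    ),
}

if __name__ == "__main__":
    tested, untested, unknown = coverage_report(KNOWN, SOURCES)
    for tp in KNOWN:
        print("%-50s %s" % (tp, ", ".join(tested.get(tp, ["UNTESTED"]))))
    print("tagged but not on the list:", unknown)
```
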