Date: Thu, 18 May 2006 11:40:00 -0000
From: Gary Benson
To: mauve-discuss@sources.redhat.com
Cc: classpath@gnu.org
Subject: Re: SecurityException throwpoint audit

Olli Vertanen wrote:
> I just joined the list. I was browsing the archives and found a
> short discussion about SecurityException throwpoint audit. Anybody
> working on that?

Hi Olli,

Yeah, I'm working on it, slowly but surely. Currently the only
information online is the automatic status page at
http://people.redhat.com/gbenson/throwpoint-report.html. I have
some stuff I wrote the other day for Tom Tromey and Anthony Green
which I'm tidying up for the wiki but I've attached it below in case
you're interested.

Cheers,
Gary

----- Forwarded message from Gary Benson -----

Date: Mon, 15 May 2006 16:51:31 +0100
From: Gary Benson
To: Tom Tromey
Cc: Anthony Green
Subject: Re: question about security stuff...

Hi Tom, Anthony,

Most of the security work I've been doing is driven by writing
throwpoint tests for Mauve. There's a list of every throwpoint at
http://tinyurl.com/o2ttz and what I do is pick a class and write a
Mauve test for it. Sometimes it's easy, other times whether or not a
check happens is governed by some really bizarre logic and getting it
right is a fiddle.

If you want to write throwpoint tests then that'd be really helpful.
There's a list of what's done and what's not at
http://tinyurl.com/egrve (updated nightly) so pick something that's
not done and have a go. Currently I'm looking at AWT: that, java.net
and java.security are the gaping holes at the moment.

Most of the dirty work happens in TestSecurityManager2. First you
call its prepareChecks() to tell it what permissions you expect to be
checked, then you call whatever should perform the check, and finally
you call its checkAllChecked() method. Any unexpected checks will
cause a SecurityException to be thrown. As well as a list of
must-check permissions you can supply prepareChecks() with some
permissions that may be checked (there's some cases where Sun or IBM
check something incidental that Classpath does not) and there's also
a different way of running checks to allow stuff like System.exit()
to be tested without actually exiting the VM.

gnu/testlet/java/io/FileInputStream/security.java is a nice simple
one to base things on. Some stuff requires different classloaders or
different threads and if you need that then look at
gnu/testlet/java/lang/Thread/security.java to see what I mean. The
"// throwpoint:" comments are for the nightly status page.

Of course, there's always PR libgcj/13603 if you don't fancy
throwpoint tests...

Cheers,
Gary
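
The prepare / run / verify cycle described in the forwarded message, as an added example that is not part of the original mail and is not Mauve's code. ThrowpointRecorder, its method signatures and the file path are assumptions made for illustration; it models the must-check and may-check lists without installing a real SecurityManager.

```java
import java.io.FilePermission;
import java.security.Permission;
import java.util.*;

// Simplified model of the pattern in the message above.
// ThrowpointRecorder is a hypothetical name, not Mauve's TestSecurityManager2.
public class ThrowpointRecorder {
    private final List<Permission> must = new ArrayList<>();
    private final List<Permission> may = new ArrayList<>();
    private final Set<Permission> seen = new HashSet<>();

    // Declare which permissions must be checked and which may be checked.
    public void prepareChecks(Permission[] mustCheck, Permission[] mayCheck) {
        must.clear(); may.clear(); seen.clear();
        must.addAll(Arrays.asList(mustCheck));
        may.addAll(Arrays.asList(mayCheck));
    }

    // Stands in for SecurityManager.checkPermission(): record declared
    // checks, reject anything the test did not declare.
    public void checkPermission(Permission p) {
        if (must.contains(p)) { seen.add(p); return; }
        if (may.contains(p)) return;
        throw new SecurityException("unexpected check: " + p);
    }

    // True only if every must-check permission was actually checked.
    public boolean checkAllChecked() { return seen.containsAll(must); }

    public static void main(String[] args) {
        ThrowpointRecorder sm = new ThrowpointRecorder();
        Permission read = new FilePermission("/tmp/constructed.txt", "read");
        Permission fd = new RuntimePermission("readFileDescriptor");

        // Case 1: the code under test performs the expected check.
        sm.prepareChecks(new Permission[] { read }, new Permission[] { fd });
        sm.checkPermission(read); // the check a throwpoint should make
        sm.checkPermission(fd);   // incidental check, tolerated as may-check
        System.out.println("case 1 all checked: " + sm.checkAllChecked());

        // Case 2: the code under test never checks, so the gap is reported.
        sm.prepareChecks(new Permission[] { read }, new Permission[0]);
        System.out.println("case 2 all checked: " + sm.checkAllChecked());

        // Case 3: an undeclared permission is checked.
        try {
            sm.checkPermission(new FilePermission("/tmp/constructed.txt", "write"));
        } catch (SecurityException e) { System.out.println("case 3: " + e.getMessage()); }
    }
}
```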