[1453] in java-interest
Re: Third Party Library Loading
daemon@ATHENA.MIT.EDU (Chuck McManis)
Sun Sep 3 16:39:26 1995
Date: Sun, 3 Sep 1995 10:49:46 -0700
From: cmcmanis@scndprsn.Eng.Sun.COM (Chuck McManis)
To: gandalf@viman1.viman.com, johnm@emf2-003.emf.net
Cc: java-interest@java.Eng.Sun.COM
Matt Cline writes:
> If you download an app which needs to use a native mehtod, it goes to one
> of the trusted hosts to get it.
>
> Would this have even a chance of working?
No, address spoofing is a well known (and used) technique. Without binding
something to the binary itself you are at risk. An alternative solution
would be to compute a strong message digest and distribute it widely
(thus making it harder to spoof) The acquiring program could try to
get digests for the binary from several sources (making it more
difficult to spoof the guards as it were) and verify the binary
using the digest. Clearly the mechanism is fairly heavyweight.
--Chuck
-
Note to Sun employees: this is an EXTERNAL mailing list!
Info: send 'help' to java-interest-request@java.sun.com
