You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by Marsh David W Maj AFIT/ENG <Da...@afit.edu> on 2006/01/10 16:40:15 UTC
Security Assurance
Tomcat Developers,
I'm early in some research focusing on software analyses, specifically
those related to data security. As a part of this work I'd like to show
through the theory and application that there is in fact no way for
protected information to "leak" out from that code designated to handle
the protected information. Passwords would definitely be protected as
would, perhaps, the code segments designed to manipulate the passwords.
While I understand that the libraries and extensions used by Tomcat
*should* provide that assurance, what would happen if someone
inadvertently wrote some code that could create a new object with rights
never intended by developers? My question really is whether or not the
development community considers the particular question interesting or
relevant, as I look at Tomcat as a possible test case for my analysis.
David
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: Security Assurance
Posted by Mladen Turk <mt...@apache.org>.
Marsh David W Maj AFIT/ENG wrote:
> Tomcat Developers,
>
> While I understand that the libraries and extensions used by Tomcat
> *should* provide that assurance, what would happen if someone
> inadvertently wrote some code that could create a new object with rights
> never intended by developers?
What I would consider useful is a 'compile time note'
that the code might be insecure, but trying to forbid
any code during execution time beyond existing
execution security level is both out of spec as well as
completely useless.
So, if you find a way to introspect the possible
harmful user written code during compilation time,
only then it would make some sense.
Regards,
Mladen.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org