Re: window of vulnerability

---

• From: "Daniel Pitts" <googlegroupie@xxxxxxxxxxxxx>
• Date: 27 Feb 2007 13:37:06 -0800

---

On Feb 27, 1:23 pm, mei <m...@xxxxxx> wrote:

Hello,
I heard several times people talking about a security issue known as
window of vulnerability.
I am not sure to be capable of explaining it correctly, but it is more
or less about having a concurrent thread accessing a code normally
protected, that would trigger within a window of vulnerability
eventually opened by the thread running the protection mechanism.
I would like to know if it is only a theoretical problem or if it can
happen on real conditions? In my mind, I think that we should be able to
enforce the executions in a particular order, and this depends on too
many parameters to be controlled.
Mei.

Thats just it, you *can* force order, but in a multi-threaded
environment, you have to worry about the order to force.

In a single threaded application, everything "seems" to happen in the
order you expect, the implicit order you asked for, the compiler, JVM,
and underlying CPU are designed to do this for you. However, they may
"reorder" certain instructions that don't interact with each other.
This gives them the ability to optimize pipelines, wait times, etc...
The effect is unobservable to a single threaded application.

However, there is no implicit order defined between two threads. You
have to be explicit by using some sort of synchronization. In Java,
that means using either synchronization and volatile variables, or
using the new in java.util.concurrency classes. More than just using
them, you have to use them correctly.

I recently picked up a copy of "Java Concurrency in Practice" <http://
jcip.net/> which discusses the pitfalls of using multi-threaded
applications without understanding the underlying behavior.

Hope this helps,
Daniel.

.

---

• Follow-Ups:
  • Re: window of vulnerability
    • From: mei

• References:
  • [security] window of vulnerability
    • From: mei

• Prev by Date: Re: simple java networked game
• Next by Date: Re: Do I need to keep all the Java updates?
• Previous by thread: [security] window of vulnerability
• Next by thread: Re: window of vulnerability
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: window of vulnerability ... I heard several times people talking about a security issue known as ... that would trigger within a window of vulnerability ... have to be explicit by using some sort of synchronization. ... (comp.lang.java.programmer) Re: window of vulnerability ... that would trigger within a window of vulnerability ... have to be explicit by using some sort of synchronization. ... my question is more oriented toward a security issue. ... (comp.lang.java.programmer) Re: Thread Problems ... draw thread can bail. ... window handle is generally a poor choice a lot of the time. ... try to avoid *needing* synchronization. ... The paint routine is a poor choice for learning threading. ... (microsoft.public.vc.mfc) SYMSA-2007-002: Palm OS Treo Find Feature System Password Bypass ... Advisory ID: SYMSA-2007-002 ... vulnerability to retrieve information from a locked device. ... This will open the Find window on the bottom half of the screen. ... Symantec Vulnerability Research Advisory Archive: ... (Bugtraq) [Full-disclosure] Computer Terrorism Security Advisory (Reclassification) - Microsoft Internet Explo ... Explorer JavaScript Window() DoS vulnerability, ... to an offset of which we have no control, ... clearly reflects the improbable scenario for remote code execution. ... (Full-Disclosure)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(13)