Re: [equinox-dev] Using the org.eclipse.osgi.jar.verifier

equinox-dev-bounces@xxxxxxxxxxx wrote on 2005-11-21 09:10:22 AM:

> BJ, according to the OSGi spec is the Framework required to verify 
> the whole jar each time the Framework is started?  The current 
> implementation verifies each entry of the bundle as it is loaded on 
> demand (e.g. when a class/resource is loaded).  We do not 
> aggressively verify the complete jar at startup.  This would affect 
> startup time in an unacceptable way.  Imagine verifying 1000 jar 
> files at startup.  It would take over 10 minutes just to start up!! 

Well, unless the framework keeps the bundles in a tamperproof store, not 
verifying them is an excellent attack technique! I can replace a verified 
jar with my attack jar and then when Eclipse restarts, I am free to 
attack.

> 
> Andre, you may want to try running Eclipse with the property 
> osgi.checkConfiguration=true set.  This should cause any bundles which 
> get modified to be reinstalled.  Similar to -clean except only for 
> the bundles which got modified. 

Perhaps this is the answer. I am not sure how you detect modification when 
it happens outside of the running Eclipse.

> 
> Tom 
> 
> 
> 


BJ Hargrave
Senior Technical Staff Member, IBM
OSGi Fellow and CTO of the OSGi Alliance
hargrave@xxxxxxxxxx
Office: +1 407 849 9117 Mobile: +1 386 848 3788
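
Added example, not part of the thread and not Equinox code: one way to reconcile the two concerns above is to hash each bundle jar at startup and run full signed-JAR verification only on the jars whose digest differs from a recorded baseline. The class and method names are hypothetical, and the baseline (a properties file mapping jar file name to SHA-256 hex) is assumed to live where whoever can replace a jar cannot write; checking the signer certificates against a trust store is left out.

```java
import java.io.*;
import java.nio.file.*;
import java.security.*;
import java.util.*;
import java.util.jar.*;

// Added example (hypothetical names): re-verify only jars changed since the last run.
public class ChangedBundleCheck {
    // SHA-256 of the raw file. This still reads every jar once at startup.
    static String sha256(Path p) throws IOException, GeneralSecurityException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        try (InputStream in = new DigestInputStream(Files.newInputStream(p), md)) {
            in.transferTo(OutputStream.nullOutputStream());
        }
        return HexFormat.of().formatHex(md.digest());
    }

    // Reads every entry to the end so the JDK checks each signed entry's digest.
    // Returns false on a digest mismatch or on any unsigned content entry.
    static boolean fullyVerified(Path jar) throws IOException {
        try (JarFile jf = new JarFile(jar.toFile(), true)) {
            for (JarEntry e : Collections.list(jf.entries())) {
                String n = e.getName().toUpperCase(Locale.ROOT);
                if (e.isDirectory() || n.equals("META-INF/MANIFEST.MF")
                        || n.matches("META-INF/[^/]+\\.(SF|RSA|DSA|EC)")) continue;
                try (InputStream in = jf.getInputStream(e)) {
                    in.transferTo(OutputStream.nullOutputStream());
                }
                if (e.getCodeSigners() == null) return false; // entry not covered by a signature
            }
            return true;
        } catch (SecurityException ex) {
            return false; // entry or manifest digest did not match the signature file
        }
    }

    // Jars in dir whose digest is missing from, or differs from, the baseline.
    static List<Path> changedSince(Path dir, Properties baseline) throws Exception {
        List<Path> changed = new ArrayList<>();
        try (DirectoryStream<Path> ds = Files.newDirectoryStream(dir, "*.jar")) {
            for (Path jar : ds) {
                String known = baseline.getProperty(jar.getFileName().toString());
                if (!sha256(jar).equals(known)) changed.add(jar);
            }
        }
        return changed;
    }

    // Usage: java ChangedBundleCheck <plugins-dir> <baseline.properties>
    public static void main(String[] args) throws Exception {
        Properties baseline = new Properties();
        try (InputStream in = Files.newInputStream(Paths.get(args[1]))) { baseline.load(in); }
        for (Path jar : changedSince(Paths.get(args[0]), baseline))
            System.out.println((fullyVerified(jar) ? "changed, signed: " : "changed, REJECT: ") + jar);
    }
}
```

If the baseline sits in the same writable directory as the jars, replacing a jar and its baseline entry together defeats the check, which is the tamperproof-store condition raised in the reply.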