Andreas Raab wrote:

>I don't think you are right. Please try to give me an example where you
>don't go through any primitive that can be trivially secured (e.g., don't
>use the FFI - this one will *never* count as secure ;-) I would even argue
>that you can't even create an oop from within Squeak that points somewhere
>outside Squeak memory. If you can, please show us how.


Here's a favorite attack of mine (pardon the VisualWorks 3.0 dialect - my
guess is this will work in Squeak).  Currently, it just determines the
address of an object, but with a little imagination...



'From VisualWorks®, Release 3.1 of March 1, 1999 on March 2, 2000 at
10:33:00 pm'!

Object subclass: #ObjectAddressFinder
 instanceVariableNames: 'object '
 classVariableNames: ''
 poolDictionaries: ''
 category: 'Nasty Hacks'!


!ObjectAddressFinder methodsFor: 'private'!

whereIs: anObject
 "Private - see my Metaclass.  Destroys the receiver."

 | bytes |
 bytes := UninterpretedBytes new: 4.
 self become: bytes.
 "We're still in this method but the receiver is (now) an
UninterpretedBytes, so writing
  to the instance variable will clobber the first four bytes of the
UninterpretedBytes..."
 object := anObject.
 "The clobbering mentioned above has occurred at this point.  But, of
course, self and bytes
  have changed places, so self is the UninterpretedBytes and bytes is the
ObjectAddressFinder."
 ^self unsignedLongAt: 1! !
"-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- "!

ObjectAddressFinder class
 instanceVariableNames: ''!


!ObjectAddressFinder class methodsFor: 'locating'!

whereIs: anObject
 "Answer an integer representing the address of the receiver at this time.
This method
  might actually be safe, but I doubt it.  Also, you'd have to have a REALLY
good excuse
  for using this routine.  No guarantees.  The representation will probably
be a direct
  translation of a pointer field, using the current platform's endianness."
 "[ObjectAddressFinder whereIs: nil]"

 ^self new whereIs: self! !