Plugin Security (was: RE: Squeak viruses (was Re: [VIRUSWARNING] Re: Check this))

Dan Ingalls Dan.Ingalls at
Fri Mar 3 06:24:56 UTC 2000

"Mark van Gulik" <ghoul6 at> wrote...
>Here's a favorite attack of mine (pardon the VisualWorks 3.0 dialect - my
>guess is this will work in Squeak).  Currently, it just determines the
>address of an object, but with a little imagination...

This is a good one -- thanks for the enlightenment!

Obviously, become: should require compatible object memory formats (pointer/bits/long/short info) for its two arguments.

	- Dan ( wearing my almost-unused spoilsport hat ;-)
>'From VisualWorks®, Release 3.1 of March 1, 1999 on March 2, 2000 at
>10:33:00 pm'!
>Object subclass: #ObjectAddressFinder
> instanceVariableNames: 'object '
> classVariableNames: ''
> poolDictionaries: ''
> category: 'Nasty Hacks'!
>!ObjectAddressFinder methodsFor: 'private'!
>whereIs: anObject
> "Private - see my Metaclass.  Destroys the receiver."
> | bytes |
> bytes := UninterpretedBytes new: 4.
> self become: bytes.
> "We're still in this method but the receiver is (now) an UninterpretedBytes, so writing
>  to the instance variable will clobber the first four bytes of the UninterpretedBytes..."
> object := anObject.
> "The clobbering mentioned above has occurred at this point.  But, of course, self and bytes
>  have changed places, so self is the UninterpretedBytes and bytes is the ObjectAddressFinder."
> ^self unsignedLongAt: 1! !
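
The format check suggested in the reply above, sketched as an added example (not part of the original post, and not Squeak or VisualWorks VM code): a toy object table in Python where `become:` swaps two entries, run with and without a format-compatibility check. `ToyMemory`, `Format`, the oop values and the 32-bit little-endian reference width are assumptions of the model.

```python
import struct
from enum import Enum

class Format(Enum):            # simplified stand-in for pointer/bits/long/short
    POINTERS = 0               # slots hold object references
    BYTES = 1                  # raw 8-bit body (value = bytes per element)
    WORDS = 4                  # raw 32-bit body

class ToyMemory:
    """Constructed model of an object table: oop -> [format, body]."""
    def __init__(self):
        self.table, self.next_oop = {}, 0x1000

    def allocate(self, fmt, size):
        oop, self.next_oop = self.next_oop, self.next_oop + 0x10
        body = [None] * size if fmt is Format.POINTERS else bytearray(size * fmt.value)
        self.table[oop] = [fmt, body]
        return oop

    def become(self, a, b, check_format):
        fa, fb = self.table[a][0], self.table[b][0]
        if check_format and fa is not fb:
            raise TypeError(f"become: refused, {fa.name} vs {fb.name}")
        self.table[a], self.table[b] = self.table[b], self.table[a]

    def store_inst_var(self, receiver, index, value_oop):
        # Models the compiled `object := anObject`: the method was compiled
        # against a pointer-shaped class and does not re-check the body.
        fmt, body = self.table[receiver]
        if fmt is Format.POINTERS:
            body[index] = value_oop
        else:                  # the reference is written into raw data
            struct.pack_into("<I", body, index * 4, value_oop)

def reference_reaches_raw_bytes(check_format):
    mem = ToyMemory()
    finder = mem.allocate(Format.POINTERS, 1)   # one inst var, as in the quoted class
    raw = mem.allocate(Format.BYTES, 4)         # as in `UninterpretedBytes new: 4`
    target = mem.allocate(Format.POINTERS, 0)
    mem.become(finder, raw, check_format)
    mem.store_inst_var(finder, 0, target)       # still inside the receiver's method
    fmt, body = mem.table[finder]
    return fmt is not Format.POINTERS and struct.unpack_from("<I", body)[0] == target

if __name__ == "__main__":
    print("unchecked:", reference_reaches_raw_bytes(False))
    try:
        reference_reaches_raw_bytes(True)
    except TypeError as err:
        print("checked:", err)
```

With the check enabled the swap is rejected before the store runs, so the reference never lands in a raw body; swaps between two objects of the same format still go through.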
