Java Threads mailing list archive

The aliasing error

From: Oyvind Teig <Oyvind.Teig@autronica.no>
Date: Tue, 4 Feb 1997 08:08:50 +0100

--1F3cBTuJXLhikXD7oa7MRogy9cJVKsKv
Content-type: text/plain; charset="us-ascii"

                                                   3. Feb.1997
The aliasing error                             

I have studied the aliasing error again, trying to find out more
by studying hashCodes. I thought, maybe the name clash showed up
on the hashCodes? As expected (in retrospect) it didn't. Or,
I don't know how to have it show up.

Code attached.

Has Peter Welch reported this aliasing error to the Java Security group
at Princeton? It doesn't seem to have been discoved by them! Is it possible
to find a security-hole through this mechanism?

Cheers,   > 0yvind Teig, Autronica, Trondheim, Norway <
Oyvind    > Oyvind.Teig@autronica.no                  <
          > Tel.: +47 73 58 12 68                     <
          > Fax.: +47 73 91 93 20                     <

--1F3cBTuJXLhikXD7oa7MRogy9cJVKsKv
Content-type: text/plain; charset="us-ascii"

import java.util.*;

//{{{  class MyInteger
class MyInteger
{
   int y;
   public MyInteger (int v)
   {
      y = v;
   }
   public int Get ()
   {
     return (this.y);
   }
   public void Set (int v)
   {
      this.y = v;
   }
}
//}}}  
//{{{  class Store_X
class  Store_X
{
   MyInteger X; // Proper object, not just "int"

   public Store_X (int v)
   {
      X = new MyInteger (v);
   }
   public Store_X (MyInteger V)
   {
      X = V;
   }
   public int hashCode_X ()
   {
      return (X.hashCode());
   }
   public static void Alias (Store_X x1, Store_X x2)
   {
      // Works ok:
      // x1.X.Set (x1.X.Get() + (x2.X.Get() - x2.X.Get()));

      x1.X.Set (x1.X.Get() + x2.X.Get());
      x1.X.Set (x1.X.Get() - x2.X.Get());
   }
}
//}}}  
//{{{  class Alias_error
class  Strange_alias {
   Strange_alias (int a, int b)
   {
      MyInteger A = new MyInteger (a); // Let's try to instanciate it on the outside
      MyInteger B = new MyInteger (b); // -"-

      Store_X obj1 = new Store_X (A);  // Store_X (a); Works just the same
      Store_X obj2 = new Store_X (B);  // Store_X (b); -"-

      System.out.println ("Initially:         obj2=" + obj2.X.Get() + " obj1 = " + obj1.X.Get());

      Store_X.Alias (obj1, obj2);
      System.out.println ("Different objects: obj2=" + obj2.X.Get() + " obj1 = " + obj1.X.Get());

      Store_X.Alias (obj1, obj1);
      System.out.println ("Same objects:      obj2=" + obj2.X.Get() + " obj1 = " + obj1.X.Get());

      //{{{  Hastable
      Hashtable ht = new Hashtable();
      {
         ht.put   ("obj2   ", new Integer (obj2.hashCode()));
         ht.put   ("obj1   ", new Integer (obj1.hashCode()));
         ht.put   ("obj2.X ", new Integer (obj2.hashCode_X()));
         //ht.put ("B      ", new Integer (B.hashCode()));      // Same as line above
         ht.put   ("obj1.X ", new Integer (obj1.hashCode_X()));
         //ht.put ("A      ", new Integer (A.hashCode()));      // Same as line above

         // Too messy:
         // System.out.println ("  Hashtable:      " + ht.toString() + "\n");

         System.out.println ("\nHashtable:");

         Enumeration elements = ht.elements();
         Enumeration keys     = ht.keys();
         while (elements.hasMoreElements())
         {
            System.out.println ("  " + keys.nextElement() + " = " + elements.nextElement());
         }
      }
      //}}}  
   }
}
//}}}  
//{{{  class Alias_n with main
//{{{  Doc
/**
 * Aliasing error in Java, study of hashCode (=physical address of object).
 *
 * The purpose of this program is to use the Java hashCode to exploit the
 * aliasing error that P.Welch has pointed out.
 * His example uses an int that is used in a simple formula: <B>x = x + (a - a)</B>
 * to prove that the result is either <B>x</B> (correct) or <B>0</B> (wrong).
 * A simple int has no hashCode.
 * I have read that the hashCode is in fact the physical address of the object.
 * Instead of an int, this program uses the class MyInteger, which does
 * have a hashCode.
 * The same aliasing error arises here as in Welch's original program.
 * <B>The example below really shows that the aliasing error is a Java naming
 * problem, the objects pointed to do have different hashCodes, as expected.
 * In all cases, the aliasing error is present.</B>
 * <PRE> </PRE>
 * <B>Has Peter Welch reported this aliasing error to the Java Security group
 * at Princeton? It doesn't seem to have been discoved by them! Is it possible
 * to find a security-hole through this mechanism?</B>
 * <PRE>
 * Output dump (with Store_X method hashCode overridden):
 * .
 * Aliasing error in Java
 *   Study of hashCode (=physical address of object)
 * Peter Welch, UKC (orig) and Oyvind Teig, Autronica (hashCode)
 * 3.Feb.1997
 * .
 * Initially:         obj2=2 obj1 = 1
 * Different objects: obj2=2 obj1 = 1
 * Same objects:      obj2=2 obj1 = 0
 * .
 * Hashtable:
 *   obj2.X  = 20527224
 *   obj2    = 20527224
 *   obj1.X  = 20527208
 *   obj1    = 20527208
 * </PRE>
 *
 * @author  Peter Welch, UKC (orig) and Xyvind Teig, Autronica (hashCode)
 * @version 1.0 -- 3.Feb.1997
 */
//}}}  
public class  Alias_n
{
   public static void  main (String argv [])
   {
      System.out.println ("\nAliasing error in Java");
      System.out.println ("  Study of hashCode (=physical address of object)");
      System.out.println ("Peter Welch, UKC (orig) and Oyvind Teig, Autronica (hashCode)");
      System.out.println ("3.Feb.1997\n");

      Strange_alias test = new Strange_alias (1, 2);
   }
}
//}}}  

--1F3cBTuJXLhikXD7oa7MRogy9cJVKsKv--

	


Last updated: Tue Nov 2 12:11:28 1999
Maintained by Peter Welch.