Vulnerability Development mailing list archives
Re: Security code verification for JAVA
From: 11a () GMX NET (Bluefish)
Date: Tue, 30 May 2000 06:23:35 +0200
Numerous security issues cannot be automatically detected, so a security officer *really* should know programming (and preferably Java) to analyze a design though. However, tools are quite helpful sometimes. In C you could (among other things) grep for dangerous functions, and in Java you could do the same as well I suppose. The only dangerous stuff I'm aware of is exec in java.lang.Runtime (as it escapes the control of the JVM and should be carefully implemented). Obviously one should also think twice about how the JVM is executed, because on most unixes it will run as your uid. A badly coded daemon with write ability or exec ability has almost the same vulnerabilities as a C program which does the same thing.

I'm not aware of more code which could be detected automatically as dangerous, but I'm no Java expert. To detect whether such code is 'safely' or 'dangerously' coded seems like a hard task though. In my computer security class the teacher intentionally created exploitable code by sending strings to a unix shell (using exec), which is a really bad idea since you get good old problems with unix expansion.

According to Pfleeger, Security in Computing, there are a number of problems with Java. The security model is complex (too many calls), logging of security failures not being done, etc. etc. It also points out a number of problems which seem to assume that the attacker has the ability to modify your system (which is rather weird, because it's widely known that if the trusted computing base is unsafe, so are all applications executed upon it as well!). How much has happened since the book was printed I have no idea about though.
Do you know of a program that can check JAVA code for potential security threats? This program would be used by the security officer who doesn't know JAVA.
..:::::::::::::::::::::::::::::::::::::::::::::::::.. http://www.11a.nu || http://bluefish.11a.nu eleventh alliance development & security team
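
The grep-style check for `exec` that the message describes, written out as an added example (not code from the poster or from any tool named in the thread). The function names, the severity labels and the sample Java source are assumptions made for illustration; the scan ignores comments and string literals so that only real calls are reported, and it does not handle Java character literals.

```python
import re

# Java string literals and comments, matched in one pass so that "//" inside a
# string or a quote inside a comment cannot confuse the scan.
TOKEN = re.compile(r'"(?:\\.|[^"\\\n])*"|//[^\n]*|/\*.*?\*/', re.S)
EXEC_CALL = re.compile(r'\.\s*exec\s*\(')
SHELL = re.compile(r'"(?:[\w/]*/)?(?:sh|bash|ksh|csh)"')

def _blank(text):
    """Replace text with spaces but keep newlines, so offsets and line numbers hold."""
    return re.sub(r'[^\n]', ' ', text)

def scan(source):
    """Return [(line, level)] for every exec call outside comments and strings."""
    keep_strings = TOKEN.sub(
        lambda m: m.group() if m.group().startswith('"') else _blank(m.group()), source)
    code_only = TOKEN.sub(lambda m: _blank(m.group()), source)
    findings = []
    for m in EXEC_CALL.finditer(code_only):
        end = code_only.find(';', m.end())
        end = len(code_only) if end == -1 else end
        uses_shell = bool(SHELL.search(keep_strings[m.start():end]))
        dynamic = '+' in code_only[m.start():end]   # string concatenation in the call
        if uses_shell and dynamic:
            level = 'HIGH'      # run-time string handed to a shell: expansion applies
        elif uses_shell or dynamic:
            level = 'MEDIUM'
        else:
            level = 'REVIEW'    # constant arguments, still leaves the JVM's control
        findings.append((code_only.count('\n', 0, m.start()) + 1, level))
    return findings

# Constructed sample input, not code from the original post.
SAMPLE_JAVA = '''\
import java.io.*;
public class Daemon {
    void list(String dir) throws IOException {
        // string handed to a unix shell
        Runtime.getRuntime().exec(new String[] {"/bin/sh", "-c", "ls " + dir});
    }
    void listSafe(String dir) throws IOException {
        Runtime.getRuntime().exec(new String[] {"/bin/ls", "--", dir});
    }
    void note() {
        String s = "Runtime.getRuntime().exec( is dangerous"; // exec( in a comment
    }
}
'''

if __name__ == '__main__':
    for line, level in scan(SAMPLE_JAVA):
        print(f'line {line}: {level}')
```

A finding only marks a line for a reviewer who can read the code; as the message says, deciding whether a given call is safely coded is not something the pattern match can do.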