Vulnerability Development mailing list archives

Re: Security code verification for JAVA


From: 11a () GMX NET (Bluefish)
Date: Tue, 30 May 2000 06:23:35 +0200


Numerous security issues cannot be automatically detected, so a security
officer *really* should know programming (and preferably Java) to analyze
a design though.

However, tools are quite helpful sometimes. In C you could (among other
things) grep for dangerous functions, and in Java you could do the same as
well I suppose. The only dangerous stuff I'm aware of is exec in
java.lang.Runtime (as it escapes the control of the JVM and should be
carefully implemented). Obviously one should also think twice about how
the JVM is executed, because on most unixes it will run as your uid. A
badly coded daemon with write ability or exec ability has almost the same
vulnerabilities as a C-program which does the same thing.

I'm not aware of more code which could be detected automatically as
dangerous, but I'm no Java expert. To detect whether such code is 'safely'
or 'dangerously' coded, seems like a hard task though.

In my computer security class the teacher intentionally created
exploitable code by sending strings to a unix shell (using exec) which is
a really bad idea since you get good old problems with unix expansion.

According to Pfleeger, Security in Computing, there are a number of
problems with Java. The security model is complex (too many calls),
logging of security failures not being done, etc etc. It also points out a
number of problems which seem to assume that the attacker has the ability
to modify your system. (which is rather weird, because it's widely known
that if the trusted computing base is unsafe so are all applications
executed upon it as well!)

How much that has happened since the book was printed I have no idea
about though.

 Do you know of a program that can check JAVA code for potential
security threats? This program would be used by the security
officer who doesn't know JAVA.

..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu
    eleventh alliance development & security team
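
The "grep for dangerous functions" approach from the message above, as an added example that is not part of the original post: a line-based scan of Java source for process-spawning calls, which also marks the shell-plus-built-string pattern the post warns about. The sample Java source, the `scan` function and the HIGH/MEDIUM/REVIEW levels are constructed for this example; flagging `ProcessBuilder` goes beyond the post, which names only `exec` in `java.lang.Runtime`.

```python
import re

# Constructed sample Java source (not from the original post).
SAMPLE_JAVA = '''\
import java.io.*;
public class Demo {
    void list(String dir) throws IOException {
        Runtime.getRuntime().exec(new String[] {"/bin/sh", "-c", "ls " + dir});
    }
    void listSafer(String dir) throws IOException {
        Runtime.getRuntime().exec(new String[] {"/bin/ls", "--", dir});
    }
    void viaBuilder(String file) throws IOException {
        new ProcessBuilder("/usr/bin/file", file).start();
    }
    // Runtime.getRuntime().exec("rm /tmp/x");  (commented out, ignored)
}
'''

# Calls that start a process outside the JVM's control.
SPAWN = re.compile(r'\.exec\s*\(|new\s+ProcessBuilder\s*\(')
# A Unix shell given "-c": the command string is subject to shell expansion.
SHELL = re.compile(r'"(?:/usr)?(?:/bin/)?(?:ba|k|c|z)?sh"\s*,\s*"-c"')
# A string literal glued to another value: "..." + x  or  x + "..."
CONCAT = re.compile(r'"\s*\+|\+\s*"')

def scan(source):
    """Return (line number, level, code) for each process-spawning line.
    Line-based and deliberately crude: calls split across lines and
    "//" inside string literals are not handled.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        code = line.split("//", 1)[0].strip()   # drop trailing // comments
        if not SPAWN.search(code):
            continue
        shell, concat = bool(SHELL.search(code)), bool(CONCAT.search(code))
        if shell and concat:
            level = "HIGH"      # built string handed to a shell
        elif shell or concat:
            level = "MEDIUM"    # one of the two risk markers
        else:
            level = "REVIEW"    # spawns a process; needs a human look
        findings.append((lineno, level, code))
    return findings

if __name__ == "__main__":
    for lineno, level, code in scan(SAMPLE_JAVA):
        print(f"{lineno:3} {level:6} {code}")
```

A hit only locates the call; deciding whether the arguments can be influenced by untrusted input still takes someone who can read the surrounding Java.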

