WebApp Sec mailing list archives
Re: [WEB SECURITY] Java -noverify PoC
From: Stephen de Vries <stephen () corsaire com>
Date: Thu, 4 May 2006 10:43:16 +0700
Hi Dinis,

There's an easier way of doing this, without having to get down and dirty with byte codes, by splitting the two classes into separate files you can manipulate and compile them independently:

Create a file called MyData.java in a folder called verifytest2:

    package verifytest2;

    public class MyData {
        private String name;

        public MyData() {
            name = "No one can read me";
        }

        public String getName() {
            return name;
        }
    }

Create another file called Main.java in the same folder:

    package verifytest2;

    public class Main {
        static Main m;

        public Main() {
            MyData d = new MyData();
            System.out.println(d.getName());
        }

        public static void main(String[] args) {
            m = new Main();
        }
    }

Compile both classes:

    javac verifytest2/*.java

(Should be no problems as it's valid in all respects)

Now edit the MyData class and change the access permissions of the getName() method from public to private, i.e.:

    private String getName() {
        return name;
    }

Recompile only this class:

    javac verifytest2/MyData.java

and run...

    [~/data/dev/verifytest2/src]java -cp . verifytest2.Main
    No one can read me
    [~/data/dev/verifytest2/src]java -cp . -verify verifytest2.Main
    Exception in thread "main" java.lang.IllegalAccessError: tried to access method verifytest2.MyData.getName()Ljava/lang/String; from class verifytest2.Main
            at verifytest2.Main.<init>(Main.java:23)
            at verifytest2.Main.main(Main.java:36)
    [~/data/dev/verifytest2/src]

And just to demonstrate that -verify is a separate thing from the security manager, I created a very restrictive policy file that denies everything:

    grant { };

called it .java.policy.none. Then ran with the security manager active and using this policy:

    [~/data/dev/verifytest2/src]java -Djava.security.manager -Djava.security.policy==file:/Users/stephen/.java.policy.none -cp . verifytest2.Main
    No one can read me

So the program still runs without reporting an access error even with a security manager defined. You need to explicitly add -verify to ensure type (and access) safety:

    [~/data/dev/verifytest2/src]java -Djava.security.manager -Djava.security.policy==file:/Users/stephen/.java.policy.none -verify -cp . verifytest2.Main
    Exception in thread "main" java.lang.IllegalAccessError: tried to access method verifytest2.MyData.getName()Ljava/lang/String; from class verifytest2.Main
            at verifytest2.Main.<init>(Main.java:22)
            at verifytest2.Main.main(Main.java:35)

--
Stephen de Vries
Corsaire Ltd
E-mail: stephen () corsaire com
Tel: +44 1483 226014
Fax: +44 1483 226068
Web: http://www.corsaire.com
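
The launch-flag check implied by the message above, as an added example that is not part of the original post: a shell function that classifies a java command line by its bytecode-verification setting and flags the case where a security manager is set without -verify. The function name classify_jvm_cmd and the -Xverify:* spellings are assumptions not taken from the post.

```sh
#!/bin/sh
# Added example (not from the original post). Classifies a JVM launch command
# by its bytecode-verification flags. Per the post, classes on the local
# classpath ran without access checks unless -verify was given, and setting a
# security manager did not change that.
# Assumptions: -Xverify:all/none/remote are the long spellings of these
# switches, and a later flag overrides an earlier one.

classify_jvm_cmd() (
    mode=default secmgr=no
    [ $# -gt 0 ] && shift                 # drop the launcher name ("java")
    while [ $# -gt 0 ]; do
        case $1 in
            -cp|-classpath) [ $# -gt 1 ] && shift ;;   # skip the option's value
            -verify|-Xverify:all)    mode=verified ;;
            -noverify|-Xverify:none) mode=disabled ;;
            -Xverify:remote)         mode=default ;;
            -Djava.security.manager|-Djava.security.manager=*) secmgr=yes ;;
            -jar) break ;;                # what follows is the jar and app args
            -*) ;;                        # any other JVM option
            *) break ;;                   # main class: the rest are app args
        esac
        shift
    done
    case $mode:$secmgr in
        verified:*)  echo verified ;;
        disabled:*)  echo disabled ;;
        default:yes) echo default-with-security-manager ;;
        *)           echo default ;;
    esac
)

# The four launch commands from the post, run through the classifier.
policy='-Djava.security.manager -Djava.security.policy==file:/Users/stephen/.java.policy.none'
for cmd in \
    "java -cp . verifytest2.Main" \
    "java -cp . -verify verifytest2.Main" \
    "java $policy -cp . verifytest2.Main" \
    "java $policy -verify -cp . verifytest2.Main"
do
    # Unquoted on purpose: split the sample line into words.
    printf '%-30s %s\n' "$(classify_jvm_cmd $cmd)" "$cmd"
done
```

Arguments after the main class or after -jar belong to the application, so a -verify placed there is not counted.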