WebApp Sec mailing list archives

Re: Java Code Scanning


From: Grega Bremec <grega.bremec () noviforum si>
Date: Wed, 7 Jan 2004 17:53:03 +0100

...and on Wed, Jan 07, 2004 at 02:57:16PM +0800, Peter Lee, Kah Chen used the keyboard:

> The idea is not to look for bad code writing, but to identify/flag code
> which may have security implications for more detailed study or even
> code walkthrough.
>
> Anyone have a list of keywords to search with?


You might want to tackle this a bit differently:

    - compile the code with debugging options (including line number
      and method info)
    - start with an empty ~/.java.policy file (i.e. minimum security
      permissions for a running JVM)
    - add permissions as suitable for the purpose of your application

Stack traces from "SecurityException"s caused by unauthorized operation
attempts should give you enough information to inspect the relevant bits
of code this way.
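To make the three steps above concrete, here is an added example (not from the original post or its author): a small probe class that attempts a file read, a system-property read and an outbound socket connect, each wrapped so that a denial does not abort the rest. Run under the default SecurityManager with an empty policy, every denied operation surfaces as an AccessControlException (a SecurityException) whose stack trace points at the class, method and, because the class was compiled with -g, the line that made the call. The class name PolicyProbe, the policy file path and the probed file and port are constructed for the example.

```java
// Added example (not from the original post): a probe program to run under a
// restrictive Java security policy so that denied operations show up as
// SecurityException stack traces pointing back at the source.
//
// Step 1 - compile with debug info so stack traces carry line numbers:
//   javac -g PolicyProbe.java
// Step 2 - run with an empty policy file (path is a constructed example):
//   : > /tmp/empty.policy
//   java -Djava.security.manager -Djava.security.policy==/tmp/empty.policy PolicyProbe
// The double '==' makes that file the only policy in effect, so the JDK's
// default java.policy grants are not mixed in.
// Step 3 - add grant entries to the policy for each operation the
//   application legitimately needs, re-run, and repeat until nothing the
//   application should do is denied; what is still denied is worth a walkthrough.
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
import java.net.Socket;
import java.security.AccessControlException;

public class PolicyProbe {

    // Runs one probe and reports the permission that was missing; the printed
    // stack trace is what the reviewer walks back to the offending code.
    static void probe(String label, Runnable action) {
        try {
            action.run();
            System.out.println("[allowed] " + label);
        } catch (AccessControlException e) {
            System.out.println("[denied]  " + label + ": " + e.getPermission());
            e.printStackTrace(System.out);
        }
    }

    // Needs: permission java.io.FilePermission "/etc/passwd", "read";
    static void readPasswd() {
        try (FileReader r = new FileReader(new File("/etc/passwd"))) {
            r.read();
        } catch (IOException e) {
            System.out.println("[io] " + e.getMessage());
        }
    }

    // Needs: permission java.util.PropertyPermission "user.home", "read";
    static void readSystemProperty() {
        System.getProperty("user.home");
    }

    // Needs: permission java.net.SocketPermission "127.0.0.1:9", "connect";
    // The check happens before the connect, so the denial appears even when
    // nothing is listening on the (constructed) discard port.
    static void connectOut() {
        try (Socket s = new Socket("127.0.0.1", 9)) {
            // nothing to do; constructing the socket is the privileged step
        } catch (IOException e) {
            System.out.println("[io] " + e.getMessage());
        }
    }

    public static void main(String[] args) {
        probe("read /etc/passwd", PolicyProbe::readPasswd);
        probe("read property user.home", PolicyProbe::readSystemProperty);
        probe("connect 127.0.0.1:9", PolicyProbe::connectOut);
    }
}
```

A policy entry that allows only the first probe looks like `grant { permission java.io.FilePermission "/etc/passwd", "read"; };`; after adding it, the property read and the socket connect are still reported as denied with their traces. Note that the SecurityManager this technique relies on is deprecated for removal from JDK 17 onward and permanently disabled in JDK 24, so the approach applies to the Java 2 era the post describes and to JDKs up to 23.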

You can be very well sure that it's next to impossible to escape the
sandbox imposed by the Java security policy as it presents limitations
enforced by the JVM, so the programmer has no means of escalating
the privileges of a running application programmatically.

See more about it in the Security section of your Java2 SDK Standard
Edition Guide, downloadable from http://java.sun.com/, more specifically:

    Security Section, <docroot>/guide/security/index.html
    Policy Permissions, <docroot>/guide/security/permissions.html
    Default Policy Implementation and Policy File Syntax,
        <docroot>/guide/security/PolicyFiles.html

or the Java2 Platform Security trail of the Java Tutorial, available from
http://java.sun.com/docs/books/tutorial/security1.2/index.html.

Hope this helps,
-- 
    Grega Bremec
    Sistemska administracija in podpora
    grega.bremec-at-noviforum.si
    http://najdi.si/
    http://www.noviforum.si/
