WebApp Sec mailing list archives

Re: [WEB SECURITY] Java -noverify PoC


From: Stephen de Vries <stephen () corsaire com>
Date: Thu, 4 May 2006 10:43:16 +0700


Hi Dinis,

There's an easier way of doing this without having to get down and dirty with bytecodes: by splitting the two classes into separate files, you can manipulate and compile them independently.

Create a file called MyData.java in a folder called verifytest2:

package verifytest2;

public class MyData {
    private String name;

    public MyData() {
        name = "No one can read me";
    }

    public String getName() {
        return name;
    }
}

Create another file called Main.java in the same folder:

package verifytest2;

public class Main {
    static Main m;

    public Main() {
        MyData d = new MyData();
        System.out.println(d.getName());
    }

    public static void main(String[] args) {
        m = new Main();
    }

}

Compile both classes:
javac verifytest2/*.java
(There should be no problems, as it's valid in all respects.)

Now edit the MyData class and change the access permissions of the getName() method from public to private, i.e.:

    private String getName() {
        return name;
    }

Recompile only this class:
javac verifytest2/MyData.java

and run...

[~/data/dev/verifytest2/src]java -cp . verifytest2.Main
No one can read me

[~/data/dev/verifytest2/src]java -cp . -verify verifytest2.Main
Exception in thread "main" java.lang.IllegalAccessError: tried to access method verifytest2.MyData.getName()Ljava/lang/String; from class verifytest2.Main
        at verifytest2.Main.<init>(Main.java:23)
        at verifytest2.Main.main(Main.java:36)
[~/data/dev/verifytest2/src]


And just to demonstrate that -verify is a separate thing from the security manager, I created a very restrictive policy file that denies everything:
grant {
        
};

I called it .java.policy.none and then ran with the security manager active, using this policy:

[~/data/dev/verifytest2/src]java -Djava.security.manager -Djava.security.policy==file:/Users/stephen/.java.policy.none -cp . verifytest2.Main

No one can read me

So the program still runs without reporting an access error even with a security manager defined. You need to explicitly add -verify to ensure type (and access) safety:

[~/data/dev/verifytest2/src]java -Djava.security.manager -Djava.security.policy==file:/Users/stephen/.java.policy.none -verify -cp . verifytest2.Main

Exception in thread "main" java.lang.IllegalAccessError: tried to access method verifytest2.MyData.getName()Ljava/lang/String; from class verifytest2.Main
        at verifytest2.Main.<init>(Main.java:22)
        at verifytest2.Main.main(Main.java:35)


--
Stephen de Vries
Corsaire Ltd
E-mail: stephen () corsaire com
Tel:    +44 1483 226014
Fax:    +44 1483 226068
Web:    http://www.corsaire.com
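The whole procedure from the mail above, scripted end to end as an added example (this is not code from Stephen's mail or from Corsaire): it writes both classes, compiles them, flips getName() to private, recompiles only MyData, and then runs Main under each flag combination, classifying every run as leaked (the private string was printed), denied (IllegalAccessError) or other. It assumes only that a JDK (javac and java) is on PATH; the scratch directory, the none.policy file and the function names setup_verifytest, run_case and demo are this example's own. One caveat: which rows come out as "leaked" depends on the JVM. The mail's default-flag and security-manager runs are from a 2006 JVM; current HotSpot checks method access when the method reference is resolved even under -Xverify:none, so the one outcome that is stable across JVMs is that any run with -verify ends in IllegalAccessError.

```shell
#!/bin/sh
# Reproduces the two-class -verify experiment from the mail above, end to end,
# in a scratch directory. Assumes only that a JDK (javac and java) is on PATH.
set -e

# Write the two sources, compile both, then make getName() private and recompile
# only MyData. Main.class keeps an invokevirtual for a method it may no longer call.
setup_verifytest() {
    dir="$1"
    mkdir -p "$dir/verifytest2"
    cat > "$dir/verifytest2/MyData.java" <<'EOF'
package verifytest2;

public class MyData {
    private String name;

    public MyData() {
        name = "No one can read me";
    }

    public String getName() {
        return name;
    }
}
EOF
    cat > "$dir/verifytest2/Main.java" <<'EOF'
package verifytest2;

public class Main {
    public static void main(String[] args) {
        MyData d = new MyData();
        System.out.println(d.getName());
    }
}
EOF
    # Deny-everything policy for the security manager runs (same as the mail's file).
    printf 'grant {\n};\n' > "$dir/none.policy"
    (cd "$dir" && javac verifytest2/*.java)
    # Flip the accessor to private and recompile only this class.
    sed 's/public String getName()/private String getName()/' \
        "$dir/verifytest2/MyData.java" > "$dir/verifytest2/MyData.java.new"
    mv "$dir/verifytest2/MyData.java.new" "$dir/verifytest2/MyData.java"
    (cd "$dir" && javac verifytest2/MyData.java)
}

# Run Main with the given JVM flags and classify the outcome:
#   leaked  - the private string was printed
#   denied  - the JVM refused the call with IllegalAccessError
#   other   - anything else (flag unsupported, security manager refused to start, ...)
run_case() {
    dir="$1"; shift
    out=$(cd "$dir" && java "$@" -cp . verifytest2.Main 2>&1 || true)
    case "$out" in
        *"No one can read me"*) echo leaked ;;
        *IllegalAccessError*)   echo denied ;;
        *)                      echo other ;;
    esac
}

# Table of outcomes for the runs in the mail, plus an explicit -noverify.
demo() {
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    setup_verifytest "$work"
    policy="-Djava.security.policy==file:$work/none.policy"
    printf '%-32s %s\n' 'default flags' "$(run_case "$work")"
    printf '%-32s %s\n' '-noverify' "$(run_case "$work" -noverify)"
    printf '%-32s %s\n' '-verify' "$(run_case "$work" -verify)"
    printf '%-32s %s\n' 'security manager, no -verify' \
        "$(run_case "$work" -Djava.security.manager "$policy")"
    printf '%-32s %s\n' 'security manager + -verify' \
        "$(run_case "$work" -Djava.security.manager "$policy" -verify)"
}

# Execute the demonstration with:  sh verifytest.sh run
if [ "${1:-}" = "run" ]; then
    demo
fi
```

The sed-and-recompile step is the whole trick: javac will not let you write a caller of a private method, but nothing stops you from compiling the caller first and tightening the callee afterwards, so Main.class ends up with a method reference that only the JVM's own access check can reject. The -verify and -Xverify:all rows must read "denied"; treat a "leaked" in any row as the finding, and "other" as a sign that the flag or the security manager is not supported by the JVM you ran it on (on JDK 13 and later -noverify only prints a deprecation warning, which the classifier ignores).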







