All geek questions in one place

Is there a set of old security issues with describing and using code for the Java platform?

I am wondering if there is an educational collection of examples of how security in the JVM has been compromised in older versions.

After reading the articles on the IKVM blog, I got the feeling that I would learn more by understanding past cases of security issues, instead of reading some simple “Do and Dont” (it seems like most interesting articles have pulled out what a shame).

Is there something like this somewhere?

Maybe my expectations are too strong: I don’t care about any script-kiddy material, but I’m looking for quality content that goes in depth about

  • How was a security issue discovered?
  • What will the code look like?
  • What does the wrong code look like?
  • How is the bug fixed?
  • How can I check for an error?
  • What were the reasons behind the security problem? (Sheer laziness, performance problems, wrong assumptions, ...)
  • What are the lessons as an application developer, library developer, VM engineer?

Is there something similar on the net?

+6
source share
1 answer

I think there is very little research on JVM exploits. What do you want to do exactly?

  • Break the standard Java programming restrictions: easy to do, as you can access everything by running standard bytecode.
  • Bypassing Java security policies when executing Java code (for example, exiting a sandboxed browser program): this has very little to do with the JVM; this is often a combination of browser-based exploits and other exploits to be able to launch the applet and include the bootstrap path of the standard JVM.
  • Launch a buffer overflow attack on the OS from the JVM.

Often shutting down the browser sandbox is trivial and has nothing to do with the JVM itself: http://jouko.iki.fi/adv/javaplugin.html

Best information will be available from an open source JVM, such as BlackDown. Find the words “exploit”, “bug”, “sandbox” in the list of SVN changes and look at SVN Diff's.

+2
source

Source: https://habr.com/ru/post/905886/

More articles:


All Articles