Author: Mark D. Ladue
DOI:
Keywords:
Abstract: In Java’s first year it has become clear that many of the problems posed by executable content have not been solved. The almost exclusive focus Java community on left numerous avenues unexplored for threats. It observed there is no one-to-one correspondence between source code (programs) and byte (class files). While every program written in can be compiled to a compiler, possible create class files which compiler produce, yet, pass Verifier with flying colors. This fact one very serious implication No matter what claims are made, even formally demonstrated, security language, all bets off when comes running Virtual Machine. paper will explore some implications this curious lack coherence code. also illustrate how easy alter malicious purposes.

1. THE STATE OF JAVA SECURITY

programming language recently turned old. its year, had number spectacular holes punched model Ed Felten Safe Internet Programming Team at Princeton University [McGF]. Since February 1996 Hostile Applets Home Page Georgia Institute Technology’s School Mathematics featured collection evil applets (with complete code), yet Sun Microsystems corporate partners shown little progress combatting hostile [LaD1, LaD2]. A ago, was gaining notoriety, few people imagined so flaws would surface quickly, fewer believed threats from persist. power complexity make extremely likely continue appear years come. files) [McGF, LaD4]. WHEN WAS ONE: THREATS FROM HOSTILE BYTE CODE Such said deviant. Not only deviant files, simple do so, these noncompiler greatly exceeds those producible compilers. Deviant exploit unenforced, or improperly implemented, rules potential reduce Security rubble. Note applies as well most untrusted (which programs downloaded run automatically browsers) does applications set up more traditional ways). inadvertently trusting application lead ruin, accidentally downloading applet exploits increased over Thus distinction unimportant present context.
Until new threat fully understood explored, wise regard suspicion than ever before. Section 2 contains an overview salient facts about file format. highlights ease altered things beyond 3 describes problem incoherence points out several surprising properties unenforced Verifier, could breaches. 4 then introduces examples order One particularly interesting example considered length HoseMocha.java, applied applets, making them impervious celebrated Mocha decompiler. Finally, 5 recounts recent experience rudimentary Platform viruses, assesses possibility virulent

2. AN OVERVIEW CLASS FILE FORMAT

When compiled, result file, having .class extension containing platform-independent specific should regarded stream 8-bit bytes, 16-bit, 32-bit, 64-bit quantities being constructed big-endian two, four, eight consecutive respectively. Machine (JVM) Specification represents C-like structure notation follows [Lind]: