Network Security SecProg

RE: Java Inner Classes Insecure?

Subject: RE: Java Inner Classes Insecure?
Date: Fri, 26 Nov 2004 11:41:58 +1100
Hi,

Well, you said it yourself ... the private methods become package-level.

Are you concerned about other classes in your package? If you are,
you're in trouble. Consider reducing the size of your packages, bundle
them into little groups, etc.

-- Michael
PS: You might like to have a look at the Java forum:
http://forum.java.sun.com/, where issues like this have been discussed.
Specifically: 
http://forum.java.sun.com/thread.jspa?threadID=549556&start=15&tstart=0

-----Original Message-----
From: Craig E. Ward [mailto:cew@ACM.ORG] 
Sent: Thursday, 25 November 2004 5:34 AM
To: secprog@securityfocus.com
Subject: Java Inner Classes Insecure?

If the list needs something to talk about, I have a question about
Java and inner classes. (Back in 2000 there was a Security Focus
thread on this topic, but things may have changed.)

Some of the security guidelines contain an item that inner classes (or
at least public, non-static inner classes) are to be avoided. The
alleged problem is that a Java compiler has to change the access
modifiers of any members accessed by the inner class because the JVM
can't treat an inner class any differently from a regular class. A
private member will be recast into package scope, that is, what a
class has marked as private becomes accessible to any class in the
package.

As far as I can tell, this item comes from a set of guidelines written
by Gary McGraw and Edward Felten back in 1998.
(http://www.javaworld.com/javaworld/jw-12-1998/jw-12-securityrules_p.html)
I don't have a Java 1.1 compiler to experiment with, but the Java 1.4
compilers (Sun's javac and IBM's jikes) do not seem to actually change
the access specifier, according to javap.

What these compilers do is add new static access methods that the
inner classes can call to do things with the private members of the
outer class. The inner class gets an extra member that is a reference
to the outer class so it knows which instance of the outer class it
belongs to.

The counter argument asserts that what this really shows is that the
Java language is treating all class members orthogonally, which is a
good thing. A class member is a class member. (In C++, inner classes
do not get this access to the outer class automatically. This is an
indicator that C++ is less orthogonal in its treatment of class
members and this is a weakness in the language.)

Although I haven't actually made it work, it seems to me that calls to
these access methods used by the inner classes could be inserted into
third party classes. Does anyone know of a case where this has been
done? Are the problems with inner classes historical or do they still
exist?

Craig
--
Internet: cew@ACM.ORG
"There are 10 kinds of people in the world: Those who understand
binary and those who don't."
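The compiler-generated accessors and the hidden outer-instance reference that the message above describes can be audited with reflection instead of javap. The class below is an added example, not code from either poster: `SyntheticAudit` and `Inner` are hypothetical names, and `report()` lists every synthetic member of a class together with its real access level, so a reviewer can see exactly what a given javac version exposes to the rest of the package.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;

// Hypothetical outer class: a private field and a private method, both
// used from a non-static inner class (the pattern discussed in the thread).
public class SyntheticAudit {
    private int secret = 42;

    private String hidden() { return "hidden:" + secret; }

    public class Inner {
        // Reading outer private members forces the compiler to grant access.
        public String peek() { return hidden(); }
    }

    // Reflection reports "" for package-private, so spell it out.
    static String access(int mod) {
        if (Modifier.isPrivate(mod))   return "private";
        if (Modifier.isProtected(mod)) return "protected";
        if (Modifier.isPublic(mod))    return "public";
        return "package-private";
    }

    // Prints every compiler-generated (synthetic) method and field of cls.
    // javac 1.1 through 10 emits package-private static access$NNN methods
    // on the outer class; javac 11+ (nest-based access control, JEP 181)
    // emits none, and only the inner class's this$0 outer reference remains.
    static void report(Class<?> cls) {
        System.out.println("== " + cls.getName());
        for (Method m : cls.getDeclaredMethods()) {
            if (m.isSynthetic()) {
                System.out.println("  method " + access(m.getModifiers())
                        + (Modifier.isStatic(m.getModifiers()) ? " static " : " ")
                        + m.getName());
            }
        }
        for (Field f : cls.getDeclaredFields()) {
            if (f.isSynthetic()) {
                System.out.println("  field  " + access(f.getModifiers())
                        + " " + f.getType().getSimpleName() + " " + f.getName());
            }
        }
    }

    public static void main(String[] args) {
        SyntheticAudit outer = new SyntheticAudit();
        System.out.println(outer.new Inner().peek());
        report(SyntheticAudit.class);
        report(SyntheticAudit.Inner.class);
    }
}
```

Compile and run the same source with an old and a current JDK to see the difference: the package-private `access$NNN` methods appear only in the older output, which is the quickest way to confirm whether the concern in this thread still applies to a given build toolchain.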
