Full Disclosure mailing list archives
SEC Consult whitepaper :: The Source Is A Lie
From: SEC Consult Vulnerability Lab <research () sec-consult com>
Date: Tue, 17 Apr 2012 16:01:04 +0200
SEC Consult Vulnerability Lab released a new whitepaper titled: "The Source Is A Lie" Abstract: --------- Backdoors have always been a concern of the security community. In recent years the idea of not trusting the developer has gained momentum and manifested itself in various forms of source code review. For Java, being one of the most popular programming languages, numerous tools and papers have been written to help during reviews. While these tools and techniques are getting developed further, they usually focus on traditional programming paradigms. Modern concepts like Aspect Oriented Programming or the Java Reflection API are left out. Especially the use of Java's Reflection API in conjunction with the lesser known 'string pool' can lead to a new kind of backdoor. This backdoor hides itself from unwary reviewer by disguising its access to critical resources like credential through indirection. To raise the awareness about this particular kind of backdoor, this paper will: * Provide a short introduction to the string pool. * Show how reflection can be used to manipulate it. * Demonstrate how a backdoor can abuse this. * Discuss how it can be uncovered. In the end, there is one more attack vector the reviewer has to consider. Time will show if automated analyses will be able to detect this threat but up to this point knowledge, experience and intuition of a human reviewer are the only defense. Whitepaper URL: --------------- https://www.sec-consult.com/en/whitepapers.html => https://www.sec-consult.com/files/SEC_Consult_The_Source_Is_A_Lie_V1.0_PUBLIC.pdf Author: ------- Andreas Nusser SEC Consult Vulnerability Lab ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Unternehmensberatung GmbH Office Vienna Mooslackengasse 17 A-1190 Vienna Austria Tel.: +43 / 1 / 890 30 43 - 0 Fax.: +43 / 1 / 890 30 43 - 25 Mail: research at sec-consult dot com https://www.sec-consult.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- SEC Consult whitepaper :: The Source Is A Lie SEC Consult Vulnerability Lab (Apr 17)