WebApp Sec mailing list archives
Re: Java Code Scanning
From: Gary Ellison <gary.ellison () sun com>
Date: Fri, 9 Jan 2004 17:10:26 -0800
" " == Peter Lee <Peter> writes:
Hi there and a good day to you, Cutting to the chase; if I am to do a textual scan of a piece of Java application code for potential malicious code embedded, what are the key words to scan for?
For example in the case of C/C++ program; I might look for memory handling code i.e memcpy(), strcpy(), strdup(), memset(), system execution code sys(), exec(), fork(), etc. IPC & RPC calls. Codes which try to access password directory that sort of thing.
The idea is not to look for bad code writing, but to identify/flag code which may have security implications for more detailed sturdy or even code walkthrough.
Anyone have a list of keywords to search with?
You may want to have a look at the secure coding guide: http://java.sun.com/security/seccodeguide.html

To get a deeper understanding of permissions, the paper by Koved, Pistoia and Kershenbaum is quite detailed: http://domino.watson.ibm.com/library/cyberdig.nsf/1e4115aea78b6e7c85256b360066f0d4/1930f3644fb16b5b85256b8900685c78?OpenDocument

-- 
mailto: <first>_DOT_<last>_AT_sun_DOT_com
http://tinyurl.com/yrbj6
"Bootsy!" "Yeah, Bootsy's cool. Huh, huhhuhuh." "Bootsy! He's from outer space. Heh, henh, henh, henh." Beavis & Butthead
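As an added illustration, not from either poster, here is the kind of triage scanner Peter describes: a Python script that flags Java source lines calling APIs with security implications (process execution, native code, reflection, privilege boundaries, deserialization, file, network and database access) so they can be walked through by hand. The pattern list and the sample Java class are constructed for this example; the list is a starting point for review, not a complete one.

```python
import re
from collections import Counter

# Java APIs worth a manual review pass, keyed by category. Each regex matches
# the call site. Constructed and illustrative, not exhaustive.
REVIEW_PATTERNS = {
    "process execution": [r"\bRuntime\.getRuntime\(\)\.exec\b", r"\bProcessBuilder\b"],
    "native code": [r"\bSystem\.load(Library)?\b", r"\bnative\b"],
    "reflection / class loading": [r"\bClass\.forName\b", r"\.invoke\(",
                                   r"\bdefineClass\b", r"\bURLClassLoader\b"],
    "privilege boundary": [r"\bdoPrivileged\b", r"\bsetSecurityManager\b"],
    "deserialization": [r"\bObjectInputStream\b", r"\.readObject\("],
    "file system": [r"\bFile(Input|Output)Stream\b", r"\bRandomAccessFile\b", r"\bnew File\("],
    "network / IPC": [r"\b(Server)?Socket\b", r"\bURLConnection\b", r"\bjava\.rmi\b"],
    "database": [r"\bcreateStatement\b", r"\.execute(Query|Update)?\("],
}
COMPILED = [(cat, re.compile(p)) for cat, pats in REVIEW_PATTERNS.items() for p in pats]


def scan_java(source):
    """Return [(line_no, category, stripped_line)] for every line hitting a pattern."""
    hits = []
    for n, line in enumerate(source.splitlines(), start=1):
        code = line.split("//", 1)[0]  # ignore trailing line comments
        for cat, rx in COMPILED:
            if rx.search(code):
                hits.append((n, cat, line.strip()))
                break  # one finding per line is enough for a triage list
    return hits


def summarize(hits):
    """Count findings per category, to prioritise the walkthrough."""
    return Counter(cat for _, cat, _ in hits)


# Constructed sample Java class exercising several categories.
SAMPLE = """package demo;
import java.io.*;
public class Worker {
    private native void fastPath();          // JNI entry point
    public void run(String host) throws Exception {
        Process p = Runtime.getRuntime().exec("ls -l");
        Class<?> c = Class.forName(host);    // class name from caller input
        ObjectInputStream in = new ObjectInputStream(new FileInputStream("state.bin"));
        Object o = in.readObject();
        System.out.println(o);
    }
}
"""

if __name__ == "__main__":
    for n, cat, text in scan_java(SAMPLE):
        print(f"line {n:3d} [{cat}] {text}")
```

Note that a keyword scan only finds direct call sites; code that builds class or method names from strings at runtime shows up only through the reflection hits, which is why those deserve a closer look.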