WebApp Sec mailing list archives
RE: Java Code Scanning
From: Mark Curphey <mark () curphey com>
Date: Wed, 07 Jan 2004 12:49:40 -0500 (EST)
I am sure you understand the limitations of just grepping for strings etc., but that said, a while back when I was teaching myself Java I wrote a small app to automate finding the Ten Issues in the Securing Java book (www.securingjava.com). I checked the online version and I can't see the checks now, but the app I wrote is ... http://cvs.sourceforge.net/viewcvs.py/owasp/codespy/

It looks for things like access modifiers and so on. May be of help.

---- "Scovetta, Michael V" <Michael.Scovetta () ca com> wrote:
Peter,

If your application is running in a "secure" context (applet or with a specific security manager in place) then there shouldn't be anything that could be malicious (you can disable the ability to access the filesystem and network). If not, then you might want to look for calls using:

- java.io.File
- java.net.*
- keyword 'native' (implied JNI calls, which are not protected by the Java security model)
- java.lang.Process
- java.lang.Runtime

I'm sure there are more, but other than running up your CPU, if an application can't use the network or the file system, can't break out to another process, and can't use JNI, I think you might be maybe 90% safe.

Michael Scovetta

-----Original Message-----
From: Peter Lee, Kah Chen [mailto:peterlee () crimsonlogic com]
Sent: Wednesday, January 07, 2004 1:57 AM
To: webappsec () securityfocus com
Subject: Java Code Scanning

Hi there and a good day to you,

Cutting to the chase: if I am to do a textual scan of a piece of Java application code for potentially malicious embedded code, what are the key words to scan for? For example, in the case of a C/C++ program I might look for memory handling code, i.e. memcpy(), strcpy(), strdup(), memset(); system execution code such as sys(), exec(), fork(), etc.; IPC & RPC calls; code which tries to access the password directory, that sort of thing. The idea is not to look for bad code writing, but to identify/flag code which may have security implications for more detailed study or even a code walkthrough.

Anyone have a list of keywords to search with?

Thanks!
Peter
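As an added example (not code from this thread, from codespy, or from any of the posters), a small Python scanner that applies Michael's keyword list to Java source for review triage: it skips comment lines, reports the line number and concern category of each hit, and tallies hits per category. The regexes, the category names and the Java sample are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# One regex per concern named in the thread (constructed patterns, not a standard list):
# file system access, network access, JNI ('native'), and process spawning.
PATTERNS = {
    "filesystem": re.compile(r"\bjava\.io\.File\b|\bnew\s+File\s*\("),
    "network": re.compile(r"\bjava\.net\.\w+"),
    "jni": re.compile(r"\bnative\b"),
    "process": re.compile(r"\bjava\.lang\.(Process|Runtime)\b|\bRuntime\.getRuntime\s*\(|\bProcessBuilder\b"),
}

# Constructed Java sample; line 5 is a comment and must not be flagged.
SAMPLE_JAVA = """import java.io.File;
import java.net.Socket;

public class Demo {
    // Runtime.getRuntime() in a comment should not be flagged
    private native void callOut();
    void run(String path) {
        File f = new File(path);
        Process p = Runtime.getRuntime().exec("ls");
    }
}"""

def scan_java_source(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, category, stripped_line) for each flagged line.
    Whole-line comments are skipped to cut noise; string literals are not
    parsed, so a keyword inside a string still flags (a false positive the
    reviewer resolves by hand, which is the point of a triage scan)."""
    hits = []
    in_block_comment = False
    for no, line in enumerate(source.splitlines(), 1):
        stripped = line.strip()
        if in_block_comment:
            in_block_comment = "*/" not in stripped
            continue
        if stripped.startswith("/*"):
            in_block_comment = "*/" not in stripped
            continue
        if stripped.startswith("//"):
            continue
        for category, pat in PATTERNS.items():
            if pat.search(line):
                hits.append((no, category, stripped))
    return hits

def summarize(hits: List[Tuple[int, str, str]]) -> Dict[str, int]:
    """Count hits per category to show which of the four concerns a file touches."""
    counts: Dict[str, int] = {}
    for _, category, _ in hits:
        counts[category] = counts.get(category, 0) + 1
    return counts

if __name__ == "__main__":
    for no, category, text in scan_java_source(SAMPLE_JAVA):
        print(f"line {no:3d} [{category}] {text}")
    print(summarize(scan_java_source(SAMPLE_JAVA)))
```

A file with no hits in any category is what Michael's "can't use the network or the file system, can't break out to another process, and can't use JNI" heuristic describes; any hit is a starting point for the manual walkthrough Peter asks about, not a verdict.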