WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Java Code Scanning

From: Mark Curphey <mark () curphey com>
Date: Wed, 07 Jan 2004 12:49:40 -0500 (EST)
I am sure you understand the limitations of just grepping for strings etc but that said a while back when I was 
teahcing myself Java I wrote a small app to automate finding the Ten Issues in the Securing Java book.

www.securingjava.com

I checked the online version and I can't see the checks now but . the app I wrote is ....

http://cvs.sourceforge.net/viewcvs.py/owasp/codespy/

It looks for things like access modifiers and so on. May be of help.

---- "Scovetta, Michael V" <Michael.Scovetta () ca com> wrote:

Peter,
   If your application is running in a "secure" context (applet or with
a specific security manager in place) then there shouldn't be anything that
could be malicious (you can disable the ability to access the filesystem and
network). If not, then you might want to look for calls using:
   java.io.File
   java.net.*
   keyword 'native' (implied JNI calls, which are not protected
                     by the Java security model)
   java.lang.Process
   java.lang.Runtime

I'm sure there are more, but other than running up your CPU, if an application
can't use the network or the file system, can't break out to another process,
and can't use JNI, I think you might be maybe 90% safe. 

Michael Scovetta

-----Original Message-----
From: Peter Lee, Kah Chen [mailto:peterlee () crimsonlogic com]
Sent: Wednesday, January 07, 2004 1:57 AM
To: webappsec () securityfocus com
Subject: Java Code Scanning


Hi there and a good day to you,

Cutting to the chase; if I am to do a textual scan of a piece of Java
application code for potential malicious code embedded, what are the key
words to scan for?

For example in the case of C/C++ program; I might look for memory
handling code i.e memcpy(), strcpy(), strdup(), memset(),  system
execution code sys(), exec(), fork(), etc. IPC & RPC calls. Codes which
try to access password directory that sort of thing.

The idea is not to look for bad code writing, but to identify/flag code
which may have security implications for more detailed sturdy or even
code walkthrough.

Anyone have a list of keywords to search with?

Thanks!

Peter
Previous By Date Next
Previous By Thread Next

Current thread: