WebApp Sec mailing list archives
Re: Java Code Scanning
From: Grega Bremec <grega.bremec () noviforum si>
Date: Wed, 7 Jan 2004 17:53:03 +0100
...and on Wed, Jan 07, 2004 at 02:57:16PM +0800, Peter Lee, Kah Chen used the keyboard:
The idea is not to look for bad code writing, but to identify/flag code which may have security implications for more detailed study or even code walkthrough. Anyone have a list of keywords to search with?
You might want to tackle this a bit differently:

- compile the code with debugging options (including line number and method info)
- start with an empty ~/.java.policy file (i.e. minimum security permissions for a running JVM)
- add permissions as suitable for the purpose of your application

Stack traces from "SecurityException"s caused by unauthorized operation attempts should give you enough information to inspect the relevant bits of code this way.

You can be very well sure that it's next to impossible to escape the sandbox imposed by the Java security policy as it presents limitations enforced by the JVM, so the programmer has no means of escalating the privileges of a running application programmatically.

See more about it in the Security section of your Java2 SDK Standard Edition Guide, downloadable from http://java.sun.com/, more specifically:

  Security Section, <docroot>/guide/security/index.html
  Policy Permissions, <docroot>/guide/security/permissions.html
  Default Policy Implementation and Policy File Syntax, <docroot>/guide/security/PolicyFiles.html

or the Java2 Platform Security trail of the Java Tutorial, available from http://java.sun.com/docs/books/tutorial/security1.2/index.html.

Hope this helps,

-- 
Grega Bremec
System administration and support
grega.bremec-at-noviforum.si
http://najdi.si/
http://www.noviforum.si/
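The procedure above (debug build, empty policy, collect SecurityExceptions, grant one permission at a time) as a small probe harness. This is an added example and not code from the original message or from any project it mentions; the class name, the file path, the port, the policy file name and the grants shown in the comments are made up for illustration. It runs on JDK 8 through 23; JDK 17 deprecated the security manager for removal and warns when it is enabled, and JDK 24 removed the ability to enable it, so on current JDKs this review technique no longer works.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.InetSocketAddress;
import java.net.Socket;

// Added example, not part of the original message. Each probe runs one operation
// that needs a Java permission; under a restrictive policy it throws a
// SecurityException and the harness reports the first stack frame in our own
// code, i.e. the line a reviewer should open. JDK classes run with AllPermission,
// so the first frame in this class is the application code that asked for the
// operation.
//
//   javac -g PolicyProbe.java                        # keep line numbers in the trace
//   : > probe.policy                                 # start with an empty policy
//   java -Djava.security.manager \
//        -Djava.security.policy==probe.policy PolicyProbe   # '==' ignores the JDK default policy
//
// Then add grants to probe.policy one at a time until only expected denials
// remain, for example (hypothetical grants):
//
//   grant codeBase "file:./-" {
//       permission java.util.PropertyPermission "user.home", "read";
//       permission java.io.FilePermission "/etc/hosts", "read";
//   };
public class PolicyProbe {

    /** One operation that may need a permission; checked exceptions are allowed. */
    interface Op {
        void run() throws Exception;
    }

    /** Locate the first frame of the trace that belongs to this class. */
    static String ourFrame(Throwable t) {
        String prefix = PolicyProbe.class.getName();
        for (StackTraceElement el : t.getStackTrace()) {
            if (el.getClassName().startsWith(prefix)) {
                return el.getFileName() + ":" + el.getLineNumber();
            }
        }
        return "<no frame in " + prefix + ">";
    }

    static void probe(String label, Op op) {
        try {
            op.run();
            System.out.println("[allowed] " + label);
        } catch (SecurityException e) {
            // AccessControlException extends SecurityException; its message names
            // the missing permission, which is what has to go into the policy file.
            System.out.println("[DENIED]  " + label + " at " + ourFrame(e));
            System.out.println("          " + e.getMessage());
        } catch (Exception e) {
            // The permission check passed but the operation itself failed
            // (e.g. nothing listening on the port); still a permitted operation.
            System.out.println("[allowed] " + label + " (failed later: " + e + ")");
        }
    }

    public static void main(String[] args) {
        // PropertyPermission "user.home", "read"
        probe("read system property user.home", () -> System.getProperty("user.home"));

        // FilePermission "/etc/hosts", "read"
        probe("read /etc/hosts", () -> {
            try (InputStream in = new FileInputStream("/etc/hosts")) {
                in.read();
            }
        });

        // SocketPermission "127.0.0.1:9", "connect,resolve"
        probe("connect to 127.0.0.1:9", () -> {
            try (Socket s = new Socket()) {
                s.connect(new InetSocketAddress("127.0.0.1", 9), 500);
            }
        });

        // RuntimePermission "getenv.PATH"
        probe("read environment variable PATH", () -> System.getenv("PATH"));
    }
}
```

With the empty policy every probe is reported as DENIED together with the file and line of the lambda that requested it; each grant added to probe.policy flips one probe to allowed. The same loop applied to a real code base turns the JVM's own permission checks into a list of the source locations that touch files, sockets, properties and the environment, which is the list the original poster wanted to build from keyword searches.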
Current thread:
- Java Code Scanning Peter Lee, Kah Chen (Jan 07)
- Re: Java Code Scanning Grega Bremec (Jan 07)
- Re: Java Code Scanning Francisco Andrades (Jan 09)
- Re: Java Code Scanning Gary Ellison (Jan 09)
- <Possible follow-ups>
- RE: Java Code Scanning Scovetta, Michael V (Jan 07)
- RE: Java Code Scanning Mark Curphey (Jan 07)
- RE: Java Code Scanning Robert Paris (Jan 07)