Re: [SC-L] By default, the Verifier is disabled on .Net and Java

[Stephen de Vries <stephen () corsaire com>]

Stephen de Vries wrote:
> With application servers such as Tomcat, WebLogic etc, I think we have a
> special case in that they don't run with the verifier enabled - yet they
> appear to be safe from type confusion attacks.  (If you check the
> startup scripts, there's no mention of running with -verify).

OK.

> The difference between the app servers and a regular compiled Java app
> is that the servers load  code dynamically and use reflection to access
> fields and methods, so the app servers have no static knowledge of the
> types defined in user code.

Apologies for the above incorrect statement.  App servers _do_ have
knowledge of the static type since they define the base classes in the
servlet and other API's.

> The IllegalAccessError is generated when you try and access a private
> method through the reflection API - and since the type checking is done
> dynamically, it would be difficult (impossible?) to perform a type
> confusion attack on code that isn't statically typed.  Code below
> illustrates reflection access control in a simple app.

So, I'll rephrase this as: The Tomcat error looks suspiciously like a
reflection access control error, but it could be down to the type
checking done through the dynamic class loading - and not necessarily
the reflection API.

> package classloader;
>
> import java.lang.reflect.Method;
> import somepackage.MyData;
>
> public class Main {
>
>     public Main() {
>     }
>
>     public static void main(String[] args) {
>         try {
>
>             Class myClass = MyData.class;
>             Object obj = myClass.newInstance();
>             Method m = myClass.getDeclaredMethod("getName", new Class[] {});
>             System.out.println(m.invoke(obj, new Object[] {}).toString());
>         } catch (Exception e) {
>             e.printStackTrace();
>         }
>     }
>
> }
>
> package somepackage;
>
> public class MyData {
>     private String name;
>
>     public MyData() {
>         name = "No one can read me";
>     }
>
>     private String getName() {
>         return name;
>     }
> }
>
> Executing the app produces:
>
> java.lang.IllegalAccessException: Class classloader.Main can not access
> a member of class somepackage.MyData with modifiers "private"
>         at sun.reflect.Reflection.ensureMemberAccess(Reflection.java:65)
>         at java.lang.reflect.Method.invoke(Method.java:578)
>         at classloader.Main.main(Main.java:41)


-- 
Stephen de Vries
Corsaire Ltd
E-mail: stephen () corsaire com
Tel:    +44 1483 226014
Fax:    +44 1483 226068
Web:    http://www.corsaire.com

-------------------------------------------------------------------------
Sponsored by: Watchfire

Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web 
application security assessments should be considered a crucial phase in 
the development of any web application. What methodology should be 
followed? What tools can accelerate the assessment process? 
Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9h
--------------------------------------------------------------------------