WebApp Sec mailing list archives

SEC Consult whitepaper :: The Source Is A Lie


From: SEC Consult Vulnerability Lab <research () sec-consult com>
Date: Tue, 17 Apr 2012 16:01:04 +0200

SEC Consult Vulnerability Lab released a new whitepaper titled:
"The Source Is A Lie"


Abstract:
---------
Backdoors have always been a concern of the security community. In
recent years the idea of not trusting the developer has gained momentum
and manifested itself in various forms of source code review. For Java,
being one of the most popular programming languages, numerous tools and
papers have been written to help during reviews. While these tools and
techniques are getting developed further, they usually focus on
traditional programming paradigms.
Modern concepts like Aspect Oriented Programming or the Java Reflection
API are left out. Especially the use of Java's Reflection API in
conjunction with the lesser known 'string pool' can lead to a new kind
of backdoor. This backdoor hides itself from an unwary reviewer by
disguising its access to critical resources like credentials through
indirection. To raise the awareness about this particular kind of
backdoor, this paper will:

  *  Provide a short introduction to the string pool.
  *  Show how reflection can be used to manipulate it.
  *  Demonstrate how a backdoor can abuse this.
  *  Discuss how it can be uncovered.

In the end, there is one more attack vector the reviewer has to
consider. Time will show if automated analyses will be able to detect
this threat, but up to this point the knowledge, experience and
intuition of a human reviewer are the only defense.
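
As an added illustration of the review heuristics the abstract alludes to (example code written for this post, not taken from the whitepaper): a small Python scanner that flags Java sources which combine reflective access to String internals with a write to a final field, run over three constructed snippets. The indicator names, severity thresholds and sample sources are all assumptions made for the demonstration; the indirect sample shows where such a heuristic loses the target class and a human reviewer has to take over.

```python
"""Heuristic review aid: flag Java sources that reflectively rewrite java.lang.String internals."""
import re

# Building blocks such a backdoor needs. Each alone is common in honest code;
# the combination in one source unit is what raises the severity.
INDICATORS = {
    "string_class": re.compile(r'String\.class\b|Class\.forName\(\s*"java\.lang\.String"\s*\)'),
    "string_internal_field": re.compile(r'getDeclaredField\(\s*"(?:value|hash|offset|count)"\s*\)'),
    "dynamic_field_name": re.compile(r'getDeclaredField\(\s*[^"\s)]'),  # field name not a literal
    "set_accessible": re.compile(r'\.setAccessible\(\s*true\s*\)'),
    "field_write": re.compile(r'\b\w+\.set\(\s*[^,()]+,'),              # Field.set(target, value)
}

def scan(source):
    """Return (severity, findings); findings are (line_number, indicator) pairs."""
    findings = [(n, name) for n, line in enumerate(source.splitlines(), 1)
                for name, rx in INDICATORS.items() if rx.search(line)]
    hit = {name for _, name in findings}
    writes_final_field = {"set_accessible", "field_write"} <= hit
    if writes_final_field and hit & {"string_class", "string_internal_field"}:
        severity = "high"      # String internals named outright
    elif writes_final_field:
        severity = "medium"    # target hidden behind indirection: needs a human
    elif hit & {"dynamic_field_name", "set_accessible"}:
        severity = "low"
    else:
        severity = "none"
    return severity, findings

# Constructed samples standing in for files under review (not from the paper).
BENIGN = """
    names.set(0, names.get(0).intern());
    return "Hello " + names.get(0);
"""
DIRECT = """
    Field f = String.class.getDeclaredField("value");
    f.setAccessible(true);
    f.set("admin", new char[] {'g', 'u', 'e', 's', 't'});
"""
INDIRECT = """
    Class<?> c = Class.forName("java.lang." + "String");
    String fn = new StringBuilder("eulav").reverse().toString();
    Field f = c.getDeclaredField(fn);
    f.setAccessible(true);
    f.set(target, replacement);
"""

if __name__ == "__main__":
    for label, src in [("benign", BENIGN), ("direct", DIRECT), ("indirect", INDIRECT)]:
        severity, findings = scan(src)
        print(f"{label:9s} {severity:6s} {findings}")
```

Since Java 9 the module system rejects `setAccessible(true)` on java.base internals unless the package is explicitly opened, so the write itself fails at runtime on current JVMs; the check matters most when reviewing code that targets older runtimes or ships its own JVM flags.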

Whitepaper URL:
---------------
https://www.sec-consult.com/en/whitepapers.html

=>
https://www.sec-consult.com/files/SEC_Consult_The_Source_Is_A_Lie_V1.0_PUBLIC.pdf


Author:
-------
Andreas Nusser
SEC Consult Vulnerability Lab



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
https://www.sec-consult.com


