Message-ID: <20120417160104.133689d3@sec-consult.com>
Date: Tue, 17 Apr 2012 16:01:04 +0200
From: SEC Consult Vulnerability Lab <research@...-consult.com>
To: <full-disclosure@...ts.grok.org.uk>, <pen-test@...urityfocus.com>,
	<websecurity@...appsec.org>, <webappsec@...urityfocus.com>
Subject: SEC Consult whitepaper :: The Source Is A Lie

SEC Consult Vulnerability Lab released a new whitepaper titled:
"The Source Is A Lie"


Abstract:
---------
Backdoors have always been a concern of the security community. In
recent years the idea of not trusting the developer has gained momentum
and manifested itself in various forms of source code review. For Java,
being one of the most popular programming languages, numerous tools and
papers have been written to help during reviews. While these tools and
techniques are getting developed further, they usually focus on
traditional programming paradigms.
Modern concepts like Aspect Oriented Programming or the Java Reflection
API are left out. Especially the use of Java's Reflection API in
conjunction with the lesser-known 'string pool' can lead to a new kind
of backdoor. This backdoor hides itself from the unwary reviewer by
disguising its access to critical resources like credentials through
indirection. To raise awareness of this particular kind of
backdoor, this paper will:

  *  Provide a short introduction to the string pool.
  *  Show how reflection can be used to manipulate it.
  *  Demonstrate how a backdoor can abuse this.
  *  Discuss how it can be uncovered.

In the end, there is one more attack vector the reviewer has to
consider. Time will show if automated analyses will be able to detect
this threat, but up to this point the knowledge, experience and intuition
of a human reviewer are the only defense.

Whitepaper URL:
---------------
https://www.sec-consult.com/en/whitepapers.html

=>
https://www.sec-consult.com/files/SEC_Consult_The_Source_Is_A_Lie_V1.0_PUBLIC.pdf


Author:
-------
Andreas Nusser
SEC Consult Vulnerability Lab



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
https://www.sec-consult.com
