Message-ID: <20120417160104.133689d3@sec-consult.com>
Date: Tue, 17 Apr 2012 16:01:04 +0200
From: SEC Consult Vulnerability Lab <research@...-consult.com>
To: <full-disclosure@...ts.grok.org.uk>, <pen-test@...urityfocus.com>,
<websecurity@...appsec.org>, <webappsec@...urityfocus.com>
Subject: SEC Consult whitepaper :: The Source Is A Lie
SEC Consult Vulnerability Lab released a new whitepaper titled:
"The Source Is A Lie"
Abstract:
---------
Backdoors have always been a concern of the security community. In
recent years the idea of not trusting the developer has gained momentum
and manifested itself in various forms of source code review. For Java,
being one of the most popular programming languages, numerous tools and
papers have been written to help during reviews. While these tools and
techniques are getting developed further, they usually focus on
traditional programming paradigms.
Modern concepts like Aspect Oriented Programming or the Java Reflection
API are left out. Especially the use of Java's Reflection API in
conjunction with the lesser known 'string pool' can lead to a new kind
of backdoor. This backdoor hides itself from an unwary reviewer by
disguising its access to critical resources, such as credentials,
through indirection. To raise awareness of this particular kind of
backdoor, this paper will:
* Provide a short introduction to the string pool.
* Show how reflection can be used to manipulate it.
* Demonstrate how a backdoor can abuse this.
* Discuss how it can be uncovered.
In the end, there is one more attack vector the reviewer has to
consider. Time will show if automated analyses will be able to detect
this threat, but up to this point the knowledge, experience and
intuition of a human reviewer are the only defense.
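To make the abstract concrete, the following is an added illustration (written for this announcement, not code taken from the whitepaper) of the mechanism it describes: string literals are interned in a JVM-wide pool, so every occurrence of the same literal shares one String object, and reflection on String's private backing array lets one piece of code silently change what a literal in an entirely different class compares against. The class and method names (StringPoolDemo, isPrivileged, rewritePooled) are invented for the example; the reflective field access is real JDK behaviour.

```java
import java.lang.reflect.Field;
import java.nio.charset.StandardCharsets;

public class StringPoolDemo {

    // "Application" code: an authorization check against an interned literal.
    // A reviewer reading only this method sees nothing wrong with it.
    static boolean isPrivileged(String role) {
        return role.equals("admin");
    }

    // "Backdoor" code: overwrite the backing array of a pooled literal in place.
    // Because the pool is JVM-wide, the literal "admin" inside isPrivileged()
    // is the very same object as the "admin" passed in here, so the check above
    // now accepts whatever replacement was written. Nothing in isPrivileged()
    // or its call sites references this method, which is the indirection the
    // whitepaper talks about. Replacement must have the same length, since the
    // array cannot be resized.
    static void rewritePooled(String literal, String replacement) throws Exception {
        Field value = String.class.getDeclaredField("value");
        value.setAccessible(true);           // Java 16+: needs --add-opens java.base/java.lang=ALL-UNNAMED
        Object backing = value.get(literal);
        if (backing instanceof char[]) {     // Java 8 and earlier: char[] value
            char[] dst = (char[]) backing;
            char[] src = replacement.toCharArray();
            if (dst.length != src.length) throw new IllegalArgumentException("length mismatch");
            System.arraycopy(src, 0, dst, 0, dst.length);
        } else {                             // Java 9+ compact strings: byte[] value (Latin-1 coder assumed)
            byte[] dst = (byte[]) backing;
            byte[] src = replacement.getBytes(StandardCharsets.ISO_8859_1);
            if (dst.length != src.length) throw new IllegalArgumentException("length mismatch");
            System.arraycopy(src, 0, dst, 0, dst.length);
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(isPrivileged("guest"));   // false: "guest" != "admin"
        rewritePooled("admin", "guest");             // mutate the pooled "admin" literal
        System.out.println(isPrivileged("guest"));   // true: the literal now reads "guest"
        System.out.println("admin");                 // prints "guest": every "admin" literal changed
    }
}
```

Two review notes follow from this. First, the tell-tale pattern is `String.class.getDeclaredField("value")` (or `sun.misc.Unsafe` used to the same effect) followed by `setAccessible(true)`; grepping for reflective access to java.lang internals is cheap and worth doing on any code base where a literal gates access. Second, the mutation does not update a String's cached `hash` field, so a mutated literal can still be found under its old hash in a HashMap while comparing equal to its new text, an inconsistency that is itself a useful detection signal. On Java 16 and later the JVM refuses the reflective access unless the process was started with `--add-opens`, so this vector depends on how the application is launched.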
Whitepaper URL:
---------------
https://www.sec-consult.com/en/whitepapers.html
=>
https://www.sec-consult.com/files/SEC_Consult_The_Source_Is_A_Lie_V1.0_PUBLIC.pdf
Author:
-------
Andreas Nusser
SEC Consult Vulnerability Lab
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH
Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria
Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
https://www.sec-consult.com