Web Application Security
SEC Consult whitepaper :: The Source Is A Lie Apr 17 2012 02:01PM
SEC Consult Vulnerability Lab (research sec-consult com)
SEC Consult Vulnerability Lab released a new whitepaper titled:
"The Source Is A Lie"

Backdoors have always been a concern of the security community. In
recent years the idea of not trusting the developer has gained momentum
and manifested itself in various forms of source code review. For Java,
being one of the most popular programming languages, numerous tools and
papers have been written to help during reviews. While these tools and
techniques are getting developed further, they usually focus on
traditional programming paradigms.
Modern concepts like Aspect Oriented Programming or the Java Reflection
API are left out. Especially the use of Java's Reflection API in
conjunction with the lesser known 'string pool' can lead to a new kind
of backdoor. This backdoor hides itself from unwary reviewer by
disguising its access to critical resources like credential through
indirection. To raise the awareness about this particular kind of
backdoor, this paper will:

* Provide a short introduction to the string pool.
* Show how reflection can be used to manipulate it.
* Demonstrate how a backdoor can abuse this.
* Discuss how it can be uncovered.

In the end, there is one more attack vector the reviewer has to
consider. Time will show if automated analyses will be able to detect
this threat but up to this point knowledge, experience and intuition of
a human reviewer are the only defense.

Whitepaper URL:


Andreas Nusser
SEC Consult Vulnerability Lab

SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com

This list is sponsored by Cenzic
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus