An Example of Type Confusion in Java

Drew Dean discovered a textbook type-confusion attack, based on Java's handling of array types. Java allows a program that uses a type T to use the type "array of T" as well. These array types are never declared explicitly by the programmer; they exist automatically, and the Java Virtual Machine defines them for internal use as they are needed. Java gives each of them a name beginning with an open square bracket ([). Because that character is not allowed as the first character of a programmer-defined class name, there should be no danger of a conflict. Dean discovered, however, that in Netscape Navigator 3.0beta5 a Java byte code file could declare its own type name to be one of the special array type names. Attempting to load such a class would generate an error, but the Java VM would install the name in its internal table anyway. This redefined one of Java's array types and created a classic type-confusion scenario: Java considered the object an array, but it actually had some other type. The result was full system penetration. This problem was fixed in Navigator 3.0beta6.
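To make the naming rule concrete, here is an added example, not code from the book or from any JVM: a small Python reader for the class-file header and constant pool that extracts the name a class file declares for itself and applies the check a loader must make before registering that name, namely that it does not collide with the VM's internal array-type names (those beginning with "[") and is otherwise well formed. The class files it inspects are constructed inside the example; build_class_file, declared_class_name, vet_class_file and loader_accepts are the example's own names. It is written in Python rather than Java because it works on the class-file format from outside the VM.

```python
import struct

# Constant-pool tags from the class-file format (only the two this example needs).
CONSTANT_UTF8 = 1
CONSTANT_CLASS = 7


def build_class_file(this_name, super_name="java/lang/Object"):
    """Construct a minimal class file whose this_class entry names `this_name`.

    Constructed sample input for the example: no fields, methods or attributes,
    just enough structure for a loader to read the declared name.
    """
    pool = [
        (CONSTANT_UTF8, this_name),   # #1: the declared name, in internal (slash) form
        (CONSTANT_CLASS, 1),          # #2: this_class -> #1
        (CONSTANT_UTF8, super_name),  # #3
        (CONSTANT_CLASS, 3),          # #4: super_class -> #3
    ]
    out = bytearray(struct.pack(">IHH", 0xCAFEBABE, 0, 45))  # magic, minor, major (45 = JDK 1.0/1.1)
    out += struct.pack(">H", len(pool) + 1)  # constant_pool_count is one more than the entry count
    for tag, value in pool:
        if tag == CONSTANT_UTF8:
            data = value.encode("utf-8")
            out += struct.pack(">BH", tag, len(data)) + data
        else:
            out += struct.pack(">BH", tag, value)
    out += struct.pack(">HHH", 0x0021, 2, 4)  # access_flags (ACC_PUBLIC|ACC_SUPER), this_class, super_class
    out += struct.pack(">HHHH", 0, 0, 0, 0)   # interfaces, fields, methods, attributes: all empty
    return bytes(out)


def parse_constant_pool(data, offset):
    """Read the constant pool starting at `offset`; return (entries, offset after pool)."""
    count = struct.unpack_from(">H", data, offset)[0]
    offset += 2
    pool = {}
    index = 1
    while index < count:
        tag = data[offset]
        offset += 1
        if tag == CONSTANT_UTF8:
            length = struct.unpack_from(">H", data, offset)[0]
            pool[index] = ("utf8", data[offset + 2:offset + 2 + length].decode("utf-8"))
            offset += 2 + length
        elif tag == CONSTANT_CLASS:
            pool[index] = ("class", struct.unpack_from(">H", data, offset)[0])
            offset += 2
        else:
            raise ValueError(f"constant pool tag {tag} not handled by this example parser")
        index += 1
    return pool, offset


def declared_class_name(data):
    """Return the name the class file claims for itself (this_class -> CONSTANT_Class -> Utf8)."""
    magic, _minor, _major = struct.unpack_from(">IHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pool, offset = parse_constant_pool(data, 8)
    _access, this_class, _super_class = struct.unpack_from(">HHH", data, offset)
    kind, name_index = pool[this_class]
    if kind != "class":
        raise ValueError("this_class does not refer to a CONSTANT_Class entry")
    kind, name = pool[name_index]
    if kind != "utf8":
        raise ValueError("CONSTANT_Class does not refer to a Utf8 entry")
    return name


def is_acceptable_class_name(name):
    """The check a loader must apply before installing a name in its class table.

    A leading "[" is reserved for the VM's own array types, so a class file
    declaring such a name is trying to redefine one of them.  Names are also
    required to be in internal form: non-empty slash-separated identifiers.
    """
    if not name or name.startswith("["):
        return False
    for part in name.split("/"):
        if not part or not (part[0].isalpha() or part[0] in "_$"):
            return False
        if any(ch in ".;[/<>" for ch in part):
            return False
    return True


def vet_class_file(data):
    """Parse the file and refuse to register an unacceptable declared name."""
    name = declared_class_name(data)
    if not is_acceptable_class_name(name):
        raise ValueError(f"refusing to register class name {name!r}")
    return name


def loader_accepts(data):
    """True if vet_class_file would register the file's declared name."""
    try:
        vet_class_file(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for declared in ("security/book/chapter5", "[Ljava/lang/String;"):
        print(declared, "->", "accepted" if loader_accepts(build_class_file(declared)) else "rejected")
```

The point of the example is the ordering: the declared name is checked before anything is installed in the loader's table. Navigator 3.0beta5 reported the error but had already registered the name, which is exactly the state this check is meant to prevent.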
The Type-Confusion Toolkit
The Princeton team, as a feasibility demonstration, created a toolkit that allows any type-confusion attack to be turned into a disarming of Java's security. In other words, the toolkit serves as a way of turning a small security breach into a complete system penetration. The type-confusion toolkit has not been released to the public and is considered too dangerous to describe in any detail here. The toolkit was recently revised to work against Java 2 systems.
Copyright 1999 Gary McGraw and Edward Felten. All rights reserved. Published by John Wiley & Sons, Inc.
Attack Applets: Exploiting Holes in the Security Model
Section 6 -- Slash and Burn
The second set of attacks involves Java code that passes itself off as belonging to the browser. In early versions of the JDK (before Java 2), code that came with the browser was assumed to be safe (see Chapter 2 and [McGraw and Felten, 1996]). The original built-in code distinction was scrapped with the introduction of code signing, and these days very little code is trusted (see Chapter 3). In any case, the Slash and Burn fraud gives the malicious code access it would not ordinarily have; it could, for example, access files on the local disk. To understand this attack properly, you need to understand how Java works, and in particular how Java locates its own code on the browser's local disk.
Where Java Code Comes From
When a Java applet runs, many Java classes (pieces of Java code) are loaded and run. Some applet-related classes are loaded by the applet, using the Web server. Other classes are part of the browser itself. Browser-related code is stored with the browser on the local disk. Netscape, for example, keeps its Java class files zipped up in an archive called classes.zip. When Netscape is installed, the class archive is put somewhere special, like /usr/local/lib/netscape on Unix machines. Because the browser classes were considered part of the trusted browser program, they were given more privileges. (This is no longer the case.) In general, before JDK 1.1, Java treated code loaded from the local disk as trusted, and code loaded over the Net as untrusted. That meant that if an attacker could somehow get some malicious code loaded from the local disk, the attacker was home free. The original system was changed significantly with the introduction of JDK 1.0.2, which stopped treating code loaded off the disk as trusted. This change was made behind the scenes with little fanfare. As the Cache Cramming attack (explained later) shows, many people were confused by the change.

From our discussion of the Java class loader in Chapter 2, we know that when Java needs to find a piece of code, say, for a class MyClass, it first looks on the local disk for a file called MyClass.class. If Java fails to find an appropriate file on the local disk, it then tries to fetch the file from the Web server that originally provided the applet. We've glossed over one key issue at this point: How does Java know what class to look for? The answer is that a class is only loaded when it is mentioned by another class already resident. This is called dynamic loading. The name of the mentioned class is stored in the Java code for the mentioning class. Java classes have names like security.book.chapter5. When the Java system wants to look up a class on the disk, it translates the dots in the class name into path separators (backslashes on Windows), so security.book.chapter5 becomes security\book\chapter5. This transformed name, with .class appended, is the filename used to search for the file on the local disk.
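The lookup order and name translation just described, as an added example that is not code from the book or from the JDK: a toy resolver in Python that translates a dotted class name into a file path, looks in a constructed local class root first, and only then asks a server callback, recording which source satisfied each request. It also adds one check the loader described above did not have, refusing any name whose translated path falls outside the local root. ToyClassResolver, class_name_to_relative_path and demo are names made up for the example, the "server" is an in-memory dictionary, and the class bytes are placeholders rather than real class files.

```python
import os
import tempfile


def class_name_to_relative_path(class_name):
    """Translate a dotted class name into a relative file path, as the text
    describes: each dot becomes the platform separator and ".class" is appended."""
    return class_name.replace(".", os.sep) + ".class"


def resolves_inside_root(root, rel_path):
    """Hardening check added for the example: the translated path must stay
    inside the class root after joining and normalising (no absolute paths,
    no parent-directory escapes, no symlink tricks)."""
    root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root, rel_path))
    return os.path.commonpath([root, candidate]) == root


class ToyClassResolver:
    """Local disk first, then the applet's Web server, exactly in that order."""

    def __init__(self, local_root, fetch_from_server, strict=True):
        self.local_root = local_root
        self.fetch_from_server = fetch_from_server  # callable(rel_path) -> bytes or None
        self.strict = strict                        # False reproduces the unchecked translation
        self.log = []                               # (source, class_name) for each request

    def load(self, class_name):
        rel = class_name_to_relative_path(class_name)
        if self.strict and (os.path.isabs(rel) or not resolves_inside_root(self.local_root, rel)):
            self.log.append(("rejected", class_name))
            raise ValueError(f"class name {class_name!r} translates to a path outside the class root")
        local = os.path.join(self.local_root, rel)
        if os.path.isfile(local):
            self.log.append(("local", class_name))
            with open(local, "rb") as f:
                return f.read()
        self.log.append(("server", class_name))
        data = self.fetch_from_server(rel)
        if data is None:
            raise FileNotFoundError(class_name)
        return data


def demo():
    """Build a constructed local class root holding one browser class, serve one
    applet class from an in-memory "server", and exercise the lookup order.
    Returns (loaded bytes by class name, the resolver's log, whether the
    out-of-root name was rejected)."""
    with tempfile.TemporaryDirectory() as root:
        browser_class = os.path.join(root, "netscape", "applet", "AppletViewer.class")
        os.makedirs(os.path.dirname(browser_class))
        with open(browser_class, "wb") as f:
            f.write(b"\xca\xfe\xba\xbe local-copy")  # constructed placeholder, not a real class

        served = {"security/book/chapter5.class": b"\xca\xfe\xba\xbe from-server"}  # constructed

        def fetch(rel_path):
            return served.get(rel_path.replace(os.sep, "/"))

        resolver = ToyClassResolver(root, fetch)
        results = {
            "netscape.applet.AppletViewer": resolver.load("netscape.applet.AppletViewer"),
            "security.book.chapter5": resolver.load("security.book.chapter5"),
        }
        # A constructed name whose translation points outside the class root.
        try:
            resolver.load("/tmp/evil")
            rejected = False
        except ValueError:
            rejected = True
        return results, resolver.log, rejected


if __name__ == "__main__":
    results, log, rejected = demo()
    for entry in log:
        print(entry)
    print("out-of-root name rejected:", rejected)
```

With strict=False the resolver does what the text describes and nothing more: whatever path the name translates to is searched on the local disk before the server is consulted, which is why getting any file of the attacker's choosing onto the disk under a predictable name was so valuable.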