avalon-dev mailing list archives

From Stephen McConnell <mcconn...@apache.org>
Subject Re: [patch] Add listeners for logger creation
Date Tue, 04 Feb 2003 03:04:03 GMT


Noel J. Bergman wrote:

>>If you declare state members as private, the bytecode gets hacked around
>>during compilation to enable package level access so that the inner
>>class can access the private members it is referencing.  If you use
>>reflection you can access methods and members that you figured were
>>private at design time.
>
>Is that all?  A friend of mine hacks the JVM all the time.  Maybe I've just
>gotten jaded, but the JVM just isn't secure enough that way to worry about
>it.
>
>For example:
>
>victim.java:
>public class victim
>{
>	public String mc = "Can't touch this.";
>}
>
>attacker.java:
>public class attacker
>{
>	static public void main(String[] args)
>	{
>		System.out.println((new victim()).mc);
>	}
>}
>
>Compile both.  Change victim so that mc is private.  Recompile victim only.
>Run attacker.  And this doesn't even include all of the fun I can have with
>dynamically generated bytecodes.  :-)
>

I'm aware of the EJB stuff - but I wasn't aware of the above scenario ...
This is nasty!

Cheers, Steve.

-- 

Stephen J. McConnell
mailto:mcconnell@apache.org
http://www.osm.net




---------------------------------------------------------------------
To unsubscribe, e-mail: avalon-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: avalon-dev-help@jakarta.apache.org
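The two mechanisms named in the doubly quoted paragraph (the compiler-generated accessor that lets an inner class read an outer class's private field, and reflection overriding the access check) can be seen in one small program. This is an added example and not code posted in this thread; the `Account`/`Auditor` classes and the field name `balance` are made up for the illustration. The note about JDK 11 is the one externally verifiable point: since JEP 181 (nest-based access control) javac no longer emits the `access$000`-style synthetic accessor, so the accessor listing is empty on a modern JDK and shows the package-private static method on JDK 8 and earlier.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;

// Hypothetical class with state that is "private" at design time.
// Package-private top-level class, so the reflective caller below is
// a different class and really does cross the private boundary.
class Account {
    private long balance = 100;

    // The inner class reads the outer class's private field. Up to JDK 10
    // javac implemented this by emitting a synthetic, package-private
    // static accessor (access$000) on Account; since JDK 11 (JEP 181,
    // nest-based access control) the JVM permits the access directly and
    // no accessor is generated.
    class Auditor {
        long peek() {
            return balance;
        }
    }
}

public class PrivateAccessDemo {

    /** Prints the synthetic accessors javac added to Account (none on JDK 11+). */
    static int listSyntheticAccessors() {
        int count = 0;
        for (Method m : Account.class.getDeclaredMethods()) {
            if (m.isSynthetic()) {
                count++;
                System.out.println("synthetic accessor: " + m.getName()
                        + " (" + Modifier.toString(m.getModifiers()) + ")");
            }
        }
        return count;
    }

    /** Reads and overwrites the private field through reflection; returns the old value. */
    static long tamper(Account target, long newBalance) throws Exception {
        Field f = Account.class.getDeclaredField("balance");
        // setAccessible(true) suppresses the language-level access check.
        // A SecurityManager (where still supported) or, from JDK 9 on, a
        // named module that does not "open" this package to the caller
        // makes this call throw instead of succeeding.
        f.setAccessible(true);
        long before = f.getLong(target);
        f.setLong(target, newBalance);
        return before;
    }

    public static void main(String[] args) throws Exception {
        Account acct = new Account();
        Account.Auditor auditor = acct.new Auditor();
        System.out.println("inner class sees balance = " + auditor.peek());

        int accessors = listSyntheticAccessors();
        System.out.println("synthetic accessors on Account: " + accessors);

        long before = tamper(acct, 1_000_000L);
        System.out.println("reflection read " + before
                + ", balance is now " + auditor.peek());
    }
}
```

Compile with `javac PrivateAccessDemo.java` and run `java PrivateAccessDemo`; on JDK 8 the listing shows `access$000` as a package-private static method, which any class in the same package can call directly, while on JDK 11 and later the listing is empty and the inner class relies on the JVM's nestmate check instead. In both cases the reflective write succeeds unless a SecurityManager or module boundary is in the way, which is the practical reason not to treat `private` as a security boundary for in-process code.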

