avalon-dev mailing list archives

From "Noel J. Bergman" <n...@devtech.com>
Subject RE: [patch] Add listeners for logger creation
Date Tue, 04 Feb 2003 01:00:56 GMT
> If you declare state members as private, the bytecode gets hacked around
> during compilation to enable package level  access so that the inner
> class can access the private members it is referencing.  If you use
> reflection you can access methods and members that you figured were
> private at design time.

Is that all?  A friend of mine hacks the JVM all the time.  Maybe I've just
gotten jaded, but the JVM just isn't secure enough that way to worry about
it.

For example:

victim.java:
public class victim
{
	public String mc = "Can't touch this.";
}

attacker.java:
public class attacker
{
	static public void main(String[] args)
	{
		System.out.println((new victim()).mc);
	}
}

Compile both.  Change victim so that mc is private.  Recompile victim only.
Run attacker.  And this doesn't even include all of the fun I can have with
dynamically generated bytecodes.  :-)

If you want to even try to have security in Java, you have to really use the
security manager, which would allow you to suppress reflection, and you have
a raft of other restrictions.  See the
http://java.sun.com/blueprints/qanda/ejb_tier/restrictions.html for more
that you may want to know (but then again, since it refers to EJB
Containers, perhaps you do  :-)).

	--- Noel
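To make the security-manager point above concrete, here is an added example (it is not code from this thread, and `Secret`, `ReflectionCheck` and `readPrivateField` are names chosen for the demonstration). It reads a private field through reflection, then installs a `SecurityManager` that denies `ReflectPermission("suppressAccessChecks")`, the permission `setAccessible(true)` checks, and shows the same read being refused. It runs as-is on JDK 8 through 17; JDK 18 to 23 need `-Djava.security.manager=allow`, and JDK 24 removed the security manager entirely, so there this mitigation is no longer available.

```java
import java.lang.reflect.Field;
import java.lang.reflect.ReflectPermission;
import java.security.Permission;

// Hypothetical stand-in for the thread's "victim": its state is private.
class Secret {
    private String mc = "Can't touch this.";
}

public class ReflectionCheck {

    // Reads Secret.mc via reflection. Returns the value, or null when the
    // installed SecurityManager vetoes the access-check suppression.
    static String readPrivateField(Secret s) {
        try {
            Field f = Secret.class.getDeclaredField("mc");
            f.setAccessible(true);   // checks ReflectPermission("suppressAccessChecks")
            return (String) f.get(s);
        } catch (SecurityException e) {
            return null;             // reflection on private members was blocked
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        Secret s = new Secret();

        // 1. No security manager installed: the private field is readable.
        System.out.println("without SecurityManager: " + readPrivateField(s));

        // 2. Install a SecurityManager that denies only the permission needed to
        //    bypass access checks and allows everything else (demo policy, not a
        //    production one; a real deployment would use a policy file).
        System.setSecurityManager(new SecurityManager() {
            @Override
            public void checkPermission(Permission perm) {
                if (perm instanceof ReflectPermission
                        && "suppressAccessChecks".equals(perm.getName())) {
                    throw new SecurityException(
                        "reflective access to private members denied");
                }
            }

            @Override
            public void checkPermission(Permission perm, Object context) {
                checkPermission(perm);
            }
        });

        // 3. The same call now fails: setAccessible(true) throws SecurityException,
        //    so readPrivateField returns null.
        System.out.println("with SecurityManager:    " + readPrivateField(s));
    }
}
```

Note that the manager only governs reflection; it does nothing about the recompile-against-a-stale-class trick in the message or about bytecode generated at runtime, which is why the message treats the security manager as the starting point for Java security rather than the whole of it.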


---------------------------------------------------------------------
To unsubscribe, e-mail: avalon-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: avalon-dev-help@jakarta.apache.org

