
List:       webappsec
Subject:    Re: Java Code Scanning
From:       Gary Ellison <gary.ellison () sun ! com>
Date:       2004-01-10 1:10:26
Message-ID: 16383.20738.451591.696135 () gargle ! gargle ! HOWL

Peter Lee <Peter> writes:

 > Hi there and a good day to you,
 > Cutting to the chase; if I am to do a textual scan of a piece of Java
 > application code for potential malicious code embedded, what are the key
 > words to scan for?

 > For example in the case of a C/C++ program, I might look for memory
 > handling code, i.e. memcpy(), strcpy(), strdup(), memset(); system
 > execution code sys(), exec(), fork(), etc.; IPC & RPC calls; code which
 > tries to access the password directory, that sort of thing.

 > The idea is not to look for bad code writing, but to identify/flag code
 > which may have security implications for more detailed study or even
 > a code walkthrough.

 > Anyone have a list of keywords to search with?

You may want to have a look at the secure coding guide

  http://java.sun.com/security/seccodeguide.html

To get a deeper understanding of permissions, the paper by Koved,
Pistoia and Kershenbaum is quite detailed.

  http://domino.watson.ibm.com/library/cyberdig.nsf/1e4115aea78b6e7c85256b360066f0d4/1930f3644fb16b5b85256b8900685c78?OpenDocument




--
mailto: <first>_DOT_<last>_AT_sun_DOT_com            http://tinyurl.com/yrbj6
"Bootsy!"
"Yeah, Bootsy's cool. Huh, huhhuhuh."
"Bootsy! He's from outer space. Heh, henh, henh, henh."
        Beavis & Butthead
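As an added illustration of the keyword-triage approach Peter asks about (example code written for this archive page, not from Sun, IBM or either poster): a small Python scanner that flags Java API usages worth a closer walkthrough, the Java analogue of grepping C for memcpy()/exec()/fork(). The pattern table, its category names and the embedded Java sample are all constructed for this example and are assumptions about what a reviewer would want grouped, not an official list from the secure coding guide.

```python
import re
from typing import Dict, List, NamedTuple, Pattern, Tuple


class Finding(NamedTuple):
    line_no: int     # 1-based line in the scanned source
    category: str    # reviewer-facing grouping (assumed, see lead-in)
    token: str       # the text that matched
    source: str      # the stripped source line, for the review report


# Constructed triage table: each regex names a Java API whose use merits a
# second look during a code walkthrough. It is deliberately noisy; the goal is
# to surface candidates for review, not to judge the code.
JAVA_SENSITIVE_PATTERNS: List[Tuple[str, str]] = [
    ("process execution",
     r"\bRuntime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec\b|\bProcessBuilder\b"),
    ("reflection / dynamic loading",
     r"\bClass\s*\.\s*forName\b|\.\s*invoke\s*\(|\bsetAccessible\s*\(\s*true|\bURLClassLoader\b"),
    ("native code",
     r"\bSystem\s*\.\s*load(Library)?\s*\(|\bnative\s+\w+\s+\w+\s*\("),
    ("security manager / privileges",
     r"\bSystem\s*\.\s*setSecurityManager\b|\bdoPrivileged\s*\("),
    ("file system",
     r"\bjava\.io\.File\b|\bnew\s+File\s*\(|\bFileInputStream\b|\bFileOutputStream\b"
     r"|\bRandomAccessFile\b|\bjava\.nio\.file\.Files\b"),
    ("network",
     r"\bjava\.net\.(Socket|ServerSocket|URL|DatagramSocket)\b|\bnew\s+(Server)?Socket\s*\("),
    ("deserialization",
     r"\bObjectInputStream\b|\breadObject\s*\("),
    ("scripting / SQL",
     r"\bScriptEngine(Manager)?\b|\bjava\.sql\.Statement\b|\bcreateStatement\s*\("),
]

COMPILED: List[Tuple[str, Pattern[str]]] = [
    (category, re.compile(rx)) for category, rx in JAVA_SENSITIVE_PATTERNS
]


def strip_comments(line: str, in_block: bool) -> Tuple[str, bool]:
    """Remove // and /* */ comment text from one line.

    Returns the remaining code and whether a block comment is still open at
    the end of the line, so retired code inside comments does not get flagged.
    String literals are intentionally left alone (see the note below).
    """
    out: List[str] = []
    i = 0
    while i < len(line):
        if in_block:
            end = line.find("*/", i)
            if end == -1:
                return "".join(out), True
            i = end + 2
            in_block = False
        elif line.startswith("//", i):
            break
        elif line.startswith("/*", i):
            in_block = True
            i += 2
        else:
            out.append(line[i])
            i += 1
    return "".join(out), in_block


def scan_java_source(src: str) -> List[Finding]:
    """Flag each category at most once per line, in source order."""
    findings: List[Finding] = []
    in_block = False
    for line_no, raw in enumerate(src.splitlines(), start=1):
        code, in_block = strip_comments(raw, in_block)
        for category, rx in COMPILED:
            match = rx.search(code)
            if match:
                findings.append(Finding(line_no, category, match.group(0), code.strip()))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Per-category counts, handy as a first cut at where review effort goes."""
    counts: Dict[str, int] = {}
    for finding in findings:
        counts[finding.category] = counts.get(finding.category, 0) + 1
    return counts


# Constructed sample input: a small Java class with both live and commented-out
# uses of sensitive APIs, so the comment handling is exercised.
SAMPLE_JAVA = "\n".join([
    "package demo;",
    "import java.io.FileInputStream;",
    "/* retired code, kept for reference:",
    "   Runtime.getRuntime().exec(\"ls\");",
    "*/",
    "public class Demo {",
    "    public static void main(String[] args) throws Exception {",
    "        Process p = Runtime.getRuntime().exec(args[0]); // shell out",
    "        // Class.forName(\"Foo\") used to live here",
    "        Class<?> c = Class.forName(args[1]);",
    "        java.io.File f = new java.io.File(args[2]);",
    "        new FileInputStream(f).read(new byte[16]);",
    "    }",
    "}",
])

if __name__ == "__main__":
    for f in scan_java_source(SAMPLE_JAVA):
        print(f"line {f.line_no:>3}  [{f.category}]  {f.token}  <-  {f.source}")
    print(summarize(scan_java_source(SAMPLE_JAVA)))
```

On the sample, the scan reports the live exec(), Class.forName() and file-access lines but not the two commented-out copies. It skips `//` and `/* */` comments so retired code does not inflate the counts, yet leaves string literals in place, since a literal class or command name is itself worth a reviewer's glance. Like any textual scan it only sees what appears literally in the source, which is why the secure coding guide and the access-rights analysis paper above go further than a keyword list.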

