From the post:
A first analysis of the Java 0Day exploit code, which is already publicly available, suggests that the exploit is rather hard to notice: at first glance, the dangerous code looks just like any other Java program with no trace of any exotic bytecode. According to Michael Schierl, who has discovered several Java holes himself, the code’s secret is that it does something which it isn’t allowed to do: it uses the internal sun.awt.SunToolkit class to disable the SecurityManager, and ultimately the sandbox of Java.

The sun.awt.SunToolkit class gives public access to a method called getField() that provides access to the private attributes of other classes. Technically speaking, untrusted code such as the exploit that is being executed in the browser shouldn’t be able to access this method at all. But Java 7 introduced a new method to the Expression class, .execute(), which allowed expressions created at runtime to be executed. Bugs in the implementation of the new method allow the code to gain access to the getField() method.
I’m not going to make a habit out of reporting security issues, with Java or otherwise, but this looked worth passing along.
Curious, with all the design pattern books, are there any design flaw pattern books?
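The two sandbox checks that the quoted post says untrusted code should run into, as an added example that is not from the heise article or from the exploit; it assumes a JDK 7 or 8 with the stock java.policy and only shows what the SecurityManager denies on the normal path, not how the exploit got around it:

```java
// Added example (not from the heise article or the exploit). Run on JDK 7/8 as:
//   javac SandboxChecks.java && java -Djava.security.manager SandboxChecks
// Without -Djava.security.manager both steps succeed, which is the state the
// exploit reached by disabling the SecurityManager.
import java.lang.reflect.Field;
import java.security.AccessControlException;

public class SandboxChecks {

    // Check 1: loading a class from a restricted package. On JDK 7/8 the
    // "package.access" security property lists "sun.", so the application
    // class loader asks the SecurityManager for
    // RuntimePermission("accessClassInPackage.sun.awt") first.
    static String tryLoadRestrictedClass() {
        try {
            Class.forName("sun.awt.SunToolkit");
            return "loaded sun.awt.SunToolkit (no sandbox)";
        } catch (AccessControlException e) {
            return "denied: " + e.getPermission();
        } catch (ClassNotFoundException e) {
            return "not present on this JDK: " + e.getMessage();
        }
    }

    // Check 2: reaching a private field of a JDK class through the public
    // reflection API, which is what getField() ends up providing. Under a
    // SecurityManager this needs RuntimePermission("accessDeclaredMembers")
    // to look the member up and ReflectPermission("suppressAccessChecks")
    // to make it accessible; the stock policy grants neither.
    static String tryPrivateFieldAccess() {
        try {
            Field f = String.class.getDeclaredField("hash"); // private int hash
            f.setAccessible(true);
            return "private field made accessible (no sandbox)";
        } catch (AccessControlException e) {
            return "denied: " + e.getPermission();
        } catch (NoSuchFieldException e) {
            return "field not present on this JDK: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("SecurityManager: " + System.getSecurityManager());
        System.out.println(tryLoadRestrictedClass());
        System.out.println(tryPrivateFieldAccess());
    }
}
```

On JDK 9 and later the package.access list is much shorter and sun.awt is not exported from java.desktop, and the SecurityManager has been deprecated for removal since JDK 17, so the output differs there.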
Way back when I was a software tester at Microsoft, my team studied design patterns and we contemplated whether “test patterns” were a workable idea. I wasn’t sold on it, but I did think there was promise in the idea of “bug patterns”. Googling just now, I found these:
http://www.amazon.com/Bug-Patterns-Java-Eric-Allen/dp/1590590619
http://www.ibm.com/developerworks/java/library/j-diag1/index.html
The BugPatterns page at the Portland Pattern Repository says they are a type of AntiPattern:
http://c2.com/cgi/wiki?BugPattern
There are a few books on AntiPatterns, such as:
http://www.amazon.com/AntiPatterns-Refactoring-Software-Architectures-Projects/dp/0471197130
As well as a catalog of AntiPatterns at the PPR:
http://c2.com/cgi/wiki?AntiPatternsCatalog
Comment by marijane — August 29, 2012 @ 7:06 pm
Thanks marijane!
So the follow up question is:
If there are known “bug patterns,” such as buffer overflow, etc., why do they keep coming up?
The Java 0Day bug reminds me of the classic case where a certain combination of dial settings would enable an X-ray machine to burn patients. That’s old news (or should be).
True enough, exhaustive tracing of all possible combinations would be difficult, but this was what? 3 steps? Maybe 4?
Comment by Patrick Durusau — August 30, 2012 @ 3:13 pm