close
close

Secure coding: CWE 1123 – If you change the vermeiden code yourself

Posted on by Sweet
Secure coding: CWE 1123 – If you change the vermeiden code yourself

Sich self modification Code ändert seine eigenen Anweisungen während der Ausführung. This market study is part of the practice of the advantage, and in a click on the analysis of standards or the optimization of codes. If this is the beginning of the last word – if it is already written – Risiken and Herausforderungen im Allgemeinen nicht uningeschränkt empfehlenswert. The application for developers and Java developers is the use of automatic code editing that is problematic, so code base analysis, reading and verification are integrated. Außerdem supports Java programming if it automatically modifies code that is not original. Common Weakness List CWE-1123 (Excessive Use of Self-Modifying Code) describes possible outcomes.

Anzeige


Since 1996, Sven Java has participated in industrial projects and worked for more than 15 years in branches such as automotive, automotive sector, purchasing services, banking, UN and banking worldwide. Since January 10, he has been in North America speaking at conferences and community events, arbitrating as developer advocate for JFrog and Vaadin, and regulating editorial and technology portal processes. Neben seinem Hauptthema Core Java is developed with TDD and Secure Coding Practices.

You risk modifying the code yourself

Unauthorized uses: Sich self ändernder Code kann zu unerwartetem Programmverhalten führen, was die Diagnose et das Beheben von Fehlern erschwert.

Security: The code, der sich verändert, can be an attack vector for multiple attacks within, a single injection and malware.

Tip life: Solcher Code is a reading and adaptation tool, which was designed for maintenance and updating.

Reading problem: Sich self ändernder Code may aufgrund des zusätzlichen Aufwands für die Änderung et deren Interpretation zur Laufzeit zu Leistungseinbusßen führen.

Examples of risky practices

Dynamic loading of classes: Java uses Klassen loading for provisioning mechanisms such as Reflection or Class Loader defined. If Klassen’s dynamic load is not problematic or there is a problem, there may be excessive or offensive use for multi-purpose use.

Handling of bytecode: Using the library by ASM or Javassist (Java Programming Assistant) for Java bytecode support can be done as long as the code is the same. We get bored with this practice, that’s when it’s possible to get out of it.

Reflection: Obwohl Reflection is a leistungsstarke function, which can also be missbraucht werden, etwa um private Felder, Methoden ou Klassen zu ändern. This is a check tool, quick fix and debug tool.

Example code for risks, self-modified in Java with bytecode manipulation:

import javassist.ClassPool;
import javassist.CtClass;
import javassist.CtMethod;
public class SelfModifyingExample {
 public static void main(String() args) {
   try {
     ClassPool pool = ClassPool.getDefault();
     CtClass cc = pool.get("TargetClass");
     CtMethod m = cc.getDeclaredMethod("targetMethod");
     m.insertBefore("{ System.out.println(\"Method modified at runtime\"); }");
     cc.toClass();
     TargetClass target = new TargetClass();
     target.targetMethod();
   } catch (Exception e) {
     e.printStackTrace();
   }
 }
}
class TargetClass {
 public void targetMethod() {
   System.out.println("Original method execution");
 }
}

In this show I will die TargetClass-Method targetMethod zur Laufzeit geändert, um eine zusätzliche print-Anweisung einzuschließen. A solution can be used to take risks.

Strategy for resource management

Vermeiden von Änderungen am Laufzeitcode: Gestalte das System so, dass die Notwendigkeit von Änderungen am Laufzeitcode minimiert oder ganz eliminiert wird.

Designmuster used: Set strategy development with a strategy or approach to the environment, without the code for implementation at the time.

Richtiger Einsatz von Reflection: Setze Reflection sparsam ein – idealerweise nur dann, wenn keine andere practical Lösung exists. Dokumentiere die Verwendung sorgfältig.

Statistical analysis of the code: Use statistical code analysis tools to automatically create and modify code.

Extensive use of automatic code editing in Java creates risks, safety, security and introductory lessons are possible. Through the development of best practices and the application of mutual aid principles, the flexibility and application of applicable hygiene measures, without the implementation code in the future, makes it possible to follow the process of fall predicted by CWE-1123.

An example of reflection

Reflection in Java ermöglicht die Selbstbeobachtung et Manipulation von Klassen, Feldern, Methoden et Konstruktoren zur Laufzeit. A striking addition, an excess or lack of interest of Reflection can be done from CWE-1123 to modify the code yourself. Die möglichen Folgen davon sind: unvorhersehbares Verhalten, Sicherheitslücken und Wartungsproblemen.

The demonstrated Codebeispiel of the excessive Einsatz von Reflection zur Änderung des Verhaltens einer Klasse zur Laufzeit – was also a form of sich self-änderndem Code trachtet werden kann:

import java.lang.reflect.Field;
import java.lang.reflect.Method;
public class ReflectionExample {
 public static void main(String() args) {
   try {
// Original object creation
     MyClass original = new MyClass();
     original.printMessage();
// Using reflection to modify the behavior at runtime
     Class> clazz = Class.forName("MyClass");
     Method method = clazz.getDeclaredMethod("setMessage", String.class);
     method.setAccessible(true);
// Modify the private field value using reflection
     Field field = clazz.getDeclaredField("message");
     field.setAccessible(true);
     field.set(original, "Modified message");
// Verify the modification
     original.printMessage();
   } catch (Exception e) {
     e.printStackTrace();
   }
 }
}
class MyClass {
 private String message = "Original message";
 public void printMessage() {
   System.out.println(message);
 }
 private void setMessage(String message) {
   this.message = message;
 }
}

Die ReflectionExample-Class: Sie erstelltt an Instanz von MyClass and druckt die ursprüngliche Nachricht. Das Beispiel verwendet Reflection, um die Private Feldnachricht et die Private Methode setMessage von MyClass anzupassen. Anschließend wird der Wert des Nachrichtenfelds geändert et die geänderte Nachricht gedruckt.

This overview of the times, like Reflection das Verhalten et den Zustand eines Objekts zur Laufzeit ändern kann, was found in CWE-1123 describing future issues.

Thinking Strategies for Reflection

Using Reflection Minimizations: Vermeiden Sie Reflection, at that moment, is endless. Please note that alternatively, the Flexibilität ermöglichen, ohne den Code zur Laufzeit zu ändern.

Control controller: Be sure that Felder and methods are not able to do this, nach Möglichkeit private and endgültig bleiben, um unbeabsichtigten Zugriff zu verhindern.

Statistical analysis tools: Use statistical analysis tools, effective thinking tool and other risky practices in the code base for users.

Code überprüfungen: Führen Sie gründliche Prüfungen des Codes durch, um die Verwendung von sich self modifizierendem Code by Reflection zu erkennen et einzudämmen.

Reflection is a revolutionary tool in Java, but Missbrauch can help you take risks with CWE-1123. By developing best practices and reducing code thinking activities for time implementation, you will be able to discover and deepen the security, security assurance and security of your interventions.

Klassen Dynamic Loading Example

Unter dynamischem Laden von Klassen versteht man in Java die Möglichkeit, Klassen zur Laufzeit zu laden und wieder zu entladen. Während dies in the best case without it being possible to blame an error or uncontrollable use due to automatic code modification – and the risk of the CWE-1123 being described as such: unvorhersehbares Verhalten , Security and war issues.

The code example demonstrates the optimal use of dynamic loads to support functions in a time class:

public class DynamicClassLoadingExample {
 public static void main(String() args) {
   try {
// Load the original class
     ClassLoader classLoader = DynamicClassLoadingExample.class.getClassLoader();
     Class> loadedClass = classLoader.loadClass("MyClass");
// Create an instance of the loaded class
     Object instance = loadedClass.getDeclaredConstructor().newInstance();
// Invoke the original method
     loadedClass.getMethod("printMessage").invoke(instance);
// Dynamically load the modified class
     classLoader = new CustomClassLoader();
     loadedClass = classLoader.loadClass("ModifiedClass");
// Create an instance of the modified class
     instance = loadedClass.getDeclaredConstructor().newInstance();
// Invoke the modified method
     loadedClass.getMethod("printMessage").invoke(instance);
   } catch (Exception e) {
     e.printStackTrace();
   }
 }
}
// Original class definition
class MyClass {
 public void printMessage() {
   System.out.println("Original message");
 }
}
// Custom class loader to simulate loading a modified class
class CustomClassLoader extends ClassLoader {
 @Override
 public Class> loadClass(String name) throws ClassNotFoundException {
   if ("ModifiedClass".equals(name)) {
// Define a modified version of MyClass at runtime
     String modifiedClassName = "ModifiedClass";
     String modifiedClassBody = "public class " + modifiedClassName + " {" +
         "    public void printMessage() {" +
         "        System.out.println(\"Modified message\");" +
         "    }" +
         "}";
     byte() classData = compileClass(modifiedClassName, modifiedClassBody);
     return defineClass(modifiedClassName, classData, 0, classData.length);
   }
   return super.loadClass(name);
 }
 private byte() compileClass(String className, String classBody) {
// Simulate compiling the class body into bytecode (in a real scenario, use a compiler API)
// This is a placeholder for demonstration purposes
   return classBody.getBytes();
 }
}

Die DynamicClassLoadingExample-Class: Sie lädt eine Originalklasse MyClass and I love you printMessage-Method auf. Let’s create a dynamically defined Class Loader in an original version of the class: ModifiedClass. We do not know if there is an instance of the current class and if it is left behind printMessage-Auf method, die eine andere Nachricht druckt.

Klassen dynamic load management strategy

Examples of Klassen dynamic loads: When Klassen’s dynamic load is not used, it is not available and is not due to other hindrances at the end.

Secure classloader: If you are sure, the precisely defined Class Loader is safe and should not be used wildly or loaded in class.

Statistical analysis tools: Use statistical analysis tools, one of Klassen’s most dynamic tools, and other risky practices in the codebase for users.

Code überprüfungen: Führen Sie gründliche Prüfungen des Codes durch, um die Verwendung von sich self änderndem Code durch dynamisches von Klassen zu identifizieren und einzudämmen.