TypicallyIn Java SE 6, privileged code either uses the AccessController mechanism or needs to be signed by the owner (or provider) whom a user of the code can trust. An adversary is capable of linking privileged code with malicious code if some privileged code directly or indirectly uses code present within another package. This is called a mix and match attack. A mix and match attack is not possible if the code is signed because by default, the jarsigner tool signs the finished manifest that contains the names of the included classes along with their digests.
...
This noncompliant code example uses a doPrivileged block and calls a method defined in a class that exists in a different, untrusted package which is untrusted. An attacker can provide an implementation of class RetValue so that the privileged code uses the wrong return value. If class MixMatch trusted only signed code, even then an attacker can cause this behavior by maliciously using deploying a legibly signed class and linking it to the privileged code.
| Code Block | ||
|---|---|---|
| ||
package trusted;
import untrusted.RetValue;
public class MixMatch {
private void privilegedMethod() throws IOException {
try {
FileInputStream fis
= (FileInputStream) AccessController.doPrivileged(
new PrivilegedExceptionAction() {
public FileInputStream run() throws FileNotFoundException {
return new FileInputStream("file.txt");
}
}
);
RetValue rt = new RetValue();
if(rt.getValue() == 1) {
// do something with sensitive file
}
} catch (PrivilegedActionException e) {
/*/ forward to handler and log */
}
}
public static void main(String[] args) throws IOException {
MixMatch mm = new MixMatch();
mm.privilegedMethod();
}
}
package untrusted;
class RetValue {
public int getValue() {
return 1;
}
}
|
...
This compliant solution combines all privileged code into the same package. To Sealing the package is necessary to prevent attackers from inserting any rogue classes, sealing the package is necessary.
| Code Block | ||
|---|---|---|
| ||
package trusted;
public class MixMatch {
// ...
}
package untrusted;
package trusted;
class RetValue {
// ...
}
|
...
Failure to place all privileged code together, in one package and then sealing the package can lead to mix and match attacks.
...