In the presence of a security manager, it is hard for malicious code to exploit Java's security model. For example, instantiating sensitive classes such as a ClassLoader is prohibited in the context of a web browser. It is critical to ensure that untrusted code does not indirectly use the privileges of legit code. Failure to do so can leave the code vulnerable to privilege escalation attacks. This is because, classes loaded by the same class loader exist in the same namespace. Consider for example, an untrusted method calling a class method which loads classes using its own trusted class loader. This is a problem as untrusted code's class loader may not have the permission to load the particular class. Also, if the trusted code accepts tainted inputs, it is susceptible to exploits resulting from malicious classes getting loaded.
The APIs tabulated here perform tasks using the immediate caller's, trusted class loader.
APIs |
|---|
java.lang.Class.forName |
java.lang.Package.getPackage(s) |
java.lang.Runtime.load |
java.lang.Runtime.loadLibrary |
java.lang.System.load |
java.lang.System.loadLibrary |
java.sql.DriverManager.getConnection |
java.sql.DriverManager.getDriver(s) |
java.sql.DriverManager.deregisterDriver |
java.util.ResourceBundle.getBundle |
...