Excelsior Forums

Everything posted by lylez

  1. There's been some discussion about reflection, but it's either sparse or rather old, so I'll pose this question here. Can a user-program perform a reflection attack against a JET-compiled program sold to said user? See below.

     I'm thinking of writing an application in Java, compiling it to an executable using JET, and having it invoke user-created classes that invoke an interface. Something like:

     ```java
     // ShippedProgram.java - compiled with JET and shipped on CD
     import java.lang.reflect.Constructor;

     public class ShippedProgram
     {
         // Reflection calls throw checked exceptions, so main declares them.
         public static void main ( String[] args ) throws Exception
         {
             // In real life, this string would be acquired at run time.
             String program = new String ("UserWrittenProgram1");
             Class<?> c = Class.forName ( program );
             Constructor<?> constructor = c.getConstructor ( new Class [] {String.class} );
             Object obj = constructor.newInstance (new Object[] { "Some string argument to user program" });
             if ( obj instanceof IUserProgram){
                 IUserProgram userProgram = (IUserProgram) obj;
                 // invoke some method declared in IUserProgram and implemented in UserWrittenProgram1
                 userProgram.method1(1);
             }
         }
     }

     // IUserProgram.java - ship the .class file for this interface - no JET compilation.
     public interface IUserProgram{
         void method1 (int i);
     }

     // UserWrittenProgram1.java - this would be in a user-created file.
     public class UserWrittenProgram1 implements IUserProgram
     {
         private String m_str;

         public UserWrittenProgram1 (String str)
         {
             m_str = str;
             // Question: Can this constructor use reflection to examine the methods and fields of ShippedProgram
             // if ShippedProgram is compiled to machine code using JET?
         }

         // user-defined method declared in IUserProgram. Can this examine ShippedProgram?
         public void method1 ( int i)
         {
             System.out.println ("i = " + i); // in real life, it would be a little more interesting
         }
     }
     ```
  2. lylez

    Preventing reflection attacks

    Yes, that's what I meant. How could this be done? Correct me if I'm wrong (and I very well could be), but I tried to discover the structure of ShippedProgram from inside UserWrittenProgram1 just to make sure it couldn't be done, and I wasn't able to figure out how to do it. Specifically, I added this to the constructor of UserWrittenProgram1:

    ```java
    // Fragment placed inside the UserWrittenProgram1 constructor.
    Class<?> classInstance = this.getClass ();
    if (classInstance.getEnclosingClass () != null)
        System.out.println("enclosing class = " + classInstance.getEnclosingClass ().getCanonicalName ());
    if (classInstance.getDeclaringClass () != null)
        System.out.println("declaring class = " + classInstance.getDeclaringClass ().getCanonicalName ());
    ```

    In both cases, the "!= null" test failed, so nothing was printed.

    I'm still confused as to exactly what a hacker attempting to reverse engineer my code could actually get. Would my approach outlined in my original posting make my source code more vulnerable than a Java program compiled with JET that did not invoke a user program via reflection?

    Thanks,
    Lyle
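
An added example, not part of lylez's posts and not Excelsior's code: on a standard JVM, it lists the member names and signatures that reflection reports for a host class, and loads a user class by name while checking that it implements `IUserProgram` before any of its constructors run. `Host`, `Plugin`, `surface` and `load` are constructed, hypothetical names, and the posts above do not say whether a JET-compiled class reports the same metadata.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.List;

public class ReflectionSurfaceDemo {
    // Constructed stand-in for the shipped host class (hypothetical members).
    static class Host {
        private String licenseKey = "constructed-sample-value";
        private boolean checkLicense(String key) { return licenseKey.equals(key); }
    }

    interface IUserProgram { void method1(int i); }

    // Constructed stand-in for a user-written class.
    public static class Plugin implements IUserProgram {
        public Plugin(String arg) { }
        @Override public void method1(int i) { System.out.println("i = " + i); }
    }

    // Names and modifiers reflection reports for a class, private members included.
    static List<String> surface(Class<?> c) {
        List<String> out = new ArrayList<>();
        for (Field f : c.getDeclaredFields())
            if (!f.isSynthetic()) out.add("field  " + Modifier.toString(f.getModifiers()) + " " + f.getName());
        for (Method m : c.getDeclaredMethods())
            if (!m.isSynthetic()) out.add("method " + Modifier.toString(m.getModifiers()) + " " + m.getName());
        return out;
    }

    // Resolve the class without running its static initializer, and confirm it
    // implements IUserProgram before any constructor of that class is called.
    static IUserProgram load(String name, String arg) throws ReflectiveOperationException {
        Class<?> c = Class.forName(name, false, ReflectionSurfaceDemo.class.getClassLoader());
        if (!IUserProgram.class.isAssignableFrom(c))
            throw new IllegalArgumentException(name + " does not implement IUserProgram");
        return c.asSubclass(IUserProgram.class).getConstructor(String.class).newInstance(arg);
    }

    public static void main(String[] args) throws Exception {
        surface(Host.class).forEach(System.out::println);
        load(Plugin.class.getName(), "Some string argument").method1(1);
        try {
            load("java.lang.String", "x");   // not an IUserProgram: rejected before construction
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Unlike checking `instanceof` after `newInstance`, the `isAssignableFrom` test here runs before any code of the named class executes.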