Excelsior Forums
lylez

Preventing reflection attacks

There's been some discussion about reflection, but it's either sparse or rather old, so I'll pose this question here. Can a user-program perform a reflection attack against a JET-compiled program sold to said user? See below.

I'm thinking of writing an application in Java, compiling it to an executable using JET, and having it invoke user-created classes that invoke an interface. Something like:

import java.lang.reflect.Constructor;

// (Each public type below would live in its own .java file; they are shown together here.)
public class ShippedProgram // compiled with JET and shipped on CD
{
    public static void main(String[] args) throws Exception // Class.forName/newInstance throw checked exceptions
    {
        String program = "UserWrittenProgram1"; // In real life, this string would be acquired at run time.

        Class<?> c = Class.forName(program);
        Constructor<?> constructor = c.getConstructor(new Class[] {String.class});
        Object obj = constructor.newInstance(new Object[] {"Some string argument to user program"});

        if (obj instanceof IUserProgram) {
            IUserProgram userProgram = (IUserProgram) obj;
            userProgram.method1(1); // invoke some method declared in IUserProgram and implemented in UserWrittenProgram1
        }
    }
}

public interface IUserProgram {
    // Ship the .class file for this interface - no JET compilation.
    void method1(int i);
}

// This would be in a user-created file.
public class UserWrittenProgram1 implements IUserProgram
{
    private String m_str;

    public UserWrittenProgram1(String str)
    {
        m_str = str;
        // Question: Can this constructor use reflection to examine the methods and fields of ShippedProgram
        // if ShippedProgram is compiled to machine code using JET?
    }

    public void method1(int i)
    {
        // user-defined method declared in IUserProgram. Can this examine ShippedProgram?
        System.out.println("i = " + i); // in real life, it would be a little more interesting
    }
}

// Question: Can this constructor use reflection to examine the methods and fields of ShippedProgram
// if ShippedProgram is compiled to machine code using JET?

Yes, it can if you mean "get names and signatures of methods/fields" under "examine".

// user-defined method declared in IUserProgram. Can this examine ShippedProgram?

Obfuscate names as described in this KB article and let it examine.


The strength of native compilation is ultimate code obfuscation: it's hard to comprehend what a particular method does looking at its (highly optimized) native code. I must say that it's often hard even for the Excelsior's compiler engineers who created the engine.


You may find more details at this page.


Yes, it can if you mean "get names and signatures of methods/fields" under "examine".

Yes, that's what I meant. How could this be done? Correct me if I'm wrong (and I very well could be) but I tried to discover the structure of ShippedProgram from inside UserWrittenProgram1 just to make sure it couldn't be done, and I wasn't able to figure out how to do it. Specifically, I added this to the constructor of UserWrittenProgram1:

Class<?> classInstance = this.getClass();

if (classInstance.getEnclosingClass() != null)
    System.out.println("enclosing class = " + classInstance.getEnclosingClass().getCanonicalName());

if (classInstance.getDeclaringClass() != null)
    System.out.println("declaring class = " + classInstance.getDeclaringClass().getCanonicalName());

In both cases, the "!= null" test failed, so nothing was printed.

I'm still confused as to exactly what a hacker attempting to reverse engineer my code could actually get. Would my approach outlined in my original posting make my source code more vulnerable than a Java program compiled with JET that did not invoke a user program via reflection?

thanks

Lyle

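The two questions above (what a user-written class can learn about the host through reflection, and whether loading it via reflection widens the exposure) come down to class-loader visibility, not to how the host was compiled. The following is an added, self-contained example written for this thread; it is not code from the original posts or from Excelsior. It assumes standard JVM class-loading semantics (Java 11 or later), all classes in the default package compiled to a directory or jar so the plugin's `.class` bytes are reachable as a resource, and hypothetical names (`ShippedProgram` stand-in with a constructed `LICENSE_SECRET` field, `CuriousPlugin`, `IsolatingLoader`). It first runs the plugin in the host's own loader, where `Class.forName("ShippedProgram")` succeeds and every declared member name and signature is readable, and then runs the same plugin through a loader that shares only the API interface, where the same lookup fails with `ClassNotFoundException`.

```java
import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.util.Set;

// Hypothetical plugin API, assumed for this example (mirrors the IUserProgram idea in the thread).
interface IUserProgram {
    void method1(int i);
}

// Stand-in for the shipped host. Member names are what a co-located plugin can read via reflection.
class ShippedProgram {
    private static final String LICENSE_SECRET = "constructed-placeholder"; // constructed sample value
    private static void checkLicense() {}
}

// A user-written plugin that probes the host. Loaded twice below: once in the host's loader, once isolated.
class CuriousPlugin implements IUserProgram {
    public CuriousPlugin(String arg) {}
    public void method1(int i) {}

    // Lists the host's declared members, or reports why the host is not visible.
    // Class.forName(String) resolves through the defining loader of the calling class.
    public static String probeHost() {
        try {
            Class<?> host = Class.forName("ShippedProgram");
            StringBuilder sb = new StringBuilder();
            for (Method m : host.getDeclaredMethods()) sb.append(m).append('\n');
            for (Field f : host.getDeclaredFields()) sb.append(f).append('\n');
            return sb.toString();
        } catch (ClassNotFoundException e) {
            return "host not visible: " + e;
        }
    }
}

// Loader whose parent is the bootstrap loader (java.* only). It delegates to the host loader for the
// shared API types, defines an allow-listed set of plugin classes from bytes, and refuses everything else.
final class IsolatingLoader extends ClassLoader {
    private final ClassLoader host;
    private final Set<String> sharedApi;
    private final Set<String> pluginClasses;

    IsolatingLoader(ClassLoader host, Set<String> sharedApi, Set<String> pluginClasses) {
        super(null); // no host classes reachable via parent delegation
        this.host = host;
        this.sharedApi = sharedApi;
        this.pluginClasses = pluginClasses;
    }

    @Override
    protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
        if (sharedApi.contains(name)) {
            return host.loadClass(name); // must be the host's own Class object for instanceof to hold
        }
        return super.loadClass(name, resolve); // bootstrap first, then findClass below
    }

    @Override
    protected Class<?> findClass(String name) throws ClassNotFoundException {
        if (!pluginClasses.contains(name)) {
            throw new ClassNotFoundException(name); // host internals are never defined here
        }
        String path = name.replace('.', '/') + ".class";
        try (InputStream in = host.getResourceAsStream(path)) { // plugin bytes come from our own classpath
            if (in == null) throw new ClassNotFoundException(name);
            byte[] bytes = in.readAllBytes();
            return defineClass(name, bytes, 0, bytes.length);
        } catch (IOException e) {
            throw new ClassNotFoundException(name, e);
        }
    }
}

public class ReflectionIsolationDemo {
    public static void main(String[] args) throws Exception {
        System.out.println("-- plugin sharing the host's class loader --");
        System.out.println(CuriousPlugin.probeHost()); // prints checkLicense() and LICENSE_SECRET

        System.out.println("-- plugin behind IsolatingLoader --");
        ClassLoader hostLoader = ReflectionIsolationDemo.class.getClassLoader();
        IsolatingLoader loader = new IsolatingLoader(hostLoader, Set.of("IUserProgram"), Set.of("CuriousPlugin"));
        Class<?> c = Class.forName("CuriousPlugin", true, loader);
        Object obj = c.getConstructor(String.class).newInstance("arg");
        if (obj instanceof IUserProgram) {
            ((IUserProgram) obj).method1(1); // the shared interface still works across the boundary
        }
        System.out.println(c.getMethod("probeHost").invoke(null)); // prints "host not visible: ..."
    }
}
```

Two caveats a practitioner should keep in mind. First, the isolating loader only hides the host from the plugin's runtime reflection; the user still holds the host binary on disk, which is exactly the case the obfuscation and native-compilation remarks in the reply above are addressing. Second, `StackTraceElement` objects handed to a plugin (for example through an exception it catches) carry the host's class and method names as plain strings regardless of loader boundaries, which is another reason name obfuscation of the host remains worthwhile. Whether JET honours user-defined class loaders exactly as a standard JVM does is not something this thread establishes; that is an assumption of the example.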

Please contact Excelsior Support Dept. (java at excelsior-usa.com) to continue discussing this topic.

And, please, do not forget to introduce yourself.

Hope for your understanding.

