WebApp Sec: RE: Java Code Scanning

["Scovetta, Michael V" <Michael.Scovetta () ca com>]

Peter,
   If your application is running in a "secure" context (applet or with
a specific security manager in place) then there shouldn't be anything that
could be malicious (you can disable the ability to access the filesystem and
network). If not, then you might want to look for calls using:
   java.io.File
   java.net.*
   keyword 'native' (implied JNI calls, which are not protected
                     by the Java security model)
   java.lang.Process
   java.lang.Runtime

I'm sure there are more, but other than running up your CPU, if an application
can't use the network or the file system, can't break out to another process,
and can't use JNI, I think you might be maybe 90% safe. 

Michael Scovetta

-----Original Message-----
From: Peter Lee, Kah Chen [mailto:peterlee () crimsonlogic com]
Sent: Wednesday, January 07, 2004 1:57 AM
To: webappsec () securityfocus com
Subject: Java Code Scanning


Hi there and a good day to you,

Cutting to the chase; if I am to do a textual scan of a piece of Java
application code for potential malicious code embedded, what are the key
words to scan for?

For example in the case of C/C++ program; I might look for memory
handling code i.e memcpy(), strcpy(), strdup(), memset(),  system
execution code sys(), exec(), fork(), etc. IPC & RPC calls. Codes which
try to access password directory that sort of thing.

The idea is not to look for bad code writing, but to identify/flag code
which may have security implications for more detailed sturdy or even
code walkthrough.

Anyone have a list of keywords to search with?

Thanks!

Peter