Noel J. Bergman wrote:
If you declare state members as private, the bytecode gets hacked around
during compilation to enable package level access so that the inner
class can access the private members it is referencing. If you use
reflection you can access methods and members that you figured were
private at design time.
Is that all? A friend of mine hacks the JVM all the time. Maybe I've just
gotten jaded, but the JVM just isn't secure enough that way to worry about
it.
For example:
victim.java:

    public class victim
    {
        public String mc = "Can't touch this.";
    }

attacker.java:

    public class attacker
    {
        static public void main(String[] args)
        {
            System.out.println((new victim()).mc);
        }
    }

Compile both. Change victim so that mc is private. Recompile victim only.
Run attacker. And this doesn't even include all of the fun I can have with
dynamically generated bytecodes. :-)
I'm aware of the EJB stuff - but I wasn't aware of the above scenario ...
This is nasty!
Cheers, Steve.
--
Stephen J. McConnell
mailto:[EMAIL PROTECTED]
http://www.osm.net
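
Added example, not part of the original messages: a single-file Java program that makes the two mechanisms from the first quoted paragraph observable, namely the compiler-generated accessor for inner-class access to a private member, and reflective access to a private field. The names AccessDemo, Outer, Inner and secret are hypothetical; the output of step 1 depends on the javac release, because Java 11 and later use nest-based access control (JEP 181) instead of synthetic accessors.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;

// Hypothetical classes for illustration; save the file as AccessDemo.java.
class Outer {
    private String secret = "Can't touch this.";

    class Inner {
        // Reads a private member of the enclosing class.
        String peek() { return secret; }
    }
}

public class AccessDemo {
    public static void main(String[] args) throws Exception {
        Outer outer = new Outer();
        System.out.println("inner class read:      " + outer.new Inner().peek());

        // 1. Compiler-generated accessors. javac before Java 11 emits a
        //    package-private static synthetic method on Outer so that Inner
        //    can reach Outer.secret; javac 11+ records nestmates instead.
        int synthetic = 0;
        for (Method m : Outer.class.getDeclaredMethods()) {
            if (m.isSynthetic()) {
                synthetic++;
                System.out.println("synthetic accessor:    "
                        + Modifier.toString(m.getModifiers()) + " " + m.getName());
            }
        }
        if (synthetic == 0) {
            System.out.println("no synthetic accessors (nest-based access)");
        }

        // 2. Reflection. Field.get() enforces the private modifier for a
        //    caller outside Outer until setAccessible(true) is called.
        Field f = Outer.class.getDeclaredField("secret");
        try {
            f.get(outer);
        } catch (IllegalAccessException e) {
            System.out.println("without setAccessible: " + e.getClass().getSimpleName());
        }
        f.setAccessible(true);
        System.out.println("with setAccessible:    " + f.get(outer));
    }
}
```

Compiling with an older target release and a current one and comparing the step 1 output shows whether a given build still carries package-visible accessors for its private members.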