Re: [aspectj-users] Virus / unwanted code modification

AspectJ neither adds any security risk to Java nor makes it easier to write Java viruses.

Since Java was designed for safe network download of code, it's a poor medium for viruses.  The scenario you describe is possible, but expensive and easily subverted through standard Java security practices.  As Nick suggests, Java uses signed and sealed jars/packages to prevent man-in-the-middle attacks of the kind you mention, so your scenario applies only to applications deployed without that.  Further, it requires code run with VM permissions to read and write to the filesystem (e.g., not applet or web applications), which users/sysadmins are supposed to grant only to valid code.  

Further, the virus would have to haul around a bytecode weaver, aspects, and the runtime jar, which would make it fairly big and recognizable (and might make an ordinary application run out of memory *smile*).  A virus would more likely dump all that and do the bytecode rewriting directly.

Wes

> ------------Original Message------------
> From: Nicolai Kuntze <g-8@xxxxxxx>
> To: aspectj-users@xxxxxxxxxxx
> Date: Fri, Jul-9-2004 7:49 AM
> Subject: Re: [aspectj-users] Virus / unwanted code modification
>
> If I look at page 442 in AspectJ in Action there is an option to weave 
> precompiled classes. Laddad writes: "This enables you to apply 
> crosscutting concerns without needing access to the source files. 
> [...]" So if I add the aspectjrt.jar to the target jar file and 
> modify the respective main method everything is fine. An infection 
> could go this way
> - get the compiler
> - search every java application
> - and weave it with the infection aspect
> - add aspectjrt.jar into the infected jar
> 
> Where is my fault?
> 
> Yours,
> Nicolai
> 
> On 09.07.2004 at 16:23, Nicholas Lesiecki wrote:
> 
> > At this point, the only way to have AspectJ affect your code is to:
> >
> > a) Use the AspectJ compiler to compile it
> > b) Use a load-time weaver (weaving classloader)
> >
> > Since both of these modes of action imply significant control over an 
> > application, AspectJ seems an unlikely choice for the basis of any 
> > virus. Furthermore, AspectJ does nothing to subvert Java's security 
> > model, which I understand is quite tight.
> >
> > Cheers,
> > Nick
> >
> > On Jul 9, 2004, at 6:01 AM, Nicolai Kuntze wrote:
> >
> >> Hi,
> >>
> >> working on my thesis I got the thought someone could use aspectj as 
> >> the base technology for some kind of virus.
> >>
> >> Are there any papers in this direction?
> >>
> >> Yours,
> >> Nicolai Kuntze
> >>
> >>
> >> ---- This message has been scanned for viruses and other dangerous content 
> >> as well as spam.
> >>
> >>
> >> _______________________________________________
> >> aspectj-users mailing list
> >> aspectj-users@xxxxxxxxxxx
> >> http://dev.eclipse.org/mailman/listinfo/aspectj-users
> >>
> >>
> > Nicholas Lesiecki
> > Software Craftsman, specializing in J2EE,
> > Agile Methods, and aspect-oriented programming
> >
> > Books:
> > * Mastering AspectJ: http://tinyurl.com/66vf
> > * Java Tools for Extreme Programming: http://tinyurl.com/66vt
> >
> > Articles on AspectJ:
> > * http://tinyurl.com/66vu and http://tinyurl.com/66vv
> >
> >
> 
> 
> 


