How did we get to the point where someone could invoke arbitrary bytecode?

On Sun, Nov 8, 2015 at 2:47 PM James Carman <[email protected]> wrote:

> Runtime.exec can be prevented though
>
> On Sun, Nov 8, 2015 at 2:31 PM Thomas Neidhart <[email protected]>
> wrote:
>
>> On 11/08/2015 08:20 PM, James Carman wrote:
>> > I think this entire thing can be prevented with a security manager and a
>> > proper policy in place. Nobody does that, though
>>
>> You cannot prevent the use of reflection for public methods via a
>> SecurityManager.
>>
>> If you then look at the different provided payloads you can see that an
>> attacker can inject arbitrary bytecode that is being loaded.
>>
>> How would you prevent that such code is able to do anything harmful,
>> especially considering that it is being executed in the security context
>> of some trusted component?
>>
>> Thomas
