Reflection Security Issues
Java reflection is a mechanism used by Java programs given them the ability to change the runtime actions of the application running within the Java Virtual Machine (JVM). It makes it easier for developers to write programs because it helps gather information to implement proper analysis by the software itself (Schildt, 2011), however it compromises the systems because malware can easily bypass the security around the JVM.
Two security vulnerabilities found regarding the use of Java Reflection are CVE-2012-4681 and CVE-2012-5076. Both of them are related to Java Applets and another common factor is the use of Java reflection.
What to look in the code
In order to avoid this security issues, make sure that
- Java Runtime Environment (JRE) is higher that Java SE 7 Update 6 version
- Correct implementtion of classes such as com.sun.beans.finder.ClassFinder.findClass
- Avoid Private structure using AccessibleObject.setAccessible because it breaks the encapsulation
- Avoid Use of sun.misc.Unsafe because it provides direct access to memory
- Verify correct Implementation of java.lang.reflect.ReflectPermission following best practices as described in Oracle Documents, September 2011
Schildt Hebert, 2011 ‘Java: The complete Reference, 8th Edition ‘ McGraw-Hill
Common Vulnerabilities and Exposure, 2012 ‘CVE-2012-4681’, available at (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4681) last viewed on October 3rd, 2013
Oracle Documents, 2011 “Permissions in the Java 2 SDK’ available at http://docs.oracle.com/javase/1.4.2/docs/guide/security/permissions.html#ReflectPermission, last viewed on October 3rd, 2013