Don’t hack the platform? β˜ οΈπŸ’£πŸ’₯

Jan Ouwens

17 April, 2018

ΰ² _ΰ² 

About me πŸ€“

Jan Ouwens

jqno

EqualsVerifier


EqualsVerifier.forClass(Foo.class)
.verify();

About this talk

Happy accidents

About this talk

Evil consequences

Things you shouldn’t mess with RIGHT NOW:

  • Language β€˜features’
  • Reflection
  • Annotations
  • External libraries

Ratings

  • ☠️
  • β˜ οΈπŸ’£
  • β˜ οΈπŸ’£πŸ’₯

☠️ Language β€˜features’

True Lambda

Demo

Demo

Unicode symbols

  • Hard to type
  • Hard to read
  • Rating: ☠️

False is True

Demo

False is True

Scala demo

False is True

Kotlin demo

False is True

Rating: β˜ οΈπŸ’£

Unicode converter

Demo

Unicode escapes

  • Harder to type and read
  • Maven says Β―\_(ツ)_/Β―
  • Rating: β˜ οΈπŸ’£

Emoji

Demo

Emoji

  • Rating: πŸŽ‰

Hash-code

Demo

Hash-code

  • Fun when coworkers insist on hashCode as key
  • Rating: ☠️

However…

☠️ Reflection

Introducing: Reflector

Demo

Call of the Void

Demo

Oh man πŸ˜’

WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by demos.reflection.CallOfTheVoid (file:/Users/jqno/w/personal/dont-hack-the-platform-talk/target/classes/) to constructor java.lang.Void()
WARNING: Please consider reporting this to the maintainers of demos.reflection.CallOfTheVoid
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release

--add-opens java.base/java.lang=ALL-UNNAMED

Call of the Void

Rating: ☠️

Loopy

Demo

Loopy

Was this hack evil? βœ‹

Are Calendars and arrays evil? βœ‹

Are JPA entities evil? πŸ‘Ή

Loopy

Rating: β˜ οΈπŸ’£πŸ’₯

Interning

Demo

Interning

  • Fun way to mess up unit tests!
  • Rating: β˜ οΈπŸ’£

dirty_CLASS

Demo

You should probably

  • Call close() on URLClassLoader
  • Report compilation errors with CompilationTask
  • Handle exceptions


Β―\_(ツ)_/Β―

Multi-release JAR file

EqualsVerifier

@Test
public void equalsverifierSucceeds_whenOneOfTheFieldsIsSynthetic() {
if (!isJava8Available()) {
return;
}
Class<?> java8ClassWithSyntheticField = compile(JAVA_8_CLASS_WITH_SYNTHETIC_FIELD_NAME, JAVA_8_CLASS_WITH_SYNTHETIC_FIELD);
EqualsVerifier.forClass(java8ClassWithSyntheticField)
.verify();
}
private static final String JAVA_8_CLASS_WITH_SYNTHETIC_FIELD_NAME = "Java8ClassWithSyntheticField";
private static final String JAVA_8_CLASS_WITH_SYNTHETIC_FIELD =
"\nimport java.util.Comparator;" +
"\nimport java.util.Objects;" +
"\n" +
"\npublic final class Java8ClassWithSyntheticField {" +
"\n private static final Comparator<Java8ClassWithSyntheticField> COMPARATOR =" +
"\n (c1, c2) -> 0; // A lambda is a synthetic class" +
"\n" +
"\n private final String s;" +
"\n " +
"\n public Java8ClassWithSyntheticField(String s) {" +
"\n this.s = s;" +
"\n }" +
"\n " +
"\n @Override" +
"\n public boolean equals(Object obj) {" +
"\n if (!(obj instanceof Java8ClassWithSyntheticField)) {" +
"\n return false;" +
"\n }" +
"\n return Objects.equals(s, ((Java8ClassWithSyntheticField)obj).s);" +
"\n }" +
"\n " +
"\n @Override" +
"\n public int hashCode() {" +
"\n return Objects.hash(s);" +
"\n }" +
"\n}";

JavaCompiler

Rating: β˜ οΈπŸ’£πŸ’₯

☠️ Annotations

Lombok 🌢

use annotations

to trick the Java compiler

into generating bytecode

that does something else

Spring & Hibernate

use annotations

to trick the Java runtime

into generating bytecode

that does something else

Boring

Rating: ☠️

☠️ External libraries

Objenesis

Constructors are tedious

Demo

Constructors are tedious

Rating: ☠️

Singletons

β€œ[An enum] provides an ironclad guarantee against multiple instantiation, even in the face of sophisticated serialization or reflection attacks. […] A single-element enum type is often the best way to implement a singleton.”

– Joshua Bloch, Effective Java 3rd Edition

πŸ˜‡

Singletons

Demo

Singletons

Rating: β˜ οΈπŸ’£

Confusing card game

Confusing card game

Demo

Confusing card game

Rating: β˜ οΈπŸ’£πŸ’₯

Messing with Scala

Demo

Messing with Scala

Rating: β˜ οΈπŸ’£

External libraries

ByteBuddy

&

ByteBuddy Agent

Disclaimer

Use cases for agents

  • there are many
  • they’re legitimate

Time Traveling πŸ•™πŸ•š

Demo





Idea shamelessly stolen from
/TOPdesk/time-transformer-agent

Time Traveling πŸ•™πŸ•š

  • Unit testing legacy code
  • Messing up any code
  • Rating: β˜ οΈπŸ’£πŸ’₯

But wait

There’s more

Victim / Attack

Demo



mvn clean package

mvn exec:java -DmainClass=demos.libraries.remote.Attack -Darg0=target/dont-hack-the-platform-0.1-SNAPSHOT.jar -Darg1=???

Victim / Attack

Rating:

😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱

Awareness

Emoji & unicode

  • Checkstyle
  • SonarQube

Security manager

Demo



System.setSecurityManager(new SecurityManager());

Security manager

Modularisation

WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by demos.reflection.CallOfTheVoid (file:/Users/jqno/w/personal/dont-hack-the-platform-talk/target/classes/) to constructor java.lang.Void()
WARNING: Please consider reporting this to the maintainers of demos.reflection.CallOfTheVoid
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release

--illegal-access=deny

Do try this at home!

Maybe not at work though?

Questions?



slides & code at
/jqno/dont-hack-the-platform-talk

I’m at
jqno