Don’t hack the JVM? β˜ οΈπŸ’£πŸ’₯

Jan Ouwens

April 4, 2018

ΰ² _ΰ² 

About me πŸ€“

Jan Ouwens

jqno

EqualsVerifier


EqualsVerifier.forClass(Foo.class)
              .verify();

About this talk

Happy accidents

About this talk

Evil consequences

Things you shouldn’t mess with RIGHT NOW:

  • Language β€˜features’
  • Reflection
  • Annotations
  • External libraries

Ratings

  • ☠️
  • β˜ οΈπŸ’£
  • β˜ οΈπŸ’£πŸ’₯

☠️ Language β€˜features’

True Lambda

Demo

True Lambda

  • Hard to type
  • Hard to read
  • Rating: ☠️

False is True

Demo

False is True

Rating: β˜ οΈπŸ’£

☠️ Reflection

Introducing: Reflector

Show me the code

Loopy

Demo

Loopy

Was this hack evil? βœ‹

Are Calendars and arrays evil? βœ‹

Are JPA entities evil? πŸ‘Ή

Loopy

Rating: β˜ οΈπŸ’£πŸ’₯

Interning

Demo

Interning

  • Fun way to mess up unit tests!
  • Rating: β˜ οΈπŸ’£

Oh man πŸ˜’

WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by demos.reflection.Reflector (file:/Users/jqno/w/personal/dont-hack-the-platform-talk/target/classes/) to field java.lang.String.value
WARNING: Please consider reporting this to the maintainers of demos.reflection.Reflector
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release

--add-opens java.base/java.lang=ALL-UNNAMED

dirty_CLASS

Demo

You should probably

  • Call close() on URLClassLoader
  • Report compilation errors with CompilationTask
  • Handle exceptions


Β―\_(ツ)_/Β―

Multi-release JAR file

EqualsVerifier

@Test
public void equalsverifierSucceeds_whenOneOfTheFieldsIsSynthetic() {
    if (!isJava8Available()) {
        return;
    }

    Class<?> java8ClassWithSyntheticField = compile(JAVA_8_CLASS_WITH_SYNTHETIC_FIELD_NAME, JAVA_8_CLASS_WITH_SYNTHETIC_FIELD);
    EqualsVerifier.forClass(java8ClassWithSyntheticField)
            .verify();
}

private static final String JAVA_8_CLASS_WITH_SYNTHETIC_FIELD_NAME = "Java8ClassWithSyntheticField";
private static final String JAVA_8_CLASS_WITH_SYNTHETIC_FIELD =
        "\nimport java.util.Comparator;" +
        "\nimport java.util.Objects;" +
        "\n" +
        "\npublic final class Java8ClassWithSyntheticField {" +
        "\n    private static final Comparator<Java8ClassWithSyntheticField> COMPARATOR =" +
        "\n            (c1, c2) -> 0;   // A lambda is a synthetic class" +
        "\n" +
        "\n    private final String s;" +
        "\n    " +
        "\n    public Java8ClassWithSyntheticField(String s) {" +
        "\n        this.s = s;" +
        "\n    }" +
        "\n    " +
        "\n    @Override" +
        "\n    public boolean equals(Object obj) {" +
        "\n        if (!(obj instanceof Java8ClassWithSyntheticField)) {" +
        "\n            return false;" +
        "\n        }" +
        "\n        return Objects.equals(s, ((Java8ClassWithSyntheticField)obj).s);" +
        "\n    }" +
        "\n    " +
        "\n    @Override" +
        "\n    public int hashCode() {" +
        "\n        return Objects.hash(s);" +
        "\n    }" +
        "\n}";

JavaCompiler

Rating: β˜ οΈπŸ’£πŸ’₯

☠️ Annotations

Lombok 🌢

use annotations

to trick the Java compiler

into generating bytecode

that does something else

Spring & Hibernate

use annotations

to trick the Java runtime

into generating bytecode

that does something else

Boring

Rating: ☠️

☠️ External libraries

Objenesis

Constructors are tedious

Demo

Constructors are tedious

Rating: ☠️

Enums

β€œ[An enum] provides an ironclad guarantee against multiple instantiation, even in the face of sophisticated serialization or reflection attacks.”

– Joshua Bloch, Effective Java 3rd Edition

πŸ˜‡

Confusing card game

Confusing card game

Demo

Confusing card game

Rating: β˜ οΈπŸ’£πŸ’₯

External libraries

ByteBuddy

&

ByteBuddy Agent

Disclaimer

Use cases for agents

  • there are many
  • they’re legitimate

Time Traveling πŸ•™πŸ•š

Demo





Idea shamelessly stolen from
/TOPdesk/time-transformer-agent

Time Traveling πŸ•™πŸ•š

  • Unit testing legacy code
  • Messing up any code
  • Rating: β˜ οΈπŸ’£πŸ’₯

But wait

There’s more

Victim / Attack

Demo



mvn clean package

mvn exec:java -DmainClass=demos.libraries.remote.Attack -Darg0=target/dont-hack-the-platform-0.1-SNAPSHOT.jar -Darg1=???

Victim / Attack

Rating:

😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱

Awareness

Unicode

  • Checkstyle
  • SonarQube

Reflection and libraries

  • Security manager
  • Modularisation

Security manager

Modularisation

WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by demos.reflection.CallOfTheVoid (file:/Users/jqno/w/personal/dont-hack-the-platform-talk/target/classes/) to constructor java.lang.Void()
WARNING: Please consider reporting this to the maintainers of demos.reflection.CallOfTheVoid
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release

--illegal-access=deny

Do try this at home!

Maybe not at work though?

Questions?



slides & code at
/jqno/dont-hack-the-platform-talk

I’m at
jqno