Don’t hack the Platform? ☠️💣💥

Jan Ouwens

ಠ_ಠ

About me 🤓

Jan Ouwens

jqno

EqualsVerifier


EqualsVerifier.forClass(Foo.class)
              .verify();

About this talk

Things you shouldn’t mess with:

  • Language ‘features’
  • Reflection
  • Annotations
  • External libraries

Ratings

  • ☠️
  • ☠️💣
  • ☠️💣💥

☠️ Language ‘features’

True Lambda

Demo

True Lambda

Java 17!

In fact… Java 19!

Generics

Demo

Unicode symbols

  • Hard to type
  • Hard to read
  • Rating: ☠️

False is True

Demo

False is True

Rating: ☠️💣

Unicode converter

Demo

Unicode escapes

  • Harder to type and read
  • Maven says ¯\_(ツ)_/¯
  • Rating: ☠️💣

☠️ Reflection

Loopy

Demo

Oh man 😒

Exception in thread "main" java.lang.reflect.InaccessibleObjectException: Unable to make field private final int java.lang.Integer.value accessible: module java.base does not "opens java.lang" to unnamed module @2a0a80c0

--add-opens java.base/java.lang=ALL-UNNAMED

Loopy

Demo

Loopy

Was this hack evil? ✋

Are Calendars and arrays evil? ✋

Are JPA entities evil? 👹

Loopy

Rating: ☠️💣💥

Interning

Demo

Interning

  • Fun way to mess up unit tests!
  • Rating: ☠️💣

dirty_CLASS

Demo

You should probably

  • Call close() on URLClassLoader
  • Report compilation errors with CompilationTask
  • Handle exceptions


¯\_(ツ)_/¯

Multi-release JAR file

EqualsVerifier

@Test
public void equalsverifierSucceeds_whenOneOfTheFieldsIsSynthetic() {
    if (!isJava8Available()) {
        return;
    }

    Class<?> java8ClassWithSyntheticField = compile(JAVA_8_CLASS_WITH_SYNTHETIC_FIELD_NAME, JAVA_8_CLASS_WITH_SYNTHETIC_FIELD);
    EqualsVerifier.forClass(java8ClassWithSyntheticField)
            .verify();
}

private static final String JAVA_8_CLASS_WITH_SYNTHETIC_FIELD_NAME = "Java8ClassWithSyntheticField";
private static final String JAVA_8_CLASS_WITH_SYNTHETIC_FIELD =
        "\nimport java.util.Comparator;" +
        "\nimport java.util.Objects;" +
        "\n" +
        "\npublic final class Java8ClassWithSyntheticField {" +
        "\n    private static final Comparator<Java8ClassWithSyntheticField> COMPARATOR =" +
        "\n            (c1, c2) -> 0;   // A lambda is a synthetic class" +
        "\n" +
        "\n    private final String s;" +
        "\n    " +
        "\n    public Java8ClassWithSyntheticField(String s) {" +
        "\n        this.s = s;" +
        "\n    }" +
        "\n    " +
        "\n    @Override" +
        "\n    public boolean equals(Object obj) {" +
        "\n        if (!(obj instanceof Java8ClassWithSyntheticField)) {" +
        "\n            return false;" +
        "\n        }" +
        "\n        return Objects.equals(s, ((Java8ClassWithSyntheticField)obj).s);" +
        "\n    }" +
        "\n    " +
        "\n    @Override" +
        "\n    public int hashCode() {" +
        "\n        return Objects.hash(s);" +
        "\n    }" +
        "\n}";

JavaCompiler

Rating: ☠️💣💥

☠️ Annotations

Lombok 🌶

use annotations

to trick the Java compiler

into generating bytecode

that does something else

Spring & Hibernate

use annotations

to trick the Java runtime

into generating bytecode

that does something else






Boring

☠️ External libraries

Objenesis

Constructors are tedious

Demo

Constructors are tedious

Rating: ☠️

Singletons

“[An enum] provides an ironclad guarantee against multiple instantiation, even in the face of sophisticated serialization or reflection attacks. […] A single-element enum type is often the best way to implement a singleton.”

– Joshua Bloch, Effective Java 3rd Edition

😇

Singletons

Demo

Singletons

Rating: ☠️💣

External libraries

ByteBuddy

&

ByteBuddy Agent

Disclaimer

Use cases for agents

  • there are many
  • they’re legitimate

Confusing card game

Confusing card game

Demo

Confusing card game

Rating: ☠️💣💥

Confusing card game

But wait

There’s more

Victim / Attack

Demo



mvn clean package

jbang Attack.java target/payload-X.jar ???

Victim / Attack

Rating:

😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱😱

</>

Awareness

Unicode tricks

  • Checkstyle
  • SonarQube

Security manager

Demo: Intern



System.setSecurityManager(new SecurityManager());

Security manager

Security manager

Java 17: Deprecated

FOR REMOVAL

Modularisation

WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by demos.reflection.Reflector (file:/Users/jqno/w/personal/dont-hack-the-platform-talk/target/classes/) to field java.lang.String.value
WARNING: Please consider reporting this to the maintainers of demos.reflection.Reflector
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release

--illegal-access=deny

Just be careful

Who has access to PROD?

Do try this at home!

Maybe not at work though?

Questions?



slides & code at
https://jqno.nl/talks/dont-hack-the-platform/

I’m at
jqno