Hardening Java's Access Control by Abolishing Implicit Privilege Elevation
Offered By: IEEE via YouTube
Course Description
Overview
Explore a comprehensive analysis of Java's access control vulnerabilities in this IEEE Symposium on Security & Privacy conference talk. Delve into the study of shortcuts that bypass stack-based access control, leading to implicit privilege elevation and potential security risks. Examine the consequences of these shortcuts, including their impact on software maintenance and the introduction of confused-deputy vulnerabilities. Learn about a proposed solution involving a tool-assisted adaptation of the Java Class Library to implement explicit privilege elevation. Discover how these changes can significantly enhance the security of Java applications by hindering new vulnerabilities and restricting attacker capabilities. Gain insights into usability considerations and performance implications of implementing faithful stack-based access control in Java.
Syllabus
Introduction
Joint Work
Java Security Model
Information Checks
Model Deviation
Example
Permission Check
Shortcut
Consequences
Shortcuts prevent
Shortcut example
System class example
Sample exploits
Moving from Implicit to Explicit
Removing Conditionals
Implementation
General Lessons
Questions
Taught by
IEEE Symposium on Security and Privacy
Tags
Related Courses
BaRMIe - Poking Java’s Back Door44CON Information Security Conference via YouTube Penetration Testing Considered Harmful
44CON Information Security Conference via YouTube New Exploit Technique in Java Deserialization Attack
Black Hat via YouTube An In-Depth Study of More Than Ten Years of Java Exploitation
Association for Computing Machinery (ACM) via YouTube Finding and Exploiting Novel Flaws in Java Software
SyScan360 via YouTube