What is the security risk of object reflection?

Problem description

So after a few hours of working around the limitation of Reflection being currently disabled on the Google App Engine, I was wondering if someone could help me understand why object reflection can be a threat. Is it because I can inspect the private variables of a class or are there any other deeper reasons?

Recommended answer

1 - Reflection (as a concept) is indeed orthogonal to safety/security.

There was a big emphasis in the design of Java to make it a safe platform, with static typing, security manager, disciplined usage of class loader, and no way to screw pointers/memory. You can read the interview of James Gosling in Masterminds of Programming, which is interesting about that.

But the more reflective power you have, the harder it is to ensure things are as safe as they should be. Reflection notably defeats static typing and can lead to run-time errors.

But more subtle things can happen as well. For instance, class loaders -- which can be considered a reflective hook in the system -- were not designed properly in the early version of Java, leading to potential type replacement. The article Dynamic class loading in the JVM, by Gilad Bracha, is insightful on such issues.

Reflection cannot be turned off altogether; it's always possible to reflect on its own public fields/methods. Reflection on private structures with AccessibleObject.setAccessible can however be disabled, because it breaks encapsulation. With access to private fields, etc., inspection and modification of internal data is possible. It can lead to various malicious exploits, e.g.


  • strings are not immutable anymore and can be changed (see this question)
  • you can reveal sensitive information of objects you don't own
  • ... other exploits ...

Finally, there are other mechanisms that put security in jeopardy, notably sun.misc.Unsafe, which gives direct access to the memory -- pointers are back.

2 - Now, the question is whether reflection (in practice) leads to that many risks.

I've read the link pointed to by @dbyrne but it's mostly about .net. Also I don't know exactly what is disabled for Google App. Is it the ReflectPermission only, or other permission of the security manager? One danger is clearly to get access to the file system and mess around.

The problem of access to private data and breaking encapsulation can be argued in practice. Writing secure code is indeed extremely hard, and even without changing the access modifier you can subclass classes in an inappropriate way -- unless they are final, or even better, sealed -- and pass them around. This is for instance what defensive copying tries to protect against.

Type-safety is also anyway threatened by run-time error because of downcast, so this point can also be argued.

In a shared/hosted environment, the security is relative. At the language level, you can for instance not prevent a module from consuming 100% of CPU or consuming all memory up to an OutOfMemoryException. Such concerns need to be addressed by other means, typically at the OS level, with virtualization and quotas.

So my personal answer would be: reflection is a security risk, but not that big in practice if compared to other potential attack vectors.
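The encapsulation point in the answer above, as an added example that is not part of the original answer: it shows what `AccessibleObject.setAccessible` permits on ordinary application classes and how the runtime refuses the same call on a JDK internal. The `Session` class, the `probe` helper and the token value are hypothetical and constructed for illustration.

```java
import java.lang.reflect.Field;

public class ReflectionEncapsulationDemo {

    // Try to open a private field and report how the runtime responds.
    static String probe(Class<?> type, String fieldName) {
        try {
            Field f = type.getDeclaredField(fieldName);
            f.setAccessible(true); // the call the answer singles out
            return "OPEN";
        } catch (NoSuchFieldException e) {
            return "NO SUCH FIELD";
        } catch (RuntimeException e) {
            // SecurityException: a security manager withheld ReflectPermission.
            // InaccessibleObjectException: Java 9+ module encapsulation.
            return "BLOCKED by " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) throws Exception {
        Session s = new Session("constructed-sample-token"); // constructed value

        // Read a private final field from outside the class.
        Field token = Session.class.getDeclaredField("token");
        token.setAccessible(true);
        System.out.println("private token read: " + token.get(s));

        // Flip private state that has no setter.
        Field admin = Session.class.getDeclaredField("admin");
        admin.setAccessible(true);
        admin.setBoolean(s, true);
        System.out.println("isAdmin after write: " + s.isAdmin());

        // Same attempt against application code and against a JDK internal.
        System.out.println("Session.token -> " + probe(Session.class, "token"));
        System.out.println("String.value  -> " + probe(String.class, "value"));
    }
}

// Hypothetical class standing in for "an object you don't own".
final class Session {
    private final String token;
    private boolean admin = false;

    Session(String token) { this.token = token; }
    boolean isAdmin() { return admin; }
}
```

On JDK 17 and later with default flags, the `String.value` probe is blocked with `InaccessibleObjectException` because `java.base` does not open `java.lang` to application code, while the `Session` probe still succeeds. Getting the same protection for application classes means placing them in a named module that does not open their package to the caller.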
