10 Years of Java Exploits.md

File metadata and controls

23 lines (22 loc) · 4.85 KB

Summary

The paper presents an overview of 61 unique exploits against Java's security isolation (reduced to their core mechanisms from 87 exploits found in publicly available sources such as Metasploit, Exploit-DB and Packet Storm), targeting the IBM and Oracle JDKs.

The paper includes an introduction to Java's security model, and discusses the classified weaknesses and related exploits in this context. Statistics for the classifications of exploits are included.

Pros

  1. The paper creates a useful scheme/"meta model" for categorising exploits by primitives and attack vectors, and then grouping the 33 different "attack vectors" into a more abstract set of 9 weaknesses (e.g. "W5: Unauthorized use of restricted classes", or "W2: Confused deputies"). By aggregating the large collection of exploits into these categories, it is easier to see the general security issues that need to be fixed, and to back decisions on prioritising focus with statistics on their use.
  2. The paper discusses potential solutions to the discussed weaknesses. For example, it suggests adding the class initiating a thread to the thread's stack to limit some "W3: Privileged Code Execution" exploits. Another example is in "W5: Unauthorized use of restricted classes", where the paper identifies restricted packages as a major attack surface that has expanded from 4 in 1.7.0 to 47 in 1.8.0u92. It clearly identifies the potential solution in the Java Module System proposals.
  3. The .NET CLR is discussed as a different runtime that also uses stack-based access control. The abstraction of exploits into attack vectors and weaknesses also ensures that some of the discussion is applicable across languages/implementations.
  4. The paper includes exploits up to a version of Java that was recent at the time, including Java 1.8.0u92 released on 19/04/2016, with the paper released in October that year.
  5. The introduction to Java's security model is concise and provides sufficient context to understand the rest of the paper.
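The stack-based access control referred to in points 2 and 3 above (the mechanism behind the "W2: Confused deputies" and "W3: Privileged Code Execution" weaknesses) can be shown in a few lines. The following is an added example, not code from the paper or from this review. It assumes a JDK between 8 and 17, where `AccessController.checkPermission` still performs stack inspection (the behaviour was removed with the Security Manager in later releases), and it relies on the default `java.policy` granting every code source read access to the `java.version` system property. The class and method names are hypothetical.

```java
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permissions;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.util.PropertyPermission;

public class StackInspectionDemo {

    // Assumption: the default java.policy grants this permission to every
    // protection domain, so the "trusted" application code below holds it.
    private static final PropertyPermission READ_JAVA_VERSION =
            new PropertyPermission("java.version", "read");

    // A constructed context standing in for untrusted code: a single domain
    // with no permissions at all. Stack inspection intersects the permissions
    // of every domain on the walk, so any check that reaches this domain fails.
    static AccessControlContext untrustedContext() {
        ProtectionDomain noPermissions = new ProtectionDomain(null, new Permissions());
        return new AccessControlContext(new ProtectionDomain[] { noPermissions });
    }

    // "Library" method whose check lets the stack walk continue into its
    // callers. With an untrusted caller on the stack, the check is denied.
    static boolean checkWithoutPrivilege() {
        try {
            AccessController.checkPermission(READ_JAVA_VERSION);
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    // The same check wrapped in doPrivileged: the walk stops at this frame,
    // so only this class's own domain is consulted and the untrusted caller
    // no longer matters. This is the legitimate "deputy" idiom; a confused
    // deputy (W2) or privileged code execution (W3) exploit is one that gets
    // attacker-controlled input into such a frame.
    static boolean checkWithPrivilege() {
        return AccessController.doPrivileged((PrivilegedAction<Boolean>) () -> {
            try {
                AccessController.checkPermission(READ_JAVA_VERSION);
                return true;
            } catch (AccessControlException e) {
                return false;
            }
        });
    }

    public static void main(String[] args) {
        AccessControlContext untrusted = untrustedContext();
        // Run each library method as though it had been called from the
        // untrusted domain, by combining that domain into the current context.
        boolean plain = AccessController.doPrivileged(
                (PrivilegedAction<Boolean>) StackInspectionDemo::checkWithoutPrivilege, untrusted);
        boolean shielded = AccessController.doPrivileged(
                (PrivilegedAction<Boolean>) StackInspectionDemo::checkWithPrivilege, untrusted);
        System.out.println("untrusted caller, plain check:        " + plain);
        System.out.println("untrusted caller, doPrivileged check: " + shielded);
    }
}
```

Compile and run with `javac StackInspectionDemo.java && java StackInspectionDemo` (on JDK 17 add `-Djava.security.manager=allow` if the runtime warns about the Security Manager APIs). The point the paper's model rests on is visible in the two results: the permission check that walks through the untrusted domain is denied, while the `doPrivileged` frame cuts the walk short and the same check succeeds, which is why every `doPrivileged` block that can be reached with untrusted arguments is part of the attack surface.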

Cons

  1. The paper claims "We make the full documentation of the exploit sample set publicly available along with this paper" with the source repository https://github.com/pholzinger/exploitstudy. However, this repository only contains a readme, and the Download Additional Artifacts download link is broken. I was unable to find the artifacts on the Wayback Machine (earliest scan in 2019).
  2. The paper does not present new information beyond its simple "meta-model" and the statistics for the categories selected. It is suitable only as a summary.
  3. The paper contains a mix of solved and unpatched vulnerabilities across the range of Java versions it analyses. For example, the "W7: Serialization issues and type confusion" weakness involves exploit CVE-2013-1489, though the paper does not make it clear that this exploit affected Java 1.7.0u10 and 1.7.0u11 and was fixed, along with many other exploits (see Oracle Java SE Critical Patch Update Advisory - February 2013), on 01/02/2013, more than 3 years before this paper was released. This caused me some confusion as to which exploits were for historical discussion and were already fixed, and which were unresolved as of the paper's release.
  4. The paper contains no discussion or statistics on the use of these exploits. While providing statistics for weaknesses in a batch of exploits they have scraped (of unknown bias) is useful, some exploits may be used far more than others, and therefore carry more weight as an issue than a weakness that is exploited rarely.
  5. The title of the paper provides a vague time range for the exploits discussed; though it is mentioned that some exploits work against Java 1.6 (initially released approximately 10 years before the paper), no exact update version is specified (updates for Java 6 were released from 2006 to 2018).

Improvements

  1. Make the source for the paper available (including the vulnerabilities, reduced code, categorisations and the backing for the statistics presented in the paper).
  2. Clearly denote which discussed vulnerabilities have been resolved (possibly discussing how and whether "security patches literally only “patch” the discovered hole without addressing the actual underlying security problem" - from the introduction).
  3. Investigate exploits on Android (mentioned as a possible path to explore by the paper).
  4. Provide some form of statistics, or measure of popularity of exploits, to supplement the frequency of weaknesses used by exploits in the exploit databases. Many exploits may use a weakness, but if they are not frequently used or are only applicable in rare circumstances, then the weakness's popularity in an exploit database may overstate its importance.
  5. Follow up the paper with a new analysis to determine how Java security has improved.