Talk:CSC/ECE 517 Fall 2009/wiki1a 10 wolf27-Manhattan

From Expertiza_Wiki
Revision as of 07:13, 5 September 2009 by Wolf27 (Java Security Features)

Programs are not allowed to access arbitrary memory locations.
For example, casting between an int and an Object is strictly illegal in Java.

Variables may not be used before they are initialized.
If a program were able to read the value of an uninitialized variable, the effect would be the same as if it were able to read random memory locations. A Java class wishing to exploit this defect might then declare a huge uninitialized section of variables in an attempt to snoop the memory contents of the user's machine. To prevent this type of attack, all local variables in Java must be initialized before they are used, and all instance variables in Java are automatically initialized to a default value.

Objects cannot be arbitrarily cast into other objects.
Consider the example below.

public class CreditCard {
    private String acctNo;
}

public class CreditCardSnoop {
    public String acctNo;
}

Then the following code will not be allowed to execute, because the compiler rejects the cast between the two unrelated classes:

CreditCard cc = Wallet.getCreditCard( );
CreditCardSnoop snoop = (CreditCardSnoop) cc;
System.out.println("Ha! Your account number is " + snoop.acctNo);

Java does not allow arbitrary casting between objects; an object can only be cast to one of its superclasses or its subclasses.

To satisfy the compiler, the code can be changed as follows:

Object cc = Wallet.getCreditCard( );
CreditCardSnoop snoop = (CreditCardSnoop) cc;

In this case, the virtual machine thwarts the attack by throwing a ClassCastException when the snoop variable is assigned.
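
The run-time check described above, together with the default initialization of instance variables, as an added example that is not part of the original page. The body of Wallet, the sample account number, and the extra cvv and holder fields are assumptions made for illustration.

```java
public class CastCheckDemo {
    // Stand-ins for the page's classes. Wallet is only referenced on the
    // page, so its body here is an assumption; all values are constructed.
    static class CreditCard {
        private String acctNo = "0000-CONSTRUCTED";
        private int cvv;        // never assigned: the JVM sets it to 0
        private String holder;  // never assigned: the JVM sets it to null
    }

    static class CreditCardSnoop {
        public String acctNo;
    }

    static class Wallet {
        static CreditCard getCreditCard() {
            return new CreditCard();
        }
    }

    // Attempts the cast from the page on a reference typed as Object.
    // The compiler accepts it, but the JVM checks the object's real class
    // when the cast executes.
    static String trySnoop(Object cc) {
        try {
            CreditCardSnoop snoop = (CreditCardSnoop) cc;
            return "cast succeeded, acctNo = " + snoop.acctNo;
        } catch (ClassCastException e) {
            return "blocked: ClassCastException";
        }
    }

    public static void main(String[] args) {
        Object cc = Wallet.getCreditCard();

        // The object is really a CreditCard, so the cast is refused.
        System.out.println(trySnoop(cc));

        // instanceof performs the same type test without throwing.
        System.out.println("is a snoop? " + (cc instanceof CreditCardSnoop));

        // A genuine CreditCardSnoop passes the identical check.
        System.out.println(trySnoop(new CreditCardSnoop()));

        // Unassigned instance fields hold defaults, not leftover memory.
        CreditCard card = Wallet.getCreditCard();
        System.out.println("cvv = " + card.cvv + ", holder = " + card.holder);
    }
}
```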