계: Security Features
소프트웨어 보안은 보안 소프트웨어가 아닙니다. 여기서는 인증, 액세스 제어, 기밀성, 암호화, 권한 관리 등의 항목에 대해 설명합니다.
Access Control: SecurityManager Bypass
Abstract
신뢰할 수 없는 코드에 이 함수를 호출하면 공격자가 제한된 패키지에 접근할 수 있고 임의의 코드를 실행할 수 있는 능력을 갖게 됩니다.
Explanation
즉각적인 호출자의 클래스 로더 검사 사용 작업을 수행하는 Java API는 주의해서 사용해야 합니다. 이러한 API는 실행 체인의 모든 호출자가 필요한 보안 권한을 부여받도록 보장하는 SecurityManager 검사를 무시합니다. 즉각적인 호출자의 클래스 로더에 대한 액세스 확인만으로 실행 체인의 일부 호출자가 필요한 권한 없이 리소스에 접근할 수 있게 되는 권한 상승 문제가 유발될 수 있습니다. 따라서 이러한 API는 시스템 보안을 손상시킬 수 있으므로 신뢰할 수 없는 코드 대신에 호출하지 말아야 합니다.
이러한 API에 접근 가능한 신뢰할 수 없는 소스 또는 신뢰할 수 없는 환경의 Java Applet은 악성 코드를 실행하고 시스템 보안을 손상시킬 수 있습니다.
이러한 API에 접근 가능한 신뢰할 수 없는 소스 또는 신뢰할 수 없는 환경의 Java Applet은 악성 코드를 실행하고 시스템 보안을 손상시킬 수 있습니다.
References
[1] Secure Coding Guidelines for the Java Programming Language, Version 4.0
[2] CVE 2012-1682
[3] CVE 2012-4681
[4] SEC05-J. Do not use reflection to increase accessibility of classes, methods, or fields CERT
[5] ACCESS-8: Safely invoke standard APIs that bypass SecurityManager checks depending on the immediate caller's class loader Oracle
[6] ACCESS-9: Safely invoke standard APIs that perform tasks using the immediate caller's class loader instance Oracle
[7] ACCESS-10: Be aware of standard APIs that perform Java language access checks against the immediate caller Oracle
[8] ACCESS-11: Be aware java.lang.reflect.Method.invoke is ignored for checking the immediate caller Oracle
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-001764, CCI-001774, CCI-002165
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), CM-5 Access Restrictions for Change (P1), CM-7 Least Functionality (P1), IA-2 Identification and Authentication (Organizational Users) (P1), IA-11 Re-Authentication (P0), SC-3 Security Function Isolation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, CM-5 Access Restrictions for Change, CM-7 Least Functionality, IA-2 Identification and Authentication (Organizational Users), SC-3 Security Function Isolation, SC-11 Trusted Path
[13] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[14] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[15] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[16] Standards Mapping - OWASP Top 10 2013 A7 Missing Function Level Access Control
[17] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[18] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[27] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002360 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002360 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002360 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002360 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002360 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002360 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002360 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002360 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002360 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002360 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002360 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002360 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002360 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001410 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001540 CAT I, APSC-DV-002360 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001410 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001540 CAT I, APSC-DV-002360 CAT II
[42] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[43] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.structural.java.access_control_securitymanager_bypass_applet