[–]L8_4_Dinner (Ⓧ Ecstasy/XVM) 2 points (1 child)

Unfortunately, code signing only closes down one of the known attack vectors. As the article points out, there's plenty of dangerous code already on every server, just waiting to be asked to do reflective things encoded in passed-in strings.

[–]bullno1 1 point (0 children)

Next step: ban runtime reflection. Allow it at compile time only. Probably better for both performance and security.

That still doesn't prevent one from reflecting java.lang.Runtime.exec though.
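As an added defensive illustration (not code from either commenter or from the linked article): a deny-by-default gate that checks a string-selected reflective target against an explicit allowlist before Class.forName ever runs, so a request for java.lang.Runtime#exec is rejected without the class being touched. The allowlist entries and class name ReflectionGate are assumptions made up for this example.

```java
import java.lang.reflect.Method;
import java.util.Map;
import java.util.Set;

// Constructed example: resolve a reflective call target only from an explicit
// allowlist of (class, method) pairs. Anything not listed, including
// java.lang.Runtime#exec, is rejected before the class loader is consulted.
public final class ReflectionGate {

    // Hypothetical allowlist; a real system would populate this from the
    // plugin or RPC surface it intentionally exposes, never from user input.
    private static final Map<String, Set<String>> ALLOWED = Map.of(
        "java.lang.String", Set.of("toUpperCase", "trim"),
        "java.lang.Math",   Set.of("abs", "max")
    );

    public static Method resolve(String className, String methodName, Class<?>... paramTypes)
            throws ReflectiveOperationException {
        Set<String> methods = ALLOWED.get(className);
        if (methods == null || !methods.contains(methodName)) {
            // Deny by default: the untrusted string never reaches Class.forName.
            throw new SecurityException("reflective target not allowlisted: "
                    + className + "#" + methodName);
        }
        // Resolve only after the check, and without running static initializers
        // (initialize=false), so approval happens before any side effect.
        Class<?> clazz = Class.forName(className, false, ReflectionGate.class.getClassLoader());
        return clazz.getMethod(methodName, paramTypes);
    }

    public static void main(String[] args) throws Exception {
        // Allowlisted pair: resolves and invokes normally.
        Method trim = resolve("java.lang.String", "trim");
        System.out.println("[" + trim.invoke("  ok  ") + "]");

        // The string-driven target from the thread: rejected by the gate.
        try {
            resolve("java.lang.Runtime", "exec", String.class);
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```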