| Permission Name | Permission Allows | Risks |
|---|---|---|
| `createClassLoader` | creation of a class loader | a class loader can load rogue classes which bypass all security permissions |
| `getClassLoader` | retrieval of the class loader for the calling class | rogue code could load classes not otherwise available |
| `setContextClassLoader` | allows the setting of the context class loader used by a thread | rogue code could change the context class loader needed by system threads |
| `setSecurityManager` | allows the application to replace the security manager | the new manager may be less restrictive, so that rogue code can bypass existing security checks |
| `createSecurityManager` | allows the application to create a new security manager | rogue code can use the new security manager to discover information about the execution stack |
| `exitVM` | allows the application to halt the virtual machine | rogue code can mount a denial-of-service attack by killing the virtual machine |
| `shutdownHooks` | allows registration and modification of shutdown hooks | rogue code can add a hook that interferes with clean virtual machine shutdown |
| `setFactory` | allows the application to set the socket factory for socket, server socket, stream handler, or RMI socket factory | rogue code can create a rogue network object which mangles or intercepts data |
| `setIO` | allows the application to set `System.out`, `System.in`, and `System.err` | rogue code could sniff user input and intercept or mangle output |
| `modifyThread` | allows the application to modify any thread in the virtual machine using any of the methods `stop`, `resume`, `suspend`, `setPriority`, and `setName` of class `Thread` | rogue code could adversely modify system or user threads |
| `stopThread` | allows the application to stop any thread it has access to in the system | rogue code can stop arbitrary threads |
| `modifyThreadGroup` | allows the application to modify thread groups using any of the methods `destroy`, `resume`, `setDaemon`, `setMaxPriority`, `stop`, and `suspend` of the class `ThreadGroup` | rogue code can mount a denial-of-service attack by changing run priorities |
| `getProtectionDomain` | retrieve a class's `ProtectionDomain` | rogue code can gain information about the security policy, to prepare a better attack |
| `readFileDescriptor` | read a file descriptor | rogue code can read sensitive information |
| `writeFileDescriptor` | write a file descriptor | rogue code can write files, including viruses, and can modify the virtual machine binary, or at least fill up the disk |
| `loadLibrary.{library name}` | dynamic linking of the named library | native code can bypass many security checks of pure Java |
| `accessClassInPackage.{package name}` | access to a package via a `ClassLoader` | rogue code can access classes not normally available |
| `defineClassInPackage.{package name}` | define a class inside a given package | rogue code can install rogue classes, including in trusted packages like `java.security` or `java.lang` |
| `accessDeclaredMembers` | access declared class members via reflection | rogue code can discover information, invoke methods, or modify fields that are not otherwise available |
| `queuePrintJob` | initiate a print job | rogue code could make a hard copy of sensitive information, or simply waste paper |
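The table lists what each `RuntimePermission` target unlocks; the following program, added here as an example and not part of the original table, shows the checks actually firing. It writes a minimal policy file that grants only `accessDeclaredMembers` to all code, re-launches itself in a child JVM with the default security manager installed, and then attempts one operation per table row, reporting which are allowed and which are denied. The class name `RuntimePermissionDemo` and the file name `demo.policy` are assumptions for the demo. It needs a JDK from 15 to 23 on a POSIX host: the security manager was deprecated for removal in JDK 17 (JEP 411), so JDK 17+ prints a warning when it is enabled, and it was permanently disabled in JDK 24 (JEP 486).

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.file.Files;
import java.nio.file.Path;

/*
 * Added demo (not the table's or the JDK's own code): probe several
 * RuntimePermission targets from the table under the default SecurityManager
 * and a constructed, deliberately minimal policy file.
 *
 * Run with no arguments: the parent writes demo.policy and re-launches this
 * class in a child JVM with the security manager enabled at startup.
 */
public class RuntimePermissionDemo {

    // Constructed policy: every code source gets exactly one RuntimePermission.
    // Passing it with "==" makes it the only policy (the JDK's java.policy is ignored).
    static final String POLICY = """
            grant {
                permission java.lang.RuntimePermission "accessDeclaredMembers";
            };
            """;

    public static void main(String[] args) throws Exception {
        if (args.length == 1 && args[0].equals("child")) {
            runProbes();
            return;
        }
        Path policy = Path.of("demo.policy");           // assumed file name
        Files.writeString(policy, POLICY);
        String java = Path.of(System.getProperty("java.home"), "bin", "java").toString();
        ProcessBuilder pb = new ProcessBuilder(
                java,
                "-Djava.security.manager",               // install the default manager at startup
                "-Djava.security.policy==" + policy,     // "==" : use only demo.policy
                "-cp", System.getProperty("java.class.path"),
                RuntimePermissionDemo.class.getName(), "child");
        pb.inheritIO();
        System.exit(pb.start().waitFor());
    }

    static void runProbes() {
        if (System.getSecurityManager() == null) {
            System.out.println("no SecurityManager installed; run via the parent JVM");
            return;
        }
        // Granted by demo.policy: reflective access to declared members of a class
        // from a different loader (java.lang.String lives in the bootstrap loader).
        probe("accessDeclaredMembers", () -> String.class.getDeclaredMethods());

        // Each of these maps to a table row and is not granted, so the check throws.
        probe("createClassLoader", () -> new URLClassLoader(new URL[0]));
        probe("setContextClassLoader", () ->
                Thread.currentThread().setContextClassLoader(ClassLoader.getSystemClassLoader()));
        probe("setIO", () -> System.setOut(System.out));
        probe("shutdownHooks", () -> Runtime.getRuntime().addShutdownHook(new Thread()));
        probe("getProtectionDomain", () -> String.class.getProtectionDomain());
        // The JDK checks exitVM.<status> (here exitVM.0); a bare "exitVM" grant implies every status.
        // Kept last: if it were granted, the child JVM would simply terminate here.
        probe("exitVM", () -> System.exit(0));
    }

    static void probe(String target, Runnable action) {
        try {
            action.run();
            System.out.println("ALLOWED  " + target);
        } catch (SecurityException e) {
            // AccessControlException extends SecurityException
            System.out.println("DENIED   " + target + "  (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with `javac RuntimePermissionDemo.java && java RuntimePermissionDemo`. Only the `accessDeclaredMembers` probe is reported as allowed; every other line is denied with an `AccessControlException` naming the `RuntimePermission` target, which is the quickest way to confirm that a policy grants no more than the rows you intended.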