Skip to main content
Sven Ruppert
  1. Posts/

CWE-1123: Excessive Use of Self-Modifying Code for Java Developers

·12 mins
Java Secure Coding Practices Security Code Injection Attack CWE-1123 Java Remote Code Execution Security
Sven Ruppert
Author
Sven Ruppert
20+ years of Java, specialised in Security, Vaadin and Developer Relations. When not coding, you’ll find me in the woods with an axe.
Table of Contents

Self-modifying code refers to a type of code that alters its own instructions while it is executing. While this practice can offer certain advantages, such as optimisation and adaptability, it is generally discouraged due to the significant risks and challenges it introduces. For Java developers, using self-modifying code is particularly problematic because it undermines the codebase’s predictability, readability, and maintainability, and Java as a language does not natively support self-modification of its code.

  1. Risks
  2. Examples of Risky Practices
    1. Example
    2. Mitigation Strategies
  3. Example
    1. Mitigation Strategies
  4. Mitigation Strategies
  5. CVE-2014-0114
  6. CVE-2013-2423
  7. CVE-2015-1832
  8. CVE-2012-0507
  9. CVE-2019-12384
  10. Mitigation Strategies
  11. Code Injection Attacks
  12. Remote Code Execution (RCE)
  13. Privilege Escalation
  14. Dynamic Code Loading Attacks
  15. Polymorphic Malware
  16. Evasion of Security Mechanisms
  17. Backdoors and Rootkits
  18. Tampering with Security Features

Risks
#

Unpredictable Behavior: Self-modifying code can lead to unexpected program behaviour, making diagnosing and fixing bugs difficult.

Security Vulnerabilities: Code that modifies itself can be a vector for various security attacks, including injection attacks and malware.

Maintenance Difficulty: Such code is difficult to read and understand, making it more difficult to maintain and update.

Performance Issues: Self-modifying code can cause performance degradation due to the additional overhead of modifying and interpreting the changes at runtime.

Examples of Risky Practices
#

Dynamic Class Loading: Java allows classes to be loaded at runtime using mechanisms such as reflection or custom class loaders. While dynamic class loading itself is not inherently wrong, using it excessively or without apparent necessity can lead to self-modifying behaviour.

Bytecode Manipulation: Using libraries like ASM or Javassist to modify Java bytecode at runtime can lead to self-modifying code. This practice is highly discouraged unless essential.

Reflection: While reflection is a powerful feature, it can be misused to modify private fields, methods, or classes, leading to behaviour that is hard to trace and debug.

Example
#

An example of risky self-modifying behaviour in Java using bytecode manipulation:

import javassist.ClassPool;
import javassist.CtClass;
import javassist.CtMethod;
public class SelfModifyingExample {
 public static void main(String[] args) {
   try {
     ClassPool pool = ClassPool.getDefault();
     CtClass cc = pool.get("TargetClass");
     CtMethod m = cc.getDeclaredMethod("targetMethod");
     m.insertBefore("{ System.out.println(\"Method modified at runtime\"); }");
     cc.toClass();
     TargetClass target = new TargetClass();
     target.targetMethod();
   } catch (Exception e) {
     e.printStackTrace();
   }
 }
}
class TargetClass {
 public void targetMethod() {
   System.out.println("Original method execution");
 }
}

In this example, the TargetClass method targetMethod is modified at runtime to include an additional print statement. This kind of modification can lead to the aforementioned risks.

Mitigation Strategies
#

Avoid Runtime Code Modifications: Design your system in a way that minimises or eliminates the need for runtime code modifications.

Use Design Patterns: Employ design patterns such as Strategy or State patterns that allow behaviour changes without altering the code at runtime.

Proper Use of Reflection: Use reflection sparingly and only when no other viable solution exists. Document its usage thoroughly.

Static Code Analysis: Use static code analysis tools to detect and prevent the introduction of self-modifying code.

Excessive use of self-modifying code in Java is fraught with risks that can compromise your applications’ security, maintainability, and performance. By adhering to best practices and using design patterns that promote flexibility and adaptability without modifying code at runtime, you can avoid the pitfalls associated with CWE-1123.

A Reflection Example
#

Reflection in Java allows for introspection and manipulation of classes, fields, methods, and constructors at runtime. While powerful, excessive or improper use of reflection can lead to self-modifying behaviours, which aligns with CWE-1123. This can result in unpredictable behaviour, security vulnerabilities, and maintenance challenges.

Example
#

Below is an example demonstrating the excessive use of reflection to modify a class’s behaviour at runtime, which can be considered a form of self-modifying code.

import java.lang.reflect.Field;
import java.lang.reflect.Method;
public class ReflectionExample {
 public static void main(String[] args) {
   try {
// Original object creation
     MyClass original = new MyClass();
     original.printMessage();
// Using reflection to modify the behavior at runtime
     Class<?> clazz = Class.forName("MyClass");
     Method method = clazz.getDeclaredMethod("setMessage", String.class);
     method.setAccessible(true);
// Modify the private field value using reflection
     Field field = clazz.getDeclaredField("message");
     field.setAccessible(true);
     field.set(original, "Modified message");
// Verify the modification
     original.printMessage();
   } catch (Exception e) {
     e.printStackTrace();
   }
 }
}
class MyClass {
 private String message = "Original message";
 public void printMessage() {
   System.out.println(message);
 }
 private void setMessage(String message) {
   this.message = message;
 }
}

In this example, the ReflectionExample class:

Creates an instance of MyClass and prints the original message. It uses reflection to modify the private field message and the private method setMessage of MyClass. Changes the value of the message field and prints the modified message.

This example showcases how reflection can alter an object’s behaviour and state at runtime, leading to the issues outlined in CWE-1123.

Mitigation Strategies
#

Minimise Reflection Use: Avoid using reflection unless absolutely necessary. Prefer alternative design patterns that allow for flexibility without modifying the code at runtime.

Access Control: Ensure that fields and methods that should not be modified are kept private and final where possible to prevent unintended access.

Static Analysis Tools: Use static analysis tools to detect excessive use of reflection and other risky practices in the codebase.

Code Reviews: Conduct thorough code reviews to identify and mitigate the use of self-modifying code through reflection.

Reflection is a powerful tool in Java, but misuse can lead to the risks associated with CWE-1123. By adhering to best practices and minimising the use of reflection to modify code at runtime, developers can maintain the security, predictability, and maintainability of their applications.

Example of Dynamic Class Loading
#

Dynamic class loading in Java refers to the ability to load and unload classes at runtime. While this can be useful in specific scenarios, excessive or improper use can lead to self-modifying code behaviours, which align with CWE-1123. This can introduce risks such as unpredictable behaviour, security vulnerabilities, and maintenance challenges.

Below is an example demonstrating the excessive use of dynamic class loading to modify a class’s behaviour at runtime, which can be considered a form of self-modifying code.

public class DynamicClassLoadingExample {
 public static void main(String[] args) {
   try {
// Load the original class
     ClassLoader classLoader = DynamicClassLoadingExample.class.getClassLoader();
     Class<?> loadedClass = classLoader.loadClass("MyClass");
// Create an instance of the loaded class
     Object instance = loadedClass.getDeclaredConstructor().newInstance();
// Invoke the original method
     loadedClass.getMethod("printMessage").invoke(instance);
// Dynamically load the modified class
     classLoader = new CustomClassLoader();
     loadedClass = classLoader.loadClass("ModifiedClass");
// Create an instance of the modified class
     instance = loadedClass.getDeclaredConstructor().newInstance();
// Invoke the modified method
     loadedClass.getMethod("printMessage").invoke(instance);
   } catch (Exception e) {
     e.printStackTrace();
   }
 }
}
// Original class definition
class MyClass {
 public void printMessage() {
   System.out.println("Original message");
 }
}
// Custom class loader to simulate loading a modified class
class CustomClassLoader extends ClassLoader {
 @Override
 public Class<?> loadClass(String name) throws ClassNotFoundException {
   if ("ModifiedClass".equals(name)) {
// Define a modified version of MyClass at runtime
     String modifiedClassName = "ModifiedClass";
     String modifiedClassBody = "public class " + modifiedClassName + " {" +
         "    public void printMessage() {" +
         "        System.out.println(\"Modified message\");" +
         "    }" +
         "}";
     byte[] classData = compileClass(modifiedClassName, modifiedClassBody);
     return defineClass(modifiedClassName, classData, 0, classData.length);
   }
   return super.loadClass(name);
 }
 private byte[] compileClass(String className, String classBody) {
// Simulate compiling the class body into bytecode (in a real scenario, use a compiler API)
// This is a placeholder for demonstration purposes
   return classBody.getBytes();
 }
}

In this example, the DynamicClassLoadingExample class:

Loads an original class MyClass and invokes its printMessage method. Dynamically loads a modified version of the class, ModifiedClass, using a custom class loader. Creates an instance of the modified class and invokes its printMessage method, which prints a different message.

This example showcases how dynamic class loading can alter a program’s behaviour at runtime, leading to the issues outlined in CWE-1123.

Mitigation Strategies
#

Avoid Unnecessary Dynamic Loading: Use dynamic class loading only when it is indispensable and cannot be avoided through other design patterns.

Secure Class Loaders: Ensure custom class loaders are secure and do not load untrusted or malicious classes.

Static Analysis Tools: Use static analysis tools to detect excessive use of dynamic class loading and other risky practices in the codebase.

Code Reviews: Conduct thorough code reviews to identify and mitigate the use of self-modifying code through dynamic class loading.

Java-based CVEs based on CWE-1123
#

While there might not be specific CVEs (Common Vulnerabilities and Exposures) explicitly labelled as being caused by CWE-1123 (Excessive Use of Self-Modifying Code), several Java-related vulnerabilities can arise from practices associated with self-modifying code. These typically involve dynamic class loading, reflection, and bytecode manipulation issues. Here are some examples of Java-based CVEs that relate to these practices:

CVE-2014-0114
#

Description: Apache Commons Collections Remote Code Execution Vulnerability

Issue: This vulnerability involves using reflection to manipulate serialised data, leading to arbitrary code execution. It was found in the Apache Commons Collections library, where certain classes could be used to execute arbitrary code when deserialised. This is a form of self-modifying behaviour, as the serialised data could alter the program’s execution flow.

Impact: Attackers could exploit this vulnerability to execute arbitrary commands on the server running the vulnerable application.

CVE-2013-2423
#

Description: Oracle Java SE Remote Code Execution Vulnerability

Issue: This vulnerability arises from improper handling of certain methods in Java, leading to the execution of arbitrary code. It leverages reflection and class-loading mechanisms to inject and execute malicious code.

Impact: Exploiting this vulnerability allows remote attackers to execute arbitrary code on the affected system, potentially leading to total system compromise.

CVE-2015-1832
#

Description: Android Remote Code Execution Vulnerability in Apache Cordova

Issue: This vulnerability involves dynamic class loading and improper validation of inputs. It allowed attackers to inject malicious code into an Android application built with Apache Cordova by exploiting the WebView component.

Impact: Successful exploitation could result in arbitrary code execution within the context of the affected application, leading to potential data leakage or further exploitation.

CVE-2012-0507
#

Description: Oracle Java SE Remote Code Execution Vulnerability

Issue: This vulnerability involves using reflection and dynamic class loading to exploit a flaw in the Java Runtime Environment (JRE). The vulnerability allows an untrusted Java applet to break out of the Java sandbox and execute arbitrary code.

Impact: Exploiting this vulnerability could allow an attacker to execute arbitrary code on the host system with the user’s privileges running the Java applet.

CVE-2019-12384
#

Description: FasterXML jackson-databind Deserialization Vulnerability

Issue: This vulnerability involves the unsafe handling of deserialisation using the jackson-databind library. By exploiting polymorphic type handling, attackers could inject malicious code that gets executed during deserialisation.

Impact: Successful exploitation could result in arbitrary code execution, leading to potential data breaches and system compromise.

Mitigation Strategies
#

Avoid Self-Modifying Code Practices: Do not use dynamic class loading, reflection, or bytecode manipulation unless absolutely necessary. When required, ensure proper validation and security measures are in place.

Use Safe Deserialisation: Avoid deserialisation of untrusted data. If deserialisation is necessary, libraries and techniques that enforce strict type checking and validation should be used.

Apply Security Patches: Regularly update and patch libraries and frameworks to protect against known vulnerabilities.

Code Reviews and Static Analysis: Conduct thorough code reviews and use static analysis tools to detect and mitigate the use of risky code practices.

Security Best Practices: To reduce the attack surface, follow security best practices, such as least privilege, input validation, and secure coding guidelines.

What kind of attacks or infection methods are based on CWE-1123?
#

CWE-1123 (Excessive Use of Self-Modifying Code) can lead to several types of attacks and infection methods due to such code’s unpredictable and dynamic nature. Here are some common attack vectors and infection methods associated with this vulnerability:

Code Injection Attacks
#

Attackers exploit self-modifying code to inject malicious code into a program. This can occur through various means, such as manipulating input data that gets executed or modifying code at runtime to include harmful payloads.

Example:

SQL Injection: If an application dynamically constructs SQL queries using user input and modifies these queries at runtime, an attacker can inject malicious SQL commands to alter the behaviour of the database operations.

Remote Code Execution (RCE)
#

Self-modifying code can enable Remote Code Execution by allowing attackers to modify or load classes and methods at runtime. This makes it easier to introduce and execute arbitrary code.

Example:

Deserialization Vulnerabilities: When an application deserialises data without proper validation, an attacker can inject objects that modify the code flow, leading to the execution of arbitrary code.

Privilege Escalation
#

Attackers can exploit self-modifying code to escalate their privileges within a system. They can bypass security checks and gain higher-level access by dynamically altering the code.

Example:

Reflection Attacks: Using reflection, attackers can modify private fields and methods to escalate privileges, accessing parts of the system that would otherwise be restricted.

Dynamic Code Loading Attacks
#

Self-modifying code often involves dynamic loading of classes or bytecode manipulation, which can be exploited to load malicious code at runtime.

Example:

Dynamic Class Loading: Attackers can trick the application into loading a malicious class that performs unwanted actions, such as exfiltrating data or modifying system files.

Polymorphic Malware
#

Self-modifying code is commonly used in polymorphic malware, where the malware changes its code to evade detection by security software.

Example:

Polymorphic Virus: A virus that encrypts its payload and changes its decryption routine with each infection, making it difficult for antivirus programs to detect the malware’s signature.

Evasion of Security Mechanisms
#

Self-modifying code can be used to evade security mechanisms such as firewalls, intrusion detection systems (IDS), and antivirus software by altering its code structure dynamically.

Example:

Metamorphic Malware: Similar to polymorphic malware, metamorphic malware reprograms itself completely with each infection, ensuring that no two copies of the malware are identical, thus evading signature-based detection.

Backdoors and Rootkits
#

Attackers can use self-modifying code to install backdoors or rootkits that alter the behaviour of the operating system or application to provide persistent unauthorised access.

Example:

Rootkits: A rootkit can use self-modifying code to hide its presence by altering kernel or application code to prevent detection by security tools.

Tampering with Security Features
#

Self-modifying code can be used to tamper with security features such as authentication mechanisms, encryption routines, and access controls.

Example:

Tampering with Authentication: By dynamically modifying authentication checks, an attacker can bypass login mechanisms and gain unauthorised access to the system.

By understanding these attack vectors and implementing mitigation strategies, developers and security professionals can reduce the risks associated with self-modifying code and improve the overall security of their applications.

Happy Coding

Sven

Related

CWE-416: Use After Free Vulnerabilities in Java

·12 mins
Java Secure Coding Practices Security CWE-416 Java Secure Coding Practices Security
CWE-416: Use After Free # Use After Free (UAF) is a vulnerability that occurs when a program continues to use a pointer after it has been freed. This can lead to undefined behaviour, including crashes, data corruption, and security vulnerabilities. The problem arises because the memory referenced by the pointer may be reallocated for other purposes, potentially allowing attackers to exploit the situation.

CWE-787 - The Bird-Eye View for Java Developers

·14 mins
Java Secure Coding Practices Security CWE-787 Include Java Offheap Performance Secure Coding Practices Security
The term “CWE-787: Out-of-bounds Write " likely refers to a specific security vulnerability or error in software systems. Let’s break down what it means: Out-of-bounds Write : This is a type of vulnerability where a program writes data outside the boundaries of pre-allocated fixed-length buffers. This can corrupt data, crash the program, or lead to the execution of malicious code.

Secure Coding Practices - Input Validation

·18 mins
Java Secure Coding Practices Security Java Secure Coding Practices Security
What is - Input Validation? # Input validation is a process used to ensure that the data provided to a system or application meets specific criteria or constraints before it is accepted and processed. The primary goal of input validation is to improve the reliability and security of a system by preventing invalid or malicious data from causing errors or compromising the system’s integrity.