[security-dev 00022]: Re: Loading an unverified class
Thomas Hawtin
tackline at tackline.plus.com
Tue Oct 30 11:41:55 UTC 2007
Nuno Cruces wrote:
>
> The interpreter calls "native" methods using reflection, which works
> in all but one situation: non-virtual calls on the super instance.
> Static methods, interface methods, virtual methods all work.
> Constructors and private methods, also work (private methods thanks to
> setAccessible), and are non-virtual. It doesn't seem possible,
> however, to make the non-virtual call to a public/protected method,
> required to implement invokespecial on the super instance.
Not a direct answer, but there is one place in the JDK where this is
done. Deserialisation requires calling the no-arg constructor of the
most derived, non-Serializable class. Obviously you can't do this with
the public reflection API or verifiable bytecode. So that would be a
good place to start looking.
Tom Hawtin
(thomas.hawtin at sun.com)
More information about the security-dev
mailing list