Hijacking .NET

Matt Solnit writes "What can I say - Dan Appleman never fails to please. In this e-book, he takes a look at 'hijacking' .NET by accessing private members in .NET classes. Private members are, in essence, pieces of code that you don't want other programmers to access. You use them to support your own code, and you make public the pieces that you want to make available to other developers. Typically, a language ensures that a member marked as private is hidden from anyone who doesn't have your source code, but Appleman shows how in .NET it's not so." Read on for more of Matt's review of this guide to tricking private members to do your bidding. Hijacking .NET - Volume 1 author Dan Appleman pages 46 publisher Dan Appleman rating 10 reviewer Matt Solnit ISBN (N/A) summary An eye-opening look at how you can use undocumented and private features from the .NET framework.

In the .NET Framework, it's possible to access a private member of any class -- your own, another developer's, or even the classes in the .NET Framework itself! Appleman demonstrates this with a great example that uses private members to get the list of groups that the current user is a member of -- in a single line of code -- by accessing a private member that is not exposed by the .NET Framework.

Appleman also explains the tradeoffs of using this technique. The code you're using is not documented, and it's not guaranteed to be present in future versions. He describes how to deal with these problems, and how to make the most of the technique while remaining relatively safe.

Once the basic technique is explained, Appleman takes you into how to find out what private members are available, and how to call them. He shows how to use the object browser available in Visual Studio .NET and the Microsoft IL Disassembler, freely available in the Framework SDK, to discover the private members in a class and determine how to call them correctly.

The example is great -- Dan shows you how he used "hijacking" with a collection of private members to develop a FileAccessControlList class that can be used to manipulate ACL's on Windows files. This is a piece of functionality that is not included with the .NET Framework, but developers have a need for all the time. To write the code from scratch would take days, including translating Windows API declarations to C# or another .NET language and poring over MSDN documentation. As it turns out, all the pieces are in the Framework -- they're just not public. Appleman accomplishes the task in under 200 lines of code, all of which is included with the e-book. As a bonus, you get a great introduction to how Windows security works, and how the example could be extended to other ACL-controlled things like Registry keys.

The fact that private in .NET isn't really private is something that isn't well known, and even if you're not interested in security, this e-book is worth a read just to get some insight into what you can do with the .NET framework, and what other people might someday try to do to your code.

As far as the author's writing style, I will say that Dan has a great knack for intuiting what needs to be explained and what doesn't. His laid-back approach makes everything seem fun -- this is a book you could read on a Saturday afternoon in a hammock.

This e-book is not for beginning .NET programmers, but should be easy for intermediate developers to understand. The whole text weighs in at just under 50 pages, and is well worth the cost of $9.95. Sample code is provided in both C# and VB .NET.

This e-book can be purchased and downloaded immediately from amazon.com or through the author's web site.

My thoughts:

you fucking faggot cumdumpster moderators - go ahead, use your mod points here. better here than modding down the opinions of people you don't agree with simply because they employ logic and aren't pansy faggots that worship all things linux and bash all things microsoft. by the way, you're commie scum you faggot moderators.

Make any private member acessible.

[D4MO]

Use a memory hex editor!

Re:Make any private member acessible.

[scorp1us]

You still have to have rights to the memory though. That depends on OS and MMU.

Re:Make any private member acessible.

It actually has nothing to do with the os and nothing to do with the mmu. The only thing that matters is the compiler you are using, so that you can calculate the byte offset into an object where the method lies. You can do this in c++. If there is a private method foo() on object Bar you can instantiate an instance of Bar, declare a function pointer and set it to point at foo() and execute it. That simple. The reason why it's so easy in c# is beacuse te binary format of compiled objects is well documented whereas c++ objects are obfuscated with gcc differently with each version and make it difficuly to determine where a function lies within an object. Not to mention that you are supplied with Developer Studio tools to disassemble binary code and .NET objects support introspection.

I doubt you could ever accomplish this if the method is abstract and the object being referenced is of an unknown sub-type.

Conclusion

[borgdows]

If you code in a Microsoft programming language, you can't even trust your own code!

Re:Conclusion

[VAXGeek]

This isn't really any different from C/Perl. (At least until Palladium comes out.)

Re:Conclusion

[JanneM]

I thought so too at first, but I believe it's not really the same thing here. Neither Perl nor C stuff depends on this encapsulation for any security stuff. For instance, Perl has sandboxing through taint checking and the safe module, and they do not assume that the potentially malicious code cannot access private members. Indeed, the filosophy in Perl is quite different - you are free to access any member function you want, or even 'private' data; it is assumed, though, that you know what you're doing in that case and won't come crying if things break for you as a result.

Re:Conclusion

Microsoft has secuirty holes in there software.. No, I refuse to believe that

Re:Conclusion

[badboy_tw2002]

What security stuff does .NET depend on using encapsulation?

Re:Conclusion

[NecroPuppy]

Just off the top of my head, data encryption.

I certainly wouldn't want to transmit unencrypted SSNs, credit card numbers, or passwords.

IHNPW.NET (I have never played with .Net), so I may be completely off base here.

Re:Conclusion

[hal200]

Also, if you want your variables to be EXTRA private in Perl, there are tricks you can use, such as closures to make it non-trivial (but not impossible) to access those variables.

Damian Conway's book, Object Oriented Perl is a really good, of occasionally scary look at the deeper mysteries of doing OOP with Perl.

Re:Conclusion

[dash2]

Not entirely true. The default way to build objects in Perl exposes private functions and members, and just trusts the API user to be sensible. But there are well-documented ways to create truly private functions and members - like using file-scoped variables or anonymous file-scoped subroutines. Damian Conway's book (Object-Oriented Perl) describes this in detail.
Perhaps there are still ways to get round this security by something more lowlevel, like peeking directly into RAM, but they certainly aren't at all easy.

Re:Conclusion

[ProfKyne]

Neither Perl nor C stuff depends on this encapsulation for any security stuff.

Perl and C programmers are not target demographic of the .NET initiative.

Re:Conclusion

[iang]

This is of course also true in Java - there are a variety of ways you can get to private members there too. And of course in C++ you can always get at whatever you like by using pointers. .NET does at least improve upon traditional C++ in that your code can only get at private members if the security policy permits it. Code downloaded from the Internet for example (e.g. a .NET component running in a web browser like a Java applet would) is not, able to access private members in this way.

Re:Conclusion

Microsoft has secuirty holes in there software.

So as long as I run it here, I'm OK. Is that what you are saying?

Re:Conclusion

[JanneM]

Yep. But (as Srinivasan writes in Advanced Perl Programming), making a closure like that will generate a new piece of code for each instance. Not a problem if the code snippets are reasonably small and the number of instances aren't huge, but something to bear in mind anyway.

I haven't actually read Conway - maybe I should.

Re:Conclusion

[MSBob]

Depends on your security policy settings. You can restrict your policies so that nobody can get private member/field access through reflection.

Re:Conclusion

[Ralph+Wiggam]

So what is the target demographic, mechanics? Albino carpet cleaners? Of course it's Perl and C programmers.

-B

Re:Conclusion

[EnderWiggnz]

try VB and Java programmers.

Re:Conclusion

[Mark+Pitman]

I guess that's why they have Perl.Net and Managed Extensions for C++, huh?
PerlNet

Re:Conclusion

Word or Excel "programmers"

Re:Conclusion

[chromatic]

That may have been true when the book was first written, but it's not true now. The code (a CV) is shared. Only the associated lexical pad differs.

Re:Conclusion

"Perl and C" <-- Someone has been using Unix too long and it's infected their brainstem.

Re:Conclusion

But let's try to understand the purpose of "information hiding" in OO programming. There's a difference between "hide as in obfuscate" and "hide as in abstract".

The point of private members is that I don't care what's private in a class. I only care that the public interface to that class works as intended.

For the non-programmers out there, think of it like this: Slashdot's IP address is "private", and their URL is "public". You're expected to use the "public interface" (ie. the URL) to access the website. Put that in your "Favorites" list. Sure, with a simple "hack" (like ping), you could find out the IP address, and put that in your "Favorites" list instead. But what if they move to a new server and change the IP address? Suddenly your "Favorite" doesn't work anymore. Hmmm, should'a used the "public interface".

The fact that you can get at the IP address is not a security hole. Who cares if you can get at it? The point is, you shouldn't, because there's a better way to do it (better for you).

Re:Conclusion

[badboy_tw2002]

Well, to answer my own question, nothing. IHPW.NETA (I have played with .NET alot), and there aren't any security features that would be hidden by encapsulation. That would be rediculous. Basically, this is something you can fiddle around with in memory, just like any C++ object. Anyone trying to pull it of as a security hole instead of a clever hack to expose some hidden .NET functionality is spreading FUD.

Re:Conclusion

[mniskin]

Oh god, you fucking prick. You should run it in your ass and you'll be fine. I bet you correct all of your pals when they say 'who' in place of 'whom', and feel nice and smart for yourself. Well I, for one, am not impressed with your genius. If you pulled that shit anywhere near me I'd punch you right in the face. Petty little retard that you are.

Re:Conclusion

Petty little retard that you are.

Dude, that's a sentence fragment. Oh, and God should be capitalized.

Re:Conclusion

[ProfKyne]

So what is the target demographic, mechanics? Albino carpet cleaners? Of course it's Perl and C programmers.

Give me a break. MS isn't going to make much money coming up with the next Perl or C. Perl is used for two very good reasons: devotion of the user base, and the CPAN. MS couldn't replicate either of those under any circumstances, and there isn't much money to be made in trying. C, on the other hand, is primarily used for writing Unix software. (Note that I did not say C++.) Not much of a market for Microsoft either.

.NET is targetting the Java market, pure and simple.

Re:Conclusion

[ProfKyne]

• Perl.Net -- not a Microsoft product, therefore not related to the discussion ("target demographic of .NET initiative").
• Managed Extensions for C++ -- not C, therefore not related to the discussion (I said "C programmers" and in another branch of this thread I make it clear that I used C and not C/C++ for an explicit reason).

Is this a C# or a .NET problem?

[Dominic_Mazzoni]

Is this a limitation of C# or of .NET?

What does this mean for the security of .NET programs? I thought it was supposed to be possible to run .NET programs in a sandbox, protecting you from malicious code. It seems that being able to access private members in the .NET framework opens up a whole new world of possibilities for security holes...

Re:Is this a C# or a .NET problem?

[TopShelf]

It sounds like a .NET issue, which makes it more fundamental. So much for that Secure Computing initiative outta Redmond...

Re:Is this a C# or a .NET problem?

[iceburn]

Since the sample code is both C# and VB.NET, it sounds like this is a problem with the CLR.

Re:Is this a C# or a .NET problem?

This is no security hole. If you're able to run code on the target machine then you can do pretty much anything you want (or can) already.

Just because you can find out some "inner state" of an object doesn't mean that you're God now.

Oh, and the same "exploit" can be done with C++ - does this have a negative affect on security? No.

Encapsulation was never meant to be a security feature.

Re:Is this a C# or a .NET problem?

[Erv+Walter]

Keep in mind that there is not always a sandbox for .NET applications. The security policys being enforced are configurable, but by default, installed applications running off your hard drive essentially have no sandbox. On the other hand, applications running from the network or within a browser have a much more restrictive sandbox and these "hacking .NET" techniques would be caught (assuming the private code being called is inapproriate for the sandbox).

The .NET CLR does runtime checks to verify that code is not doing things it's not allowed to do (aka, code can't leave the "sandbox"). Accessing private methods using this technique does not circumvent these checks--the CLR will detect and prevent *inappropriate* accesses.

Re:Is this a C# or a .NET problem?

This whole story is hilarious. All (decent) languages let you hide implementation details from the end user. Finding them isn't `hacking` - its `stupid` as it means that if a chunk of code is changed to use, say, a doubly linked list rather than an array, your code would break, whereas it wouldn't if you accessed only the public methods/variables.
This `exploit` is laughable, pointless and ultimately going to waste your time. The sort of coders who could use it would have the skill to figure it out in the first place anyway.

Re:Is this a C# or a .NET problem?

[1000StonedMonkeys]

Not quite true. .NET has a fine-grained security mechanism that allows code to execute with specific priviledges. It can do that because .NET, like Java, is run by a VM. What the original poster is getting at is that you might be able to bypass these access controls if you're able to access the private data members of .NET system classes.

Re:Is this a C# or a .NET problem?

[Shaleh]

eh? In C++ the compiler will not let you access private methods or variables. The author is talking about writing code that the is allowed by the .NET runtime/compiler to access supposedly hidden data.

The .NET issue *CAN* be a security hole if people were incorrectly led to believe that private meant private.

Re:Is this a C# or a .NET problem?

Check this post for a suitable reply.

Re:Is this a C# or a .NET problem?

Classes reside in memory. You have the base pointer for an object. What's stopping you from using pointer arithmetic to access private members of that class?

You do know what a pointer is right?

Re:Is this a C# or a .NET problem?

[John+Miles]

In C++ the compiler will not let you access private methods or variables

Ridiculous.

class hidden
{
private:
int frotz;
int ozmoo;
};

class hack_o_matic
{
public:
int frotz;
int ozmoo;
};

int main(void)
{
hidden H;
hack_o_matic *V = (hack_o_matic *) (ampersand) H;
printf("Hidden frotz member = %d",V->frotz);
}

The poster above who pointed out that both the review and its subject are goofy is correct. Data-hiding is an OOP convention, not a security feature.

C++ is a particularly good example (for values of 'good' that approximate 'horribly broken'), because the only way you can expose a class's public functionality is through a declaration of the entire class that includes all of its private members, which can subsequently be accessed through pointer hacks like the above. If you want to hide data for security purposes, as opposed to hiding data for design purposes, you have no choice but to use wrappers.

Re:Is this a C# or a .NET problem?

[jalilv]

It is same in .NET too. .NET just provides classes for Reflection and Run-Time Type Information which will provide all the information about an object in memory. This information is available as a bunch of objects like MemberInfo, MethodInfo, PropertyInfo, ParameterInfo, FieldInfo etc. It is possible to change the values of private fields or invoke methods using these objects. It is in no way a security problem and relating it to sandbox is totally offtopic too. The runtime just provides the information, what you do with the information is upto you. As pointed out by others, it is possible to access private members in C++ too using some pointer artihmetic. Oh btw, it is possible to override private virtual method of a base class in a derived class in C++. Feeling surprized, aren't ya ?

- Jalil Vaidya

Re:Is this a C# or a .NET problem?

Initiative from Redmond: Secure Computing or Shameless Corruption?

Re:Is this a C# or a .NET problem?

You can access private members in C++ and C#. You can't in C though, this makes C superior!

Re:Is this a C# or a .NET problem?

[tshak]

So much for that Secure Computing initiative outta Redmond...


The encapsulation of class members has nothing to do with security. Everything is still executing within a sandbox. This is essentially a hack that has similar functionality for the "friend" keyword in C++.

Re:Is this a C# or a .NET problem?

Sounds more like FUD from the *nix crowd.

"The C++ access control mechanisms provide against accident - not against fraud. Any programming language that supports access to raw memory will leave data open to deliberate tampering..." The Annotated C++ Reference Manual, p 239.

Encapsulation has NOTHING to do with security.

Re:Is this a C# or a .NET problem?

I'm not yet that familiar with CLR, but one of the tenets of Java security is that only "new" or native methods can create object references, and valid JVM bytecode can only copy them around and cast them to compatible types. Converting an int to a reference is Right Out. The cool thing is you don't even need to use the MMU to enforce very fine-grained security.

Re:Is this a C# or a .NET problem?

no, he doesnt know what a pointer is, he's using c#... its all references, remember?

Re:Is this a C# or a .NET problem?

[Methiphisto]

It's questionable whether this is actually a problem at all. Language access specifiers should never be used to enforce security, but rather, to try and enforce good design principles such as encapsulation. The fact that it is so easy to do in .NET may become a problem if it encourages developers to use undocumented private methods who otherwise would not do such a thing. Overall, though, it poses no more of a security threat than that which has already existed with C++. Basically, if you are using language access specifiers to enforce security, your security is already broken and open to exploitation.

Re:Is this a C# or a .NET problem?

Now, what happens when class hidden overloads operator ampersand? Oops! Didn't think of that now did you. :-)

Re:Is this a C# or a .NET problem?

[Vej]

Well, you could use static methods if you wanted to allow some access without instantiation.

Re:Is this a C# or a .NET problem?

[Arkaein]

Except your example doesn't work, reliably at least.

I compiled it using g++, but with a constructor:

hidden()
{
frotz = 10;
ozmoo = 20;
}

added to initialize the variables. frotz corretly is printed as 10.

But then I switched the ordering of the declarations of frotz and ozmoo in hidden. Now frotz is 20! What is happening?

The cast of this type is a reinterpret_cast in C++, because there is no direct relationship between the classes hidden and hack_o_matic. Therefore the accessor to hack_o_matic just reads the data at the position in memory where a pointer to hack_o_matic expects frotz to be, though it is actually ozmoo.

If you have the code to the class with private members this won't happen, however you're probably out of luck (or in for some reverse engineering of field layout in memory) if you want to do this for classes in pure object libraries in C++.

Re:Is this a C# or a .NET problem?

The cast of this type is a reinterpret_cast in C++, because there is no direct relationship between the classes hidden and hack_o_matic. Therefore the accessor to hack_o_matic just reads the data at the position in memory where a pointer to hack_o_matic expects frotz to be, though it is actually ozmoo.

I think I speak for all of us when I say, DUH! Seriously, if all you can do is point out the obvious, then maybe you could spend your time better making fun of the other fat kids in the computer lab with you right now.

Re:Is this a C# or a .NET problem?

Hmm... I thought this was an implementation issue.

In Delphi, you can access private data if all the class declarations are in the same unit (i.e., file).

Re:Is this a C# or a .NET problem?

[cpeterso]

Don't forget:


#define private public
#include "class_with_private_members.h"


ta-da! The caller can now freely access the included class' "private" members.

Re:Is this a C# or a .NET problem?

Microsoft claims .NET is more secure than Java!

We'll wait and see.

Re:Is this a C# or a .NET problem?

[1000StonedMonkeys]

Ah, in that case kudos to microsoft for doing things the right way.

Re:Is this a C# or a .NET problem?

[the_arrow]

What about if you do not know about the layout of the private data in class hidden? For example, if I use a library (stripped of all debugging info), and the only interface I have is a header file which only shows the public members (and protected if the class is intended to be inherited), it will take a lot of work to find out what private data there is.

Re:Is this a C# or a .NET problem?

[Kj0n]

This is not a security hole if you look at the concepts behind .NET. However, Java does over the power to protect your system from code running on it.

For a number of applications, this is quite handy. For instance, in a large application we once build we wanted to offer to our customers the possibility to add their plugins to our framework. Using Java security it waspossible to specify what they can and what the can't. Unfortunatly, it is not something that is very easy to configure.

Another area where this is handy is when you want to be able to run small applet or agent-like programs, for instance in a browser or on a cell phone or PDA. By offering the correct protection you can have their functionality without having to fear that they will do something wrong.

Re:Is this a C# or a .NET problem?

If you're using a header file that differs from that of the class' compiled members, the behavior is undefined. The language simply doesn't allow that, though you can often get away with it because C++ offers no runtime safety.

Posted on BugTraq

[oliverthered]

Isn't this a security bug, you think that you've hidden some code, but infact it isn't.

Re:Posted on BugTraq

It's not a bug, it's a feature!

Re:Posted on BugTraq

[Zeinfeld]

Isn't this a security bug, you think that you've hidden some code, but infact it isn't.

No, not really, the private keyword is not meant to be a security mechanism. If you want to secure the data from program access you have to do it at the Kernel level.

You can view this info in the debugger if you have the source for the class.

The reason for making a method private is that the programmer does not undertake to preserve the API contract in future releases. So basically what this guy is doing is no different from those early MSDOS programs that bypassed the BIOS calling interface to call code directly. It was fast, you avoided the overhead of the context switch. However it also meant that the code was likely to fail on the next release of the PC.

Re:Posted on BugTraq

No, god damn it. I hate it when people talk about things like they know what it means.

Go get yourself a copy of IDA Pro and disassemble any executable. Whoops! Look at all that code! Isn't all that code supposed to be hidden in the file? This is madness!

Calling this a "security bug" would be a lot like writing a list of passwords on a sheet of paper and taping it to the side of your house a "security bug." The code is already there to look at, unless the executable is protected in some way..and even then, a nice bit of work can overcome that. I suggest you read some documentation on C# (or Java, really), figure out what public and private -means-, then come back here and try to have an informed discussion.

Re:Posted on BugTraq

No matter how much you clueless linux zealots would like to read this and say "Look, ANOTHER microsoft security hole!" it just ain't so. Private is an OOP construct and not a security feature. The classes that allow one to look at these private methods (the reflection classes) was written with exactly that in mind. Wasn't even a mistake.

So linux zealots who don't know anything about programming... Please stick to what you know and try not to comment on things you have NO CLUE on.

Re:Posted on BugTraq

[buffer-overflowed]

Do you have the faintest idea what the private keyword was designed to do?

Access control had nothing really to do with, it was primarily put into place to prevent some idiot from overwriting a crucial function or changing the type of data (IE static array to double linked list) and causing your program to crash.

I'm not to up on C#, but in C++ there are already ways to circumvent private and protected class members, and I assume this is also true in Java. You just don't do it unless you really know what you're doing. In C++ you could use pointer arithmetic, modified header, hell even the inline assembler.

If you want to make sure no one can access your private members, use C, there's no way to do so.

Re:Posted on BugTraq

[miu]

Access control had nothing really to do with, it was primarily put into place to prevent some idiot from overwriting a crucial function or changing the type of data (IE static array to double linked list) and causing your program to crash.

Actually it is not even designed to protect against stupid inheritance tricks. 'private' is a hint to the class user that the data or method is an implementation detail that should be ignored. 'protected' is hint that it is an implementation detail that may need to be changed in derived classes. The fact that the compiler enforces those keywords is just gravy.

Re:Posted on BugTraq

No, JVMs implement their sandboxes in Java, and protection of private and package members is a critical part of security. Apparently CLR doesn't take their sandbox seriously.

Re:Posted on BugTraq

[Golthar]

"Do you have the faintest idea what the private keyword was designed to do?"

Originaly as an hint to programmers (do not call, this can change dissapear or cause devils to pop out of your pc)

But in the context of a sandbox it is also crucial to security.
For example, if you run two programs in the same VM, you need to enforce this level of security or else programs can mess with other programs' memory.

We have grown to expect these kinda things

From microsoft, right?

By design?

[DrTentacle]

Is this behaviour by design, or merely a side effect of the implementation? If it's a side effect, then don't rely on the support for this "feature" to continue in future releases of the .NET framework. MS has a nasty habit of changing undocumented features...

Re:By design?

[d_lesage]

I completely fail to see what's nasty about it. If it's not documented, you just plain should not rely on it. Isn't hat the way all code works?

Re:By design?

[Jellybob]

Everybody has a habit of changing undocumented features.

If something is undocumented, that means that the author didn't think it was worth of documentation - possibly because it was a temporary hack they intend to clean up.

Re:By design?

[Sique]

I completely fail to see what's nasty about it. If it's not documented, you just plain should not rely on it. Isn't hat the way all code works?

The problem is the same like the old one which let you disassemble VisualBasic programs back to the sourcecode about some years ago.

If you put a trade secret inside your code, it is now much easier to access by an outsider because she doesn't have to rely on the binary code alone, but can spy on the structure of the program. This gives her a pretty good clue which algorithm was used and which data structures were used.

Basicly it makes everything you do in .NET a "half open source" program.

Re:By design?

Let me get this straight. You're bitching because the internal code of a class is undocumented and it might change?

Geez.. stop the press!!!

Re:By design?

[los+furtive]

I am curious as to how much code you write. This isn't an undocumented feature, this is a serious security issue. An undocumented feature would be having access to a method that was not described in an API, but which is still public. When it is private, the developer does not wish you to have access whatsoever.

Re:By design?

I'm sorry, but you're wrong. I really wish sometimes that people knew what they were talking about before they start spouting off without really knowing how something is supposed to work. Just because you can now access a private member doesn't mean you're getting some top-secret code that nobody should be seeing, it just means that you're going to violate the program's design and possibly use a private member/function when you are only supposed to be touching the public functions. Private functions are like little helper functions that nothing outside of the class should be calling; changing or running something private will just make the program unstable. If you had something coded in C++ and used private members, you could hack through the code and get the private members..

Re:By design?

Microsoft has a history of creating undocumented functions in their "runtime environments" (OS) and using them in MS's own programs. This means that these programs won't run in other runtimes, even if they are perfect implementations of the runtime specification. If they "leak" information about these possibly useful but still unofficial functions to other software houses (those which are sworn in on the MS line), many important programs won't run on third-party runtimes. Not only can MS give pro-MS software houses competitive advantages in the application development market, they can also monopolize the runtime environment despite providing an open specification and freely licensing it.

Re:By design?

[Sique]

You were quite short on reading my posting. I was just saying that with this technique the black box a compiled object with a known interface should be is more a darkish grey instead, where you could make out some shadows, the private members. For some algorithms those information gives you some clue how the object works.

Of course you could always analyze the binary code instead and thus figuring the things you are eager to find out. But knowing about the private methods and variables gives you a shortcut. You still have to analyse what happens inside a method, and you still have to find all the places which affect a variable, but at least you get a basic structure.

I know some languages which are object oriented and compile to byte code instead of a binary which enforce the 'private' modifier more strictly and throw a 'security violation' error if you try to access a private member this way. I also know some ways to trick those languages in violating their own rules, but for most of them you have to know the name of the private member beforehand.

Re:By design?

[Eskarel]

This isn't really the case at all. Being able to call the private data members(which you could already do if you were sneaky anyway), isn't going to seriously alter the security of your code. Yes it could theoretically be a problem in cases where the algorithm is known but the constants used in said algorithm(or even some of the variables) are not known. This is more applicable to DRM techniques than anything else, but as we've seen with DeCSS it doesn't take .NET to crack those.

The only case I can think of where you could have any serious assistance as to what the algorithm does is if you knew the programmer who wrote it very well. I know that for school projects I've implemented algorithms right next to someone who was implememnting the same algorithm and in the end our structures were not even remotely similar.

The biggest problem with this is that some idiot is going to think it's a great technique for use in programming and will start writing code which uses private methods. This sort of thing is basically going to throw a good chunk of the value of OOP(not that anyone writes real reusable OOP anyway) out the window at least for that programmer. Private methods exist for a reason and it's not particularly for security purposes but because code may not work properly if they aren't made private.

Re:By design?

[bratmobile]

And how is this any different from Java, or half a dozen other common languages?

This is just anti-Microsoft rhetoric. All of this is a known aspect of language design. It isn't a bug.

Re:By design?

[jalilv]

It is neither an undocumented feature nor a security issue. I haven't read the book in question but if the author says that it is an undocumented feature then I don't know where he got this idea from. The feature is well documented on MSDN and explained in number of advanced .NET books and articles. The classes that provide this information are part of System.Reflection namespace and for your reference here is the documentation for MemberInfo class which can give further information about the object. Reflection and Introspection has legitimate uses such as RTTI, Code Generation, AOP etc. ASP.NET heavily uses runtime code generation which is possible through these reflection classes in .NET framework.

- Jalil Vaidya

Re:By design?

[mingot]

Sorry, but no. It's a documented feature. The reflection classes are documented to specifically allow you to access private fields and members of a class. There is no security breach here, sorry :/

And if you DO consider it a security issue, then nearly every other programming language suffers from it. See other articles in this thread for examples on accessing private members in C++.

Re:By design?

[daytrip00]

In fact, Microsoft ships a lite obfuscator with VS.NET 2003. I don't think most other IDEs do. You can buy better ones too if you really want to protect your source code.

Re:By design?

I reverse engineer binary code for a living. I have been doing it for years. If you release any software at all, you might as well release it as open source. With the right tools (IDA, SoftICE, etc), it's very easy to determine algorithms and datastructures in binary code. There are no such things as "trade secrets" if you produce software.

Open source is for pansies that can't read assembly or use an assembly-level debugger. I hate when people complain that certain MS APIs are undocumented. You have the full system on your machine! Get out a debugger! People reverse engineer the APIs all the time!

Re:By design?

[msuzio]

Umm... I'm real curious as to how much code you write. Or have written. I'm guessing, not very much. Or not much in 'the real world'. "private" is, at it's heart, just syntactic sugar. No more, no less. It's an aid to you, the programmer/designer, to indicate the bits of an object that you don't consider to be part of the essential agreement it makes with those who call it. Those bits are "private" not because I think I'm getting any security by doing so... they're "private" because they're not something I want you to worry about (e.g., it doesn't matter to you if I hold my list of objects in a Java class in an ArrayList or a LinkedList, and I reserve the right to change my mind in future releases) -or- they're not something I want you to mess with (e.g., I don't want you to access that object list directly, because then you have to use the accessor methods I wrote, and those methods can handle things like cache management or logging that access to a remote system, etc).

I use "private" methods all the time in classes I write purely for internal code, among a team of 3 people total! These aren't people I'm trying to be "secure" against, that's not the purpose! The purpose is to encapsulate the API, and only 'expose' the pieces of an object that *matter*. Yes, it's nice to have the compiler check that, but I also wrote large amounts of OOP Perl code for years that used a 'private' methodology that consisted of merely prepending an '_' to the method names and putting a comment block before them indicating this was an 'internal' detail!

So, serious security issue? Please! Don't be naive! Private methods have *nothing* (repeat, **nothing**) to do with security. Never have, never will -- they *cannot* be a security measure when decompilation and debuggers exist!

Re:By design?

Java security relies on the JVM's enforcement of access to package and private members. In fact the sandbox is written in Java. Decompilers don't matter (the point is that you can't run the method, not that you can't see what it does) and debuggers can't be used from the sandbox.

Re:By design?

[los+furtive]

- they're not something I want you to mess with (e.g., I don't want you to access that object list directly, because then you have to use the accessor methods I wrote, and those methods can handle things like cache management or logging that access to a remote system, etc).

That's exactly what I'm talking about. Something I don't want others to mess with is private. If people can mess with blocks of code marked private, then how can I guarantee my product will work for them? As for security, I mean security as in SCOPE, not as in "you'll never see my code 'cause all my methods are private".

Re:By design?

[Golthar]

I write a lot of Java code.
Let me give an example of where this work out.

I create a program that uses plugins to enhance functionality.
Now somewhere in the base system of the program, I have a class with some information that is defined private.

In C++ I'd be left out in the cold, but a VM has to enforce this not only as a language feature, but also as a security feature.

Supose I have credit card info that is set to private, now a module needs to go through a public function to get this information (this is documented to the outside world)

Now supose module_1 can retrieve the creditcard info, but module_2 cant.

My public code makes an internal check and if everything is ok, it returns the value of the private String creditcard info.

But module_2 is malicious and tries to circumvent this system by using reflection to gain access to this variable.
The security in the VM (if set up) will now throw an exception at the code (with the only minor issue that the malicious code can catch this exception, hence the end user might never know)

Ofcourse you can still decompile the binaries or use a debugger to get the values, but the VM is only suposed to protect against inside attack (the code its running) not the external world

Re:By design?

[los+furtive]

My point exactly. Thank you.

Re:By design?

[YellowElectricRat]

...and .NET has exactly the same capability to prevent this with its own code permission framework.

Re:By design?

It's a little of both. The private-method-accessible "bug" has been known/documented since the release of .NET 1.0, It's also been fixed/changed in .NET 1.1 which kinda makes his effort a moot point.

Re:By design?

Well, there is the difference that documentation tells what you can expect to happen with a different version of the software. Or at least obsolete mainframe-level documentation told you such things, modern Microsoft users laugh at such antiquated concepts.

So .Net is like C++?

[Ed+Avis]

In Java, the bytecode interpreter makes sure you can't access private class members. This is needed for security - creating the 'sandbox' which is most well-known from applets, and IMHO isn't used enough elsewhere.

OTOH in C++ the public/protected/private distinction is enforced solely by the compiler, and code has full access to the machine.

Obviously in .NET you don't have the same raw hardware access, but it looks like for speed Microsoft omitted to check access qualifiers at run time. But I wonder, is this part of the .NET specifications, or is it just an implementation oversight? Does the same trick work on Mono for example?

Re:So .Net is like C++?

In Java the check is usually done only at compile time. Starting the VM with "-Xfuture" as an argument will force the checks to happen at runtime as well.

Re:So .Net is like C++?

[DanielDittmar]

Java has the .setAccessible methods that allow access to private members via reflection. These methods are subject to the security context, so they probably won't work in applets. And of course information about private members can be extracted by tools that are freely available from well known cracker sites like java.sun.com.

Re:So .Net is like C++?

[Erv+Walter]

This .NET behavior is not a security hole.

The .NET CLR does runtime checks to verify that code is not doing things it's not allowed to do (aka, code can't leave the "sandbox"). Accessing private methods using this technique does not circumvent these checks--the CLR will detect and prevent *inappropriate* accesses.

The key point is that .NET applications can be running in many different security environments. Installed applications running off your hard drive essentially have no sandbox. Applications running from the network or within a browser have a much more restrictive sandbox and these "hacking .NET" techniques would be caught (assuming the private code being called is inapproriate for the sandbox).

Re:So .Net is like C++?

[arabung]

You can access private fields/methods in Java with reflection and a modified policy file. This is done by modifying your policy file (granting ReflectPermission or something), and calling setAccessible(true) on the Field and Method objects you want to invoke.

On a side note, this is the worst idea I've ever heard.

Re:So .Net is like C++?

[patniemeyer]

In the first chapter of my book, Learning Java I make this comparison and show an example of how trivial it is to forge a pointer in C++.

The thing that many people still just don't get about Java is that it was designed to supply this kind of safety *without* impacting performance. In Java byte code verification happens statically, before the code is executed using a kind of theorem prover.

With certain concessions from the byte code you can prove that various types of problems (stack overflows/underflows, incorrect casts, etc.) cannot happen and you don't have to check for them at runtime. Of course in OO languages let you do things that require runtime checks, but at the bottom level Java can be statically compiled and optimized amost as far as C/C++ (only runtime array bounds checks are required) and because Java contains so much more information at runtime the new generation of profiling runtimes can do further optimizations dynamically that cannot be done in C/C++ (e.g. optimistically inlining methods and profiling garbage collection routines).

Pat Niemeyer
Author of Learning Java, O'Reilly & Associates and the BeanShell Java scripting language.

Re:So .Net is like C++?

[Ed+Avis]

Of course you can disassemble a class and find what its private members are. You can do that in any language; relying on people not figuring things out from the object code is just trying to get security through obscurity.

Re:So .Net is like C++?

[kahei]

In Java, the bytecode interpreter makes sure you can't access private class members.

Unless you use one that doesn't :D

Re:So .Net is like C++?

Java has the "Reflection API", which can be used to access private members which you normally aren't allowed to access, so no, the verification is not in the bytecode interpreter (in the precise sense). The SecurityManager (of the runtime environment) decides whether this access is allowed or not. See here for an example and further explanations.

The fact that this feature is controlled by the SecurityManager in Java hints at possible security implications, if this kind of access isn't restricted. The private declaration is mostly a tool for the programmer which prevents him from using unspecified API elements. In a normal program, there is no security reason why he shouldn't access every bit of every class of his program. It is merely a coding discipline measure. But what happens when the program is handed a linked list by the runtime environment? With access to private members the program can unlink some elements, even if that possibility is not exposed in the API and therefore not expected by the programmer of the "other program". When different programs interact by passing objects, protection of private members from access by other objects is a security feature.

Re:So .Net is like C++?

[jeffy124]

every presentation I've seen on .NET, C#, etc, have all had curious parallels to Java. What MS calls the CLR, Sun calls the JVM. What MS calls IDL, Sun calls bytecode. What MS calls Just-In-Time compiling, Sun calls HotSpot. All three pairings are the same basic ideas, and there are more of them.

It's mostly a set of renamed technologies and concepts and MS is trying to push it as being totally new and previously unheard of. This is why Sun is pissed at MS for the whole Microsoft & Java issue, as .NET is simply all of Sun's research and development work embraced (and not even extended) by Microsoft.

As for scoping, in Java, visibility scoping (ie, public vs private) is checked by the compiler (and will refuse to compile if there are errors), but this also has to be enforced at runtime, sandbox or no sandbox. My (educated) guess is that the spec would stipulate enforcement, though MS's .NET implementaion simply either doesnt enforce it at all or blatently ignores visibility scoping. My (also educated) guess is that the OSS community knew that scope checking was necessary, and hence implemented it in Mono regardless of what the spec says.

Re:So .Net is like C++?

Actually, you can access private scoped members in Java at runtime depending on how the sceurity manager is configured. Obviously you can't do it directly with a standard compiler because it would crap out. But...using the java.lang.reflect.AccessibleObject.setAccessible(b oolean) method in a JVM with a lax security profile will let you violate encapsulation to your heart's content.

I love Java, but this makes me _real_ nervous.

Re:So .Net is like C++?

Does this happen in the java -> bytecode stage, or the bytecode -> native JIT compiled stage?

Re:So .Net is like C++?

[ipjohnson]

"The thing that many people still just don't get about Java is that it was designed to supply this kind of safety *without* impacting performance."

Hmmm without "performance impact" .... I've never seen a program written in java that didn't have a performance impact ...

And don't give me this crap of oh its "fast enough" or "you can just throw more horsepower/ram at it" ... I've never seen a java program compete on the same ground as a C/C++ counterpart.

Re:So .Net is like C++?

[gidds]

Unless you use one that doesn't :D

...in which case it's not Java.

Re:So .Net is like C++?

[Monkius]

Designed to, and achieved, seem to be materially different, in this case?

Re:So .Net is like C++?

[Ed+Avis]

Of course, the same applies to straightforwardly compiled languages: you can prove at compile time that stack overflows and underflows won't happen in C++, unless the programmer deliberately chooses to scribble over the stack. The difference is that Java has a two-stage compilation, first from source code to bytecode (which is pretty trivial) and then a second 'compilation' or at least semantic check before interpreting the bytecode.

Re:So .Net is like C++?

[kahei]

I don't think the user's choice of interpreter affects whether your program is Java or not.

I can't really think of many cases where calling private methods on C# or Java classes would be either difficult or useful. Either way, only those most desperate to find some .NET FUD would call it a security issue, which is why we are assured of a great big rush of people all calling it a security issue ;)

Re:So .Net is like C++?

[bmillerward]

In Java, the bytecode interpreter makes sure you can't access private class members. Java's reflection API allows this check to be disabled, via the Member.setAccessible() method.

Re:So .Net is like C++?

[axlrosen]

But for applets, where it's most needed, this check is done at runtime too, so they're safe. Class-file verification (which does the checking) is always turned on for applets, but by default is turned off when running local code, because local code is assumed to be trusted. The probably only comes when you've got a local app that can download and run untrusted code. (Then you need to turn on -Xfuture or -Xverify:all. A future version of Java might have this turned on for all apps.)

http://www.cafeaulait.org/reports/accessviolatio ns .html

Re:So .Net is like C++?

[gidds]

I don't think the user's choice of interpreter affects whether your program is Java or not.

Maybe not, but if it doesn't follow the Java Virtual Machine Specification, then it's not Java.

In any case, as you say, being able to bypass the access control is unlikely to be useful, safe, or worthwhile other than as (maybe) a security risk.

Re:So .Net is like C++?

[Coward+the+Anonymous]

He's not saying Java is fast because of this. What he is saying is that for this particular case, Java is not impacted like out languages. That doesn't make Java faster than C++ overall, just faster at doing this one thing.

Re:So .Net is like C++?

So if you tamper with the Trusted Computing Base you can make the JVM insecure. That stands to reason. But is there a similar change that makes the CLR secure?

Re:So .Net is like C++?

In between, at load time. The source->bytecode stage is under control of the attacker, and the bytecode->native stage doesn't always happen (for lightweight implementations or seldom-used code).

Re:So .Net is like C++?

Java can be statically compiled and optimized amost as far as C/C++ (only runtime array bounds checks are required)

That's ridiculous. Anything that requires late binding is done at run time. As soon as you use the reflection interface, or load a class determined at run time you have start checking types. In fact, types are checked all the time at run time, because the compiler can't know everything.

Re:So .Net is like C++?

Types are checked at load time, except for reflection (which is why that's so slow).

Re:So .Net is like C++?

[patniemeyer]

That's what I meant by doing the types of things that OO languages let you do... If you use reflection you're clearly stepping outside of the realm of compiled code... at least for now. But in the normal case, and with the exception of the array bounds checking, I believe it's true that Java can be compiled down to native code and optimized to the same degree as C/C++ and still retain the type safety... that's what's really novel about Java.

And again, that's just the start... at runtime you can make further optimizations based on the *behavior* of the code... things you can't do statically.

Pat

Re:So .Net is like C++?

[senderista]

Your "guess" is anything but "educated". Why don't you take about 30 seconds on Google to "educate" yourself before spewing yet more uninformed tripe onto this site. It's people like you that make this site such a chore to wade through in search of the rare informed, intelligent opinion. You really think MS spent 4 years and several million $ on design and implementation of .NET and overlooked something this basic? And if you think .NET is just a carbon copy of Java, you have even less of a clue than I thought. Try reading up on the security, versioning, and deployment features of .NET - Java doesn't even come close.

Re:So .Net is like C++?

[jeffy124]

Excuse me while I interrupt your flaming rant, but I have spent several years working with both Java and Java Security, including research on how static analysis (better known as reverse engineering) can improve code security. This includes READING research papers (you know, from academic journals) that would make the normal person's head spin. Point: I know a lot more than the typical slashdotter, which is what you appear to be given your childish flamage.

I've also spent more years in Object-Oriented languages where the terms public, private, and protected are used to control the scope of a class attribute (it's called encapsulation, in case you've never heard of it). Having it be so simple to violate the protection on a private attribute as easily as it was described to do in .NET is a complete atrocity and undoes the concept and idea of OO-design and it's principles.

I have no idea what you refer to as "versioning", not to mention it wasnt discussed in my post. Deployment was also never discussed in my post.

MS's "millions of dollars" of work was just a rehashing and facelifting of the real grunt work done by Gosling and others at Sun Microsystems. Do you know who James Gosling is?

Perhaps it would help you to know that .NET's security model is so complex it's near impossible to get working correctly (it's been described as having too many bells and whistles). I've seen demonstrations (by MS employees) that would not work because of a security glitch that caused the user to be denied access.

Re:So .Net is like C++?

[Bodrius]

What are you talking about?

You are aware that Java is NOT part of .Net and therefore doesn't have this problem with its sandbox model, don't you?

Re:So .Net is like C++?

[Pseudonym]

This, of course, misses the point of C++'s protection mechanisms.

Yes, it's easy to forge a C++ pointer, but a) it's usually not portable, and b) you have to go out of your way to do it. In C++, it's hard to inadvertantly forge a pointer (assuming you're really programming in C++ and not just C with single line comments; real C++ programmers avoid naked pointers unless they're absolutely necessary).

C++ protection mechanisms are to protect the programmer from themselves, not from an outside attacker. It's a safety net, not a padlock.

Re:So .Net is like C++?

[dthable]

Instead of flaming, why not try to educate us on what .Net is and how it's better?

Re:So .Net is like C++?

i got a question for you: are you a moron?

Re:So .Net is like C++?

[Commutative+Monoid]

research on how static analysis (better known as reverse engineering) can improve code security

Static analysis is better known as static analysis. Perhaps you should read those research papers a little better in the future.

Also, please provide sources for material you've read, and a summary of each source and its significance. Don't make baseless claims as an attempt to lend support to your position, it's not useful.

Having it be so simple to violate the protection on a private attribute as easily as it was described to do in .NET is a complete atrocity and undoes the concept and idea of OO-design and it's principles.

You can disregard access levels in Java through SecurityManager policies. You can disregard access levels in C++ with a pointer. An entire class of Object Oriented languages don't even have access levels as part of their mechanism for encapsulation. Encapsulation is not a practical means of securing access to regions of memory or code. Accessing sections of data not part of the official interface of an object violates the principles of encapsulation, being able to do so is called reality.

MS's "millions of dollars" of work was just a rehashing and facelifting of the real grunt work done by Gosling and others at Sun Microsystems. Do you know who James Gosling is?

I think the question really is, do you know who James Gosling is? Better yet, do you know who Urs Hölzle, David Ungar, Craig Chambers, Brian Cox, Bertrand Meyer, and Alan Kay are? You have some fairly deluded concept of Java and its creators, and I wouldn't infer anything more than your typical dotter's understanding of CS, or its history from your posts. Perhaps after "years" of more "research," you'll have a more grounded position.

As an exercise, compare the CLR to the JVM. Compare the common set of functionality provided by the CLR for languages that target the CLR, optionally considering the extensions that will be provided through by the work of Don Syme and Andrew Kennedy. Discuss the effects of the different design ideals on the languages' respective frameworks, and how they will influence resource consumption, safety, and productivity.

Perhaps it would help you to know that .NET's security model is so complex it's near impossible to get working correctly

Discuss at length the security policies of the CLR and the JVM. Outline the strengths and weaknesses of both, and discuss this significance for implementations.

Re:So .Net is like C++?

[RodgerDodger]

Not quite true.

The Java language ensures that, via normal constraints, you can't access members that you're not supposed to. However, it is still possible, via reflection, to access these members if you know what you're doing. This is probably equivalent to the tricks that are Dan Appleman is describing in .NET (I haven't read the book).

Where the bytecode interpreter comes in is that the use of reflection like this can be prohibited using the JVM security policies. By default, however, it is permitted.

The question is: does MS have similar support in the .NET framework for such security restrictions?

Re:So .Net is like C++?

[reidbold]

Is that documented anywhere? Or a 'feature, not a bug'? I'd say any accessing of a private variable is inappropriate, i don't know why it wouldn't be, otherwise declaring it public would make more sense.

Re:So .Net is like C++?

short answer:

FUCK YOU

Re:So .Net is like C++?

Your "post" is anything but "intelligent." Why dont you take 30 seconds on Google to "educate" yourself on how little research goes into posting on this "site." It's people like you who make this site such a chore to wade through in search of the flame-free and name-calling-less opinion and information. You really think the guy isn't "educated" and made reasonable "guess"es overlooked something this basic? And if you think this post is just a carbon copy of yours, you have even less of a clue than I thought. Try reading up on thoughtful communication, intellectual debate, and other features of writing. You'll see you dont even come close.

Re:So .Net is like C++?

[Ed+Avis]

I believe it's true that Java can be compiled down to native code and optimized to the same degree as C/C++ and still retain the type safety... that's what's really novel about Java.

Er... C and C++ can be 'compiled down to native code' and 'still retain the type safety'. C++ in particular has a lot more type safety than Java, if you use the STL's typesafe containers and other well-written libraries. This is changing with the introduction of templates in the latest Java version, I know. But still I wouldn't place Java ahead of C++ for safety, just roughly equal at best. Unless you define type safety as making it impossible to circumvent the type system even deliberately, rather than just making it hard to have type errors accidentally.

(Does the latest Java version have 'const', for example? That always seemed to be a big omission. How about declaring a parameter that must not be null? (in C++ you use references to state that)?)

at runtime you can make further optimizations based on the *behavior* of the code... things you can't do statically.

This is true. But then again you can have profile-driven optimizers for C and other compiled languages.

Re:So .Net is like C++?

[Ed+Avis]

Encapsulation is not a practical means of securing access to regions of memory or code.

I assume by encapsulation you mean access control, so that methods or fields marked 'private' cannot be used by just anyone. This is one tool you can use to provide encapsulation, but the tool is not the same as the idea (you can write well-encapsulated libraries in any language).

But access control does seem to work fairly well with Java applets. It may not be the one and only way to control access: it would be difficult to control file permissions by changing method access control (though possible, in some wacky highly-dynamic OO environment). But you do need access controls as a basis to build more sophisticated access controls. Consider the classic Unix kernel - it has public functions (system calls) and internal kernel functions and data structures. There could be no security without access control to stop people calling the internal functions directly.

Re:So .Net is like C++?

[Commutative+Monoid]

I'll just ignore your attempt at illiteracy, and hope for the best.

What's different between between language access levels in C++ and Java? What's different between JVM access levels when run with a security manager and C++ access levels? What's different between C++ access levels and hardware memory protection? What's different between Java access levels and hardware memory protection? What's the different between C# access levels and Java access levels? What is different between JVM and CLR security managers? What's different between a lexical closure, an aluminum can, and an encrypted profanity?

Re:So .Net is like C++?

[julesh]

The thing that many people still just don't get about Java is that it was designed to supply this kind of safety *without* impacting performance. In Java byte code verification happens statically, before the code is executed using a kind of theorem prover.

I think you miss the point of what 'this kind of safety' is. What we're talking about here is using the reflection API to gain access to a private member. In Java, there is a run time check that prevents this. It doesn't use a theorem prover that checks that all the possible calls to the reflection API cannot result in this, because to do that would require knowing the program's input. The check that .NET is not making here is made at run time in Java, not during class verification.

Re:So .Net is like C++?

[Ed+Avis]

I don't understand why the questions you ask are germane to this particular point. I just wanted to pick up on your remark about 'encapsulation is not a practical means of securing access control'. Access control to private members seems to work well enough in Java for applets, and so it would seem to be 'practical' for that application at least. Of course if encapsulation via access control is checked only by the compiler, and ignored by the runtime system, then it is useless for security. That is obvious.

Could you explain what you meant by 'encapsulation is not a practical means...'?

Re:So .Net is like C++?

[Commutative+Monoid]

Answering the questions should result in reaching a conclusion that is my point.

Also don't misquote people, it's rude.

Could you explain what you meant by 'encapsulation is not a practical means...'?

Perhaps after you get it you'll understand.

Re:So .Net is like C++?

[Ed+Avis]

One or two rhetorical questions is okay but you asked such a large number of them.

- What's different between between language access levels in C++ and Java? Not very much if you take the language definitions themselves. In C++ you are able to 'cheat' more easily by compiling your own code with different headers, at least for most current implementations of C++ where the check is done at compile time.

What's different between JVM access levels when run with a security manager and C++ access levels? - I think the answer to this is the same as above.

- What's different between C++ access levels and hardware memory protection? Access levels are a language feature. If they are enforced for all running code, they provide relatively fine-grained access control over resources. Hardware memory protection provides control over reading or writing whole pages, and doesn't correspond closely to most language constructs (apart from 'const' maybe).

- What's different between Java access levels and hardware memory protection? I assume you mean the access checking done at runtime (or at bytecode verification time) by some JVMs. Well, again it is finer-grained and can be done statically. Then again, it's possible to prove statically that a valid C or C++ program does not transgress hardware memory protection, unless it uses a lot of pointers (most C++ code does not).

- What's the different between C# access levels and Java access levels? I don't know, I am not familiar with C#. But the point we are discussing should be valid with Java as well?

- What is different between JVM and CLR security managers? Ditto.

- What's different between a lexical closure, an aluminum can, and an encrypted profanity? Don't see the relevance, none of these three language features are present in Java or C++ (although Perl has two of them).

Now can you explain what you meant by saying (and I quote it correctly this time, sorry) 'Encapsulation is not a practical means of securing access to regions of memory or code.' By 'encapsulation' did you mean the access control mechanisms in Java or similar languages? If not, what did you mean by it?

Re:So .Net is like C++?

[Commutative+Monoid]

unless it uses a lot of pointers (most C++ code does not).

Right...

What's different between a lexical closure, an aluminum can, and an encrypted profanity? Don't see the relevance, none of these three language features are present in Java or C++ (although Perl has two of them).

Think harder.

Re:So .Net is like C++?

[Ed+Avis]

I'm sorry I can't think any harder. Since Slashdot is a public forum, you might assume that at least some of the readership (although maybe only a small part) is as stupid as I am and equally unable to work out the riddle. So please, explain the answer and justify your statement about encapsulation.

Re:So .Net is like C++?

[Commutative+Monoid]

Think harder. My meaning is clear. If you don't get it, it's not my problem. I tried to give you everything you need to answer your own question, and that's the best effort I can do.

Re:So .Net is like C++?

[Ed+Avis]

OK, we will have to disagree. I think that the practical example of Java shows that public/protected/private access control is a good mechanism for controlling access to resources and providing security.

Re:So .Net is like C++?

[Commutative+Monoid]

Please be my guest. Someday we'll have the same conversation.

Re:So .Net is like C++?

[Hard_Code]

"However, it is still possible, via reflection, to access these members if you know what you're doing."

No. Not unless the JVM is broken. These are caught at runtime by the security manager and IllegalAccessException should be thrown.

Re:So .Net is like C++?

[RodgerDodger]

Um, did you read my entire post? Like, oh, the next paragraph, when I said that?

And you do know that, by default, there is no security manager for a Java application (as opposed to an applet)?

Re:So .Net is like C++?

[Vulture_]

Actually, to my knowledge, Sun's JVM always does bytecode verification, even for local code. Since the verification step will (correctly) reject code that tries to access private members, you don't have this hole. And since verification is very fast and happens at class load time (so no checking of access permissions is necessary at run time), this is not a performance hit.

Re:So .Net is like C++?

[Vulture_]

Crap. This post is in need of revision. I didn't read enough before posting it; sorry.

Sun's JVM always does bytecode verification, which stops access to private members that way, but as with .NET, the reflection API will let you access private members if you have access (i.e., no sandbox, or there is but the SecurityManager lets you do it anyway).

So this .NET behavior is really no different from Java.

Re:So .Net is like C++?

Any class that defines static void main(String[]) is an "application". It's a JVM that has no security manager by default, but that's just so that you're allowed to run code to install one. Proceeding without a security manager is ridiculous. What do you think Java is for?

Re:So .Net is like C++?

boy you are smug

Dan 'Obvious' Appleman

[playtime222]

Anyone who's looking into reflection at any depth knows that private members can be found and used without too much trouble. The only thing he's done here is actively tried to use the private functions of code he didn't right. What a genuis :-/

Re:Dan 'Obvious' Appleman

[pfharlock]

You misspelled write.

Re:Dan 'Obvious' Appleman

[playtime222]

Bugger :( I'm ill. I only got out of bed to check email. That'll teach me.

Re:Dan 'Obvious' Appleman

[scythian]

Hey, if you're gonna rag on the man at least get your grammar correct, ass.
-Rob

Re:Dan 'Obvious' Appleman

[TummyX]

Dan's target audience has always been VB programmers.

I'm often amused at how easily he can "wow" them with his "magic".

Re:Dan 'Obvious' Appleman

[TummyX]

Oh, and it's nice to see that he's ensuring the next generation of VBers will continue to write broken code by encouraging them to access and utlilise private members.

Re:Dan 'Obvious' Appleman

[rnd()]

I'm sure a lot of slashdotters will now be inspired to try .net

C++

This is nothing new - you can do the same thing in C++. It's easy to access private variables or functions by manipulating a pointer.

So what's the big deal?

Re:C++

[VAXGeek]

I'm probably going to get modded down but anyway: the big deal is that Microsoft champions C#, while Open Source champions C++. Therefore, nothing can POSSIBLY be wrong with C++. At least C# doesn't have some awful templating system. (Watch me get replies from people claiming to enjoy templates).

Re:C++

No, I think you're quite right. While I havn't taken the time to learn C# I have no intentions of jumping on the "Its Microsoft so it must be crap" bandwagon. At the same time I do know enough C++ to be dangerous, and I also know it has holes and problems of its own.

Out of interest, how would you access a private method from outside of the class? I'm guessing you could overwrite the vtable or a pointer if you knew the exact entry point of the private method, but how could you determine this at runtime?

Re:C++

Templates are OK as long as you don't try any of that whacky meta-programming stuff. That's just nuts.

Re:C++

(Watch me get replies from people claiming to enjoy templates)

I don't use them much, but I like them a lot. They're very handy when you need them. At least C++ doesn't force you to use them.

Re:C++

[crazyphilman]

I don't think you should be modded down. It's an interesting point. Open source types do sometimes tend to "overlook" the shortcomings of C++ (and their other favorite languages like Perl, Python, Ruby, etc) because it's a political thing for them, and you end up getting into these big propaganda wars. You could say they're "drinking the kool-aid", just like all the frothing, rabid managers back in the dot-com days used to.

But I think most open-sourcers are a little more sedate than that; they like C++ because C++ is completely free and nonproprietary (gcc is GPL, and C++ has been an ANSI standard for way over a decade, hasn't it?). So, in a sense, it's a language that no one can ever take away from you, and which has been more or less frozen in its current state (new functionality is generally handled with additional libraries) for years. C# and Java, on the other hand, are proprietary languages, so it is theoretically possible for the companies that own those technologies to change them on a whim, or even kill them off. I sympathize with this view somewhat, but I don't fully agree with it.

Is the "freeness" of a tool enough to support its use? Should we choose our tools based on how free they are, or on how useful they are to us? How do you pick a compiler, really? It's interesting.

I like Java, personally. It has pretty nice features and a rich API. I lust after C# somewhat, but my boss won't let me use it (he likes VB.Net -- pity me).

Re:C++

[WWE-TicK]

> C++ has been an ANSI standard for way over a
> decade, hasn't it

No, since 1998.

Re:C++

ok, I'll bite.
I like templates. They let you write type-safe generic code. Read Alexandrecu's _Modern C++ Design_ for some really cool stuff.

Of course, you don't have to use any of it if you don't want to. But it might take you a lot longer to get anything done.

At the very least, it's a nice tool to have available.

Re:C++

try
#define private public

private is a compile time modifier.

Re:C++

[jared_hanson]

OK, here's the big deal as far as I see it, to silence all those people who feel this article justifies shameless Microsoft bashing.

When running C++ code, you have raw access to the entire machine. You can do whatever you want to memory, hardware, etc. without any restrictions. Granted, the OS may try to limit you to a certain memory space, and segfault, but this is moot. You can still access private data in your own memory space by manipulating pointers. This is the same for Microsoft or Open Source software.

The reason getting access to privates in C# is a big deal is that it is a language that is supposed to be protected by a runtime. This runtime should protect the integrity of the code at all times, thus eliminating a certain amount of security issues. Not doing this is a huge issue, and something that those programming for .NET should be aware of. Thus, people have a right to bitch about it.

Incidently, Microsoft touts the speed of .NET over Java. I wonder if these benchmarks would still hold up if MS's runtime did the proper checking and verification that Sun's runtime does.

Re:C++

[crazyphilman]

That's it? I thought it was longer; maybe it was in the works for a while. I seem to remember people talking about it from way back.

Re:C++

[yanestra]

This is nothing new - you can do the same thing in C++. It's easy to access private variables or functions by manipulating a pointer.

<yawn>
In C and C++, there are no security measures, and these languages are quite near to the hardware.
BUT... Java and C# came up with the intention to create a safe, controlled and interpreted environment, in which it is technically impossible to use pointer and stack techniques to gain control over structures you don't own.

Re:C++

The privateness in C++ is merely to protect the programmer from itself and to be able to implement abstractions correctly. Privateness of variables is NOT and has NOTHING TO DO with security as it is talked here all the time. Wake up. Its only a feature of a programming language to ensure correct design.

If you were to implement this kind of check, EVERYTHING but the most trivial applications would slow down to crawl.

Re:C++

Therefore, nothing can POSSIBLY be wrong with C++

LOL! Have you not seen the various language advocates? I mean, sure C++ will be pushed above C#, but not much else. (personally, I think C++ is a decent language.)

At least C# doesn't have some awful templating system. (Watch me get replies from people claiming to enjoy templates).

The idea of templates is superb. The implementation is almost universally despised.

Re:C++

C++ is constantly evolving. The introduction of templates created an entirely new paradigm. Even C++ "gurus" and "experts" were able to take their skills to the next level years after the language's introduction. C#'s templates are coming and it will be amazing! Java could benefit from them too, IMHO. Let's hope someone sees the light!

To change your C++ coding life, read:

Modern C++ Design: Generic Programming and Design Patterns Applied
by Andrei Alexandrescu

http://www.amazon.com/exec/obidos/tg/detail/-/02 01 704315/qid=1053537524/sr=8-1/ref=sr_8_1/002-640708 6-1656863?v=glance&s=books&n=507846

Re:C++

C++ data hiding mechanism isn't for security. Private member parts are to seperate the interface of an object from the implementation of it; this is to enable the "application programmer" of a "library" to not worry about changing all his/her code because library2.0 comes out with better implementation. Though I don't use C#, I imagine it's similiar as the article points out.

Appleman also explains the tradeoffs of using this technique. The code you're using is not documented, and it's not guaranteed to be present in future versions. He describes how to deal with these problems, and how to make the most of the technique while remaining relatively safe.

Make sense?

OT: C++ is a language that lets your friends play with private parts.

Re:C++

[v_1_r_u_5]

Out of interest, how would you access a private method from outside of the class? I'm guessing you could overwrite the vtable or a pointer if you knew the exact entry point of the private method, but how could you determine this at runtime?

You do a little pointer manipulation. In general, point to a public member, increment/decrement the pointer by the distance the desired private member is located in the class, and enjoy. The catch is that you need to know the address of the private member, which may or may not be available. Here is a c++ example that, through a bit of 'cheating', accesses a private member where it shouldn't be doing so via pointer manipulation:

#include <stdio.h>
#include <stdlib.h>

int distance; // distance between public and private functions

class Test{
int privateFoo();
public:
int publicFoo();

Test();
};
typedef int (Test::*TestFn)();

int Test::privateFoo(){
printf("Hello from privateFoo!\n");
}

int Test::publicFoo(){
printf("Hello from publicFoo!\n");
}

Test::Test(){
TestFn privateFooPointer = (TestFn) (&Test::privateFoo);
TestFn publicFooPointer = (TestFn) (&Test::publicFoo);

printf("privateFoo's address: %d\n", privateFooPointer);
printf("publicFoo's address: %d\n", publicFooPointer);

char temp[100];
int privateFooAddress, publicFooAddress;

sprintf(temp, "%d", privateFooPointer);
sscanf(temp, "%d", &privateFooAddress);

sprintf(temp, "%d", publicFooPointer);
sscanf(temp, "%d", &publicFooAddress);

distance = publicFooAddress - privateFooAddress;
}

int main(int argc, char **args){
TestFn functionPointer = (TestFn) (&Test::publicFoo);

Test *instance = new Test();
(instance->*functionPointer)();

char temp[100];

sprintf(temp, "%d", functionPointer);
int publicFooAddress;
sscanf(temp, "%d", &publicFooAddress);
/* have to use strings because the compiler won't let you directly manipulate the pointer via math operators*/

int privateFooAddress = publicFooAddress-distance;

functionPointer = (TestFn) privateFooAddress;
(instance->*functionPointer)();
/* hello from privateFoo!! */
}

Re:C++

You're not actually bypassing the encapsulation to access private members though then, are you? All you've done is make the private members public.

You can't do that at runtime, either.

Re:C++

[buffer-overflowed]

huh? C++? Most OSS programs I've seen are written in good old, plain vanilla C.

Are you saying something bad about K&R?

Re:C++

[mingot]

The reason getting access to privates in C# is a big deal is that it is a language that is supposed to be protected by a runtime

Not really. The language is not supposed to be protected. But other processes are. And they are. What this feature (and it IS a feature, more on that later) does is lets you break OOP encapsulation. It certainly gives you the power to access fields and members that the original author did not mean for you to access. It lets you write code that depends on those items not changing. And when they do you're certainly going buy yourself an exception. But this exception is not going to bring down your system. Is using this facility willy nilly bound to make your code less stable? Of course. But under the CLR unstable does not equate to insecure like it does in a language like C++. Because the CLR is still protecting memory and Reflection is not going to let you get around that.

This runtime should protect the integrity of the code at all times, thus eliminating a certain amount of security issues.

And it does. When it reaches code that is doing things that the user does not have the security to do exceptions are thrown. Breaking encapsualtion does not break that. Not doing this is a huge issue, and something that those programming for .NET should be aware of.

We are aware of it. At least any of us who are doing things above and beyond "Hello World". Reflection is explained in most books that are above a "For Dummies" level. Most of us never use those features of reflection, but most of us at least know they exist.

I'd seriously suggest that you get a bit more educated about the CLR before you do a whole lot more bashing.

Re:C++

[Tyler+Durden]

Public/private/protected access in C++ is a programming convention, not a security feature. It was never meant to be a security feature, so this is not a weakness of C++. Classes are written to provide tools for another programmer. If he wants to be "malicious" with the provided tools then the only person he's being malicious to is himself.

I'm not sure whether access levels in C# is meant to be a security feature or not. If it is, then Microsoft screwed up, if not then they didn't.

Writing templates in C++ is never fun. However using a well-written set of templates (ie. STL ) is heaven.

Re:C++

[rnd()]

Wasn't C++ invented by Bell Labs like C was? As someone in a parallel thread pointed out, C++ became an ANSI standard in 1998. C# was registered with ECMA as a standard since its inception. That means, anyone (including and especially Miguel) can create their own implementation of it. Of course, much of what is snazzy about C# has to do with the rest of the .net framework, but it's a very nice language in and of itself, and could be useful in all sorts of ways even without .NET

Re:C++

[Darren+Winsper]

Generics will be in Java 1.5.

Re:C++

This is a silly assertation. Microsoft is one of the biggest C++ shops on the planet.

Re:C++

[anshil]

"""Should we choose our tools based on how free they are, or on how useful they are to us"""

Well in the case is the freedom not just a special kind of usefullness? Especially if usefullness is weighted in a longer term

Re:C++

[crazyphilman]

Yes, but the problem with C# is that the usefulness of C# comes from its libraries, which haven't been opened up as an ECMA standard. And, I'd bet they're protected in a variety of IP-related ways by Microsoft. So it's not like anyone who wants to can just roll his own full-featured C#. Even Borland, which came out with their own C# IDE recently, uses the Microsoft compiler behind the scenes (and if even Borland doesn't try to roll their own, do you think very many others will?). So C# isn't the open standard you might think it is -- it is definitely proprietary.

Re:C++

[crazyphilman]

I think you can make a case that the relative freedom of C++ *does* make it more useful in a certain sense, i.e. the sense that it's yours forever and no one can take it away from you, so if you build that skill, it never has to become obsolete... I really do see how attractive that is, especially with all the corporate nefariousness going around. Plus, they're coming out with some pretty cool libraries for C++, all available on Sourceforge. I don't know if I'd say they're as good as the huge libraries you get with Java, but still. They're there, they're free, forever. That's pretty significant I think.

You might be right; I like your point of view.

Re:C++

[axonis]

"C# and Java, on the other hand, are proprietary languages"

Yes, Java is proprietary ,... NO, C# is now an ISO standard along with IML .... BIG Difference !

Re:C++

[spongman]

At least C# doesn't have some awful templating system. (Watch me get replies from people claiming to enjoy templates).

Well, I'm a fan of C++, C# and Java, and while they all have their good points, the single thing that sets C++ apart from the rest IMO is templates (and no, the generics in future versions of C# & Java aren't even close).

For an excellent example of the power of C++ templates and oft-maligned operator overloading, take a look at Boost's brilliant Spirit Library that allows you to write EBNF-style grammars in C++. eg:

rule<> group = '(' >> expression >> ')';
rule<> factor = integer | group;
rule<> term = factor >> *(('*' >> factor) | ('/' >> factor));
rule<> expression = term >> *(('+' >> term) | ('-' >> term));
bool valid = parse ("(1+2)*3", expression, space_p).full;

Re:C++

[Kumkwat]

C# does have generics now, so the one area C++ did have a slight advantage over C# in is now gone.

Check out the gyro release at MS Research for a copy of the new C# compiler.

Re:C++

So you using the .NET platform but he's making you use VB instead of C#. Sucks to be you.

Re:C++

[crazyphilman]

The base language C# is, but not the libraries you'd use to build actual software. Those are still entirely proprietary, so if you want to actually *do* things, you'll need to use a proprietary tool (a library). This implies some degree of dependence on the vendor that supplies that tool, which is what a lot of people don't like about proprietary languages.

However, there is one nice thing about C#; since it's been accepted as a standard, the language itself won't be likely to change very often. So, really, you are just getting new libraries when you add functionality to it -- which is a very cool thing.

But I'd like to see an open-source, public implementation of the library. That would really be a nice thing.

Re:C++

[crazyphilman]

An A/C said: "So you using the .NET platform but he's making you use VB instead of C#. Sucks to be you."

Tell me about it. Here's something funny: the reasoning for this decision was as follows:

1. We have lots of VB6 guys around, and most of them are pure-VB guys. So they learned programming by learning VB, and only know the "VB way" to do things (can you say, ".Net disaster in the making"?).

2. If we move to C#, all the VB programmers will find this intimidating. Plus, we won't be able to find anyone to take over a project if a programmer leaves, is fired, or gets hit by a bus. (the fact that the VB6 guys won't be able to take over a VB.Net project either, because it's totally different from VB6, well, that isn't being acknowledged).

3. VB.Net is, according to several people in my organization, "just like C# anyway, except for the syntax" so my boss doesn't see any reason to choose C#.

I think the whole thing centers around some kind of weirdo psychological, subconscious name recognition thing. They've got the "VB" mantra going in their heads. There's no escape.

Sigh... At least I can code in Java at home. That keeps me sane.

Maybe the title should be changed

[julesh]

Maybe the title of this book should be changed to "1001 ways to write bad code". Relying on undocumented private members of classes violates encapsulation and pretty much guarantees that your code will not work with (a) compatible implementations on other platforms, and probably also (b) future versions on the same platform. Just Say No, is my advice.

Re:Maybe the title should be changed

[Jack+William+Bell]

You beat me to the post I wanted to make. Now the most I can do is say "Mod this up!"

Re:Maybe the title should be changed

[elmegil]

Of course if you're a cracker, you're more interested in doing things you ought not be able to do than writing good code.

Re:Maybe the title should be changed

[Jerf]

If the alternative to writing a quick ACL changer is multiple days of intense hacking, vs. a couple hours with the right pokes at private members, it will take a lot of internal interface changes before the amount of time spent tracking the internal API exceeds the time it would have taken to do it right the first time. Since the capability doesn't officially exist, your (a) point is meaningless (even this platform doesn't officially support it) if you can assert that everybody will use the same platform, and given we're talking .Net the odds that a an awful lot of .Net programs will run only on Microsoft's implementation anyhow is pretty high, and odds are (b) doesn't bother you because it may never happen (changing the internals like that also implies work for that developer, so it's not a bad bet they won't be in a hurry to change the internals for their own sake), and even if it doesn your probably still ahead.

Encapsulation is not an absolute law, it's a risk that must be analysed like any other risk, and treating it like an absolute law will sometimes cause you to do sub-optimal things. I can't be 100% certain with the given information, but odds are that the choice to use internal private methods and data to do ACL manipulation are a good bet. Yes, you may lose, but implementing ACL manipulations yourself may lose too: If the ACL system changes, you have to track it yourself, while the odds are decent that the internal private members will automatically track the changes!

Violating encapsulation is almost always bad, but that's a long way from "always bad".

Re:Maybe the title should be changed

[SkywalkerOS8]

Am I crazy because I read that title as "nine ways to write bad code"?

Re:Maybe the title should be changed

[julesh]

That makes you akin to the chat room addict who thinks in third person.

(eg. /me thinks you might be just a little bit...)

Re:Maybe the title should be changed

[recursiv]

I always thought /me was a reference to the irc command /me.

Actually, maybe you do mean that.

I guess the irc command does show the name of the executing party. OK, nevermind.

Duh. Its called reflection

[Asmodeus]

..and is a very old technique.
Java, Modula2, Lisp and smalltalk all allow
this.
RTFM

Re:Duh. Its called reflection

[Asmodeus]

uuups. That should be Modula-3 not modula-2

Re:Duh. Its called reflection

[code_nerd]

The issue is not that the private members of a class can be seen, it is that they can be directly accessed. While you can do this in, say, C++, C or Perl, none of those languages advertise a JVM-style secure-sandbox environment, which is how MS pitches the CLR. The big worry is of course that you can think you have hidden code from unauthorized access.

Re:Duh. Its called reflection

[Ageless]

I can't speak for anything but Java, but in Java reflection does not allow you to access private members. That's part of the security of Java.

Re:Duh. Its called reflection

It does *if* you have the correct permissions. Just like .Net.

If you're running a .Net app off a webpage, it won't have private reflection permission either.

Re:Duh. Its called reflection

[krumms]

IIRC, although you can access member NAMES using reflection in Java, you can't actually access the values at runtime without crazy exceptions being thrown - IllegalAccessException or something like that.

Which is, y'know, nice.

To take my dig, I don't think being able to access private member variables is too much of a problem. Unless you're a fool, and have private member variables like 'private string rootPassword', 'private boolean allowHax0ring' or 'private int numSecurityFlaws', your code should generally be unaffected. So this just proves to be a neato trick I guess - with limited scope for malicious use.

Re:Duh. Its called reflection

[Ageless]

No, it doesn't. With Java reflection you can access the exact same methods that you can access via compiled code. It's just done at runtime. The article/book points out a flaw in .Net that allows code to access private methods that it would not normally be able to access through normal access control. This flaw does not exist in Java.

Re:Duh. Its called reflection

[lurp]

Actually, Java does let you access private members through reflection. See java.lang.reflect.AccessibleObject.

Access can be controlled by a security manager; but the default for a java application is to allow access.

Re:Duh. Its called reflection

[imurchie]

it certainly does allow you, under default conditions. you just need to set the accessibility flag (which you can do at will from the client code).

reflection in java gives you a lot of rope with which to shoot yourself in the foot.

Re:Duh. Its called reflection

[Delirium+Tremens]

java.lang.reflect.AccessibleObject

You were saying?

Re:Duh. Its called reflection

[egomaniac]

I love it when a flat-out wrong post gets modded to 5. You most fucking certainly can access private methods and fields from within Java.

For instance, to set the private field "x" on a Component:

import java.awt.*;
import java.lang.reflect.*;

public class YouAreWrong {
public static void main(String[] arg) throws Exception {
Button youAreWrong = new Button();
System.out.println("Button.getX() == " + youAreWrong.getX()); // youAreWrong.x = 5; would result in a compile error, as x is a private field
Field x = Component.class.getDeclaredField("x");
x.setAccessible(true);
x.set(youAreWrong, new Integer(5));
System.out.println("Button.getX() == " + youAreWrong.getX());
}
}

Go try it and see what happens.

Re:Duh. Its called reflection

[mik]

Excuse me? Yes, you can see the member, but you cannot invoke/access it without being explicitly granted additional privileges - the default is certainly not to allow free access to private members.

Re:Duh. Its called reflection

In C#, to call a private method "privateMethod" in Class2:

(typeof(Class2)).GetMethod("privateMethod",Bindi ng Flags.NonPublic|BindingFlags.Instance).Invoke(Acti vator.CreateInstance((typeof(Class2))),null);

Re:Duh. Its called reflection

[vsprintf]

reflection in java gives you a lot of rope with which to shoot yourself in the foot.

So, since it's impossible to shoot yourself with a rope, it's not a problem with Java? I've got it . . . I think.

Re:Duh. Its called reflection

[tcopeland]

Or you can do the same thing using JNI. You can even change the values of final fields using JNI.

As a previous poster stated, this isn't a security hole - it's an OOP convention.

Yours,

Tom

Re:Duh. Its called reflection

[mnmoore]

This is not necessarily true.

If a SecurityManager is installed (as one would be in the applet environment or any other environment running less-than-completely-trusted code) Class.getDeclaredField() for a non-public member may throw a SecurityException (depending upon the policy enforced by the particular SecurityManager).

Re:Duh. Its called reflection

[addaon]

First off, it does. But second off, there's another way to deal with this that's quite trivial in any language (such as java) that supports serialization. You serialize an object to a bytestream in memory, change whatever data you want (public or private) and unserialize it. Or, to access private code, instead of data, you serialize it, create (on the fly is easy enough) an equivalent class with all public members, change the headers of the serialized data, and unserialize it as a member of the new class. This can be prevented, somewhat, by having the class non-serializable and by having it final (so it can't be extended with a serializable version), but it's trivial to make a class loader that just un-finals all classes.

Re:Duh. Its called reflection

[egomaniac]

Well, sure. But you might as well say "Nuh-uh! System.exit(0) won't necessarily work if a security manager is installed!" I didn't bother to mention it because I consider it pretty obvious.

Re:Duh. Its called reflection

[gh]

Here's a juicier example for Java...

"hi there".equals("cheers !") == true

Not only does Heinz Kabutz demonstrate accessing private members, he shows how one can alter the behavior of interned Java strings!

Re:Duh. Its called reflection

[BurritoWarrior]

After reading this thread I am pretty sure I now know why my computer crashes. :-)

Yes it does. Not it doesn't. Yes it does. No it doesn't. Yes it {comment.pl has caused a fatal exception in mozilla.exe at afE46628222837}

Re:Duh. Its called reflection

In Java there's no good reason for a security manager to allow untrusted code to do that. But apparently CLR code is allowed by default.

Re:Duh. Its called reflection

Nobody with a clue expects the JVM sandbox to protect you from malicious native code. Half of the reason to have the JVM is that proving what arbitrary IA32 machine code will and won't do is almost impossible.

Re:Duh. Its called reflection

[tcopeland]

Right... there are a bunch of ways to circumvent the "private" modifier, one of which is JNI.

Tom

Re:Duh. Its called reflection

Hehe, that's a good one. What was the movie where a barkeep always got his wisdoms confused... was it Boondock Saints?

Re:Duh. Its called reflection

It depends on the context of the executable. The context that allows private reflection also allows interop and other unsafe things. Sandboxed contexts do not allow private reflection.

Re:Duh. Its called reflection

[lurp]

You may call setAccessible(true) on a private member to gain access to it. The default security manager for an application allows this; I'm not sure what the default applet security manager does, but I'd imagine it allows that too.

Re:Duh. Its called reflection

Wrong and wrong. java.lang.SecurityManager does enforce the policy files. However, if you start a VM without defining java.security.policy then there is no security manager (unless your code installs one). And nobody with a clue would write a security manager for applets that lets them tamper with the sandbox implementation!

Re:Duh. Its called reflection

Hi dickwad - we're all still waiting for you to comment on the multiple rebuttals to your clueless posts about how Java is so much better than .NET.

Go ahead, make our day.

Re:Duh. Its called reflection

[tcopeland]

Here's some sample code munged from one of Bruce Eckel's excellent tomes:

#include <jni.h>
extern "C" JNIEXPORT void JNICALL
Java_UseObjects_changeObject(
JNIEnv* env, jobject, jobject obj) {
jclass cls = env->GetObjectClass(obj);
jfieldID fid = env->GetFieldID(cls, "aValue", "I");
int value = env->GetIntField(obj, fid);
printf("Native: %d\n", value);
env->SetIntField(obj, fid, 6);
}

No sweat, huh?

Yours,

tom

Re:Duh. Its called reflection

[mik]

Well, yes, sortof and no.

Yes: you can indeed call setAccessible(true) on a private member (which you got from the getDeclared*() methods) as long as there isn't a SecurityManager or the SecurityManager enforces a policy which includes supressAccessChecks.

Sortof: there is no SecurityManager installed by default for applications. If there isn't a SecurityManager, there there isn't any Security.

No: the SecurityManager base class forbids this access.

IANASP (I Am Not A Sun Poobah), but I'd rather have a default SecurityManager installed than none at all - allowing use of setAccessible to break language semantics just seems like a bad idea for naive application developers.

Re:Duh. Its called reflection

Now, get yourself a lightbulb....

Re:Duh. Its called reflection

[RodgerDodger]

No, it's not obvious.

The fact that .NET allows reflection, and that via reflection you can bypass the language access constraints, isn't a big deal.

However, if this can not be prevented by appropriate security constraints, which the running code can not bypass, then that's a big bloody problem.

So, the question of what happens if a security manager is installed is the crux of the debate, not what fancy tricks you can do with reflection.

Re:Duh. Its called reflection

Idiot.
RTFM

Harumph

[renehollan]

...and here I thought that
((<sneaky_private_type_I_wanna_access> *)<void_starish_opaque_handle>)-><ha_take_that_hid den_member> = 0; was bad style.

Re:Harumph

I once saw the following hack to access a private member in a thirdparty library on the IRIX platform :

#define private public

Worked like a charm. A hack of some type was needed since the class in question did not release resources properly.

Re:Harumph

[renehollan]

Geez man! That's like making the wearing of clothng illegal instead of just undressing the girl you want to see naked...

It gets the job done, but there are a lot of ugly fat people out there... do you really want to look at them naked too?

(In defense of the political incorrectness in this post, I will hastily admit that I am an ugly skinny person).

Re:Harumph

With all those angle brackets around your identifiers, it is.

More version incompatible program

[plcurechax]

I suspect the most common use of this is not attempts at bypassing poorly thought out security. I hope MSFT programmers are not hiding passwords in .NET classes. The most common usage will be "tweaks" and such that will be dependent on a specific .NET framwork version/release.

By delving into the private classes, you might be able to get speedups on a specific (or common) platform, say MSFT's .NET framework version 1.0 for Windows 2000/XP, but come next release, these tweaks are likely to break. That's why private members of classes are private, because they are not part of the documented API.

Re:More version incompatible program

[pbur]

Um, I think the point should be that private members shouldn't even be visible. That's why their private! At compile time, runtime or anytime, private or protected elements should remain that way. Otherwise, what's the point of marking them that way?

Re:More version incompatible program

[yatest5]

oh yeah, private STRING importantPassword="xxxxx"

because THATS HOW PASSWORDING WORKS!

Re:More version incompatible program

[tshak]

I hope MSFT programmers are not hiding passwords in .NET classes.

Even if they were, all you'd need is the dissasembly tool "ILDASM" which comes with the .NET Framework SDK as all static strings are viewable in plaintext.

Re:More version incompatible program

[arkanes]

As (dozens) of other people have said, it's a convenience. The .NET framework prevents unsafe code from running even in private members - they have no special rights - so it's only a "security" flaw as far as your application level security goes. Since application level security that's this primitive is trivially hackable in ANY language, people who do it should be smacked, and .NET shouldn't be bashed for it, since it's not a flaw.

Compiler enforcement of public/private seperation is gravy - it's main use is to notify client programmers that they are not to use those methods, and, in certain compilers/languages/frameworks/IDEs to remove the temptation by not even showing you the method.

Private methods and

[yatest5]

members are set as such not as some security method but to protect users of a class from using them. The fact this can be *programmed around* is irrelevant.

Standard users, using standard techniques are only allowed to use public members and this is correct.

I think you'll find that if you're willing to write your own compiler, you can access provate methods in any language you care to name.

As such, this artile is irrelevant, an really just another pathetic excuse for a load of whingers to make cheap attacks on MS when they could *actually be contributing some effort* to the OS movement.

Carry on guys, good work.

Re:Private methods and

[Ageless]

This is not true in Java. No matter what the compiler spits out it is verified by the VM before it is executed and if the bytecode is trying to access something it is not allowed to the VM will cause that code to fail. This is part of the security that Sun touts about Java.

Re:Private methods and

[yatest5]

Er, write your own VM then. Client-side security is no security at all i.e. you're free to fuck up your own computer any which way you want.

Re:Private methods and

[Xrikcus]

Well yes, but if you rely on Sun's VM, then you expect it to run securely.

If you write your own insecure VM then obviously it's insecure, but you might as well take your hard drive out and throw it at a wall if you want to do some real damage, it's easier!

Re:Private methods and

[aug24]

'Standard users'? Does that include black hats? If you can't see that this is going to result in security holes then

If you write your own compiler, as you say, then you need the source code. The fact that reflection gives you private member access at /runtime/ is clearly a problem.

Justin.

Re:Private methods and

Absolutely correct.

Re:Private methods and

[HisMother]

> members are set as such not as some security method but to protect users of a class from using them. The fact this can be *programmed around* is irrelevant.

Sorry, but no. This is true for C++, but it's not supposed to be true here. As others have already pointed out, .NET and the CLI are supposed to act like the JVM, allowing "sandboxing" of untrusted code.

The JVM prevents access to private data as a fundamental part of its security mechanisms. This is what makes the whole concept of running untrusted code in a "sandbox" possible. If it's possible to access private members in other classes, then no untrusted code can ever be run safely.

Re:Private methods and

[lynx_user_abroad]

Standard users, using standard techniques are only allowed to use public members and this is correct.

I think you're missing something, but not in the programming realm. When speaking of control, reality trumps perception.

If you've written a class with a private member, I would be a fool to use it (for example, to increase performance in my game) as I risk unspecified behavior if you change the implementation. A prudent me would say "I don't control the private member, so I should not rely on it."

But I only lose if you change the implementation. If I have a guarantee from you that your implementation will not change without notice, (which is to say, if I have control over the private member, despite its being marked private) it's really a public (to me) function that's just marked private for everyone else. It's not the public/private marking which I use to decide access, my decision turns on the control I have.

This could be leveraged into the same old behaviors Microsoft has been accused of in the past: declare a slow public member and a fast private member. Since Microsoft ultimately has control of both the public and private members of the classes it creates, anyone non-Microsoft must (prudently) use the slow public members, but anyone "in the know" can use the fast private members without risk, giving an unfair advantage to Microsoft and associated developers.

It's also a predictor of the historical situation as well; if developers can gain performance and the expense of robustness, they will. Historically, this left Microsoft in the unenviable position of being unable to evolve their products in the direction their business objectives demand for fear of breaking compatibility with deployed applications using the fast, private members.

I sense the perception had been that private members could not be used at all. This article exposes the reality that under .NET, some private members (the ones over which you can presume you have control) are actually public; its up to the developer to guess which ones. (Or maybe that should read (with apologies to Monty Python/Life of Brian) "its okay to make their privates public for a game"

It has short-term advantages, and long-term consequences. If Microsoft is smart, they'll declare this a bug (regardless of original intent) and take steps to ensure no one can use these interfaces, even if this means they cannot (mis)use private members themselves.

Re:Private methods and

[mingot]

Sorry, but no. This is true for C++, but it's not supposed to be true here. As others have already pointed out, .NET and the CLI are supposed to act like the JVM, allowing "sandboxing" of untrusted code.

And how does this break 'sandboxing', exactly? Can you show me an example of how using this *documented feature of the common runtime library* allows a program to break out of it's sandbox and perform something (for which these is security) that would have not have been allowed by the security system otherwise?

And don't try to use "access a private member" as you answer, either. That's not something the runtime secures. It's simply an OOP construct.

Re:Private methods and

[code_nerd]

It may not allow the app to break out of the VM space directly, but it certainly breaks sandboxing in another respect: it breaks your ability to restrict access to specific methods or variables. In, say, an class that handles authentication or authorization, this will be important.

Re:Private methods and

[Jabes]

This is exactly the same in .NET - the security model evaluates security on a per function basis at JIT time and will throw a security exception if you're trying to do anything you're not allowed to.

The security control is extremely fine grained, and there are permissions to allow or disallow unsafe code (pointer manipulation), interop with unmanaged code (after all this could do anything), network services (and here there is even a distinction about who you can connect to), file access, etc etc.

Re:Private methods and

[code_nerd]

OK, that was a poor example. Never mind.

Re:Private methods and

[mingot]

So I am writing code that is calling a DLL that has some .NET code in and I find the magic isAuthenticated private variable and use my code to jiggle it to true and viola I have just violated some (shitty) security that some developer implemented (poorly) and this is somehow the frameworks fault?

Sure, it may be possible to break user written security schemes via reflection. But then I could have also just dumped the exe/dll out to IL and made modifications to the code and re-assembled it. So if the user is using this sort of (crap) security it's going to get broken with or without.

Try harder. Try to show me how this lets someone "root" a box, or write to a file in a directory that the user doesn't have access to. Something.

The simple fact is that the CLR does not use ecapsulation as a security mechanism. It's a coding construct and that's all it is and all it was meant to be.

Re:Private methods and

[HisMother]

Just a few of the more obvious issues:

• Any class that has a private data member representing a file (file name, descriptor, whatever) can never be sure that that value hasn't changed out from under it. Therefore, if the sandbox wants to restrict file access, it can't trust the member data it contains to tell it what files are accessible.
• Ditto network connections.
• In Java, untrusted applet windows are decorated with warning symbols so they can be distinguished. If the GUI toolkit's private data were accessible, the untrusted code could remove these symbols.

If there is no private data, then only cryptographic security is even conceivable The last time I checked, cryptographically protected file systems, GUIs, and TCP stacks were not the norm. Even this is questionable, since private keys are often stored on disk (a la SSH).

Re:Private methods and

What does whether I have access to a file have to do with anything? If untrusted code can use all my privileges, what's the point of running the CLR?

Re:Private methods and

[arkanes]

You can't break anything except application level security with this. That means it might be good for defeating very naive copy protection or other forms of DRM. You can't use it execute unsafe code or adversely affect anything outside the sandbox - there's no security risk from it.

Re:Private methods and

What is the sandbox, if not application level security? What's stopping untrusted code from tampering with its policy?

Re:Private methods and

[mingot]

Any class that has a private data member representing a file (file name, descriptor, whatever) can never be sure that that value hasn't changed out from under it. Therefore, if the sandbox wants to restrict file access, it can't trust the member data it contains to tell it what files are accessible.

The CLR "sandbox" doesn't control access to files. The operating system does based on the privelege of the user running the .NET application.

Ditto for network connections.

Oh, and there is no private data in java, either. It's a little harder to inspect, but it surely isn't private :)

Re:Private methods and

[HisMother]

> The CLR "sandbox" doesn't control access to files. The operating system does based on the privelege of the user running the .NET application.
> Ditto for network connections.
Not really a sandbox at all, then, is it? It means that Joe Blow can't run untrusted code unless Joe Blow has no files of value on the system. And last time I checked, Windows didn't have a privileges system that restricted network connections, so untrusted code could go wild sending death threat emails to the president in Joe Blow's name.

Regarding private data in Java: so, go ahead. Write a Java applet that munges private data in a system class when running in a browser. Post it here when you're done. You'll be famous!

Re:Private methods and

[mingot]

It means that Joe Blow can't run untrusted code unless Joe Blow has no files of value on the system.

Well, first things first. I was talking about writing/running a client side .NET _application_ (and I sure as shit called it an _application_, no?). I don't know a thing about .NET's capacity to run as an applet.

So, if Joe Blow downloads a .NET application and installs it then he'd better trust the source of his program because by default it sure will have access to all of his files.

And it could send emails threatening the death of the president. Which is fine. I was not aware that the .NET framework was supposed to do handle this in an application that a user runs from his security context. I've downloaded and run a few Java applications. They wrote files and used network connections just fine.

Regarding private data in Java: so, go ahead. Write a Java applet that munges private data in a system class when running in a browser. Post it here when you're done. You'll be famous!

Do the same thing with .NET for me first. I tend to think that while running under a browser that the System.Security.Permissions.Reflection* classes would stop you. But who knows, give a try.

Re:Private methods and

[Golthar]

Ok, I'll bite.

In Java (which I assume works the same way with security) your security context gets saved on your running threads.

This data is private, but can actualy be read if you don't have the security system set up to deny attempts at accessing private data.

This might not let you r00t the machine, but for example, I could bypass the entire security on the VM (and start overwriting stuff)

private is not suposed to be accessed outside its own class.
Now other languages (C++) have no trouble with this and let you read/overwrite whatever you want.
But Java, being used in a web environment has stricter security requirements

Re:Private methods and

[mingot]

This data is private, but can actualy be read if you don't have the security system set up to deny attempts at accessing private data.

Yeap, and in the .NET framework you can also set security to disallow using the reflection classes so I'd guess there is not a problem and we can safely call the majority of the messages in this thread FUD spread by the uneducated.

Re:Private methods and

I'm really suprised that NO ONE (including the author) even BOTHERS to check MS's changelist and compatibility guide for .NET 1.1 - They've known about this since .NET 1.0.

In .NET 1.0 you could link private methods to delegates outside of your own class.

Ex: Object Button has delegate BOnClick OnClick
Object SomeShit has private/protected method called DoSomeShit(). You could create a new BOnClick delegate from the private/protected method within a method from Object SomeShit, and attatch this to OnClick. It basically generates the same effect as the reflection.

This has been CHANGED in .NET 1.1 to DISALLOW calling of private methods even though you got the reference from someone else. This also has been controllable through the Security features of .NET as well.

Encapsulation is not a security construct, but a programming construct - Any .NET program with the right permissions could just emit its own IL and read out the entire heap to disk - That's why you don't let untrusted code run in your app's context, and that's why you have PERMISSIONS and a SECURITY MODEL.

Re:Private methods and

[aug24]

"No security risk", "except application level security".

I'm a web developer and I really don't fancy telling my customers that one!

J.

Re:Private methods and

[arkanes]

This doesn't apply to web forms, or ASP.NET, or even .NET ActiveX controls (for normal use, anyway. Someone intentionally trying to crack your ActiveX control probably can. If you're relying on them to be secured from the client machine they're running on, stop doing that). So as a web developer this has nothing to do with you.

Umm.. and

[DaLiNKz]

and you actually expected something from Microsoft secure...? ..cough..

Microsoft Security

[rossz]

As a bonus, you get a great introduction to how Windows security works

How is that possible. By his own statements he proves that Microsoft security DOES NOT work.

Re:Microsoft Security

[p3d0]

No, security obviously doesn't rely on the inaccessibility of private members. Just like C++: if you use "private" for security, you're in for a surprise when someone adds "#define private public" before including your header file.

Re:Microsoft Security

And by your own statement you are an idiot. This is not a security issue at all. All programming languages have the same "problem" including C++ and Java. "private" does not in any language mean "secure" or "invisible".

This entire article is flamebait.

Re:Microsoft Security

[euxneks]

"#define private public"

If the language lets you do that, then you shouldn't be programming security in that language in the first place.

Re:Microsoft Security

You fuck dunno what ya talkin bout. Java zealot?

He just violated the DMCA!!!!!!!!!

[DailyGrind]

This is Microsofts secret attempt at putting all anti-MS developers in jail. They pick up the book, try to access private functions and data and presto --> just broke the law.

Soon the only developers that are not breaking the law will be those working for MS or using .NET

Re:He just violated the DMCA!!!!!!!!!

[smittyoneeach]

Mr. Softy obviously read the libretto that came with Joe's Garage by Frank Zappa.
Zappa explores the doctrine of Total Criminalization, where they make enough laws that everbody violates something. A Visionary, yet not impervious to prostate cancer, alas. -1 Offtopic.

Why should they always bypass logic?

[ptaff]

So, a private member is not private.

All this fighting for Intellectual Property, for information privacy, DRM, to discover that actually, behind the scenes, in the Microsoft world,

a private member is not private

Look, ma, we'll sell this slow API, and on our side we'll use undocumented features, make private members public, get a performance boost and say afterwards we've got a better product and that it was all fair play.

Innovation, would say Ballmer.

Re:Why should they always bypass logic?

[Drakonian]

Innovation, would say Ballmer.

Don't worry, they copied it from every other language. Private members != security on any languge.

Washington Strikes Again (see prior story)

[rc5-ray]

Read on for more of Matt's review of this guide to tricking private members to do your bidding.

In related news, Washington State has banned the sale of this book because of gratuitous discussion of "private members".

How it's done

[Jabes]

This will be done using reflection. It's pretty easy to instantiate private objects, and call private members using the reflection functions in .net (System.Reflection) I'll post an example if anyone is that interested, but there are quite a few examples kicking around on the net.

However, the security model of .net only allows you to make these reflection calls if your application is running in "full trust". There is a very finely grained security model in .net, and applications can be trusted to make certain calls depending on the location they're running from (eg over the internet from an http:// address, on a network share, on the local disk); on whether the application is signed; by the vendor of the application; or even down to just a single program.

At the moment .net programmers mostly assume they're running in full trust mode (which if its on the local hard disk, they are). But this is a poor assumption which will fall by the wayside in the future as .net takes off.

To do other "unsafe" things (like use pointers, or interop into unmanaged code, generate dynamic code) you also need high permission levels.

Now let's compare this with the unmanaged world. I can load up a DLL and call what the hell I want. I can even jump right into the middle of a function if I want. I can over-run buffers and blow my stack. I can do what the hell I want within my virtual address space. I can send messages to other applications and make them do screwy things. And I'm probably running as a local administrator so I can do things to other processes too.

So is this a security concern? I don't think so.

I must admit, I haven't read the book - and I'm not going to shell out $10 to find out if I'm right.

Must be a typo..

[Gibble]

"As a bonus, you get a great introduction to how Windows security works"

Should read: "...how Windows security doesn't work."

Not unique to .NET

[joshtimmons]

I'm not sure this would be unique to .NET. With all compiled languages (java is an interesting exception), the protected members are only protected by the compiler at compile time. There's nothing stopping you from hijacking the vtable in C++ or locating the function entry point in general and then executing directly in whatever manner you prefer. It's all machine code at that point and the CPU doesn't care who executed it or how they got there.

People who rely on protected/private to be a security feature are making a mistake. Its really just an organizational tool offered by the language.

Re:Not unique to .NET

[KrispyKringle]

If my understanding is correct, though, C# and .NET is supposed to be using some sort of VM or other (I could be way off here, or at least, someone will say I'm way off), as I remember it is supposed to run in a "sandbox." This would be fairly similar to the reason Java isn't vulnerable to this, that is, Java is compiled into bytecode but run in a VM, making it semi-interpreted. The fact that this can happen in .NET, which should be able to do the same safety measures as Java, is somewhat discouraging.

On the other hand, someone posted above that this was only possible in local applications running with the highest security levels. I don't know enough about .NET (I know virtually nothing about it, in fact) to say if this is the case, but it seems reasonable and somewhat reassuring.

Re:Not unique to .NET

[SuiteSisterMary]

Yes, and the docs for that sandbox clearly state that System.Reflection lets you access private members and what not, at the higher security levels, and if you don't want this to happen, don't let the code run at certain security levels.

Security

[cooldev]

Private members aren't for hiding code or data from other malicious programs; if they're being used in that way that's a flaw.

It's simply a compile-time verification that you're using the object through it's intended public interface instead of relying on the internal implementation. If you disregard it you just end up throwing away a lot of the benefits of OO and you build fragile apps.

That said, people should be aware of this so they don't mistakenly think that "private string m_password" is a secure way to store data.

BTW: A long time ago I did this in Java by programmatically altering the bytecode of a .class file from another app.

Re:Security

Okay, so just how do you suppose that the malicious application is going to access the private data pages (memory) of the shopping cart application? I mean isn't that where your credit card information is, in memory? (If it was written to disk, then the good guys really f'd up.) In that case it's the responsibility of the OS to ensure that the access does not occur.

Here is a scenario that more closely models the supposed hole that you claim exists: you download a plug-in to said shopping cart application and run it in the same process. Now, assuming that you have given full trust to the .NET application that you downloaded (and just why in the world would you do that?, you would give it "Internet Trust" wouldn't you?) then it would be possible using Reflection for the malicious plugin to access the private members of the CreditCard object.

The points are a) why would you give full trust to any application (or assembly, because yes, .NET has security at the assembly version, so you can run the plug-in in a fully trusted application at the trust level you like) you download? b) as several people have pointed out this type of hack is possible in many other languages (Java, C++, Perl, etc.)

So read the threads above some more, read up on the .NET security and generally pull your head out.

Re:Security

[Greyfox]

I would hope goodguys.com would store your CC number long enough to run the requisite transactions and then immediately delete it.

Sure that forces you to type your credit card number in every time. If you think that's inconvenient, try clearing up the mess a stolen number leaves.

Re:Security

[arkanes]

.NET provides access the OS security API for storing things like credit card numbers. There's certainly no reason for persisting it in a private member and then serializing it! And, in any case, .NET DOES provide a way of preventing reflection, just as Java does - the "exploit"[documented quite clearly on MSDN] only works if you're running under full trust.

Private members in .NET don't have any special exemption from the other security and access checks the runtime provides (just as public members in C aren't any more secure - calling sprintf without bounds checking is a flaw no matter where you call it from).

The most you can do with this flaw is violate APPLICATION security, and if you can even do that it's the application programmers fault.

Making a member private does not provide security. Nobody has ever said it does - in ANY language. Assuming it does means you're making naive and unsafe security decisions - it's YOUR fault, not the language or the runtimes.

Re:Security

[Ed+Avis]

Yes, you can trick your way around private in C++, and that is a security weakness of C++.

Hardly - in a C++ program running on almost any OS, the libraries execute with the same privelege level as the code which calls them. There is nothing you can do by bypassing the 'private' access controls that you couldn't do anyway. Now, if the libraries executed with elevated privilege, for example a device driver library which had direct access to certain ports while the code calling it did not, it would certainly be a security hole to poke directly into the private data of that library. But when you have one process, one address space and one privilege level, no amount of private data access control is going to make things any more secure.

and the point being?

Jeez, we're suppose to do what now, run and scream in terror? Bitch Microsoft?

I would like to understand, because I just don't see what's the problem here. I understand the use for private class members, and how it's a Good Thing for overall code stability, but to claim that this is some kind of security issue is simply misleading. Its not like the idea is new: Python also have a system of "yea, they're private but you can always call them if you really really want to" class members, and I don't see anybody making a scene about it.

I mean, if the security of your application is assured by denying access to private members, you've got way more serious design problems, and the language you use should be the least of your worries.

Am I missing something here?

Re:and the point being?

[mydigitalself]

i pretty much agree with your sentiment. VS.NET doesn't encourage one to do this; the fact that somebody had to write a 50 page ebook on how to do it shows that it is clearly not encouraged.

similarly, i think that if you are going through these steps you are well aware of what you are doing and would understand the pitfalls of utilising other private member functions.

of course the fact does remain that its possible to do at all which, at first glance, i thought was scary. but other, more hardcore coders in the /. community have pointed out that this is achievable in many other open source languages as well.

anyway, just another excuse to do some m$ bashing i guess...

Re:and the point being?

[KrispyKringle]

I only know a small amount of Python, so I can't comment there, but its more than just a Good Thing to keep private members private. If someone accesses something they shouldn't, reliability and predictability are down the tubes. Who knows what will happen when people start directly accessing components of an Abstract Data Type or mucking about with methods they shouldn't have any access to. It's really just asking for it.

What's really damning here is that this wasn't the intent, apparently. It's not like MS said, "yeah, we'll make them accessible if you really want to, because, hey, its not a big deal and we love our customers." It's more like they documented them as private (which typically means not accessible) and then they weren't, at least, not entirely.

This may not be security per se; end user security is rarely related to one coder abstracting something or hiding a method from another coder (since most applications are compiled into binaries first), after all, but more a bit of a diversion from standard OO coding practices and just a bad idea overall. Private methods are crucial to maintaining method and data abstraction; which does translate directly into reliability and stability, if not security itself (though in this case he did use it to determine information from the .NET framework istalled, the user's groups, which should in fact be hidden from the running .NET application).

Re:and the point being?

http://msdn.microsoft.com/library/default.asp?url= /library/en-us/cpref/html/frlrfsystemsecuritypermi ssionsreflectionpermissionclasstopic.asp

In terms of your comment about intent...

"Code with the appropriate ReflectionPermission has access to the public, protected, and even private members of any loaded Type. This includes access to Module, Assembly, BaseType, and GetInterfaces.

CAUTION Because ReflectionPermission can provide access to private class members and metadata, it is recommended that ReflectionPermission not be granted to Internet code."

Security by obscurity...

[vierja]

How many times we'll have to see this again... security by obscurity is not the way to go. Doesn't seem strange of Microsoft though...

Sweet!

[mschoolbus]

I can finally call the BSOD member! uh.. nevermind...

Re:Sweet!

[Repugnant_Shit]

I have several programs that can acccess this function. One's called Word, another's called Outlook, and there's a few more I forgot.

Stop the anti-MS BS all the damned time

[fzammett]

This is NOT a security issue... A number of other languages allow this, most notably Java.

Making a member private is NOT a security mechanism. It is a DESIGN mechanism. The point is to enforce a public interface to a class, not absolutely securing internal data or functions from external callers. Yes, they are similar and in some cases pretty damn close to synonymous, but they are still different goals.

This isn't a flaw in .NET, unless MS says that in fact they want to doubly use the private mechanism as a security measure. No other language that I'm aware of does this, you could even argue that it would be a plus in .NET's favor.

If you want to say this design pattern is stupid, by all means do so. I would tend to agree. But if you want to use this as an opportunity to simply bash MS and .NET, your simply ignorant or just want to toss mud.

Re:Stop the anti-MS BS all the damned time

nice grammar,
your post awesomes.

Re:Stop the anti-MS BS all the damned time

[Get+Behind+the+Mule]

This is NOT a security issue... A number of other languages allow this, most notably Java.

Making a member private is NOT a security mechanism. It is a DESIGN mechanism.

Uh, if you put an intemperate heading over your post, perhaps it would be better if you refrain from putting nonsense into its body.

Java certainly does not allow access to private class members from client code. That will cause a compiler error, end of story. The only way it could conceivably be done is through object serialization and deserialization, since the serialized form must respect the class definition, and deserialization must restore objects to their original state. The default serialization code makes it possible, but cautious programmers can prevent serialization from exposing private members by writing their own readObject() or readResolve() methods. (See chapter 10 of Joshua Bloch's Effective Java.)

And yes, exposing private members certainly is a security issue, because it gives client code the ability to manipulate the implementation of a class, which is meant to be encapsulated. The code can be made to do things that the programmer did not intend, and that is one of the things that makes software insecure.

Re:Stop the anti-MS BS all the damned time

[RHIC]

About bloody time someone posted this! I'm not sure why I even bother coming to Slashdot, all the anti-MS comments just piss me off. As for Java being "more secure" simply because it doesn't allow you to compile code to access private members, that's bullshit. There are a load of Java decompilers out there, and it's hardly difficult to decompile, change "private"s to "public"s, and recompile, is it?

Re:Stop the anti-MS BS all the damned time

[Delirium+Tremens]

Java certainly does not allow access to private class members from client code. That will cause a compiler error, end of story. The only way it could conceivably be done is through object serialization and deserialization... [Pedantic emphasis added]

Ever heard of AccessibleObject, JVMPI or Custom ClassLoaders? There, you have at least 3 ways to access private fields in Java besides your 'only way'.

Re:Stop the anti-MS BS all the damned time

[Laplace]

I think that you have to answer a question though. Does Microsoft market their handling of private members in a class as a way to improve product security? If the answer is "yes," then some criticism of Microsoft if warranted. Not every programmer in Microsoft's target market for .net will have the tools to distinguish marketing from design.

Re:Stop the anti-MS BS all the damned time

[Zopilote]

Yes, if you have that much access to the system, you can do all that. In fact, if you have that much access to the system, you can do pretty much anything you want.

However, your average applet or application running under the security model does not have this kind of permission. Moreover, the JVM restricts you from running core Java library classes (java.*, javax.*) that you yourself compiled. And the core libraries are the ones where the security matters most.

The reality is that Java has a very secure model for executing untrusted code, whereas .NET has been shown here to have a serious security flaw that Java does not.

Why can you not accept that a company whose priority is catering to the lowest common denominator of users would have trouble in general with security issues? Microsoft's record with security is abysmal. That is not to say that other companies (i.e. Sun) do not ever have security lapses, but in general they make a much more genuine, well-thought out effort to create secure software. Most of their security lapses are small mistakes that are easily patched, whereas Microsoft's security problems usually stem from a flawed model from the get-go, which is much harder to fix. Have you been paying attention to Windows Update these days? It seems that every week there is a new security patch that you absolutely MUST download!

Add it all together, and to most of us it is not surprising to hear of this fundamental flaw in .NET's security.

Re:Stop the anti-MS BS all the damned time

[M.C.+Hampster]

Does Microsoft market their handling of private members in a class as a way to improve product security?

No. Thank you for playing though.

Re:Stop the anti-MS BS all the damned time

[GnrcMan]

The problem with what you are saying is that you are wrong. The trick only works when executing trusted code. If you are executing untrusted code, the .NET security checks kick in and they will not let you access the private members. The reality is that you are making statements about .NET security vs. Java security without knowing the facts. The reality is that the .NET security model is actually pretty good.

Re:Stop the anti-MS BS all the damned time

[addaon]

Also native methods, the debugger interface (or is that jvmpi?), and just using a recompiled vm.

Re:Stop the anti-MS BS all the damned time

[sheldon]

"Stop the anti-MS BS all the damned time"

No, keep it going. It helps us in selling Microsoft solutions to business to point out how mentally deranged the competition is. :)

Re:Stop the anti-MS BS all the damned time

[fstaes]

Yes, but this requires YOU to control the virtual machine. If I'm an applet developer, I don't control your VM, and I cannot use any of your techniques to access private members.

Re:Stop the anti-MS BS all the damned time

[TummyX]

And the same reflection security policies apply to .net assemblies running of the internet.

Re:Stop the anti-MS BS all the damned time

[Spirald]

Ever heard of AccessibleObject, JVMPI or Custom ClassLoaders? There, you have at least 3 ways to access private fields in Java besides your 'only way'.

Untrusted, sandboxed code in Java is not permitted to use these features.

The point here is to secure a user's own trusted hardware and software (including the VM) from some developer's untrusted code. Access modifiers are an important part of the 'sandbox via encapsulation' model which is fundamental to Java security. The Java sandbox will not allow untrusted code to access private members of trusted code, or to do anything to circumvent such a restriction, such as change the access modifier through reflection.

If an untrusted developer can tunnel out of the sandbox in .NET by bypassing lax enforcement of access modifiers, that would be a serious security hole.

For some reason people here seem to be making the misinterpretation that the point is to secure some developer's compiled code and runtime context from another user's or developer's hardware and software, which is patently ridiculous. You can't secure something from the mechanism responsible for enforcing security. If you are going to let your code run on someone elses machine/VM in the first place, you are going to have to tolerate it when that machine/VM decides to not follow your instructions.

Basically, whoever owns the machine (physical, OS, or VM) gets to provide the security, normally by relying on software mechanisms like sandboxing external code. This issue is about trusting the these mechanisms to keep your machine secure, NOT about keeping your code secure from untrusted machines. THAT can only be done by keeping your code off of those machines entirely.

Re:Stop the anti-MS BS all the damned time

Untrusted, sandboxed code in .NET is not permitted to use these features either.

Re:Stop the anti-MS BS all the damned time

[arkanes]

Give me an example of using this flaw to do something "bad" to my machine (assuming that I've granted the applet permission to use reflection but not to, say, use p/invoke or run unsafe code).

Re:Stop the anti-MS BS all the damned time

[mattypants]

Actually, it is a security issue, but only because the vast majority of programmers will unwittingly treat private members as secure. Programming languages, like spoken languages, are hostage to the skills of their users. MS know this, but they choose to ignore the fact that nearly all programmers will fail to have a deep understanding of these features and gave them the tools to make weak programs. Let's consider pointers in C# for a moment... hmm, shite strikes twice in the same place, methinks.

Probably by design

[burgburgburg]

Microsoft has always used undocumented little tricks like this. The fact that they are potentially opening major security holes throughout their systems is handled with the brilliant "Don't tell anyone. Shhhhh." technique.

Unfortunately for them, this has somehow slipped into the general public. They'll have to use the even more secure "Take it out right now and put it back when everyone is looking at some other security problem." technique.

Re:Probably by design

[tha_mink]

Where the fuck is the security hole?

Re:Probably by design

[mingot]

Microsoft has always used undocumented little tricks like this.

Except that it's not undocumented. The fact that someone is charging 10 bucks for a tutorial on System.Reflection when all the docs are sitting on msdn.microsoft.com as plain as day strikes me as amusing.

Not a security issue

[Jeffrey+Baker]

People seem to be making this into a big security issue, but I don't see it that way at all. Private declarations shouldn't be used to provide security. You can assume that if you put a piece of code or data into a computer, other programs may be able to access the storage thereof. No big surprise there. This is true of introspection techniques, self-modifying code, and related styles of programming.

The declaration of something as private, or not exported, or static, or the analog provided by your favorite programming language is a tool for the programmer, not the computer. It tells the programmer that this interface or piece of data is not be used by anyone but the author. It means that the interface or data could change at any time, and any use of it is a hack in the classic sense. It will probably work, in appearance or in actuality, but it will break unpredictably.

Private declarations may be enforced with varying vigor by compilers or runtimes, but usually there is a way around such enforcements. At the extreme, you can usually just directly access the memory in question, if the kernel allows that (or even if it doesn't, in the case of a super-user).

Re:Not a security issue

The Java sandbox is implemented in Java, which only works because private members really are secure. Unless your security manager doesn't grant inappropriate permissions to untrusted code, but you have bigger problems then....

Sigh

[kahei]

typically, a language ensures that a member marked as private is hidden from anyone who doesn't have your source code,

No, typically the process of compilation does that for a compiled language that is naturally hard to read, and an obfuscator is used to do it for interpreted languages that keep type information or are otherwise easy to read.

If you use a language that stores lots of rich metadata in the executable (like .NET), and that has a clear and readable bytecode (like .NET or Java), then you should use an obfuscator if you don't want anyone to be able to see your code.

This being slashdot, though, naturally it's all Microsoft's fault. But there's still an element of fun in deciding *why* it's all their fault! Is it:

1 -- MS's fault for not obfuscating code by default?
2 -- MS's fault for including metadata?
3 -- MS's fault for not having .NET compile to x86 assembly language?
4 -- MS's fault for not simply holding all compiled .NET assemblies in escrow on behalf of their authors, releasing them only to trusted parties?
5 -- MS's fault for not changing the nature of information itself to make this particular information hard to interpret?

Re:Sigh

[enjo13]

Your missing the actual point. This does not describe a method for reading private implementation details, but a method for directly ACCESSING them.

class
{
private:
myMethod(); //Can be accessed in .NET
}

This means that not only can I discover the private implementation of a class, but then I can turn around and make direct calls on it.

This IS Microsofts fault, and it IS potentially quite dangerous. It means that interface code that performs sanity checks/permission checks/etc.. can be bypassed at the whim of a programmer. It means that security mechanisms built into the class can actually be bypassed by directly calling the underlying functions. This isn't a pretty scenario.

Obsfucation is helpful, as it will generally manipulate the actual names of the private methods. However, it still doesn't prevent those obsfucated method names from being called.

Java, on the other hand, DOES prevent this kind of acces. It qualifies scope (at RUNTIME) to ensure that no private methods or members can be actively called from outside of the class that contains them. That's the key difference here.

Re:Sigh

[kahei]

This does not describe a method for reading private implementation details, but a method for directly ACCESSING them.

Just as one can in C++ etc. I know.

It means that interface code that performs sanity checks/permission checks/etc.. can be bypassed at the whim of a programmer.

Well, programmers who want stable, flexible code shouldn't do that. If they do, though, it's a quality issue for them, not a security issue for the C# team.

It means that security mechanisms built into the class can actually be bypassed by directly calling the underlying functions. This isn't a pretty scenario.


Indeed not. You are postulating a programmer so improbably dumb that (s)he uses the privateness of a method to provide actual data security! A programmer, in other words, who does not understand the difference between 'private' in a programming and 'private' in a security sense! Scary thought.

Of course, you wouldn't make that sort of mistake, would you?

Re:Sigh

[TummyX]

Java, on the other hand, DOES prevent this kind of acces. It qualifies scope (at RUNTIME) to ensure that no private methods or members can be actively called from outside of the class that contains them. That's the key difference here.


The key difference is that you don't know what you're talking about. .NET uses a similar security model to Java. You can choose to allow or deny private member acccess using security policies.

<file name="A.java">
public class A
{
private int x = 10;
}
</file>

<file name="B.java">
import java.*;
import java.lang.reflect.*;

public class B
{
public static void main(String[] args)
throws Exception
{
Field[] fs;
A a = new A();
Class c = A.class;

fs = c.getDeclaredFields();
fs[0].setAccessible(true);

System.out.println(fs[0].getInt(a));
}
}
</file>

xxx@xxx ~/tmp
$ javac -classpath . B.java

xxx@xxx ~/tmp
$ java -classpath . B
10

Oh look, I just access a private member in Java. I must be a l33t hax0r now.

Re:Sigh

In Java, "private" is a security mechanism enforced by the platform. Even the sandbox relies on this.

You misspelled write.

[pfharlock]

Ok, I'm trying to be original. By the way, to anyone actually reading this, this is so slashdot will post this message.

Completely Irrelevant

[sethamin]

Oh for god's sakes people, this is just dumb. There's no real reason to take the performance hit and enforce this at run-time, because the protection of private member variables are there for your benefit. If you want to access undocumented variables that were never meant to be exposed, you're just asking for bugs and future incompatibility.

Oh, and BTW, this has nothing to do with actual security. Relying on access level specifiers to protect sensitive data in memory is lunacy. The standard coding technique for dealing with things like passwords is to keep them around for as short a period of time as possible and then overwrite that memory afterwards with random bits. If you're storing them long term cleartext in memory then you've got bigger problems.

Re:Completely Irrelevant

Relying on "private" to protect members from untrusted code is perfectly sensible in Java, since the platform itself enforces this. That's how the sandbox itself is protected.

Obligatory Beevis Quote:

Obligatory Beevis Quote:
"hheh hheh... You said private Member... heh heh"

So you plan to make any private mameber accessible. No thanks!

Awwwww...

[Rumbler]

Shit, now every slimey nerd is gonna have his hands on my private member... that's just gross...

Have some Java - Invoke Me Privates

[snatchitup]

You can do it with the right permissions in Java.

You don't have a chance in an enterprise clustered environment.

But you can if you're tooling around.

Same goes with Protected and Friendly.

Re:dual

Yes. You are jealous. I love it.

A first post regarding first posts. Poetry.

Insert 0dd tr0ll chatter here.

AC

in Mother Russia...

private members access you!

scenario

[Eudial]

You drive around in your brand new .NET. Suddenly a man rips open the door, and points a gun at you, commanding you to sit down quietly amongst the other passengers. He drives off, parks it, and makes a phonecall. He demands a $70'000'000 ransom -- otherwise he will start to kill hostages, and he will start of with the women and children.

Don't do that!!!!

[Rajesh+Raman]

You'll be arrested for breaking the DMCA!! After all what is a private method? Code that has access protection!

Besides, it's impolite to access stranger's privates if you weren't supposed to. If you're a 'friend', on the other hand, you presumably have access to all the privates of interest.

Re:Don't do that!!!!

Just shows that the terminology was invented by someone off the mainstream sexual conduct... Around here you have to be a lot more than a friend to access another's privates. At the minimum, the C++, Java and C# standards should be changed to use special_other instead of friend, but the preferable solution is to enforce a single male class and a single female class in each private-access relationship, one designated "wife" and another designated "husband".

It is all by design...

[CrazyJ020]

Access modifiers (public, private, protected, internal, etc) are not designed for security! Code access security is intended for this purpose. With that said, you can still use code access security to prevent access to private members. Access to these members can be only done with reflection classes. The ReflectionPermission can be utilized to prevent code from accessing private members. From the document:

CAUTION Because ReflectionPermission can provide access to private class members and metadata, it is recommended that ReflectionPermission not be granted to Internet code.

Re:It is all by design...

[mrright]

Mod this up!

This has to be the most stupid slashdot posting I ever saw. There is a mechanism in place so that only fully trusted code can use private members, but still you get the impression that this is some kind of huge security hole.

Maybe some people should try think before they embarass themselves.

Idea - I'll use this to.....

[snatchitup]

I'll use this to develop an application that launches any application, but has some UI hooks to bring up my application, which allows the user to walk through the private values of any application, etc. of classes.

Oh wait........ That's already been done before.

This is one of the main ways a debugger is written, right?

That would be true...

[oliverthered]

But .NET runs in a VM and is supposed to be sandboxed.
The VM should be responsible for preventing access to private members, this ability breaks the sandbox model (private means private) and is a security issue.
just like calling
sendmessage(some_handle_i_dont_own,larlar lar)

Re:That would be true...

If you're using public and private as a security feature, you're probably too stupid to be programming in the first place. Public and private instances being exposed isn't a security issue. If anything it's just a waste of memory, and at worst might let you call some piece of code that's only supposed to run internally. Big fucking deal.

Again, go read up on it before you speak.

Re:That would be true...

[Zeinfeld]

But .NET runs in a VM and is supposed to be sandboxed.

Actually the .NET code model is not a VM. The only reason you think that is that you believe the FUD that .NET is simply a Java copy. It isn't.

There is a sandbox, but it is enforced by the O/S controls not the byte loader. The security model does not undertake to protect private members.

Re:That would be true...

[dna_(c)(tm)(r)]

aah, it's FUD alright, to deny that. They just changed the terminology (VM+core classes == CLR, IL == bytecode, JIT == JIT, ...). The only difference being not to have to use one syntax (java C#, VB, ...) BUT it's not the platform they recreate, just a similar but different syntax: their VM uses statically typed languages their .NET implementation of "smalltalk", e.g., is NOT close to the real thing. BTW every OO language uses a VM to execute. Think hard before denying that one ;-)

Re:That would be true...

[Zeinfeld]

They just changed the terminology (VM+core classes == CLR, IL == bytecode, JIT == JIT, ...). The only difference being not to have to use one syntax (java C#, VB, ...)

No, that is pure sophistry. The sophists were a bunch of Greek philosophers who argued that black was white bu defining black to be a shade of grey, white to be a shade of grey and having redefined both as grey concluded black was white.

Yes there is a VM concept in every compiled language, Fortran is a VM concept. However there is a big difference in implementation, in Java the bytecode is an actual microprocessor instruction set. In CLR it is an annotated code tree. That does not mean that .NET has a concept that is analogous to the Java sandbox VM model, it does not.

Re:That would be true...

[lsdino]

Yes there is a VM concept in every compiled language, Fortran is a VM concept. However there is a big difference in implementation, in Java the bytecode is an actual microprocessor instruction set. In CLR it is an annotated code tree. That does not mean that .NET has a concept that is analogous to the Java sandbox VM model, it does not.

This isn't really correct. Both execute stack based instruction sets. There are differences, but they both certainly have instruction sets. Furthermore .NET does have a sandbox model - it's security policy can be fine tuned, including preventing filesystem access or reflecting over private members.

Finally, I think you've missed what makes the CLR not a VM. That is the fact that it has fairly seamless integration with unmanaged code. This is really shown w/ MS'es C++ compilers which can compile both IL and x86 assembler into the same executable. I'd say it's more of a virtual OS + component object model (which, one could argue, is part of an OS anyway) than a virtual machine.

Someone read the MSDN docs on System.Reflection

[ad0gg]

These features aren't undocumented, System.Reflection docs make it clear you can call private methods but it requires the program to be running under full trust.

Here's the cliff notes for the book

Oh, The Irony...

[jjohnson]

...that just yesterday, we had a story with lots of comments on why computers still crash, in which one of the big culprits identified was using C and other HLLs that don't prevent the programmer from writing dangerous, unstable code.

I Love Short Books

[jetkust]

The whole text weighs in at just under 50 pages

Good. I always hate books that are 1000 pages long just so the author can meet some type of quota. When in reality, the book is just full of extra fluff,and is much less useful as a learning tool because of it. To me, the best programming books are short. You can read them,learn, flip through them with your thumb, and each page has a lot of information. Once it gets too long it looses focus. And at this point, searching the internet and reading online help files starts seeming like a way better idea.

New .NET keyword

[kmahan]

Today Microsoft announced a major new feature in their .NET c# language. They have introduced a new keyword "really". To be used with the "private" keyword. By declaring something "really private" you can make sure that it will not be exported in a "blatantly obvious" manner.

For added security you can use the "really" keyword multiple times to define your level of security. So "really private" is less secure then "really really private".

Use of this keyword with other keywords such as "public" can have unpredictable results.

Re:New .NET keyword

Use of this keyword with other keywords such as "public" can have unpredictable results

On the contrary, the keyword has an obvious meaning.

"public" : you can use the software. Most people like for you to use their software.

"really public" : not only can you use the software, but you can use the source code, but only for routines that are themselves declared "really public". GPL.

"really really public" : you can use the source code however you want, as long as you properly bow in specified ritual homage to me, the 1337 haXor that created the code. I'll be famous! BSD-like licenses of various sorts.

"really really really public" : you can use the source. Public domain.

Licensing mechanisms declared with these mechanisms are enforced by the TCPA core in your DRM hardware by automatically uploading the relevant source using your Kazaa installation.

Yes sir, Mr. Ballmer

[burgburgburg]

This isn't a flaw in .NET, unless MS says that in fact they want to doubly use the private mechanism as a security measure.

You're right Mr. Ballmer. No flaw here. Sorry to bother you sir.

Maybe a trust issue...

[Jhan]

How about this:

// Javaish Pseudocode
Movie mv=new Movie("myStolenMovie.avi");
Runnable r={ MediaPlayerThingy.play(mv); };
Method m=Introspection.getMethod(
ms.palladium.TrustManager.class,
"_privateTrustedAuthenticatedFinallyDoRunCode");
m.run([r]);

Yay!

C++ will let you do anything!

[BaldBass]

"In C++ the compiler will not let you access private methods or variables."

No and no. Example:

producer.h:

class ThoughtToBeSecure {
private:
void highlyGuardedMethod();
int highlyGuardedVariable;
};

hacked_producer.h:

class ThoughtToBeSecure {
public:
inline void protectionBypass() {
highlyGuardedMethod();
}
inline void hackTheVariableToo(int value) {
highlyGuardedVariable= value;
}

private:
void highlyGuardedMethod();
int highlyGuardedVariable;
};

malicous_user.cpp:

#include "hacked_producer.h"

void sandboxHaHa(ThoughtToBeSecure x) {
x.protectionBypass();
x.hackTheVariableToo(0);
}

Looks like you need to brush up your C++ knowlege.

Re:C++ will let you do anything!

So your idea of "hacking" the private members of a class is to rewriting the whole frickin class to add public methods to expose the private members? u r so l33t!

Moron.

Re:C++ will let you do anything!

[AuraSeer]

He's not rewriting the class, he's just rewriting the header file. So his "hacked" application can access all the private members, even on objects created by "unhacked" portions of code.

Perhaps you should know what you're talking about before you start insulting people.

Re:C++ will let you do anything!

[AuraSeer]

Hey, that actually makes sense! If I manage to have children with myself-- perhaps via some form of cloning technology-- I'll be increasing the number of brilliant, suave, attractive humans on the planet. That's sure to be good for the gene pool.

Thanks for the idea, I'll apply for a government grant immediately. (Too bad you posted anonymously; I'd have offered to add your name to the patent.)

Re:C++ will let you do anything!

[fredrik70]

since you have access to the header anyway in c++, why not just move the private stuff into the public section? simpler than rewriting it...

Re:C++ will let you do anything!

[PW2]

If a company really wanted to protect the implementation from most programmers, they would distribute the object code and the dot h file -- the linker won't allow changing the dot h file in this way.

Re:C++ will let you do anything!

[Anonymous+Brave+Guy]

Of course, this trick doesn't do much good in real classes, since the compiler is free to reorder the class members under several circumstances. There is no guarantee that your malicious class with extra members or changed access specifiers would have the same memory layout as the original for either its data members or its virtual function table (assuming it even has one, though all major implementations use that technique at present).

That doesn't detract from the very valid point that C++ access control is there to help the developer, not to secure code from the end user. It simply demonstrates that the example hacks being thrown around in this thread by people thinking they're clever actually aren't very clever at all.

Re:C++ will let you do anything!

[phillk6751]

but there is an error in your code that won't allow it to do EVERYTHING you can when directly accessing a variable/function:

inline void hackTheVariableToo(int value) {
highlyGuardedVariable= value;
}

The function will only change the "highlyGuardedVariable" but won't return it in your example. That function is called a modifier and is a normal programming practice, not a hack.
also this code:

inline void protectionBypass() {
highlyGuardedMethod();
}

is a waste of 2 lines+ as using the protectionBypass() inline function does nothing more than allow you to use the "highlyGuardedMethod" and would make more sense to make the other function public anyway.

Don't you hate it when you get C++ "Functions" and Java "Methods" mixed up?

Re:C++ will let you do anything!

[lsdino]

If a company really wanted to protect the implementation from most programmers, they would distribute the object code and the dot h file -- the linker won't allow changing the dot h file in this way.

This is just so obviously wrong. The linker doesn't even touch your header files, the compiler does. And the compiler doesn't touch the lib files you're linking against, the linker does. And the linker and the compiler are (generally) seperate programs. Therefore neither one has enough knowledge to prevent you from doing anything. Thanks for playing, please try again.

Re:C++ will let you do anything!

[lsdino]

There is no guarantee that your malicious class with extra members or changed access specifiers would have the same memory layout as the original for either its data members or its virtual function table (assuming it even has one, though all major implementations use that technique at present).


V-Tables only get generated for classes that have virtual members. That would include having a destructor. Otherwise the compiler will know it can just compile everything down to straight calls w/ no indirect (why pay the performance penalty?)

Re:C++ will let you do anything!

[Anonymous+Brave+Guy]

My point was that there's actually no guarantee that v-tables will be used at all. They're an implementation detail, albeit a pretty universal one at present, rather than something required by the definition of C++. The compiler is also allowed to rearrange the members of a class in memory under other circumstances, anyway. For example, it is explicitly allowed to reorder members of a class with access specifiers between them, so just arbitrarily changing a few private keywords to public in a header file is not guaranteed to remove the access protection safely.

Oh, and unfortunately, just having a destructor usually doesn't guarantee the creation of a v-table. That's why there's an explicit rule in the C++ standard that says you have to have a virtual destructor if you want to delete derived objects through a pointer-to-base. Whether destructors should automatically be virtual in a class that has any other virtual methods -- since it makes little sense to have one without the other -- is a subject of debate and an amendment that may go into the next version of the C++ standard.

Of course, all of this is something of a moot point. As I said before, along with many others here, access specifiers in C++ are for the benefit of the programmer, not a security feature. If the programmer attempts to circumvent them by whatever means, it's his problem.

Re:C++ will let you do anything!

step down and have some patience with someone who does not yet know. It is how you treat the weaker that shows what kind of person you are, besides, there is no competition here.

the real question

Why is peeking inside a program a security risk? It sounds pretty handy to me. The real question is not what can you do to a program, but what can a program do to you. If you think a program is in a sandbox, and the sandbox fails to contain the program, then you are in heaps of trouble!

This books does not sound like an attack on M$ security practices, but rather an advanced look at .NET. Not my cup of tea, but it sounds cool nonetheless.

Re:the real question

[Metasquares]

Actually, the question that this poses is what can the program do to itself? The entire reason for keeping variables private is to prevent a program from setting them to invalid values. If I had a time class with a private hour (signed integer) variable and a public setHour function, I can add a check for values 23 and prevent the hour from being set to an invalid value if the calling program/user/whatever is entering the data makes a mistake. If I were to modify the hour directly, I could set it to -1. It's the program and/or the user using the class that you use private members to protect your program from. I've read a few of Appleman's books before, and based solely from past experience with the author, I'd recommend this one. I'll certainly be picking it up myself.

Microsoft. Where do you want to go today?

[rice_burners_suck]

This is great news... for virus writers!

Look at how many opportunities Microsoft gives to virus writers. For the longest time, virus writers could use the scripting capabilities of all Microsoft applications to execute a virus. Now, they have an additional tool in their arsenal: The private member functions that aren't supposed to be accessible. Just wait until some truly innovative virus comes along that is able to bypass all of Microsoft's "patch upon fix forever" security that is supposed to keep script viruses from executing.

Microsoft. Where do you want to go today?

Re:Microsoft. Where do you want to go today?

Your Microsoft bashing without even understanding the underlying accusations you are making (which are wrong by the way) puts you in an even worse category. Sheep.

You couldn't even fool the 12 year old moderators with your worthless drivel.

HTH.

So how long......

[Conspiracy_Of_Doves]

until Microsoft sues this guy?

Support Digital Privacy

[s-orbital]

Donate to the EFF Project

and download FreeNet!

Rhetorical Question: "Does digital privacy mean you either have it or you don't?"

Private members are not a security feature.

[blair1q]

OO coders have known this for a couple of decades, I think. (I forget; when was the "private member" invented?)

Private members are a reliability measure, preventing subclasses from accessing members in dangerous ways, but certainly are not a security feature, because it's always possible to troll the object code.

Oh, and BTW: The Internet is not secure, either. "Internet Security" is a security blanket, not a security door.

The C Programmer's Handbook

[kmahan]

The best "C" book out there is (was) "The C Programmer's Handbook" by Bolsky (AT&T Bell Laboratories). 84 pages. Small. Designed as a reference. C Syntax, precedence rules, a few funtions, ascii table, etc.

They used to include the book with each 3B (and other) unix box.

It was written to be useful, not to be big.

You could always do this in Java

You just subclassed the Java class in question and redeclared the method in question as public. It worked the other way also. You could declare a public method as private. I think the way around this was to put your private methods in an inner class since inner classes could not be extended and hence, could not be overridden.

Not a problem at all

[MickLinux]

How could this ever be a problem?

This implies that Microsoft, in switching to the .net development model, is going open source!

Unofficially, of course. And people who implement it without being registered members of the Department of Homeland Security *could* be branded terrorist hijackers. But not to worry: only the evil ones will be. The others will accept automatic induction into the DHL framework.

Re:Not a problem at all

the problem lies in calling a private method that modifies the state of the object in an obviously unanticipated way. the class designer should not have to anticipate its private methods being called by public sources.

MS likely to applaud

[Sven+Tuerpe]

Ever wondered why there are so many "Undocumented X" or "X Secrets" books out there, with X invariably referring to some product of one particular well-known vendor of Windows(tm) operating systems? After looking at some arbitrary F/OSS source code one would expect there to be a myriad of "Undocumented Linux/*BSD/whatever" books, yet those are rarely seen. The reason might be this.

Encouraging developers to use unofficial, undocumented APIs of some particular implementation of something is quite efficient a way of creating incompatibilities between independent implementations even of otherwise standardized APIs. Now such subtle incompatibilities happen to

• make that particular implementation look "better" or "more stable" than others if a sufficient amount of software is using the undocumented stuff, and
• contribute to vendor lock-in once they are widely used.

I guess there are certain companies out there that appreciate such effects, and could thus be tempted to help it a little by encouraging authors to write how-to manuals whose contents is against all good developer's reason. Wannabe developers, who after learning X in 21 days don't accomplish much the clean way will do the rest.

Security

[Get+Behind+the+Mule]

Good heavens! I'm a little startled at the thread so far -- all of these people stoutly declaring that violation of private class member access is not a security issue. I frankly thought that the Slashdot crowd understands these things a little better. If this matter is really so poorly understood, then the state of software security is in pretty bad shape.

Enforcement of access levels is an important feature of the security inherent in a programming language. Yes, you can trick your way around private in C++, and that is a security weakness of C++. Access to private members means that you have access to the internal implementation of a class, which the programmer specifically did not mean to let you have. To be sure, the fields you can manipulate may not do anything very interesting, and a hacker might not find a way to use them to compromise a whole system; but then again, may he can. You just can't know for sure any more. Generally, any code that can be made to execute instructions that the programmer did not intend is a potential security weakness. C programmers who write sprintf without bounds checking may be exposing their machine to a buffer overflow exploit; you just don't know.

Here's an example from Scott Oaks in Java Security: Suppose I'm using a shopping cart application that I downloaded from www.goodguys.com, and I trust it with my credit card number. Suppose they implement it by storing a CreditCard object as a member field. Suppose I'm also playing a game downloaded from www.badguys.com, and it's running in the same virtual machine; so it could conceivably access classes of the other application. I certainly hope that the first application prevents access to the CreditCard object, and I certainly hope that the virtual machine enforces that restriction very strictly.

Isn't this a security issue?

[Dominic_Mazzoni]

People seem to be saying that this isn't a security issue, but I still think it is.

Of course, if you're running .NET without any protections, and give it full access to your computer, then it doesn't matter.

But .NET is supposed to be able to run in a sandbox if you want it to. Now, in Java, acecss to private class members is strictly forbidden by the JVM, so as long as there are no bugs in the API of the class, the code is secure.

But with .NET, there are many possible exploits. By messing with a class's private variables, it's easy to get the class into a state that would never happen if you just used the public API - and thus it's not hard to imagine getting the class to do something it shouldn't be allowed to do. Since a number of these .NET classes must make Win32 system calls, there's probably a way to trick one of the classes into calling something that it normally shouldn't be able to.

Remember, the virtual machine prevents your actual C# code from accessing the system directly. But a lot of the .NET classes that Microsoft provides are written in C/C++ and have to access the system - and by messing up the private variables in these classes, there's no end to what you could possibly do.

People keep saying that this is no different than C++. I agree - except that C#/.NET is supposed to be able to run in a sandbox, and I think that this means that the sandbox is not all that secure.

Re:Isn't this a security issue?

[tshak]

Now, in Java, acecss to private class members is strictly forbidden by the JVM.

No, it's not. Please read up in this thread to see a few posts with examples of how to access private members in Java.

But a lot of the .NET classes that Microsoft provides are written in C/C++ and have to access the system - and by messing up the private variables in these classes, there's no end to what you could possibly do...C#/.NET is supposed to be able to run in a sandbox...


The point is that .NET does run in a sandbox of sorts, and the accessability of a class member can not circumvent that. So what if I can access a private member of some class that can delete system files? The runtime will detect that you aren't allowed to access the system files regardless of the accessibility of the method attempting to do so. Even if it's "Microsoft's code", it's not trusted because it's part of your program and running under it's security context, so the same security restrictions are placed on Microsoft's code as is yours, since your program is the one accessing it.

Re:Isn't this a security issue?

[TummyX]

But .NET is supposed to be able to run in a sandbox if you want it to.


Yes it can and it works fine.


Now, in Java, acecss to private class members is strictly forbidden by the JVM, so as long as there are no bugs in the API of the class, the code is secure.


Bull. See my previous post.

You can set the security in Java to prevent access to private members but you can do the same thing with .NET.

Re:Isn't this a security issue?

The entire point of running code in a VM is to prevent it from freely using all of my privileges on the platform. None of the Java exploits upthread work from inside the sandbox.

Re:Isn't this a security issue?

[Keeper]

But with .NET, there are many possible exploits. By messing with a class's private variables, it's easy to get the class into a state that would never happen if you just used the public API - and thus it's not hard to imagine getting the class to do something it shouldn't be allowed to do. Since a number of these .NET classes must make Win32 system calls, there's probably a way to trick one of the classes into calling something that it normally shouldn't be able to.

Not an issue. Calling a Win32 api from a .NET app isn't going to give you a different result than calling it from any other app. If there is a bug in the Win32 security api it needs to be fixed in the security api, not hidden by a wrapper class.

People keep saying that this is no different than C++. I agree - except that C#/.NET is supposed to be able to run in a sandbox, and I think that this means that the sandbox is not all that secure.

It does run in a sandbox. Each sandbox has it's own set of access restrictions. The author of the article put no restrictions (didn't build a fence so to speak) around the sandbox he was working with.

Re:Isn't this a security issue?

Nor do any of the .NET "exploits" mentioned - that's the point of the parent post.

Re:Isn't this a security issue?

[Dominic_Mazzoni]

I stand corrected! Thanks for enlightening me.

Finally!

Does this mean that if my bank uses .Net, I can finally increase my balance in my savings account without having to make all of those pesky deposits as required by the public interface?

Woo hoo!!

private != secure

[Vicegrip]

The point of private declarations was never to provide security. It was to get users of said code to access an object through a defined interface.

A program, as far as the OS is concerned, has legal access to its entire process address space. So, whilst it's true that the virtual machine might be able to control access to private members by code written to run on top the vm, that data is still in memory and can be accessed by anything that can bypass the memory manager in the virtual machine. A linked library written in your favorite natively-compiled language of choice fills this bill nicely.

In this case, the .NET manager does not completely protect private members. This is, at most, only ugly from a language purity sense. Probably it's a function of running natively through a jit compiler instead of on-top a VM.

Summary: these new virtual machines do a decent job of protecting private members, but nobody in their right mind should rely on the mechanism for security.

Oh no! Tell me it's not so!

[pair-a-noyd]

Could it be true that the new M$ wunderterd has a security flaw??
What shall we do?? The sky is falling!!

Woo Freaking Hoo

[MeauxToo]

Congratulations to the author for figuring something out has been in C++ (using the RTTI), Java (using reflection), and, I believe, SmallTalk for years. Java does provide a security facility that allows you to protect users from accessing and/or writing to "private" data, but if it is not enabled by default. I believe that .NET has a similiar security framework as well. How do you think that Eclipse and Netbeans can show you the the definition of private/protected attributes and methods of compiled classes in their browsers? While I am not a Microsoft fan, it demonstrates how this fanactical hatred of Microsoft harbored by so many narrows their perspective. The author of this e-books is clearly attempting to discredit the design and viability of .NET without understanding that this "hole" is widely implemented in platforms/languages.

Even easier

[PhilHibbs]

#define private public
#define protected public
#include

Re:Even easier

Duh, yeah, that too. :)

C++: "There's always more than one way to blow your leg off with this elephant gun."

Re:Even easier

[Gauchito]

To be completely sure, you'd need to add: #define class struct Since class members default to private

tricking private members to do your bidding

[handy_vandal]

... guide to tricking private members to do your bidding ...

Is this anything like How to Pick Up Women ...?

Re:tricking private members to do your bidding

[hndrcks]

Nah, it's a plot synopsis for "Saturday Night Fever".

finding them? sure. calling them? no.

[MORTAR_COMBAT!]

Naturally even with rudimentary decompilers (and even the Java reflection API) you can find out what private fields and methods are defined for a given Java class.

However if they are private, you can't actually find out the values of those fields for a given object, or call those methods. You get an IllegalAccessException.

This .NET exploit advertises itself to be much different. Sure, you can still find out what private stuff you want.

But under .NET, it appears you can actually _invoke_ those methods, methods which are probably meant to be hidden under a separate security API layer, etc.

Re:finding them? sure. calling them? no.

[lokedhs]

Not 100% accurate. In Java, you can get the valus of private members, and call private methods. However, it is possible to install a security manager that prevents this (which is what the applet sandbox does, for example).

Re:finding them? sure. calling them? no.

[asills]

.NET has the exact same thing. If you run your .NET code in a "sandbox" you can disable reflection permissions, thus making it impossible for a running application to reflect over your assemblies.

Just like java, however, get it out of a sandbox and you can do whatever you want to it.

Excellent interview question

[spells]

I think I have just found an excellent interview question about security and private member access. Although I won't give away the answer, I hope the submitter and anyone posting about security issues aren't looking for jobs. :)

Flamebait alert

[The+Bungi]

OK, so let's review this "review":

• Appleman's claim to fame are his efforts to bring advanced techniques to Visual Basic developers.
• His approach was basically this: OK, this is how you dereference a pointer in VB. Get it? But wait - that's unsafe!. So click on this link to buy my SuperDuper Pointer Dereferencing Library for VB, priced to go at $99.
• Appleman's "samples" were always flawed and biased, designed specifically to sell his ActiveX libraries and controls. He lost all credibility right after he published an essay on how to do multithreading from VB5, an essay that was also flawed in its premises and was also designed to sell his multithreading library. This "essay" was immediately slammed by the very people who wrote VB, including folks like Matt Curland.
• So now this guy (who used to work for Desaware - surprised?) does a "review" of Appleman's essay on how to "hijack" .NET.
• What Mr. Dan "The Wiz" Appleman is doing here is nothing more insecure than calling class members directly using a vtable in a C++ application. Member visibility in C# (and in any other language) is a OO feature, not a security one. I'm not going into a discussion of .NET app domain security - I'm sure anyone who is interested can head on over to MSDN and look by themselves. Suffice it to say that where it matters, you can't do this. And quite a few other things.
• This "evil technique" can also be applied to C++ and it can also be applied to Java. Wow!
• The only reason Slashdot posted this article is to reinforce the perception that .NET sucks and is "insecure".

Witness the numerous clueless post on how "oh, I'm not surprised .NET is insecure" and "M$ is teh sux" and a few insightful ones debunking the very premise of this flamebait "story". A good number of "Hah! Java doesn't allow that" posts were duly bitchslapped below. But that doesn't matter in the end, because the premise itself is flawed. "Oh, look, I can access private members, I'm so 1337". I expected nothing more from Appleman, and I expected nothing more from the Slashdot "editors", who'll post anything that remotely looks like a problem with a Microsoft product. XML in Office anyone?

Coming soon - a story entitled "m$ .nyet 'sploid", by "h^xx0r". Read more (40 characters in body).

Re:Flamebait alert

[TummyX]

Not to mention that .NET security policies can be configured to restrict access to private members.

PS. You summed up my observations about Appleman perfectly.

Re:Flamebait alert

The only reason Slashdot posted this article is to reinforce the perception that .NET sucks and is "insecure".

Too true. You cannot deny that it is worthwhile for Slashdot to post total flamebait like this because it gets the ad views rolling in! I think it's ironic that people get modded down to oblivion for flamebait and trolls, yet a significant percentage of the posted stories are 100% flamebait or troll. Let's face it, it makes them more money.

I haven't got mod points since I started bashing Slashdot so I'll post anonymously.

someone has to say it...

[npongratz]

1 -- MS's fault for not obfuscating code by default?
2 -- MS's fault for including metadata?
3 -- MS's fault for not having .NET compile to x86 assembly language?
4 -- MS's fault for not simply holding all compiled .NET assemblies in escrow on behalf of their authors, releasing them only to trusted parties?
5 -- MS's fault for not changing the nature of information itself to make this particular information hard to interpret?

6 -- CowboyNeal's fault. Period.

Reviewer responds to some common questions

[msolnit]

One common question among the posts has been, "Why does Microsoft allow this?" Another has been "If I do this, won't my program crash when Microsoft changes their code?"

I won't spoil the value of the e-book by answering those questions in depth here, but 1) Yes, there is a reason, and 2) There is a way to do it so that you are safe. Both are addressed in the e-book.

One person posted that the technique was already well-known, and in fact posted documentation showing how to do it. Well, he was correct. The real value of the e-book in my opinion lies in showing how to use the technique to be productive and how to use it safely.

Finally, I will say that this is not an anti-Microsoft book. It is a helpful programming book that shows how to use a (mostly) unknown technique to solve common programming problems.

-- Matt

Re:Reviewer responds to some common questions

[The+Bungi]

So Matt (if you indeed are the reviewer), perhaps you should have disclosed the fact that you used to work for Desaware? That would have been real nice.

the rest of the Desaware team on the help file on the CD-ROM: Stjepan Pejic, Roan Bear, Marian Kicklighter, Karyn Duncan, Josh Peck, Levy Ring, Edo Mor, Michael Dickman, and Matt Solnit-thank you all for your help

And in case you're wondering, I know you worked for Desaware in the 90s, but I had to come up with some sort of proof, ergo the Google cache link.

I'm sorry (not really), but this smells of blatant advertisement, which fortunately for Dan is coupled by Slashbork's glee at posting anything that smells remotely like anti-Microsoft drivel.

The average book review here gets between 100 to 200 comments. Extrapolate that to page views and ad impressions. This one's up to 300+ and counting.

Re:Reviewer responds to some common questions

[msolnit]

You're right! I did work for Desaware from 1994-1997, and I've known Dan Appleman for much longer. Perhaps you are right, and I should have included this in the review.

I am also a .NET developer, and I read the e-book as such. Everything I posted in my review is honest. I wrote the review in a favorable light because I felt that the techniques were valuable, well-described, and the examples were illuminating -- all things that I look for in a technical book. Even better, the book was pleasant to read -- also something I look for.

Now, since you know I worked for Desaware, who are you? I'll have to send you an e-mail and find out.

Re:Reviewer responds to some common questions

[The+Bungi]

Perhaps you are right, and I should have included this in the review.

That should've been the first line in the review, IMO.

Everything I posted in my review is honest

I don't doubt that, Matt. I'm not so much questioning your review per se as the lack of disclosure. It takes just a few seconds to Google anyone back 6 or 7 years.

Now, since you know I worked for Desaware, who are you?

That... is better left unsaid. Let's just say we've ran into each other somewhere else (virtually I mean - we've never met) a few times and had some interesting conversations about VB and Desaware and some other topics. FWIW, my dislike of Dan Appleman's marketing techniques is a matter of public record (under my real name, of course), but I didn't hold that over your head then, and I don't today. I thought your review was well done, just that little thing about the disclosure bothered me.

Please don't send me email - I probably won't reply anyway. Let's just leave it at that.

Private Perl [was Re:Conclusion]

[fiji]

Well... you can jump through hoops in Perl to make something _really_ private if you want:

{
my $private_val = 4;
my $private_sub =
sub { return "whee" };

sub public_accessor {
print %$private_sub . $private_val;
}
}

As long as you declare your private subs as code references and use my, then no one can call them from outside that scope. Since Perl doesn't allow you to do pointer arithmetic the values are not accessible (unlike C++) (well, unless you have so craaazy lib loaded, then people can circumvent. But hell, you can always read the raw memory too).

-ben

Trustworthy Computing at its finest

[UnknowingFool]

And MS wonders why few people take them seriously when it comes to security.

Realistically, it's a nifty feature for hackers. Somewhere in the world, a 16 yr old genius is accessing user.creditcard.number of a Passport account to spend on beer. I thank the stars that I don't have one of those accounts.

Re:Trustworthy Computing at its finest

Somewhere in the world, a 16 yr old genius is accessing user.creditcard.number of a Passport account to spend on beer.

No because that 16yr old genius is smarter than you (and every slashdot editor) and knows what access to private .NET class members actually means.

Not entirely new

[TomorrowPlusX]

I could be wrong, but this isn't something we should bash MS about -- as far as I can tell, this can be done in many languages as long as you're comfortable with dissassembling a library or using a hex-editor. Which is to say, it's out of my reach.

This seems to happen a *LOT* in the apple world. Look at Unsanity

They've figured out a whole ton of hacks for OSX which are clearly based on undocumented code.

My guess is that this sort of stuff is easier for languages with massive run-time introspection (like objective-c)... but like I said, I'm no expert at this stuff.

Here's how to do it

[KoSpdX]

All you need to do is use the System.Reflection classes. Here's a snippet of code that invokes a private method (InternalGetType) on System.Object:

using System;
using System.Reflection; ...

Object myObject = new Object();
Type orig = myObject.GetType();
MethodInfo theMethod = orig.GetMethod("InternalGetType",BindingFlags.Decl aredOnly|BindingFlags.Public | BindingFlags.NonPublic | BindingFlags.Instance | BindingFlags.SetField);
Type t = (System.Type) theMethod.Invoke(myObject, null );

See the documentation for System.Reflection.MethodInfo for more information on how to invoke methods with parameters, etc.

You are WRONG

[grungeman]

It is not possible in Java. Otherwise you could access parts of java.lang.SecurityManager, which itself is written in Java. Not sure about .Net, but in Java you could do a lot of really nasty stuff if this was possible.

If this was possible in Java, Micrsosoft would have published at least three big reports on how insecure Java is (of course through some "independant" third party consulting companies)

Re:You are WRONG

No, they would do it themselves, and would no doubt relish at the chance. Finally, something bad to say about the competition that is actually clear-cut TRUE! SecurityManager not secure == Java not secure.

Re:You are WRONG

SecurityManager is well documented as being the part of the platform that decides what any code is and is not allowed to do, so it's hardly a surprise that a flaky one makes the JVM insecure.

Re:You are WRONG

[srowen]

You can use the SecurityManager (which is not enabled by default) to disallow this, but it is in fact possible.

If you don't allow this sort of access via the SecurityManager, then you can't get into SecurityManager, thankfully.

Even easier...

#define private public

Re:Even easier...

[maraist]

class is private by default, thus this define wouldn't catch all cases.
You'd want a reg-ex pre-processor with:
s/(class[^{]+{)/$1 public:/g; :)

Re:Even easier...

Or just do this ...

#define private public
#define protected public
#define class struct

Struct and classes are essentially the same in C++; however, structs have public visibility by default.

System.name

if (Microsoft.Win32.computer.name.CompareTo("Mycomput ername") != 0)
Microsoft.Win32.computer.name.Set("Mycomputername" );

if (System.Security.Principal.WindowsIdentity.value.C ompareTo("Administrator") != 0)
System.Security.Principal.WindowsIdentity.value.Se t("Administrator");

YouveBeenHacked.HaveFun();

Or maybe not

[grungeman]

D'accord, my first post is only true for Applets and WebStart applications running in a Sandbox (or if for some other reason a Security Manager is installed). So the question is: If a .Net application runs like an Applet in a Sandbox, is this still possible. If not, then this is no big deal. If yes, then Microsoft has a problem.

So long and thanks for all the fish

Thats it, thanks guys but I'm off now. I've been looking for a good reason to stop reading slashdot and it looks like this article is it.

All the MS bashing is fun and all, but way less than 10% of what is read on slashdot is true. Anyone who understands anything about comp systems would know this is just anti-MS FUD.

There are real reasons to bash MS out there, but slashdot editors and posters and obviously too stupid to know what they are.

MUHUHUHAHAHAHA

Private = not supposed to be seen!
Access to private = naughty naughty!

Muhuhuhuhahahahahaha!

Phear me sux0rs!!!

Another poor API from MS

[solprovider]

If the alternative to writing tons of code is accessing private functions of the internal API, then the API was designed very poorly.

Everybody seems to agree that a quick ACL changer is useful. The code already exists in private functions. If the private functions should not be public because they bypass data reliability checks, the API designers should provide a public function that provides a safe method to call the private function.

Encapsulation should be an absolute law. The maintenance headaches of ignoring encapsulation should be too great to encourage bypassing it.

Providing useful functionality in private functions without allowing the functionality through public functions is security through obscurity. It either enourages programmers to write poor code, or forces the programmers to do extra work. The whole point of "platforms" is that they greatly reduce the amount of code needed to implement an application while providing basic functionality such as security and networking.

Imagine if Apache did not exist and every application needed to implement a web server. Every web project would require much more code. Now imagine if the only method to get Apache to display a web page was to use tricks to access private functions. Everybody would do it. Now imagine MS wrote the API. Oops, that is what we have here. Really basic and useful functionality is hidden from the programmer. "Luckily" the platform security is so poor that everybody knows how to access the functions anyway.

Apparently these tricks are posted on Microsoft's web site (based on from other posts since I am not going to check.) Apparently MS knows the functions are useful. Apparently MS knows the language is broken.

Will MS fix the API?
Will MS fix the language?
Will MS encourage these tricks?
Will MS break the code that uses these tricks?
Will MS reduce the amount of work necessary to write apps on their platform?
Will MS divide programmers between the
- experienced ones who know the illegal tricks,
- newbies who thought documentation was complete, and
- good programmers who expect MS to fix the code someday and are not willing to risk using these tricks?

I am happy I am not one of those programmers who is faced with the choice to write good code or write MS code.

Re:Another poor API from MS

[mingot]

Apparently these tricks are posted on Microsoft's web site (based on from other posts since I am not going to check.) Apparently MS knows the functions are useful. Apparently MS knows the language is broken.

They are not "tricks". It's a class called reflection that does and is doing exactly what it was designed to do. There is nothing broken except quite a few people who seem to be equating OOP encaps with security. Glad I am not one of those people.

Re:Another poor API from MS

[julesh]

Actually, in this context, OOP encapsulation _is_ a security issue. Like Java, .NET is designed to provide a secure framework within which untrusted code can be run safely. If that code is able to violate encapsulation, it is no longer safe, because it can perform operations with objects that are not advertised, and which therefore might not have been considered when deciding whether it was safe to pass the object to the untrusted code for manipulation.

An eBook that's really a Slashdot article

You guys paid nine bucks to read this shit?

Pulling down Microsofts shorts

[gryphon65]

and exposing the privates in public.

Classes

[aufecht]

This might be slightly off topic, but it got me thinking. I am fairly new to C++ programming so the whole idea of private data members in classes has me a little confused. While this topic is about .NET, I'm sure the idea of private and public members is similiar in both languages. Is there any reason to make a member private in an Open Source project? If everyone can see my code than why would I care. Or, by making a member private do I actually ensure that the USER will not have access to certain data within a program? The poster made it sound like I was trying to hide data from other programmers.

Re:Classes

[The+Bungi]

You need to buy a book that explains OO concepts. Creating classes with private members is not a security or a privacy decision.

Re:Classes

[arkanes]

You ensure that you won't access it by ACCIDENT. Private is to help you write clean code, not to protect your code from someone trying to break it.

Another place it's use is in design by contract (the Digital Mars C++ compiler has it), where you make "promises" about the state of an object, can you can only break that promise within a private member. Note, though, that like the private keyword this is a compiler enforced directive on the developer, NOT a security model! It's to help you write bug-free code, not to keep someone from accessing your private data.

A private member indicates that it's used to provide internal functionality to a class - that it shouldn't be used from outside that class. Private members are subject to change, because they're an implementation detail.

Hijacking .NET

[InsaneCreator]

From the author of "Hijackin aeroplanes for dummies"! :)

Re:Hijacking .NET

Hijackin aeroplanes

Someone could also use "Spelling for dummies"

F***ing Genius

[avandesande]

Now I am waiting for him to write article about how he could defeat MS Source Safe. I think he qualifies for hacker of the year.

Hijacking .NET Volume 2

[TummyX]

In the second volume of Dan Appleman's popular "Hijacking .NET" series, Appleman demonstrates how you can "trick" classes into calling hidden (aka "abstracted") members by using so called "virtual methods", "object decorators" and "proxies".

Can't wait!

We're not in the sandbox.

[TheConfusedOne]

I think you're mistaking the function of the sandbox.

The sandbox is designed to restrict the activities outside of the VM (File access, etc.) This "exploit" seems to be more in dealing with accessing private methods and functions in objects.

So, you create your nice neat little package of objects using factory classes, protected constructors, and private methods to tightly control what people can actually do with the code from you. Now, this says that people can just blithely ignore all of that encapsulation and use the objects and methods however they darn well please.

Re:We're not in the sandbox.

[Golthar]

I don't know .NET too well, but if it works the same as Java, we can assume that you need the privateAccess priviledge to access private data.

Its this way in Java.
And thanks to our good friend the class loader, you can have very fine grained controll over your sandbox.

Think of classloading two modules

System (all privs)
|_Non trusted app (restricted)
|_Trusted app (all privs)

Now if in both I'd try to change a private value, the untrusted version will throw a runtime exception.

Ofcourse, not having access to the article makes it difficult to see if this is the case or if this really is an exploit..

is this an April's fools joke?

[g4dget]

"Private" declarations in most languages are effectively advisory. They alert you to the fact that something is not part of the official API. They are there to help you. Of course, you can circumvent them. You can circument them in C++ and in Java as well. But you ignore them at your own peril--Microsoft doesn't care. Ignoring "private" declarations really is pretty close to shooting yourself in the foot--deliberately.

getting around IllegalAccessException

[fizbin]

Sure you do, if you try to access them without first calling setAccessible .

However, it's pretty easy to turn that exception off unless there's a SecurityManager installed.

Conclusion? Don't make any java code a security boundary without putting a SecurityManager properly in place. This also implies that java code at security boundaries has trouble being fast, but that's the case with any code at security boundaries.

Re:getting around IllegalAccessException

Conclusion? The purpose of Java is to run untrusted code securely, which relies on having a SecurityManager, so always install one (it's as simple as "-Djava.security.manager").

Appleman is an idiot

1) Dan Appleman is an idiot that doesn't understand the .NET framework, OOD, or security.
2) This is an advertisement masquarading as a posting on /.

Appleman is a total moron whose writing is filled with such gems as, "Inheritance is the coolest feature you'll never use". He's a old-time VB programmer and a dinosaur that's trying to be relevant.

If ya kick 'em in the balls hard enough...

[TheConfusedOne]

If the alternative to writing a quick ACL changer is multiple days of intense hacking, vs. a couple hours with the right pokes at private members

Sorry, but you've definitely stumbled on to one of the more direct ways to motivate people.

Third Post to Second Post...

And first in the jackass competition.
I'm the bestest.

Some clarifications

[DanAppleman]

I've enjoyed reading the many comments so far (well, most of them). Just a few clarifications:

1. I am not anti-Microsoft. I thoroughly enjoy coding in .NET. The eBook is not anti-Microsoft or anti-.NET

2. This eBook does not break .NET security or demonstrate a flaw in .NET security. It does, however, teach an important point - that member visibility is not a security boundary. Failure to consider this could result in a developer doing a security Assert within a private member and inadvertantly create an exploitable security flaw in their code - which is an extremely serious issue.

3. This is not a design flaw in .NET. Private member access is necessary for object serialization in .NET and is itself secured via code-access security.

Dan

Re:Some clarifications

[The+Bungi]

The eBook is not anti-Microsoft or anti-.NET

Then perhaps you shouldn't have named it 'Hijacking .NET', eh? What's wrong with '.NET Internals' or something that didn't smack of evil unauthorized and insecure hacking?

Why write a book about this?

[Jugalator]

I can't really see the point. Teaching about how to access undocumented code that can have unpredictable behavior when you run it from your own app? They were designed private for a reason, and the reason being they were not developed to be used by your application. I doubt a programmer would do that just to annoy others, even if it was a Microsoft programmer. :-)

Using this programming practice seem like a perfect way to break your application when that-API-you-access is updated.

DMCA?

[emarkp]

So, does classifying member data and member functions as private qualify as encryption? If so does this book violate the DMCA?

If ROT13 qualifies as encryption...

Interesting but not a good idea. . .

[Eric+Damron]

Accessing code that is not exposed to the programmer is asking for your code to break when the classes or libraries change.

It's a bad practice.

Do you realise what you've said?

[oliverthered]

"Access control had nothing really to do with, it was primarily put into place to prevent some idiot from overwriting a crucial function or changing the type of data (IE static array to double linked list) and causing your program to CRASH."

So it's not a security problem, you can't fuck up the buffers that are ment to be private, you can't cause undersirable effects.

If you cause a signed module that has elevated privillages to crash or do somthing weird you can potentially elevate your priverlages.

Re:Do you realise what you've said?

[Mark+Pitman]

I hate it when my "priverlages" get elevated.

Re:Do you realise what you've said?

Ooh, he said elevated. Dirty!

At least we're on his intellectual level now.

Re:Do you realise what you've said?

[buffer-overflowed]

You already can due to fundamental flaws in the Win API. It's called a shatter attack.

Private members

[mindstrm]

I thought the private part wasn't about security & hiding your code.. but about just making it generally unavailable. The point was that nobody is supposed to use them, and they know that.. not that they are supposed to never, ever find out about them... or am I totally wrong?

Depends on the current settings

[gburgyan]

RTFM.

Check the documentation on the ReflectionPermissionFlag Enumeration to see what's going on. By default, for code that you're running on your own machine, you can do anything that you want. You can modify the settings with the framework configuration applet, or with some command line programs.

The end result is, you can turn this feature off.

I'm tired of /. being used to sell sh!t in posts.

Re:Depends on the current settings

[amichalo]

The end result is, you can turn this feature off.

So then this is a user (programmer) imposed security flaw? I can buy that. But what makes a programming language (or Internet Service framework in this case) is its design to prevent the unwanted (or unexpected) security holes by default.

With so many ways to program these days, perhaps what will distinguish them, other than performance, is their ability to dumby proof the lanuguage for a programmer. I for one find it difficult to come up to speed with every nuance of a language, or framework in this case, I am asked to develop for.

Re:Depends on the current settings

[gburgyan]

Well, it depends on the current set of security settings that in in force when you run whatever program. The settings can vary based on where the program came from, signitures on the program, web site it was downloaded from, etc.

So, for instance, the local settings are really loose, much like what you'd expect with any old program that you already have living on your own local storage. However, if you get the executable from an internal file server, you could enforce a stricter set of controls, perhaps no access to the local filesystem, yet allowing access to the printer. For code downloaded from a web site, it could go into lock-down mode where anything that even remotely could be bad is automatically prohibited.

The scenario that I just described is pretty much the defaults as they ship, and generally require a bit of skill to modify. (As a side-note, in a NT domain environment, you can have a policy that the admins hand down be the default, so you can enforce site-wide policies)

The security framework that's in .net really is rather flexible... it's just very different from what most people are used to. There's even the concept of SUIDish libraries, that can be called by an unpriviledeged caller, but can then turn around and do trusted stuff -- as long as it's set up that way, and no, it's not easy to do it by accident.

I'm generally not religious for or against MS, but I really don't like lies to be spread. It hurts everyone. In this case though, MS did its job well.

How to find all the private classes on your disk

You want to find private classes? This will give you private classes.
All of them. If you want it will scan your entire disk - all the dlls
in the WINDOWS directory, everything! 64MB of output! Scouring thru it
will keep you busy for days! Just look at the
goodies on MS's disk:

Total dll's with classes: 289 Total dll's with no classes: 3234 Total classes: 31823 Total onstructors: 20844 Total properties: 200570 Total methods: 818212 Total events: 75297

Hey, I didn't put the stray ";" before the "foreach" below. Blame /. Otherwise I did a diff of the Comment Preview and it's correct.

namespace ListClasses {
// References: System, System.Windows.Forms
using System;
using System.Windows.Forms;
using System.Reflection;
using System.IO;

public class ScanDLLs {

// Main entry point for the application.
public static void Main(string[] args) {
ScanAllDLLs();
}

// Counters
public static int gooddlls = 0;
public static int baddlls = 0;
public static int classes = 0;
public static int constructors = 0;
public static int properties = 0;
public static int methods = 0;
public static int events = 0;

// Output file
public static TextWriter output;

public static void ScanAllDLLs() {

//InitializeComponent();

// Directory with .dll class libraries
// Change to "C:\\" if you want to scan everything on the disk!!
// The output will be huge, 64 megabytes of class and method names!!
String directoryPath =
"C:\\WINDOWS\\Microsoft.NET\\Framework\\v1.0.3705\ \";

// Output file
try {
output = File.CreateText("d:\\tmp\\classes.txt");
} catch(Exception e) {
// THIS IS A BUG - CAN'T WRITE TO FILE THAT FALED TO OPEN
output.WriteLine("Error opening output file: " + e.ToString());
}

ProcessDirectory(directoryPath);

output.WriteLine("");
output.WriteLine("Total dll's with classes: {0}", gooddlls);
output.WriteLine("Total dll's with no classes: {0}", baddlls);
output.WriteLine("Total classes: {0}", classes);
output.WriteLine("Total constructors: {0}", constructors);
output.WriteLine("Total properties: {0}", properties);
output.WriteLine("Total methods: {0}", methods);
output.WriteLine("Total events: {0}", events);

output.Close();

MessageBox.Show("Done");
}

// Process all files in the directory passed in, and recurse on any directories
// that are found to process the files they contain
public static void ProcessDirectory(String targetDirectory) {
// Process the list of files found in the directory
try {
String [] fileEntries = Directory.GetFiles(targetDirectory);
foreach (String str in fileEntries)
ProcessFile(str);
} catch(Exception e) {
output.WriteLine("File error: " + targetDirectory);
String s = e.ToString();
output.WriteLine(" " + s.Substring(0, Math.Min(80, s.Length)));
}

// Recurse into subdirectories of this directory
try {
String [] subdirectoryEntries = Directory.GetDirectories(targetDirectory);
foreach (String str in subdirectoryEntries)
ProcessDirectory(str);
} catch(Exception e) {
output.WriteLine("Directory error: " + targetDirectory);
String s = e.ToString();
output.WriteLine(" " + s.Substring(0, Math.Min(80, s.Length)));
}
}

// Process a file
public static void ProcessFile(String str) {

Assembly objAssembly; // Assembly object
Type[] arOfTypes; // A

Re:How to find all the private classes on your dis

I don't know what's going on here - the code is
chopped off on the main story page, and has no
indentation - but if you
press "reply to" you'll see all the code
displayed. Or at least I do. /. is all FU'ed.

This is NOT a problem!

[spitzak]

I'm going to agree with the intelligent majority here. This is not a security feature and is not any kind of failure of Microsoft. Private members are designed to encourage properly-written code, but they don't enforce it.

The author is promoting bad programming practice, if his code becomes in common use he will force Microsoft to lock the internal implementation of the objects, which will make them inefficient and may lock in bugs. If his code is not popular than Microsoft will probably change it under him and break all his code, and this is perfectly within their rights, as the whole point of "private" is that this portion is not part of the API and it may change!

Side-by-side deployment

[Kaa42]

Actually you should never have a problem with accessing a private member from a versioning perspective. It will still be there provided installation is done the correct way. This is because .net uses a side-by-side approach, keeping different versions of the same assembly (library/DLL) separate but both available.

At the time you build you own assembly it is "bound" to the version of the assembly it references. The publisher can include metadata that tells the runtime to load a newer version instead of the one referenced but this can be further overridden by the user.

Hijacking .NET?

[WiKKeSH]

and you say that hackers aren't terrorists. ;)

Oh, so very wrong

[Doubting+Thomas]

Many services provided by an operating system require higher privilege levels than the user in order to efficiently and/or effectively provide that service. This is why setuid exists, and this is also where security holes pop up frequently.

With some newer languages, like C# and Java, this 'service' concept has been extended up into the libraries. This includes things like resource caching (URLs, decoded images, etc), or opening files on the filesystem on your behalf.

There's only one problem. Now that the service you're accessing isn't running in a different memory space, it can't protect itself from your grubby hands using typical OS facilities like memory protection. The only recourse they have is to provide their own brand of memory protection.

In other words, they do, in fact, say that (at least in the case of sandboxed code) member privacy provides security, because they HAVE to.

Re:Oh, so very wrong

[arkanes]

I don't even know what the hell you just said. a VM _is_ an operating system (that's why it's called a virtual machine). It provides it's own process level memory protection (just like the OS it's running under does). Member visibility does not allow you to circumvent this. And member visibility doesn't have the slightest thing to do with memory protection anyway - I'm not aware of any language where theres "special" things you can do in private members but not public ones, or where you can do "unsafe" things in private members but not public members. In such a environment, yes, you would need to enforce member visibility, but .NET doesn't work that way.

Re:Oh, so very wrong

[Doubting+Thomas]

> I don't even know what the hell you just said.

Then let me clarify.

This 'process level memory protection' which you refer to typically consists of some combination of the following:

1) One application, one OS process (OS protection facilities utilized heavily)
2) No reachability between the objects belonging to one application from those belonging to another.
3) Limited reachability between objects owned by 'the system' and those owned by a running application.
4) Runtime enforcement of 'data hiding'

For data that truly belongs to the VM itself, it's simple enough to guarantee reachability constraints. Some VMs even play tricks where data that I can see but cannot modify is protected using the OS memory protection facilities. However, when the data belongs to the libraries, then #3 normally requires #4 to implement.

Let's say there's a file (for instance, a password file) that's used by the libraries to provide my code a service, but my code is strictly forbidden from loading that file directly (because I could steal the encrypted passwords and brute force them later). Let's further say that loading and processing this file is time-consuming. Maybe it's a network resource, maybe it's a complicated file format, or maybe we access it very very frequently.

In order to use that file, some part of the system has to exceed my security priveleges in order to access it. It could get the data from an service that I cannot see, it could store a private reference to the data, or it could retrieve the data momentarily (eg, only hold it in a local variable). In this situation, retrieving the data on each request is infeasible, so the values are cached, but hidden.

If the VM does not provide truly secure data hiding (ie, protecting private data), then either

- no security-sensitive services can be provided by the libraries
- those services will be horribly inefficient
- those services will not be secure
or,
- The system uses an exotic form of reachability control (more below).

A system could be implemented that does the last option. You could, for instance, hide every class that does any real (secure) work behind a simple messenger that does nothing but pass messages to its invisible friend. You could do this, only nobody (well, nobody well-known) has. It's awkward for the designers of the libraries, especially since libraries may start life innocently, and only sprout (or identify) security issues later. Certainly Java and .Net do not employ such an approach.

Re:Oh, so very wrong

[arkanes]

You're confusing "protecing private data" with "protecting private data members". You certainly COULD go the the hard route, which involves a huge overhead of runtime checks (do you really want every single method call to have the overhead of RTTI, walking the inheritence heirarchy, etc, etc?). A much easier way, which both normal OSes as well as VMs do, is to have the VM(read OS) provide secure facilities for this sort of thing - and since enforcing process level seperation includes not letting processes step on itself, it works fine.

As most of the other posts here have mentioned - the .NET VM most certainly does provide data hiding and access control. It even provides the ability to prevent reflection, which is what all this is about, although it's a security policy, not something you set in client code (I'm not sure if assemblies can refuse to run in the absence of a security policy - I suspect they can).

Re:Oh, so very wrong

[Doubting+Thomas]

You confessed earlier that you didn't know what I was talking about. Now, I guess it's my turn.

I certainly know the difference between private data and private data members. I'm aware that it's possible to design a language and VM such that all privileged data is kept apart from the user's code. Most of this isn't hardly germane to this discussion because the CLR is not such a VM (nor is the JVM).

Further, I know that it is not a 'huge overhead' to check field-level permissions at runtime - Java already does it. Read up, and maybe you'll learn something, like never to say never. Java has a security hole in this respect, sure, but that's -only- because someone decided it was necessary to provide an API call to allow trusted code to turn off access checks on a given field/method.

I'm also aware that the trend in language design is toward comparatively simpler languages and more complicated libraries, so you'd better get used to enforced data member privacy, because it's probably only going to become more common, not less.

Re:Oh, so very wrong

[arkanes]

There's nothing different about a "users code" and a libraries code - designing a VM such that there is is just asking for trouble. And yes, there is a signifigant overhead in a runtime security check. Java actually doesn't run the check at runtime - if you can get a pointer to a private method, you can call it. You just can't normally get one without either reflection or hacking your VM, and reflection provides the security check.

And, of course, it's NOT A SECURITY HOLE. You can't do anything in a private member you can't do in a public one. And if you're relying on VMs or libraries, either now or in the future to protect your code by making a private declaration a security measure you're in for a world of hurt. Use the OSes security measures, thats what they're for. As you say - it's possible to write a VM where all private data is kept apart from the users code, and, in fact, thats exactly what they do now! Except you don't use this feature with a private declaration. You use it by calling security APIs that the OS provides.

Or better yet, stop spending so much time trying to keep people from manipulating bytes on thier own machines.

Re:Oh, so very wrong

The goal isn't to stop the user from controlling their own machine, but to enable the user to stop other peoples' code from controlling their machine. And OS security is hopelessly inadequate for this--constant runtime checks and kernel space transitions are needed, there's no good way for a user to withhold some of their own access rights from a process, and many important objects don't even have ACLs (IP4 addresses and GUI windows, for example).

Re:Oh, so very wrong

[Doubting+Thomas]

You don't know what you're talking about, and I am unable to convince you of this, despite repeated attempts. But since I'm such a masochist, I'll try one last time. If you don't get it, that's your problem. I tried.

1) Java DOES do runtime checks. Want to see?
Make two classes, one with a public member field, and the other that accesses it. Compile. Change the member field to private. Only recompile that file, not the dependent one. You'll get an exception at runtime. Try the same thing with a method instead, and you'll get similar results. Because only the VM can modify the code once it's loaded, they need only check access rights once for each call site. If it succeeds, you don't need to check again, because the relationship between the caller and the callee is fixed at class resolution time.

2) Virtually every security concern in the JDK is protected by exactly this facility, either directly by 'owning' data that the callers have no rights to, or indirectly by checking ACLs, SecurityContexts, and/or Permissions, all of which are Java Objects that are themselves protected from tampering by these facilities. Despite several false starts in coming up with a reasonable security API for the JDK, the current facilities are more than adequate. In fact, they're quite powerful, expressive, and fine-grained, as the AC peer to this response says. All security infrastructures I've ever heard of, VM or OS, pale in comparison.

Re:Oh, so very wrong

Right, except those are load-time access checks. Only reflection slows you down at runtime.

Re:Oh, so very wrong

[Doubting+Thomas]

Sure, in most reasonable cases, static analysis can tell you that the access is safe, and so you can turn of the checks as the calling class is being resolved. If it's not clear (like due to the class version incompatibility example I mentioned above), then the check still needs to be made. But since 99% of the questionable accesses are actually going to throw an IllegalAccessException anyway, a few extra clock cycles for each of those checks is in the noise floor.

My point is, it's all amortized down to next to nothing, so you shouldn't lose any sleep over considering using such a technique.

subtitled...

[Royster]

...How to Write Code Guaranteed to Work Only with Microsoft's Implementatyion of .NET and Not Mono.

Re:subtitled...

[Miguel+de+Icaza]

:-) or ...How to find out how Microsofts really complicated classes actually work so we can build ip-free clones for mono.

El Stupido...

[Lodragandraoidh]

Seems like a bad thing to implement an interface to a non-documented API for mission essential code.

The problem with this is that Microsloth can easily change their non-public interface without telling anyone and your code will break. Other than the lack of security implied by accessing things that are supposed to be secure, this interoperability issue will come back to haunt anyone who implements these 'tricks' IMHO.

Don't put this in mission essential code, or you will recieve a phone call late one night by your operations staff for unknown reasons...you have been warned.

Re:El Stupido...

[White+Roses]

The problem with this is that Microsloth can easily change their non-public interface without telling anyone and your code will break.

I agree that this is a bad thing, but it seems you're kinda assuming that they won't change their public interface without telling anyone.

IIRC, the file formats between .NET 1.0 and .NET 1.1 changed with little or no documentation. Something like that anyway. I know we had problems here with our code base when we moved from one to the other.

You can't access private members without...

Apparently, none of you have ever used .NET. You can't access private members without ReflectionPermission. Only apps run locally with full trust have this permission by default. A sandboxed app wouldnt' be able to do this. The poster of this article is nothing more than a troll.

A pound of prevention vs a ton of cure

[Ashtead]

The example is great -- Dan shows you how he used "hijacking" with a collection of private members to develop a FileAccessControlList class that can be used to manipulate ACL's on Windows files. This is a piece of functionality that is not included with the .NET Framework, but developers have a need for all the time. To write the code from scratch would take days, including translating Windows API declarations to C# or another .NET language and poring over MSDN documentation. As it turns out, all the pieces are in the Framework -- they're just not public.

As has been noted, this remains useable until someone from MS changes the internal implementation and the application no longer can find the proper codes. Then the can of worms is open, and it becomes time to walk the long route of translating the Windows API etc.

Which process reminds me of the bad old days of 16-bit Windows, where useful implementations of such things as dealing with files or directories had to be done via Dos3Call( ) and assembly. At least that was documented, but it was far from pleasant.

Perhaps MS has a way of receiving feedback from developers so that they can extend the API in some durable manner?

Private members are design feature

[Teancum]

I'll have to put in my $0.02 here and totally agree with the parent message here.

When I design a class that I intend to be inherited from other classes, even when the other classes are being written by myself, I love to put in private members and methods simply to keep myself from overwriting critical memory locations or introducing new bugs that the base class didn't anticipate. On the whole it makes for a much cleaner final product.

On some very rare occasions I have gone back and "promoted" a method or member accessor (property... depends on the language you are talking about) for a specific implementation. (I.E. changing it from a private to a protected method, or even public if it is needed) When I've done this I've also reviewed the methods that I'm promoting and make a double check to see that inheriting classes aren't going to have any problems with the promotion.

If you are developing open source software this is just as critical and you should be just as cautious in doing this kind of promotion, with a full battery of software tests to verify the resulting changed base class as per your software testing requirements where you work.

The one problem with Microsoft is that there is some real harsh internal competition between various divisions, where developers deliberatly try to hide details even from other Microsoft developers (not to mention ordinary MS operating system users).

Many times there are problems where you very quickly hit the "end of the road" with Windows development when you are trying to tweak performance using the standard API calls. In some ways if you follow the official documentation you have to do so much pointer and handle calesthetics (I don't know a better word here) with a dozen or more different API calls that you really aren't even sure what you just accomplished. For example, write some code to identify the version information for any given application, as compiled into the application as a version information resource. Now try to get that from the current running process.

Often is it much easier to get data like this from an "undocumented" API call, or you can access resources that are otherwise unavailable simply because the current API library just won't give you the access you need. I'm not talking about security restrictions here, but deliberate obfuscation to keep you from accessing the hardware that you have access to on the PC in front of you that you have full administration privileges to. Sometimes calling these undocumented APIs is the only way to get the job done.

I think in this case with the Microsoft dotNet classes this is just more of the same.

Personally, if you want to get access to that kind of level, switch your development to Mono. That way you have direct access to the source code, you can distribute the DLLs that you've had to modify, and maybe give a little back to the software community.

But security is default under Java ;)

I mean, if you run a J2EE application / a Java WebStart / an Applet you already run a security manager that endure the security to be there !

Anyway, you also still have the class verifier that prevent user from trying to hijack the bycode (as far as i remember you've got 5 levels of security)!

MS.net just remove on of those steps to get more speed at the initialisation of the code. The result of it is that security does not meet the expectations :(

Anyway, who can still thinks MS.net as a future as a platform ;)

At least, the dotnet framework manage to get rid of the VB legacy :o)

-SLK

what is correct and what is fault ...

[pavel+sorejs]

First, some people don't undertand what means Private and Public Public means that the property (function/field...) is part of API or Interface if you want Private means that the property (function/field...) is NOT part of API or interface but it doesn't means that it is safe or 100% unacessible. Private DO NOT mean secure. so you can use private members if you want but it is like turning computer on by shorting wires inside the case when you can simply use switch. There was also some techniques in VB (non .net) called subclassing. And about the faults sombody there mentioned. 3 -- MS's fault for not having .NET compile to x86 assembly language? - i can only say RTFM and you will know. teher is one little thing. What means x86 ?? It means 386 and better so the code is usable also on 386 machines there is no instructions special for pentium and also no SSE or SSE2 or another else. So .NET just precompile the code and finishes it for the machine it runs on. (btw you dont need special versions for ia64 and so) 2 -- MS's fault for including metadata? this solves something called DLL HELL well known to windows programmers and also provides data for intelisence which is very usefull. Metadata is somethink like better .h file.

As I always say...

[xeon4life]

USE SCHEME! :)

Sometimes a cigar is not just a cigar

[IsoRashi]

First all this talk about homos, and now privates?! What's going on /.?

Website help

Hey, Im running a small website right now and I was wondering what is the best way I could unsure my safety for my site. Im running HTML,XML, and a little JAVA. It's has a forum and other chat programs. I'm new to this, but I understand a lot but I just dont know what to do to help. HELP?

Bullsh*t

Comeon. In every programming langauge if you supply the source you can expose every private member. Thats the point. If you don't but provide a compiled version it still isn't to hard to see. What is this hijaking!!

with these responses, no wonder most software sux

[_STL99]

I'm horrified at the number of people who would think this is an exploitable security hole. I honestly thought that gone were the days when people thought that private members were a means to implement security. Hopefully, these were questions raised by non-programmers or entry level coders; otherwise methinks you should find a new line of work.

Reflection classes

[solprovider]

From the Java API documentation:

Package java.lang.reflect Description

Classes in this package, along with java.lang.Class accommodate applications such as debuggers, interpreters, object inspectors, class browsers, and services such as Object Serialization and JavaBeans that need access to either the public members of a target object (based on its runtime class) or the members declared by a given class.

---
I believe the reflection classes exist specifically for tasks that require run-time access to the definitions of a class. It would be very difficult to build a generic debugger without them. If the application is not a tool to work with the programming language, then the reflection classes should be avoided.

Using reflection classes for normal operations is a hack. It ALWAYS means there is a lack of programming skill somewhere. In this case, the MS .net API designers forgot to make public methods to modify ACLs.

---
I tried to avoid the security discussion. If someone can modify the run-time environment to have access to the code, the application is already cracked. If the code is in a client, then the user is cracking his own data. If there is interaction with a server, it is the server's responsibility to verify incoming commands from all clients. If it is a P2P application, then every client performs as a server and must verify incoming commands.

There are only security considerations if this allows MS apps to break MS security. But it assumes the cracker has the ability to put code on the machine. If that assumption is correct, then security is broken with or without this ability.

This is not about security. It is about good programming.

Re:Reflection classes

[mingot]

Good post.

This is not about security. It is about good programming.

You'll get no argument from me there. For purposes other than writing a class browser I'd certainly NOT go around mucking with private members of classes. They're private for a reason and all you do is increase the chance that when the next version of the widget that you are "hacking" is released that your code is going to end up broken.

Re:Reflection classes

If the code is in a client, the code's author is cracking the user's data, which the user wants to prevent.

Yah, like, so what?

[inf0rmer]

Okay, so now I have your credit card details - am I really gonna get the stuph delived to my batchelor pad?

I don't think so!

So-called exploits in security are going to be around until the day we stop using computers. Being realistic about using most of them is a whole-nuther thing.


Stay cool...

I think he was referring to performance

[Trepidity]

The post he was responding to mentioned that Java was designed to provide this safety without impacting performance. The poster you responded to was most likely referring to Java's notorious slowness.

it's a programmer's tool, not a security tool

[Trepidity]

In the basic OOP model, private variables are a tool for the programmer, not a security tool -- they're there to prevent inadvertant private accesses, not malicious ones (that is, the programmer can't accidentally muck around with internals of a class that'd cause it to break, because the compiler won't let him). So the goal isn't to make it impossible, only hard enough that you can't do it accidentally.

So unless you're in a mode where there is a security layer added (which the parent poster mentioned .NET seems to have), there's no reason your system necessarily needs to catch at runtime funny things that result in accessing private members (unless that's part of the language specification, e.g. Java).

Not just from its libraries

[Trepidity]

Even as a language, C# is pretty interesting. Like Java, it basically tries to fix C++, and I think it does it in a way that in at least some cases is better than the way Java does it. Properties, delegates, events, and the parameter-passing modes are all interesting language features that I could see as being useful (and more elegant than the C++ analogues).

Re:Not just from its libraries

[crazyphilman]

Well, that's true, and I'll admit that C# seems to have taken all of the good things that were in Java while trying to avoid some of the bad. But if you want to actually *do* something with it, you'll need the libraries. And, the libraries are proprietary, which means that you could become dependent on them only to find out one day that they're no longer available (taken off the market, replaced by something else you don't like, etc). Private companies are fickle. They may or may not continue to support a product.

I'm not saying that'll happen here. And, of course, someone might come out with an open version of the libraries, which turns out to be just as useful as the proprietary version. That would be great. And, probably, C# will be just fine. I'm just saying I understand the point of view of people who like more freedom with their software. I think their main concern is securing their access to a tool indefinitely.

Re:Not just from its libraries

[rnd()]

I can see why some people might feel that way... although what it amounts to is making a decision to forego efficiency in the short term due to uncertainty about the future. Obviously, Microsoft wouldn't sell too much .net technology if people thought it was going to disappear any day. Of course, there will be some people who wait until every aspect of their software development is within their control (to the extent that the typcical programmer would actually be able to modify/update the source code to a component of his application if required).

My thought is that since C# represents a step forward technologically, it makes sense to embrace it today and begin benefitting from it immediately. If technology continues to improve, a rewrite in the next language/library system to come out won't likely be all that costly.

For example, porting a JAVA app to C# would likely be easier than porting a C++ app to C#, simply because of the greater similarity between Java and C# and the likely design consequences.

So, it really comes down to what is more costly: having to rewrite using slightly newer libraries, or having to potentially maintain very old source code.

Re:Not just from its libraries

[crazyphilman]

I agree with you that C# is a pretty cool language, and probably a "step forward" as you say, but the fact that only part of the language has been okayed by ECMA still bothers me somewhat. They should have standardized the libraries, too, with any new stuff they want to build going into add-on libraries. This doesn't mean I wouldn't use C#, of course. It's a nice language. I'm just saying I understand the point of view of people who would rather it were "free".

Java has some of the same problems, although the fact that there are more than one vendor supplying development kits makes Java a little "safer" (you've got Sun's JDK, Blackdown, and IBM, plus GCJ is in progress, etc). Plus, according to the Java license, once you've got a JDK, you can basically use it forever unless you violate it (by trying to "pollute" java, for instance). Client software doesn't understand java? Give them a JRE along with your app. See? It's a little "safer" in a sense, in that you can just say, "Ok, I'm going to stick with JDK 1.4, I've got the JDK and the JRE, and that's it". Even if Sun were to be sold, and the new owner were to try and kill off Java, it wouldn't work. I kinda like that.

With Microsoft, you might not be able to get away with that, because Windows Update changes all sorts of things, including the .Net framework, which could theoretically alter your programming environments one day. Also, their new EULAS indemnify them from any damages their updates might cause. So if they change everything and break all your old C# software, you end up having to either use an unpatched O/S with your old C# setup, or you have to bite the bullet and go along with their changes. This makes me a little nervous.

Still; I don't know if that's enough for me to give up on C#. It IS a cool language...

No Security Hole - Just a Hideous Idea

[Grunk]

First, let me say I have not read the ebook - just the abstract. I'm assuming it uses either Reflection or some technique that uses unverifiable code (which essentially means it can own your machine if you allow it to run).

As many people have already pointed out, this is not a security hole in the .NET Framework. Member visibility is a statement about what you intend to support and document, but is not strictly a statement of security. Additionally, the .NET Framework security model prohibits code like this from running, depending on security policy and where the code comes from.

That being said, let me show how this can be done, and how using code access security, you can prevent this. Note that the default policies for code from the Internet and Intranet zones will not allow this code to run.

Note that if you want to prevent member access, the .NET Framework does provide a way to do this, unlike other runtime environments or languages like Java or C++. Look at the strong name identity permission in the MSDN documentation or a great security book for more details.

As many have already pointed out, calling someone else's internal member is an excellent way of making your application fragile and adding a source of potentially incorrect behavior. There's no guarantee that someone else's private members will be there or work the same way in a future version (including a service pack) - that's why they're private.

The author's point of using P/Invoke declarations from the .NET Framework is also a very bad one, since they may change with no notice. For instance, any P/Invoke method that uses a handle may have accidentally used an Int32 for the handle type in V1. In V1.1, it might use a IntPtr, while in V2.0 it will likely use a subclass of SafeHandle, a new handle wrapper that doesn't exist in released versions.

About the only good reason to use Reflection to call private members is for hiding details of a Reflection-based set of functionality where the details of a particular implementation aren't interesting to users. An example would be TypeConverters. Here there's a general design pattern and you may write a TypeConverter for your type, yet you could mark it private if it is really not worth seeing in an object browser or Intellisense. Using Reflection, an instance of this class could be created. However, this isn't a generally recomended technique.

With this being said, here's an example of how to use Reflection to call private members, and shows that the .NET Framework does indeed do a security check here. This app should run correctly if you run it locally if you haven't modified your machine's security policy, but if it is run over a network share, it will fail.

using System;
using System.Reflection;
using System.Security.Permissions;
using System.Security;

public sealed class MyPublicClass
{
private static int PrivateFoo()
{
return 5;
}
}

public sealed class CallPrivateMemberTest
{
private static void CallPrivateMember()
{
// Remember that calling private members is a good way of building
// an incredibly brittle application. This is a hideously bad idea,
// outside of some well-constrained scenarios. And of course, you
// can use strong name identity permission to prevent people from
// calling private methods like this.
Type type = typeof(MyPublicClass);
MethodInfo mi = type.GetMethod("PrivateFoo", BindingFlags.Static | BindingFlags.NonPublic);
Object retVal = mi.Invoke(null, BindingFlags.Static | BindingFlags.NonPublic, null, null, null);
Console.WriteLine("Called private method. It returned: {0} [{1}

Sometimes it can save your life

[helgy]

Dan's example illustrates nothing indeed. Isn't it stupid to rely on private methods when robust solution may take just days. Write it once and forget about it.

But sometimes such hijacking might be worth doing. Here is the story. There is really painful (wellknown and confirmed) bug in .NET XSLT implementation (in both frameworks 1.0 and 1.1): one cannot return a nodeset from an extenstion function, because XSLT impl expects an instance of one of *internal* class! It's not private, just internal, but anyway how can you return it?

So, once you can instantiate internal class by reflection (and security permits that in your environment) you can workaround it. Of course it won't work probably in the next framework version, but who cares - it's bug's workaround - if bug will be fixed there will be no more need to hijack.

More details about this particular hijacking case at On returning nodeset from XSLT extension function in .NET.

Re:Sometimes it can save your life

[DanAppleman]

This statement:

"Isn't it stupid to rely on private methods when robust solution may take just days."

Strikes at the heart of the question. As a software designer, I totally agree with you. But as a software engineer, I'm also concerned about economics. If my cost to the company is $75/hour, do I choose the $300 solution, or the $2000 solution?

Ok, you might say - but what about the long term costs? It will cost much more to fix the problem later when MS breaks it, right?

Not necessarily. Because you can bind your app to a specific framework version, your risk of a sudden expensive break are slim.

But aren't you just deferring the problem? You'll want to update your software for the next version and you'll have to write it then, no?

Well, maybe not. Because MS will probably have a canned solution that, if you use propery OOP design, you'll be able to plug in easily.

So, we might well be talking lifetime cost savings of thousands of dollars here.

The purist in me dislikes this approach. But is that enough to write off these potential savings?

That is the question.

I can just see the headline

[Royster]

Microsoft Accuses Open Source Programmers of Peeking at Private members.

Re:with these responses, no wonder most software s

Some of us have graduated to safer runtimes on which "private" is actually enforced. How else do you run untrusted code on platforms that don't provide sandboxes to normal users?

Interesting article in UK magazine....

[bilgebag]

There's an interesting article in the May/June 2003 issue of SIGS Application Development Advisor here which discusses a problem in example code which Microsoft advocate for locking / synchronisation (aka critical sections in W32) where the 'this' object reference is used to handle the lock.

What amounts to a D.O.S exploit is explained, where client code locks the same object and never releases it. The suggested workaround is (of course) to use a private member object within your class to use for synchronisation. Hmm... 8-)

I think most people are missing the point...

[freeBill]

...here. What this book seems to be saying is twofold:

• .NET takes approach perl OO originally took to "private data members." I don't remember if it was Tom Christiansen or Larry Wall who said, "Perl doesn't think you should break into its house, but it's not going to rig up a shotgun to shoot you if you try." Or something like that.
• Sometimes you can save a bunch of hassle (and maybe even make your code run faster) if you break into MS's house and use some of the internals they're hiding from you.

Now, I don't think breaking encapsulation is a good idea if you want to write robust code. And I agree security should not depend on the rigorousness of the enforcement of encapsulation.

But the two items listed above do raise questions about whether one should use .NET.

Suppose you have an idea for a killer app you think will be the Next Big Thing. You decide to write it in C# on .NET (hey, that VisualStudio.NET is a nice IDE). You decide not use cheesy tricks like accessing MS's private variables to improve the performance of your program because you don't want to create a fragile program which will break on the next C# upgrade. You release your program and it takes off. Microsoft decides to compete with you and writes a C# program that does the same thing as yours does, but in order to make theirs "better" they cheat and use direct access to private variables. (They don't have to worry about C# upgrades. They can walk across the hallway and ask the C# people not to change the internals. In fact, they can ask the C# people to declare the hidden variable as a public variable in the next release.) You lose everything as the VCs run for the hills.

Since MS has been known to use this kind of tactic with the Win32 API, this is not an unreasonable set of conjectures.

The guy who wrote this book seems to be arguing the way to avoid this is to create fragile apps using undocumented hidden variables. I would argue it's better to use a language which a potential competitor cannot manipulate to gain competitive advantage. But that's just my personal preference.

well yeah

[Trepidity]

I probably wouldn't use C# either, primarily for that reason. I do think it's good as a language though, and would be happy to consider using it if there were a free/standard implementation of it (like C++'s STL libraries, though hopefully a little less ugly).

Re:well yeah

[crazyphilman]

It's not that I wouldn't use it, exactly... It's just that the libraries are proprietary and thus kind of an unknown factor that could be a problem down the road. But I agree with you 100% on the free/standard implementation point; if Microsoft were to submit the libraries to ECMA, for instance, or even totally free up all the libraries for use, C# would be a whole lot more desirable.

Security != Encapsulation

[_STL99]

Security and encapsulation are two different things. Access modifiers exist to provide a means to encapsulate. Sandboxing exists to provide a means to secure. Security features exist to protect your computer from harmful code. Encapsulation features exist to protect programmers from themselves.

.NET doesn't combine the two. It contains features for each respective purpose. Accessing a private member in .NET breaks encapsulation, not security. Any programmer worth his weight can do that on any platform.

Stupid Code Tricks

I thought the point of the article wasn't to say that .NET sucks, or is insecure. I thought the guys was trying to say:

"Hey! Microsoft wrote some pretty handy methods that they chose not to expose, and may not expose in the future either. Here's a tip on how to use 'em now."

Folks took that and ran. I think it's fair for folks to be surprised that private members can be exposed if their expectation was to the contrary. The surprise is understandable considering how widely touted .NET's security features are.

If some folks are balking, it might be due to the fact that Microsoft invited the impression that private members were not accessible. That is understandable, too. Imagine if Microsoft had put in the brochures:

"Great security. Can't beat it. Oh and--just to set expectations correctly--private members are accessible to third parties."

Microsoft made a defensable design decision in creating thier programming language. No fault there. My guess is, however, they just didn't want to be in the position of having to defend it. And that is understandable too, since they might have been concerned that some people would mistake encapsulation for security. Many of the posts here seem to verify that concern.

The bottom line is, however, the book reviewed seems to discuss way to leverage private members in the .NET libraries to get your stuff done, and the review seems to focus on that aspect. There is merit to that.

Submit an "Ask Slashdot" article to discuss whether or not any programming languages prevent private members from being accessed by third parties, and the relative merits of doing so (or not).

Re:Stupid Code Tricks

Encapsulation is security on this platform. Just like Java, critical security information is protected from non-system code by being private, and only idiots who run the VM with no security manager (without which, what's the point?) are vulnerable to this exploit.

Re:C++ piers haken like sto steal in any language

Well, I'm a fan of C++, C# and Java, and while they all have their good points, the single thing that sets C++ apart from the rest IMO is templates (and no, the generics in future versions of C# & Java aren't even close).

Stealing other people's code isnt a template, its property theft - in ANY language. Theif.