In my previous post I mentioned that I got the Evil bit set, but I had to do it the long way round: I actually changed the OpenJDK source of the following classes:
My PoC worked, but for every change I built into it I had to wait about 20 to 25 minutes for the compilation step, which of course is unacceptable to me; still, it did show that my initial feeling about the tainted String was correct. So I have now made a newer version that uses Javassist to build the modified classes from the JDK in use.
```java
import javassist.*;

public class TaintedStringPatcher {
    public static void main(String[] args) throws Exception {
        // directory that receives the patched java/lang/String.class (placeholder path)
        String destPath = args.length > 0 ? args[0] : "./securert-classes";

        ClassPool cp = ClassPool.getDefault();
        CtClass cc = cp.get("java.lang.String");
        // add the new tainted field
        CtField f = new CtField(CtClass.booleanType, "tainted", cc);
        f.setModifiers(Modifier.PRIVATE);
        cc.addField(f);
        // generate getters and setters for the new field
        cc.addMethod(CtNewMethod.getter("isTainted", f));
        cc.addMethod(CtNewMethod.setter("setTaint", f));
        cc.writeFile(destPath);
    }
}
```
This removes the dependency on my build of the JDK and allows anybody to create their own SecureRT.jar (well, a set of modified classes for now) and test their applications for the potential use of tainted strings.
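A flag on its own only marks a String; for taint tracking to be useful, the flag also has to follow the String through the operations that derive new Strings from it. The following is an added example, not code from the post, that extends the same Javassist approach with propagation through concat, substring and trim; the class name, the output path and the choice of methods are assumptions, and it expects a JDK whose java.lang.String can be patched this way, as the post does.

```java
import java.util.Arrays;
import javassist.ClassPool;
import javassist.CtClass;
import javassist.CtField;
import javassist.CtMethod;
import javassist.CtNewMethod;
import javassist.Modifier;

/** Builds a patched java.lang.String whose taint flag survives common derivations. */
public class TaintPropagatingStringPatcher {

    // Methods that return a String derived from 'this'; the result inherits the taint.
    private static final String[] PROPAGATE_FROM_THIS = { "substring", "trim", "toLowerCase", "toUpperCase" };

    public static void main(String[] args) throws Exception {
        // Output directory for java/lang/String.class (assumed path)
        String destPath = args.length > 0 ? args[0] : "./securert-classes";

        ClassPool cp = ClassPool.getDefault();
        CtClass cc = cp.get("java.lang.String");

        // 1. The taint flag and its accessors, as in the post.
        CtField f = new CtField(CtClass.booleanType, "tainted", cc);
        f.setModifiers(Modifier.PRIVATE);
        cc.addField(f);
        cc.addMethod(CtNewMethod.getter("isTainted", f));
        cc.addMethod(CtNewMethod.setter("setTaint", f));

        // 2. concat(String): the result is tainted if either operand is.
        //    In Javassist's source-level syntax $_ is the return value and $1 the first argument.
        CtMethod concat = cc.getDeclaredMethod("concat", new CtClass[] { cc });
        concat.insertAfter("if ($_ != null && (this.isTainted() || $1.isTainted())) { $_.setTaint(true); }");

        // 3. Single-receiver derivations: every overload of each listed method propagates from 'this'.
        for (CtMethod m : cc.getDeclaredMethods()) {
            boolean listed = Arrays.asList(PROPAGATE_FROM_THIS).contains(m.getName());
            if (listed && m.getReturnType() == cc) {
                m.insertAfter("if ($_ != null && this.isTainted()) { $_.setTaint(true); }");
            }
        }

        cc.writeFile(destPath);
        System.out.println("wrote patched java/lang/String.class to " + destPath);
    }
}
```

Methods that build their result through a StringBuilder (such as replace) are not covered here and would need the same treatment on the builder classes. The patched class only takes effect when it is loaded ahead of the JDK's own String on the boot class path, which the post does not discuss.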