Invoking Untrusted Mobile Code

From Guidance Share

Jump to: navigation, search



This process will download external source or binaries and execute it.

Applies To

  • Languages: Java and C++
  • Operating platform: Any


The following Java code downloads untrusted mobile code:

URL[] classURLs= new URL[]{new URL(“file:subdir/”)};
URLClassLoader loader = nwe URLClassLoader(classURLs);
Class loadedClass = Class.forName(“loadMe”, true, loader);


  • Access Control: Untrusted mobile code will often run with the privileges of the calling process. This can allow the equivelent of a privilege escalation attack for the developer of the untrusted code.


  • Invoking mobile code without ascertaining trust or running within a sandboxed environment.


  • Implementation: Avoid running mobile code without proper cryptographic safeguards to ensure the trusted origination of the code.
  • Implementation: Run untrusted code in a sandbox that reduces the damage it can cause.

Vulnerability Patterns

How Tos

Personal tools