An In-Depth Study of More Than Ten Years of Java Exploitation

Philipp Holzinger, Stefan Triller, Alexandre Bartel, Eric Bodden

CCS’16, October 24 - 28, 2016, Vienna, Austria


When created, the Java platform was among the first runtimes designed with security in mind. Yet, numerous Java versions were shown to contain far-reaching vulnerabilities, permitting denial-of-service attacks or, even worse, allowing intruders to bypass the runtime's sandbox mechanisms, opening the host system up to many kinds of further attacks.

This paper presents a systematic in-depth study of 87 publicly available Java exploits found in the wild. By collecting, minimizing and categorizing those exploits, we identify their commonalities and root causes, with the goal of determining the weak spots in the Java security architecture and possible countermeasures.

Our findings reveal that the exploits heavily rely on a set of nine weaknesses, including unauthorized use of restricted classes and confused deputies in combination with caller-sensitive methods. We further show that all attack vectors implemented by the exploits belong to one of three categories: single-step attacks, restricted-class attacks, and information hiding attacks.

The analysis allows us to propose ideas for improving the security architecture to spawn further research in this area.

Additional artifacts

Download additional artifacts here.
