This talk will present the results of our security research project which has lead to the discovery of 50 security vulnerabilities in Java implementations coming from Oracle, IBM and Apple. The primary goal of the talk is to twist your mind and show you how challenging and tricky Java security can be.
During the talk, certain key details pertaining to Java VM security model and its operation will be presented. This will be followed by a detailed discussion of certain problems related to Java SE security.
The talk will disclose the methodology taken and technical information of several sample (most interesting) vulnerabilities found during our research. This will include information about the critical issue found recently and affecting all Java SE versions 5, 6 and 7 provided that the weakness will be fixed by the time of a conference.
Along with that, the talk will disclose several previously unpublished exploitation techniques allowing for a complete Java VM security sandbox escape.