
Is there a collection of old security issues with description and exercising code for the Java platform?

Tags: java, security, jvm

I'm wondering if there is an educational collection of examples on how security on the JVM was compromised in old versions.

After reading a few of the articles on the IKVM blog, I have the feeling that I learn more by understanding past cases of security issues than by reading some plain "Dos and Don'ts" (it looks like most of the interesting articles have been pulled, what a shame).

Is there something like that available somewhere?

Maybe my expectations are too high: I don't care about script-kiddie stuff, but I'm looking for quality content going into depth about:

  • How was the security issue discovered?
  • What would code exercising it look like?
  • What does the flawed code look like?
  • How has the bug been fixed?
  • How can the absence of the bug be verified?
  • What were the reasons which caused the security issue? (Pure laziness, performance concerns, wrong assumptions, ...)
  • What are the lessons, as an application developer, library designer, VM engineer?

Is there something like that available on the net?

soc asked Jan 13 '12 05:01


1 Answer

I think there is very little research on JVM exploits. What do you want to do exactly?

  • Break standard Java programming restrictions: easy to do, since you can access everything when running standard bytecode.
  • Circumvent the Java Security Policy when executing Java code (e.g. break out of the browser sandbox): This has very little to do with the JVM; it is often a combination of browser-based exploits and other exploits to be able to launch the applet and include the boot classpath of a standard JVM.
  • Launch a buffer overflow attack on the OS from within the JVM.

Often, breaking out of the browser sandbox is trivial and has nothing to do with the JVM itself: http://jouko.iki.fi/adv/javaplugin.html

The best information will be available from an open-source JVM like BlackDown. Search the SVN changelog for the words 'exploit', 'bug', 'sandbox' and look at the SVN diffs.

parasietje answered Nov 09 '22 14:11
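The changelog search suggested in the answer above, as an added example that is not part of the original answer or of any JVM project: it parses plain `svn log` output and returns the revisions whose messages mention the three suggested words, so their diffs can be read. The sample log, its authors and its revision numbers are constructed; the function names are hypothetical.

```python
import re

KEYWORDS = ("exploit", "bug", "sandbox")  # the words suggested in the answer
SEPARATOR = "-" * 72                      # line `svn log` prints between entries
HEADER = re.compile(r"^r(\d+) \| ([^|]*) \| ([^|]*) \| (\d+) lines?$")

# Constructed sample in plain `svn log` format (not from a real repository).
SAMPLE_LOG = "\n".join([
    SEPARATOR,
    "r412 | alice | 2004-11-23 09:12:44 +0100 (Tue, 23 Nov 2004) | 1 line",
    "",
    "Restrict package access so untrusted code stays in the sandbox",
    SEPARATOR,
    "r411 | bob | 2004-11-20 17:03:10 +0100 (Sat, 20 Nov 2004) | 1 line",
    "",
    "Add debug logging to the class loader",
    SEPARATOR,
    "r410 | alice | 2004-11-18 11:40:02 +0100 (Thu, 18 Nov 2004) | 3 lines",
    "",
    "Fix bug in bytecode verifier",
    SEPARATOR,  # a dashed line inside the message must not end the entry
    "Reported as a possible exploit path",
    SEPARATOR,
])

def parse_svn_log(text):
    """Yield (revision, author, date, message) for each log entry."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = HEADER.match(lines[i])
        if not m or i == 0 or lines[i - 1] != SEPARATOR:
            i += 1
            continue
        count = int(m.group(4))
        # Header, one blank line, then exactly `count` message lines.
        body = lines[i + 2 : i + 2 + count]
        yield int(m.group(1)), m.group(2).strip(), m.group(3).strip(), "\n".join(body)
        i += 2 + count

def security_candidates(text, keywords=KEYWORDS):
    """Return [(revision, matched_keywords)] for entries worth diffing."""
    # \b keeps "debug" from matching "bug" while still catching "bugfix".
    pattern = re.compile(r"\b(" + "|".join(map(re.escape, keywords)) + ")", re.I)
    hits = []
    for rev, _author, _date, msg in parse_svn_log(text):
        found = sorted({w.lower() for w in pattern.findall(msg)})
        if found:
            hits.append((rev, found))
    return hits
```

On a real checkout, pass it the output of `svn log` and read each hit with `svn diff -c REV`.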