What are the dangers of bytecode manipulation (if any)?

Question

Bytecode enhancement seems like a very interesting Java technique, but it has the feel of a bit of "black magic" about it. Are there any disadvantages to using it (other than the fact that functionality is added to classes that is not apparent from the source code)?

Does it cause problems with security, serialization, etc.?

Answer 1

Are there any disadvantages to using it (other than the fact that functionality is added to classes that is not apparent from the source code)?

One thing is that bugs created by bytecode manipulation are likely to be more difficult to diagnose. Examination of the source code, and source level debugging will be harder.

Does it cause problems with security,

The verifier should (in theory) prevent the modified bytecode from breaking the core type system and corrupting the JVM. (And it goes without saying that untrusted code shouldn't be allowed to do bytecode modification, so we can discount that scenario.) However, in the past, some Java byte code verifiers have been less than thorough.

Furthermore, bytecode modification :

• makes it harder to do a proper source code based security analysis, and
• could nullify the (limited) security benefits of using a static analysis tool such as FindBugs.

serialization, etc.?

Bytecode modification can do things that will make existing serialized objects readable by the modified class; e.g. by adding and removing fields, or by changing a classes superclass and interfaces. However, you can do the same thing by changing the sourcecode.

Answer 2

The JVM verifies bytecodes, but deviant bytecode may represent a security threat.