Bytecode level: for break in.

Model is attack a normal running Java process or a going to run Java applet. Maybe something like Inject.

1) escape sandbox (SecurityManager) from Applet, or from constraint, for example Load From Uncontrolled source with custom policy;

2) classLoader hijack;

3) Unserialize Object;

4) Reflection;

5) Module (jar, osgi-bundle);

6) Expression Language inject (OGNL, SPEL, JSTL_EL, MVEL, ...);

7) bytecode verify escape?

 

System level: for persist control.

1) web shell;

2) jni module hijack;

3) so hijack, like libc.so;

4) rt.jar hijack;

5) user space rootkit, binutils hijack;

6) kernel space rookit, LKM.