- Forward


Vulnerabilities in Java
and Mitigations


Prof. David Bernstein
James Madison University

Computer Science Department
bernstdh@jmu.edu

Print

An Important Point
Back SMYC Forward
  • Our Concern:
    • Vulnerabilities in the Java programming language
  • Other Possible Concerns:
    • Vulnerabilities in the Java runtime system (much of which is not written in Java)
Access/Visibility Vulnerabilities
Back SMYC Forward
  • Recall:
    • The access modes in Java are public, package, protected, and private
  • Recall Also:
    • The principle of information hiding says that, in general, the most restrictive possible access mode should be used
Access/Visibility Vulnerabilities (cont.)
Back SMYC Forward
  • Protected Mode Vulnerabilities:
    • A subclass can access members with protected access
  • Package Mode Vulnerabilities:
    • Any class in the same package can access members with package access
Access/Visibility Vulnerabilities (cont.)
Back SMYC Forward
  • Mitigation of Protected Mode Vulnerabilities:
    • Since an attacker might be able to provide a subclass, avoid the use of protected access mode
  • Mitigation of Package Mode Vulnerabilities:
    • The JVM provides access to package mode members only if they are in the same package and loaded by the same ClassLoader
    • Code signing adds additional protection
Reference Vulnerabilities
Back SMYC Forward
  • The Vulnerability:
    • Objects are reference types so any reference to a particular object can be used to modify its state if it is mutable
  • Mitigation:
    • When interacting with potentially malicious code, never return a reference to a mutable object
    • Include a copy constructor or copy factory that can be used to create copies for passing to untrusted code
String Vulnerabilities
Back SMYC Forward
  • The Vulnerability:
    • Because String objects are immutable sensitive information (e.g., passwords) stored in String objects can't be deleted (except by the garbage collector)
  • Mitigation:
    • Use a char[], StringBuilder or StringBuffer instead (and remember that such objects suffer from reference vulnerabilities)
Serialization Vulnerabilities
Back SMYC Forward
  • The Vulnerability:
    • The readObject() method in the ObjectInputStream class trusts its input
  • Mitigations:
    • Include a readObject(ObjectInputStream) method (which will be used by the ObjectInputStream) in classes when necessary
    • Use secure objects
Inner Class Vulnerabilities
Back SMYC Forward
  • The Vulnerability:
    • When a class has an inner class, the compiler inserts package mode methods in the outer class to allow the inner class access to the private members that it uses
    • This gives all classes in the package access to those members
  • Mitigation:
    • Use inner classes sparingly
Assertion Vulnerabilities
Back SMYC Forward
  • The assert Statement:
    • Java has an assert statement that (when enabled) evaluates its argument and throws an AssertionError if false
  • How It Is Used:
    • It is often used in test environments
    • When disabled (using a runtime property), the assert statement is a no-op
  • The Vulnerabilities:
    • When the argument has side effects (e.g., assert list.remove(element);) the code will execute differently in the test and production environments
    • When assert statements are used for parameter checking the code will execute differently in the test and production environments
Character Encoding Vulnerabilities
Back SMYC Forward
  • The Vulnerability:
    • Every instance of the JVM has a default encoding, but the default encoding need not be the same across instances
  • Mitigation:
    • When constructing String objects, use an explicit encoding
Reflection Vulnerabilities
Back SMYC Forward
  • Reflection:
    • Enables an object to look at its internal details at runtime
  • The Vulnerability:
    • The reflection API allows access to members that are normally inacessible
  • Mitigation:
    • The default SecurityManager will throw an exception in such situations so don't override this behavior (either by granting ReflectPermission or by using a SecurityManager that does not provide this protection)
What About the "Classics"?
Back SMYC Forward
  • Injection Vulnerabilities:
    • Runtime.exec()
  • Error-Handling/Exception Handling Vulnerabilities:
    • Providing too much information in messages
    • Ignoring error-codes
    • Ignoring unchecked exceptions
What About the "Classics"? (cont.)
Back SMYC Forward
  • String and Buffer Overflow:
    • Not much of an issue
  • Memory Management Vulnerabilities:
    • Not much of an issue
  • Integer Vulnerabilities:
    • Wraparound vulnerabilities exist
    • Fewer integer types, the inability to do pointer arithmetic, and the memory manager make other kinds of integer less of an issue
There's Always More to Learn
Back -