Vulnerabilities in Java and Mitigations
Prof. David Bernstein
Computer Science Department
bernstdh@jmu.edu
ClassLoader
String Vulnerabilities

- String objects are immutable.
- Consequently, sensitive information (e.g., passwords) stored in String objects can't be deleted or overwritten by the program; the characters remain in memory until the garbage collector reclaims them.
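The point above, as an added example (not code from the original slides): a password held in a String stays readable for as long as the object is reachable (and appears in any heap dump taken in the meantime), while a char[] can be zeroed as soon as the check is done. The checkPassword() method and the "hunter2" value are hypothetical and exist only to illustrate the clearing; a real implementation would compare against a salted hash.

```java
import java.util.Arrays;

/**
 * Added example, not from the original slides. Contrasts a secret held in a
 * String (cannot be scrubbed) with one held in a char[] that is zeroed after use.
 */
public class PasswordHandling {

    // Hypothetical credential check. The expected value is embedded only so
    // the example runs stand-alone; it is cleared after the comparison.
    static boolean checkPassword(char[] candidate) {
        char[] expected = {'h', 'u', 'n', 't', 'e', 'r', '2'};
        try {
            if (candidate.length != expected.length) {
                return false;
            }
            // Constant-time comparison: never exit early on the first mismatch.
            int diff = 0;
            for (int i = 0; i < expected.length; i++) {
                diff |= candidate[i] ^ expected[i];
            }
            return diff == 0;
        } finally {
            Arrays.fill(expected, '\0'); // scrub the reference copy
        }
    }

    public static void main(String[] args) {
        // Vulnerable: the String cannot be modified, so the secret stays in the
        // heap until the garbage collector reclaims it. The char[] produced by
        // toCharArray() is a second copy that is never cleared either.
        String leaky = new String("hunter2");
        checkPassword(leaky.toCharArray());
        System.out.println("String still holds the secret: " + leaky);

        // Mitigation: keep the secret in a char[] and zero it as soon as it is used.
        char[] secret = {'h', 'u', 'n', 't', 'e', 'r', '2'};
        try {
            System.out.println("password ok: " + checkPassword(secret));
        } finally {
            Arrays.fill(secret, '\0');
        }
        System.out.println("char[] after clearing: " + Arrays.toString(secret));
    }
}
```

This is also why java.io.Console.readPassword() returns a char[] rather than a String. Note that string concatenation or logging of the secret would create new String copies, defeating the clearing.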
readObject() Vulnerabilities

- The readObject() method in the ObjectInputStream class trusts its input: it reconstructs whatever object the stream describes, without running constructors or checking class invariants.
- Mitigation: implement a readObject(ObjectInputStream) method (which will be used by the ObjectInputStream) in classes when necessary, and validate the deserialized state there.
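The vulnerability and the mitigation side by side, as an added example that is not from the original slides. The Discount and SafeDiscount classes, their "0 to 100 percent" invariant, and the byte-patching helper that stands in for an attacker editing the stream are all constructed for this illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.ByteBuffer;

/**
 * Added example, not from the original slides. The constructor enforces an
 * invariant; deserialization bypasses the constructor, so only a class that
 * re-validates in readObject(ObjectInputStream) keeps the invariant.
 */
public class DeserializationCheck {

    // Vulnerable: default deserialization trusts whatever the stream says.
    static class Discount implements Serializable {
        private static final long serialVersionUID = 1L;
        final int percent;
        Discount(int percent) {
            if (percent < 0 || percent > 100) throw new IllegalArgumentException("bad percent");
            this.percent = percent;
        }
    }

    // Hardened: ObjectInputStream calls this private method while deserializing.
    static class SafeDiscount implements Serializable {
        private static final long serialVersionUID = 1L;
        final int percent;
        SafeDiscount(int percent) {
            if (percent < 0 || percent > 100) throw new IllegalArgumentException("bad percent");
            this.percent = percent;
        }
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();               // populate the fields from the stream
            if (percent < 0 || percent > 100) {   // then re-check the invariant
                throw new InvalidObjectException("bad percent in stream: " + percent);
            }
        }
    }

    static byte[] toBytes(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object fromBytes(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Stand-in for an attacker editing the stream: field values are stored
    // verbatim, so the single big-endian int equal to oldVal is replaced.
    static byte[] patchInt(byte[] data, int oldVal, int newVal) {
        byte[] needle = ByteBuffer.allocate(4).putInt(oldVal).array();
        int found = -1;
        for (int i = 0; i + 4 <= data.length; i++) {
            if (data[i] == needle[0] && data[i + 1] == needle[1]
                    && data[i + 2] == needle[2] && data[i + 3] == needle[3]) {
                if (found >= 0) throw new IllegalStateException("ambiguous match");
                found = i;
            }
        }
        if (found < 0) throw new IllegalStateException("value not found");
        byte[] patched = data.clone();
        ByteBuffer.wrap(patched, found, 4).putInt(newVal);
        return patched;
    }

    public static void main(String[] args) throws Exception {
        // Vulnerable: the tampered stream yields an object that violates the invariant.
        Discount d = (Discount) fromBytes(patchInt(toBytes(new Discount(42)), 42, 999));
        System.out.println("Discount.percent after deserialization: " + d.percent);

        // Hardened: readObject re-validates and rejects the tampered stream.
        try {
            fromBytes(patchInt(toBytes(new SafeDiscount(42)), 42, 999));
            System.out.println("unexpected: tampered SafeDiscount accepted");
        } catch (InvalidObjectException e) {
            System.out.println("SafeDiscount rejected: " + e.getMessage());
        }
    }
}
```

Re-validating in readObject() protects a class's own invariants, but it does not decide which classes may be deserialized at all; for that, Java 9+ provides ObjectInputStream.setObjectInputFilter() (and the jdk.serialFilter system property) to allow-list expected classes and reject everything else.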
assert Statement Vulnerabilities

- Java has an assert statement that (when enabled, with the -ea JVM option) evaluates its argument and throws an AssertionError if it is false.
- When assertions are disabled (the default), the assert statement is a no-op: its argument is never evaluated.
- So, if the argument has a side effect (e.g., assert list.remove(element);), the code will execute differently in the test and production environments.
- Likewise, if assert statements are used for parameter checking, the code will execute differently in the test and production environments (the checks silently disappear in production).
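Both pitfalls and their corrected forms, as an added example (not from the original slides). The withdraw functions and their balance/amount values are hypothetical; run the class once with java -ea and once without to see the assert-based versions change behaviour while the corrected versions do not.

```java
import java.util.ArrayList;
import java.util.List;

/**
 * Added example, not from the original slides. Shows a side effect inside an
 * assert argument and a parameter check done with assert, each beside the
 * version that behaves the same with and without -ea.
 */
public class AssertPitfalls {

    // Vulnerable: the removal only happens when assertions are enabled.
    static boolean removeWithAssert(List<String> list, String element) {
        assert list.remove(element) : "element was not present";
        return list.contains(element);
    }

    // Fixed: do the work unconditionally, then assert on the result.
    static boolean removeProperly(List<String> list, String element) {
        boolean removed = list.remove(element);
        assert removed : "element was not present";
        return list.contains(element);
    }

    // Vulnerable: a parameter check that vanishes in production.
    static int withdrawWithAssert(int balance, int amount) {
        assert amount > 0 && amount <= balance : "invalid amount";
        return balance - amount;
    }

    // Fixed: validation is program logic, not a debugging aid.
    static int withdrawProperly(int balance, int amount) {
        if (amount <= 0 || amount > balance) {
            throw new IllegalArgumentException("invalid amount: " + amount);
        }
        return balance - amount;
    }

    // Standard idiom: the assignment runs only when assertions are enabled.
    static boolean assertionsEnabled() {
        boolean enabled = false;
        assert enabled = true;
        return enabled;
    }

    public static void main(String[] args) {
        System.out.println("assertions enabled: " + assertionsEnabled());

        List<String> a = new ArrayList<>(List.of("x", "y"));
        // true without -ea (nothing was removed), false with -ea.
        System.out.println("still contains after assert-remove: " + removeWithAssert(a, "x"));

        List<String> b = new ArrayList<>(List.of("x", "y"));
        // false either way.
        System.out.println("still contains after proper remove: " + removeProperly(b, "x"));

        try {
            // Without -ea this returns 150: a negative withdrawal credits the account.
            System.out.println("assert-checked withdraw(100, -50) = " + withdrawWithAssert(100, -50));
        } catch (AssertionError e) {
            System.out.println("assert-checked withdraw rejected (assertions enabled)");
        }
        try {
            System.out.println(withdrawProperly(100, -50));
        } catch (IllegalArgumentException e) {
            System.out.println("properly-checked withdraw rejected: " + e.getMessage());
        }
    }
}
```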
Encoding Vulnerabilities

- When converting between bytes and String objects, use an explicit encoding (e.g., StandardCharsets.UTF_8) rather than the platform default, which differs from one JVM installation to another.
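An added example (not from the original slides) of the difference between a default-charset round trip and an explicit one. The input string is constructed for the illustration; the security-relevant point is that bytes validated under one interpretation can decode to a different string under another.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

/**
 * Added example, not from the original slides. Encodes a string containing a
 * non-ASCII character with an explicit charset and shows what the same bytes
 * become when the decoding side uses a different (e.g., platform default) one.
 */
public class ExplicitEncoding {

    // Constructed sample input; the "ë" is U+00EB, two bytes in UTF-8.
    static final String INPUT = "Zoë <script>";

    // Fragile: uses Charset.defaultCharset(), which differs between JVMs
    // (e.g., windows-1252 on older Windows installs, UTF-8 elsewhere).
    static byte[] encodeWithDefault(String s) {
        return s.getBytes();
    }

    // Explicit: the encoding is part of the data's contract.
    static byte[] encodeUtf8(String s) {
        return s.getBytes(StandardCharsets.UTF_8);
    }

    static String decode(byte[] bytes, Charset cs) {
        return new String(bytes, cs);
    }

    public static void main(String[] args) {
        System.out.println("platform default charset: " + Charset.defaultCharset());

        byte[] utf8 = encodeUtf8(INPUT);
        System.out.println("UTF-8 bytes: " + Arrays.toString(utf8));

        // Correct round trip: the same explicit charset on both sides.
        System.out.println("decoded as UTF-8:      " + decode(utf8, StandardCharsets.UTF_8));

        // Mismatch: the same bytes under ISO-8859-1 read "ZoÃ« <script>", which
        // is what a consumer relying on a different platform default would see.
        System.out.println("decoded as ISO-8859-1: " + decode(utf8, StandardCharsets.ISO_8859_1));

        // The default-charset encoding only equals the UTF-8 one when the
        // platform default happens to be UTF-8.
        byte[] dflt = encodeWithDefault(INPUT);
        System.out.println("default-charset bytes equal UTF-8 bytes: " + Arrays.equals(dflt, utf8));
    }
}
```

Since Java 18 (JEP 400) the default charset is UTF-8 on all platforms, which removes the most common mismatch but not the underlying problem: code that exchanges bytes with other systems should still state its charset at every conversion.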
Reflection Vulnerabilities

- Reflection can be used to bypass access checks (e.g., to read or overwrite a private field).
- A SecurityManager will throw an exception in such situations, so don't override this behavior (either by granting ReflectPermission or by using a SecurityManager that does not provide this protection).
- Caveat: the SecurityManager was deprecated for removal in Java 17 (JEP 411) and is disabled by default from Java 18, so this protection cannot be relied on in current releases.
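What the SecurityManager is protecting against, as an added example that is not from the original slides: reflection reading and then rewriting a private final field of a constructed Account class. Where a SecurityManager is active and ReflectPermission("suppressAccessChecks") has not been granted, the setAccessible(true) call is the one that throws SecurityException; without a SecurityManager (the default) the bypass succeeds.

```java
import java.lang.reflect.Field;
import java.lang.reflect.InaccessibleObjectException;

/**
 * Added example, not from the original slides. Uses reflection to bypass the
 * access modifier on a private final field and catches the two exceptions the
 * platform can raise to stop it.
 */
public class ReflectionBypass {

    // Hypothetical class whose invariant is "limit never changes after construction".
    static final class Account {
        private final int limit;
        Account(int limit) { this.limit = limit; }
        int limit() { return limit; }
    }

    static int readPrivateLimit(Account acct) throws ReflectiveOperationException {
        Field f = Account.class.getDeclaredField("limit");
        f.setAccessible(true); // a SecurityManager without ReflectPermission rejects this call
        return f.getInt(acct);
    }

    static void overwritePrivateLimit(Account acct, int newLimit) throws ReflectiveOperationException {
        Field f = Account.class.getDeclaredField("limit");
        f.setAccessible(true);
        f.setInt(acct, newLimit); // allowed on a non-static final field once accessible
    }

    public static void main(String[] args) throws Exception {
        Account acct = new Account(100);
        try {
            System.out.println("limit via reflection: " + readPrivateLimit(acct));
            overwritePrivateLimit(acct, 1_000_000);
            System.out.println("limit after reflective write: " + acct.limit());
        } catch (SecurityException e) {
            System.out.println("blocked by SecurityManager: " + e.getMessage());
        } catch (InaccessibleObjectException e) {
            // Java 9+ module system: raised for classes in packages not opened to the caller.
            System.out.println("blocked by module encapsulation: " + e.getMessage());
        }
    }
}
```

On current JDKs the main() above prints the overwritten limit, because the class lives in the unnamed module (which the module system does not encapsulate) and no SecurityManager is installed. The practical mitigations today are the module system (keep sensitive packages closed rather than opened) and not handing untrusted code the ability to run reflection in the first place.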
Runtime.exec()