Vulnerabilities in Java
and Mitigations
|
Prof. David Bernstein
James Madison University
|
|
Computer Science Department |
bernstdh@jmu.edu |
|
An Important Point
- Our Concern:
- Vulnerabilities in the Java programming language
- Other Possible Concerns:
- Vulnerabilities in the Java runtime system (much of which
is not written in Java)
Access/Visibility Vulnerabilities
- Recall:
- The access modes in Java are public, package, protected,
and private
- Recall Also:
- The principle of information hiding says that, in
general, the most restrictive possible access mode should
be used
Access/Visibility Vulnerabilities (cont.)
- Protected Mode Vulnerabilities:
- A subclass can access members with protected access
- Package Mode Vulnerabilities:
- Any class in the same package can access members with
package access
Access/Visibility Vulnerabilities (cont.)
- Mitigation of Protected Mode Vulnerabilities:
- Since an attacker might be able to provide a subclass,
avoid the use of protected access mode
- Mitigation of Package Mode Vulnerabilities:
- The JVM provides access to package mode members only if they
are in the same package and loaded by the same
ClassLoader
- Code signing adds additional protection
Reference Vulnerabilities
- The Vulnerability:
- Objects are reference types so any reference to a particular
object can be used to modify its state if it is mutable
- Mitigation:
- When interacting with potentially malicious code, never return
a reference to a mutable object
- Include a copy constructor or copy factory that can be used
to create copies for passing to untrusted code
String
Vulnerabilities
- The Vulnerability:
- Because
String
objects are immutable
sensitive information (e.g., passwords) stored in
String
objects can't be deleted (except
by the garbage collector)
- Mitigation:
- Use a
char[]
,
StringBuilder
or
StringBuffer
instead (and
remember that such objects suffer from
reference vulnerabilities)
Serialization Vulnerabilities
- The Vulnerability:
- The
readObject()
method
in the ObjectInputStream
class
trusts its input
- Mitigations:
- Include a
readObject(ObjectInputStream)
method
(which will be used by the ObjectInputStream
)
in classes when necessary
- Use
secure objects
Inner Class Vulnerabilities
- The Vulnerability:
- When a class has an inner class, the compiler inserts package
mode methods in the outer class to allow the inner class
access to the private members that it uses
- This gives all classes in the package access to those members
- Mitigation:
- Use inner classes sparingly
Assertion Vulnerabilities
- The
assert
Statement:
- Java has an
assert
statement that (when enabled)
evaluates its argument and throws an AssertionError
if false
- How It Is Used:
- It is often used in test environments
- When disabled (using a runtime property), the
assert
statement is a no-op
- The Vulnerabilities:
- When the argument has side effects (e.g.,
assert list.remove(element);
)
the code will execute differently in the test and production
environments
- When
assert
statements are used for
parameter checking the code will execute differently in
the test and production environments
Character Encoding Vulnerabilities
- The Vulnerability:
- Every instance of the JVM has a default encoding, but the
default encoding need not be the same across instances
- Mitigation:
- When constructing
String
objects, use
an explicit encoding
Reflection Vulnerabilities
- Reflection:
- Enables an object to look at its internal
details at runtime
- The Vulnerability:
- The reflection API allows access to members that are
normally inacessible
- Mitigation:
- The default
SecurityManager
will throw an
exception in such situations so don't override this
behavior (either by granting
ReflectPermission
or by using
a SecurityManager
that does not provide
this protection)
What About the "Classics"?
- Injection Vulnerabilities:
- Error-Handling/Exception Handling Vulnerabilities:
- Providing too much information in messages
- Ignoring error-codes
- Ignoring unchecked exceptions
What About the "Classics"? (cont.)
- String and Buffer Overflow:
- Memory Management Vulnerabilities:
- Integer Vulnerabilities:
- Wraparound vulnerabilities exist
- Fewer integer types, the inability to do pointer arithmetic,
and the memory manager make other kinds of integer
less of an issue