Vulnerabilities in Java

Vulnerabilities in Java
and Mitigations

Prof. David Bernstein
James Madison University

Computer Science Department

bernstdh@jmu.edu

An Important Point

Our Concern:
- Vulnerabilities in the Java programming language
Other Possible Concerns:
- Vulnerabilities in the Java runtime system (much of which is not written in Java)

Access/Visibility Vulnerabilities

Recall:
- The access modes in Java are public, package, protected, and private
Recall Also:
- The principle of information hiding says that, in general, the most restrictive possible access mode should be used

Access/Visibility Vulnerabilities (cont.)

Protected Mode Vulnerabilities:
- A subclass can access members with protected access
Package Mode Vulnerabilities:
- Any class in the same package can access members with package access

Access/Visibility Vulnerabilities (cont.)

Mitigation of Protected Mode Vulnerabilities:
- Since an attacker might be able to provide a subclass, avoid the use of protected access mode
Mitigation of Package Mode Vulnerabilities:
- The JVM provides access to package mode members only if they are in the same package and loaded by the same ClassLoader
- Code signing adds additional protection

Reference Vulnerabilities

The Vulnerability:
- Objects are reference types so any reference to a particular object can be used to modify its state if it is mutable
Mitigation:
- When interacting with potentially malicious code, never return a reference to a mutable object
- Include a copy constructor or copy factory that can be used to create copies for passing to untrusted code

String Vulnerabilities

The Vulnerability:
- Because String objects are immutable sensitive information (e.g., passwords) stored in String objects can't be deleted (except by the garbage collector)
Mitigation:
- Use a char[], StringBuilder or StringBuffer instead (and remember that such objects suffer from reference vulnerabilities)

Serialization Vulnerabilities

The Vulnerability:
- The readObject() method in the ObjectInputStream class trusts its input
Mitigations:
- Include a readObject(ObjectInputStream) method (which will be used by the ObjectInputStream) in classes when necessary
- Use secure objects

Inner Class Vulnerabilities

The Vulnerability:
- When a class has an inner class, the compiler inserts package mode methods in the outer class to allow the inner class access to the private members that it uses
- This gives all classes in the package access to those members
Mitigation:
- Use inner classes sparingly

Assertion Vulnerabilities

The assert Statement:
- Java has an assert statement that (when enabled) evaluates its argument and throws an AssertionError if false
How It Is Used:
- It is often used in test environments
- When disabled (using a runtime property), the assert statement is a no-op
The Vulnerabilities:
- When the argument has side effects (e.g., assert list.remove(element);) the code will execute differently in the test and production environments
- When assert statements are used for parameter checking the code will execute differently in the test and production environments

Character Encoding Vulnerabilities

The Vulnerability:
- Every instance of the JVM has a default encoding, but the default encoding need not be the same across instances
Mitigation:
- When constructing String objects, use an explicit encoding

Reflection Vulnerabilities

Reflection:
- Enables an object to look at its internal details at runtime
The Vulnerability:
- The reflection API allows access to members that are normally inacessible
Mitigation:
- The default SecurityManager will throw an exception in such situations so don't override this behavior (either by granting ReflectPermission or by using a SecurityManager that does not provide this protection)

What About the "Classics"?

Injection Vulnerabilities:
- Runtime.exec()
Error-Handling/Exception Handling Vulnerabilities:
- Providing too much information in messages
- Ignoring error-codes
- Ignoring unchecked exceptions

What About the "Classics"? (cont.)

String and Buffer Overflow:
- Not much of an issue
Memory Management Vulnerabilities:
- Not much of an issue
Integer Vulnerabilities:
- Wraparound vulnerabilities exist
- Fewer integer types, the inability to do pointer arithmetic, and the memory manager make other kinds of integer less of an issue