SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 84

changes.mady.by.user Brendan Saulsbury

Saved on

compared with

New Version 85

changes.mady.by.user Robert Seacord (Manager)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: done

...

Examples of sensitive data that should remain unserialized include cryptographic keys, digital certificates, and classes that may hold references to sensitive data at the time of serialization.

This rule addresses meant to prevent the unintentional serialization of sensitive data. For information on intentionally serializing sensitive data securely, see information. Rule SER02-J. Sign and seal sensitive objects before sending them outside a trust boundary applies to the intentional serialization of sensitive information.

Noncompliant Code Example

The data members of class Point are private. If Assuming the coordinates are sensitive (as we assume for this example), their presence in the data stream would expose them to malicious tampering.

Code Block
bgColor#FFcccc
public class Point {
  private double x;
  private double y;

  public Point(double x, double y) {
    this.x = x;
    this.y = y;
  }

  public Point() {
    // no-argument constructor
  }
}

public class Coordinates extends Point implements Serializable {
  public static void main(String[] args) {
    FileOutputStream fout = null;
    try {
      Point p = new Point(5, 2);
      fout = new FileOutputStream("point.ser");
      ObjectOutputStream oout = new ObjectOutputStream(fout);
      oout.writeObject(p);
    } catch (Throwable t) { 
      // Forward to handler 
    } finally {
      fout.close();
    }
 }
}

Compliant Solution

In the absence of sensitive data, classes can be serialized by simply implementing the java.io.Serializable interface. By doing so, the class indicates that no security issues may result from the object's serialization. Note that any derived subclasses also inherit this interface and are consequently serializable. This simple approach is inappropriate for any class that contains sensitive data.

...

Code Block
bgColor#ccccff
public class Point {
 private transient double x; // declared transient
 private transient double y; // declared transient

 public Point(double x, double y) {
  this.x = x;
  this.y = y;
 }

 public Point() {
   // no-argument constructor
 }
}

public class Coordinates extends Point implements Serializable {
  public static void main(String[] args) {
    try {
      Point p = new Point(5,2);
      FileOutputStream fout = new FileOutputStream("point.ser");
      ObjectOutputStream oout = new ObjectOutputStream(fout);
      oout.writeObject(p);
      oout.close();
    } catch (Exception e) {
      // Forward to handler
    }
  }
}

Compliant Solution

Another acceptable solution involves using custom implementations of the writeObject(), writeReplace() and writeExternal() methods that prevent sensitive fields from being written to the serialized stream.

Compliant Solution

Another acceptable approach is to define the serialPersistentFields array field and ensure that sensitive fields are omitted from the array. (See rule SER00-J. Maintain serialization compatibility during class evolution.)

Noncompliant Code Example

Wiki Markup
Serialization can also be used maliciously. One example is returning multiple instances of a singleton-like class. In this noncompliant code example (based on \[[Bloch 2005|AA. Bibliography#Bloch 05]\]), a subclass {{SensitiveClass}} inadvertently becomes serializable because it extends the {{Exception}} class which implements {{Serializable}}.

...

See rule MSC11-J. Address the shortcomings of the Singleton design pattern for more information on singletons.

Compliant Solution

Extending a class or interface that implements Serializable should be avoided whenever possible. When extension of such a class is necessary, undue serialization of the subclass can be prohibited by throwing a NotSerializableException from a custom writeObject() or readResolve() method, defined in the subclass SensitiveClass. Note that the custom writeObject() or readResolve() methods must be declared final to prevent a malicious subclass from overriding them.

Code Block
bgColor#ccccff
class SensitiveClass extends Exception {
  // ...

  private Object readResolve() throws NotSerializableException {
    throw new NotSerializableException();
  }
}

Exceptions

SER03:EX0: Sensitive data that has been properly encrypted may be serialized.

Risk Assessment

If sensitive data can be serialized, it may be transmitted over an insecure link, or stored in an insecure location, or disclosed inappropriately.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

SER03-J

medium

likely

high

P6

L2

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

MITRE 2009

CWE ID 499, "Serializable Class Containing Sensitive Data"

 

CWE ID 502, "Deserialization of Untrusted Data"

SCG 2009

Guideline 5-2 Guard sensitive data during serialization

Bibliography

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="82079734930b3528-244d7077-45104ae2-bacf8ade-ad98b3031699024d7105ef9e"><ac:plain-text-body><![CDATA[

[[Bloch 2005

AA. Bibliography#Bloch 05]]

Puzzle 83: Dyslexic Monotheism

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="3bd0c79865e67097-449565f1-485049e0-9232b756-8c07cd2bb46c24397b6ef39d"><ac:plain-text-body><![CDATA[

[[Bloch 2001

AA. Bibliography#Bloch 01]]

Item 1: Enforce the singleton property with a private constructor

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="a5975e6d3fbb84fc-f0714c0f-48e4486a-90039ce2-3ae36aa547a7473ded4ff0fb"><ac:plain-text-body><![CDATA[

[[Greanier 2000

AA. Bibliography#Greanier 00]]

[Discover the secrets of the Java Serialization API

http://java.sun.com/developer/technicalArticles/Programming/serialization/]

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="98c31ea0c5169a10-bf974101-4759441f-baf1a4b5-485fde4d74b28f3b87bce122"><ac:plain-text-body><![CDATA[

[[Harold 1999

AA. Bibliography#Harold 99]]

 

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="66d66c41bd6c57d4-c889e6dd-44f44ac5-99efbf74-3437d0990a29e12d70bfcbc1"><ac:plain-text-body><![CDATA[

[[JLS 2005

AA. Bibliography#JLS 05]]

[Transient modifier

http://java.sun.com/docs/books/jls/third_edition/html/classes.html#37020]

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="12a69e605ca56f08-27217886-48d74bd8-af99a255-6ee9e56032d5e5f2cfa6e52b"><ac:plain-text-body><![CDATA[

[[Long 2005

AA. Bibliography#Long 05]]

Section 2.4, Serialization

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="20ef3419349f6616-eab2921e-4d754260-baca8e0a-9290791e2357595882333bd6"><ac:plain-text-body><![CDATA[

[[Sun 2006

AA. Bibliography#Sun 06]]

"Serialization specification: A.4 Preventing Serialization of Sensitive Data"

]]></ac:plain-text-body></ac:structured-macro>

...