SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 30

changes.mady.by.user Pennie Walters

Saved on

compared with

New Version 31

changes.mady.by.user Pennie Walters

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

When System.exit() is invoked, all programs and threads running on the JVM terminate. This can result in denial-of-service attacks, for example, a web server can stop servicing users upon encountering an untimely call to System.exit().

Noncompliant Code Example

This noncompliant code example calls System.exit() to forcefully shutdown the JVM and terminate the running process. No security manager checks have been installed to check whether the program has sufficient permissions to exit.

Code Block
bgColor#FFcccc
public class InterceptExit {
  public static void main(String[] args) {
    // ...
    System.exit(1);  // Abrupt exit 
    System.out.println("This is never executed");
  }
}

Compliant Solution

This compliant solution installs a custom security manager PasswordSecurityManager that overrides the checkExit() method defined in the SecurityManager class. An internal flag is used to keep track of whether the exit is permitted or not. The method setExitAllowed() is used to set this flag. If the flag is not set (false), a SecurityException is thrown. The System.exit() call is not allowed to execute by catching the SecurityException in a try-catch block. After intercepting and performing mandatory clean-up operations, the setExitAllowed() method is invoked. As a result, the program exits gracefully.

Code Block
bgColor#ccccff
class PasswordSecurityManager extends SecurityManager{
  private boolean isExitAllowedFlag; 
  
  public PasswordSecurityManager(){
    super();
    isExitAllowedFlag = false;  
  }
 
 public boolean isExitAllowed(){
   return isExitAllowedFlag;	 
 }
 
 @Override public void checkExit(int status) {
   if(!isExitAllowed())
     throw new SecurityException();
   }
 
 public void setExitAllowed(boolean f) {
   isExitAllowedFlag = f; 	 
 }
}

public class InterceptExit {
  public static void main(String[] args) {
    PasswordSecurityManager secManager = new PasswordSecurityManager();
    System.setSecurityManager(secManager);
    try {
      // ...
      System.exit(1);  // Abrupt exit call
    }
    catch (Throwable x) {
      if (x instanceof SecurityException) {
        System.out.println("Intercepted System.exit()");
      } else {
        // Forward to exception handler
      }
    }

    // ...
    secManager.setExitAllowed(true);  // Permit exit
    // System.exit() will work subsequently
    // ...
  }
}

Noncompliant Code Example

If a user forcefully exits a program by pressing the ctrl + c key or uses the kill command, the JVM terminates abruptly. Although this event cannot be captured, the code should be able to react to it. This noncompliant code example misses this step.

Code Block
bgColor#FFcccc
public class InterceptExit {
  public static void main(String[] args) {
    System.out.println("Regular code block");
    // Abrupt exit such as ctrl + c key pressed
    System.out.println("This never executes");
  }
}

Compliant Solution

The addShutdownHook() method of java.lang.Runtime helps to perform clean-up operations in the abrupt termination scenario. When the shutdown is initiated, the hook thread starts to run concurrently with other JVM threads.

...

It is still possible for the JVM to abort because of external issues, such as an external SIGKILL signal (UNIX) or the TerminateProcess call (Microsoft Windows), or memory corruption caused by native methods. In such cases, it is not guaranteed that the hooks will execute as expected.

Exceptions

Wiki Markup
*EX1:* It is permissible for a command line utility to call {{System.exit()}} or terminate prematurely, for example, when the required number of arguments are not input. \[[Bloch 08|AA. Java References#Bloch 08]\] and \[[ESA 05|AA. Java References#ESA 05]\]

Risk Assessment

Allowing inadvertent calls to System.exit() may lead to denial of service.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

EXC04- J

low

unlikely

medium

P2

L3

Automated Detection

TODO

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

Wiki Markup
\[[API 06|AA. Java References#API 06]\] [method checkExit()|http://java.sun.com/j2se/1.4.2/docs/api/java/lang/SecurityManager.html#checkExit(int)], Class Runtime, method addShutdownHook
\[[Kalinovsky 04|AA. Java References#Kalinovsky 04]\] Chapter 16 Intercepting a Call to System.exit
\[[Austin 00|AA. Java References#Austin 00]\] [Writing a Security Manager|http://java.sun.com/developer/onlineTraining/Programming/JDCBook/signed2.html]
\[[Darwin 04|AA. Java References#Darwin 04]\] 9.5 The Finalize Method
\[[Goetz 06|AA. Java References#Goetz 06]\] 7.4. JVM Shutdown 
\[[ESA 05|AA. Java References#ESA 05]\] Rule 78: Restrict the use of the System.exit method 
\[[MITRE 09|AA. Java References#MITRE 09]\] [CWE ID 382|http://cwe.mitre.org/data/definitions/382.html] "J2EE Bad Practices: Use of System.exit()"

...