...
Writing garbage collection friendly code helps restrict many attack avenues. Many of the best practices are enumerated below.
Use Short-Lived Immutable Objects
| Wiki Markup |
|---|
Since JDK 1.2, the generational garbage collector has reduced memory allocation related costs to low levels, in many cases lower than C/C++. Generational garbage collection reduces garbage collection costs by grouping objects into generations. The _younger generation_ consists of short-lived objects. The GC performs a minor collection on the younger generation when it fills up with dead objects \[[Oracle 2010a|AA. Bibliography#Oracle 10a]\]. Improved garbage collection algorithms have reduced the cost of garbage collection so that it is proportional to the number of _live_ objects in the _younger generation_, rather than to the _total_ number of objects allocated since the last garbage collection. |
...
The guidelines FIO00-J. Defensively copy mutable inputs and mutable internal components and OBJ09-J. Defensively copy private mutable class members before returning their references are instrumental in promoting GC-friendly code.
Avoid Large Objects
The allocation of large objects is expensive; further, the cost to initialize their fields is proportional to their size. Additionally, frequent allocation of large objects of different sizes can cause fragmentation issues or non-compacting collect operations.
Do Not Use Direct Buffers for Short Lived, Infrequently Used Objects
The new IO classes (NIO) in java.nio allow the creation and use of direct buffers. These buffers tremendously increase throughput for repeated IO activities. However, their creation and reclamation is more expensive than that for heap-based non-direct buffers, because direct buffers are managed using OS specific native code. This added management cost makes direct buffers an poor choice for single-use or infrequently used cases. Direct buffers are also not subject to Java's garbage collector which can cause memory leaks. Frequent allocation of large direct buffers can cause an OutOfMemoryError.
Noncompliant Code Example
This noncompliant code example uses a short-lived local object buffer, which is allocated in non-heap memory and is not garbage collected.
| Code Block | ||
|---|---|---|
| ||
ByteBuffer buffer = ByteBuffer.allocateDirect(8192); // use buffer once |
Compliant Solution
This compliant solution uses an indirect buffer to allocate the short-lived, infrequently used object.
| Code Block | ||
|---|---|---|
| ||
ByteBuffer buffer = ByteBuffer.allocate(8192); // use buffer once |
Nulling References
Reference nulling to "help the garbage collector" is unnecessary. It adds clutter to the code and can introduce subtle bugs. Assigning null to local variables is also unnecessary; the Java Just-In-Time compiler (JIT) can perform an equivalent liveness analysis; in fact most implementations do this. A related bad practice is use of a finalizer to null out references; see MET18-J. Avoid using finalizers for additional details.
Noncompliant Code Example
This noncompliant code example assigns null to the buffer array.
| Code Block | ||
|---|---|---|
| ||
int[] buffer = new int[100]; doSomething(buffer); buffer = null // No need to explicitly assign null |
Compliant Solution
| Wiki Markup |
|---|
This compliant solution adds a lexical block to limit the scope of the variable {{buffer}}; the garbage collector can collect the object immediately when it goes out of scope \[[Bloch 2008|AA. Bibliography#Bloch 08]\]. |
...
Array based data structures such as ArrayLists are exceptions because the programmer may be required to explicitly set individual array elements to null to indicate their absence.
Long-Lived Objects Containing Short-Lived Objects
Always remove short-lived objects from long-lived container objects when the task is over. For example, objects attached to a java.nio.channels.SelectionKey object must be removed when they are no longer needed. Doing so reduces the possibility of memory leaks.
Do Not Explicitly Invoke the Garbage Collector
The garbage collector can be explicitly invoked by calling the System.gc() method. Even though the documentation says that it "runs the garbage collector", there is no guarantee as to when the garbage collector will actually run. In fact, the call only suggests that the GC will subsequently execute. Other reasons to avoid explicit invocation of the GC include:
...
In the Java Hotspot VM (default since JDK 1.2), System.gc() forces an explicit garbage collection. Such calls can be buried deep within libraries and so they may be difficult to trace. To ignore the call in such cases, use the flag -XX:+DisableExplicitGC. To avoid long pauses while performing a full GC, a less demanding concurrent cycle may be invoked by specifying the flag -XX:ExplicitGCInvokedConcurrent.
Exceptions
OBJ13-EX1: When an application goes through several phases such as an initialization and a ready phase, it may require heap compaction between phases. Given an uneventful period, System.gc() may be invoked in such cases, provided that there is a suitable uneventful period between phases.
OBJ13-EX2: System.gc() may be invoked as a last resort in a catch block that is attempting to recover from an OutOfMemoryError.
Risk Assessment
Misusing some garbage collection utilities can cause Denial Of Service (DoS) related issues and severe performance degradation.
Guideline | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
OBJ13 OBJ11-J | low | likely | high | P3 | L3 |
Related Vulnerabilities
Bibliography
| Wiki Markup |
|---|
\[[API 2006|AA. Bibliography#API 06]\] Class {{System}}
\[[Bloch 2008|AA. Bibliography#Bloch 08]\] Item 6: "Eliminate obsolete object references"
\[[Commes 2007|AA. Bibliography#Commes 07]\] Garbage Collection Concepts and Programming Tips
\[[Goetz 2004|AA. Bibliography#Goetz 04]\]
\[[Lo 2005|AA. Bibliography#Lo 05]\]
\[[MITRE 2009|AA. Bibliography#MITRE 09]\] [CWE ID 405|http://cwe.mitre.org/data/definitions/405.html] "Asymmetric Resource Consumption (Amplification)" |
...