Many methods offer invariants, which can be any or all of: guarantees about what the method can do, requirements about the state of the object when the method is invoked, or guarantees about the state of the object when the method completes. For instance, the % operator, which computes the remainder of a division, provides the invariant that
...
A fundamental principle of object-oriented design is that, when a subclass extends a superclass, the subclass's methods must preserve the invariants provided by the superclass. Unfortunately, design principles fail to constrain attackers, who can (and do!) construct malicious classes that extend benign classes and provide methods that deliberately violate the invariants of the benign classes.
For instance, an immutable class that lacks the final qualifier can be extended by a malicious subclass that can modify the state of the supposedly-immutable object. Further, the malicious subclass can impersonate the immutable object (it passes every instanceof check and can be handed to any method that expects the superclass) while actually remaining mutable. Such malicious subclasses can then violate program invariants on which clients depend, consequently introducing security vulnerabilities.
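The following is an added example, not code from the guideline itself, that makes the attack above concrete. The class names Money, Ledger, EvilMoney and FinalMoney are hypothetical. Money is written as an immutable value class but is not declared final; Ledger validates a Money once on deposit and then trusts its value; EvilMoney extends Money, passes the validation, and afterwards changes what getCents() returns. FinalMoney shows the fix: with the class declared final the malicious subclass cannot be compiled.

```java
import java.util.ArrayList;
import java.util.List;

public class MutableSubclassDemo {

    // Intended to be immutable: no setters, private final field.
    // But the class itself is not final, so it can be extended.
    static class Money {
        private final long cents;
        Money(long cents) { this.cents = cents; }
        public long getCents() { return cents; }
    }

    // Client that relies on the invariant "getCents() never changes
    // after construction": it validates once and re-reads later.
    static class Ledger {
        private final List<Money> entries = new ArrayList<>();

        void deposit(Money m) {
            if (m.getCents() <= 0) {
                throw new IllegalArgumentException("deposit must be positive");
            }
            entries.add(m); // validated here, trusted from now on
        }

        long balance() {
            long total = 0;
            for (Money m : entries) {
                total += m.getCents(); // calls the (possibly overridden) getter again
            }
            return total;
        }
    }

    // Malicious subclass: impersonates Money (it IS a Money to the type
    // system) but keeps its own mutable copy of the value.
    static class EvilMoney extends Money {
        private long mutable;

        EvilMoney(long initial) {
            super(initial);
            this.mutable = initial;
        }

        @Override
        public long getCents() { return mutable; }

        void setCents(long v) { mutable = v; }
    }

    // Fix: declare the class final so that no subclass can exist.
    static final class FinalMoney {
        private final long cents;
        FinalMoney(long cents) { this.cents = cents; }
        public long getCents() { return cents; }
    }
    // static class EvilFinalMoney extends FinalMoney { }
    //   -> compile-time error: cannot inherit from final FinalMoney

    public static void main(String[] args) {
        Ledger ledger = new Ledger();
        EvilMoney evil = new EvilMoney(100);
        ledger.deposit(evil);          // passes the "> 0" check
        evil.setCents(-1_000_000);     // invariant broken after validation
        // The ledger now reports a negative balance even though it never
        // accepted a non-positive deposit.
        System.out.println("balance = " + ledger.balance());
    }
}
```

Note that Ledger cannot defend itself by checking `m instanceof Money`, since EvilMoney satisfies that test; the only reliable defence is on the Money side, by removing extensibility (final class, or private constructors with a static factory).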
...
One commonly suggested solution is to place code at each point where the superclass can be instantiated to ensure that the instance being created has the same type as the superclass. When the type is found to be that of a subclass rather than the superclass's type, the checking code performs a security manager check to ensure that malicious classes cannot misuse the superclass. This approach is insecure because the check runs inside the superclass constructor, after the object has already been allocated: a malicious subclass can add a finalizer and thereby obtain a partially-initialized instance of the superclass even though the constructor threw an exception. This attack is detailed in guideline OBJ04-J. Do not allow access to partially initialized objects.
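The added example below (not the guideline's own code; the class names Guarded and Interceptor are hypothetical) shows why the constructor-time type check is insufficient. Guarded's constructor compares getClass() against its own class and throws when a subclass is being constructed; a plain SecurityException stands in for the security-manager check the text describes, since the control flow is the same. Interceptor extends Guarded and overrides finalize() to save `this` into a static field. The constructor does throw, but the half-built object still exists on the heap, and if the finalizer runs it leaks the instance. Finalization is not guaranteed to run in any given JVM or configuration, so the demo reports whichever outcome it observes; the weakness is the same either way.

```java
public class ConstructorCheckBypass {

    // The "protected" superclass: rejects construction through a subclass.
    static class Guarded {
        private final int secret;

        Guarded(int secret) {
            // Runs AFTER the object has been allocated and Object.<init> has
            // completed, so the subclass already holds a reference as 'this'.
            if (getClass() != Guarded.class) {
                // Stand-in for the security-manager check described in the text.
                throw new SecurityException("subclassing Guarded is not permitted");
            }
            this.secret = secret;
        }

        int getSecret() { return secret; }
    }

    // Malicious subclass: never completes construction, but its finalizer
    // is still invoked on the abandoned, partially-initialized object.
    static class Interceptor extends Guarded {
        static volatile Guarded stolen;

        Interceptor() { super(42); } // throws SecurityException

        @SuppressWarnings({"deprecation", "removal"})
        @Override
        protected void finalize() {
            stolen = this; // resurrects the partially-initialized instance
        }
    }

    // Fix: make the class final (or give it only private constructors and a
    // static factory). Then no subclass, and hence no subclass finalizer, can
    // exist, and the check in the constructor is no longer needed at all.
    static final class GuardedFinal {
        private final int secret;
        GuardedFinal(int secret) { this.secret = secret; }
        int getSecret() { return secret; }
    }

    @SuppressWarnings({"deprecation", "removal"})
    public static void main(String[] args) throws InterruptedException {
        try {
            new Interceptor();
            System.out.println("unexpected: constructor did not throw");
        } catch (SecurityException e) {
            System.out.println("constructor rejected subclass: " + e.getMessage());
        }

        // Encourage the JVM to collect the abandoned object and run finalizers.
        // This is best-effort only; nothing guarantees finalization.
        for (int i = 0; i < 5 && Interceptor.stolen == null; i++) {
            System.gc();
            System.runFinalization();
            Thread.sleep(50);
        }

        if (Interceptor.stolen != null) {
            // 'secret' was never assigned, so it holds the default value 0,
            // but the attacker now owns an instance the check meant to forbid.
            System.out.println("finalizer leaked a partially-initialized Guarded; secret="
                    + Interceptor.stolen.getSecret());
        } else {
            System.out.println("finalizer did not run in this JVM; the object still existed");
        }
    }
}
```

The practical takeaway is that any check performed inside the superclass constructor is too late to prevent the subclass from existing; the safe options are the ones that stop the subclass from being defined in the first place.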
...