Untrusted code can misuse APIs provided by trusted code by overriding methods such as Object.equals(), Object.hashCode(), and Thread.run(). These methods are valuable targets because they are commonly used behind the scenes and may interact with components in a way that is not easily discernible.

...

The constructor for LicenseManager initializes licenseMap with a demo license key that is meant to be kept secret. The license key is hardcoded for illustrative purposes; ideally it should be read from an external configuration file that stores its encrypted version (see MSC66-JG, "Store passwords using a hash function," for more information). The LicenseType class provides overridden implementations of the equals() and hashCode() methods.

This setup is vulnerable to an attacker who extends the LicenseType class and overrides the equals() and hashCode() methods as follows:

public class CraftedLicenseType extends LicenseType {
    private static int guessedHashCode = 0;
    @Override
    public int hashCode() {
        // Returns a new hashCode to test every time get() is called
        guessedHashCode++;
        return guessedHashCode;
    }
    @Override
    public boolean equals(Object arg) {
        // Always returns true
        return true;
    }
}

The malicious client program is shown below.

...

The client program runs through the sequence of all possible hash codes using CraftedLicenseType until it successfully matches the hash code of the demo license key object stored in the LicenseManager class. Consequently, the attacker can discover the sensitive data present within the licenseMap in only a few minutes. The attack operates by discovering at least one hash collision with respect to the key of the map.

...

This compliant solution uses an IdentityHashMap rather than a HashMap to store the license information.
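The following added example (not the page's own LicenseManager code) shows why the change matters. It assumes a minimal LicenseType with overridden equals()/hashCode() and a subclass that returns true from equals(); the matching hash is passed in directly rather than searched for, so that the two map lookups can be compared side by side.

```java
import java.util.HashMap;
import java.util.IdentityHashMap;
import java.util.Map;

public class IdentityMapDemo {
    // Hypothetical key type standing in for the page's LicenseType.
    static class LicenseType {
        private final String name;
        LicenseType(String name) { this.name = name; }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public boolean equals(Object o) {
            return o instanceof LicenseType && ((LicenseType) o).name.equals(name);
        }
    }

    // Subclass whose equals() always succeeds and whose hashCode() is caller-chosen,
    // mirroring the behaviour of CraftedLicenseType above.
    static class CollidingKey extends LicenseType {
        private final int hash;
        CollidingKey(int hash) { super("crafted"); this.hash = hash; }
        @Override public int hashCode() { return hash; }
        @Override public boolean equals(Object o) { return true; }
    }

    // Constructed placeholder; a real key would come from protected configuration.
    private static final String DEMO_KEY = "DEMO-KEY-PLACEHOLDER";

    static String lookup(Map<LicenseType, String> map, LicenseType probe) {
        return map.get(probe);
    }

    public static void main(String[] args) {
        LicenseType demo = new LicenseType("demo");
        LicenseType probe = new CollidingKey(demo.hashCode());

        Map<LicenseType, String> hashMap = new HashMap<>();
        hashMap.put(demo, DEMO_KEY);
        // HashMap.get() calls the probe's hashCode() and then its equals():
        // a matching hash plus an equals() that always returns true retrieves the value.
        System.out.println("HashMap:         " + lookup(hashMap, probe));

        Map<LicenseType, String> identityMap = new IdentityHashMap<>();
        identityMap.put(demo, DEMO_KEY);
        // IdentityHashMap uses System.identityHashCode() and ==, so the overridden
        // methods are never consulted; only the original key object matches.
        System.out.println("IdentityHashMap: " + lookup(identityMap, probe));
        System.out.println("Same object:     " + lookup(identityMap, demo));
    }
}
```

The HashMap lookup returns the stored value for the colliding probe, while the IdentityHashMap lookup returns null for it and the value only for the original key object.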

...

In this noncompliant code example, class Worker and its subclass SubWorker each contain a startThread() method intended to start a thread.

public class Worker implements Runnable {
    Worker() { }
    public void startThread(String name) {
        // Passes this as the Runnable, so the overridden run() is what executes
        new Thread(this, name).start();
    }
    @Override
    public void run() {
        System.out.println("Parent");
    }
}

public class SubWorker extends Worker {
    @Override
    public void startThread(String name) {
        // Both thread starts invoke SubWorker.run(), never Worker.run()
        super.startThread(name);
        new Thread(this, name).start();
    }
    @Override
    public void run() {
        System.out.println("Child");
    }
}

...