...
Java language's access control mechanisms cease to remain effective after a class is serialized. Consequently, any sensitive data that was originally protected using access qualifiers (such as the private keyword) gets exposed. Moreover, the security manager does not provide any checks to guarantee integrity of the serialized data.
Noncompliant Code Example
...
Other solutions include custom implementation of writeObject, writeReplace and writeExternal methods such that sensitive fields are not written to the serialized stream or alternatively, conducting proper validation checks while deserializing. Yet another remediation is to define the serialPersistentFields array field and ensure that sensitive fields are not added to the array. Sometimes it is necessary to prevent a serializable object (whose superclass implements serializable) from getting serialized. This is the focus of the second noncompliant code example.
Noncompliant Code Example
| Wiki Markup |
|---|
Serialization can also be used maliciously to return multiple instances of a singleton-like class. In this noncompliant example, a subclass {{SensitiveClass}} inadvertently becomes Serializable since it extends the {{Exception}} class that implements {{Serializable}}. (Based on \[[Bloch 05|AA. Java References#Bloch 05]\]) |
| Code Block | ||
|---|---|---|
| ||
public class SensitiveClass extends Exception { public static final SensitiveClass INSTANCE = new SensitiveClass(); private SensitiveClass() { // Perform security checks and parameter validation } protected int printBalance() { int balance = 1000; return balance; } } class Malicious { public static void main(String[] args) { SensitiveClass sc = (SensitiveClass) deepCopy(SensitiveClass.INSTANCE); System.out.println(sc == SensitiveClass.INSTANCE); // prints false; indicates new instance System.out.println("Balance =" + sc.printBalance()); } // This method should not be used in production quality code static public Object deepCopy(Object obj) { try { ByteArrayOutputStream bos = new ByteArrayOutputStream(); new ObjectOutputStream(bos).writeObject(obj); ByteArrayInputStream bin = new ByteArrayInputStream(bos.toByteArray()); return new ObjectInputStream(bin).readObject(); } catch (Exception e) { throw new IllegalArgumentException(e); } } } |
Compliant Solution
Undue serialization of the subclass can be prohibited can be achieved by throwing a NotSerializableException from the a custom writeObject() method or the readResolve() method, defined in the subclass SensitiveClass. Ideally, one should avoid extending a class or interface that implements Serializable.
| Code Block | ||
|---|---|---|
| ||
private Object readResolve() throws NotSerializableException {
throw new NotSerializableException();
}
|
Risk Assessment
If sensitive data can be serialized then it may be transmitted over an insecure link, or stored in an insecure medium, and thereby released inappropriately.
...
| Wiki Markup |
|---|
\[[JLS 05|AA. Java References#JLS 05]\] [Transient modifier|http://java.sun.com/docs/books/jls/third_edition/html/classes.html#37020] \[[SCG 07|AA. Java References#SCG 07]\] Guideline 5-1 Guard sensitive data during serialization \[[Harold 99|AA. Java References#Harold 99]\] \[[Long 05|AA. Java References#Long 05]\] Section 2.4, Serialization \[[Greanier 00|AA. Java References#Greanier 00]\] [Discover the secrets of the Java Serialization API|http://java.sun.com/developer/technicalArticles/Programming/serialization/] \[[Bloch 05|AA. Java References#Bloch 05]\] Puzzle 83: Dyslexic Monotheism |
...
FIO31-J. Create a copy of mutable inputs 07. Input Output (FIO) FIO33-J. Do not allow serialization and deserialization to bypass the Security Manager