In Java SE 6, privileged code either uses the AccessController mechanism or must be signed by an owner (or provider) who is trusted by the user. Attackers could link privileged code with malicious code if the privileged code directly or indirectly invokes code from another package. This is called a mix and match attack. A mix and match attack is not possible if the code is signed because, by default, the jarsigner tool signs the finished manifest that contains the names of the included classes along with their digests.

Execution of untrusted code causes loss of privileges. If trusted code calls some untrusted code that attempts to perform some action requiring permissions not granted by the security policy, the action is not allowed. However, privileged code may use a class that exists in an untrusted container, performing only unprivileged operations. If the attacker replaces this class with a malicious implementation, the trusted code will retrieve incorrect results.

...

Failure to place all privileged code together in one package and seal the package can lead to mix and match attacks.
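The following is an added example, not code from the CERT page: a runtime self-check that the security-sensitive class's package was loaded sealed and that its code source carries signer certificates, so that a class swapped in from an unsealed or unsigned location is noticed before any privileged operation runs. The class name `SealCheck` and the manifest fragment in the comment are illustrative assumptions; the `Package.isSealed()`, `ProtectionDomain.getCodeSource()` and `CodeSource.getCertificates()` calls are standard Java SE APIs.

```java
import java.security.CodeSource;
import java.security.cert.Certificate;

/*
 * Added example (not from the CERT page). Assumed build setup: all
 * security-sensitive classes live in one package, packaged into one JAR whose
 * manifest seals the package, and the JAR is signed with jarsigner:
 *
 *   Manifest-Version: 1.0
 *   Name: com/example/priv/
 *   Sealed: true
 *
 *   jar cfm priv.jar MANIFEST.MF com/example/priv/*.class
 *   jarsigner -keystore store.jks priv.jar signerAlias
 *
 * Sealing ensures every class of the package comes from this JAR; signing
 * ensures the manifest (class names plus digests) cannot be altered.
 */
public final class SealCheck {

    private SealCheck() { }

    /** True if the package containing {@code c} was loaded from a sealed JAR. */
    static boolean isPackageSealed(Class<?> c) {
        Package p = c.getPackage();
        return p != null && p.isSealed();
    }

    /** True if the code source of {@code c} carries at least one signer certificate. */
    static boolean isSigned(Class<?> c) {
        CodeSource cs = c.getProtectionDomain().getCodeSource();
        if (cs == null) {
            return false; // bootstrap classes, for example, have no code source
        }
        Certificate[] certs = cs.getCertificates();
        return certs != null && certs.length > 0;
    }

    /**
     * Guard to call at the start of privileged entry points: refuse to proceed
     * unless the class is both in a sealed package and loaded from signed code.
     */
    static void requireSealedAndSigned(Class<?> c) {
        if (!isPackageSealed(c)) {
            throw new SecurityException("package of " + c.getName() + " is not sealed");
        }
        if (!isSigned(c)) {
            throw new SecurityException("code source of " + c.getName() + " is not signed");
        }
    }

    public static void main(String[] args) {
        Class<?> self = SealCheck.class;
        // When run from an unpacked classes directory both checks report false;
        // from the sealed, signed JAR described above both report true.
        System.out.println("package sealed: " + isPackageSealed(self));
        System.out.println("code signed:    " + isSigned(self));
    }
}
```

The guard is defence in depth rather than a substitute for sealing and signing at build time: `isSigned` only reports that signer certificates are attached, so a deployment that must trust specific signers should additionally compare those certificates against an expected set.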

...

Detecting code that should be considered privileged or sensitive requires programmer assistance. Given identified privileged code as a starting point, automated tools could compute the closure of all code that can be invoked from that point. Such a tool could plausibly determine whether all code in that closure exists within a single package. A further check of whether the package is sealed appears feasible.

...

Search for vulnerabilities resulting from the violation of this guideline on the CERT website.

Related Guidelines

MITRE CWE: CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data

Bibliography

[API 2006]
[McGraw 2000] Rule 7: If You Must Sign Your Code, Put It All in One Archive File (sic)
[MITRE 2009] CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data, http://cwe.mitre.org/data/definitions/349.html
[Ware 2008]

...