...
| Code Block |
|---|
class SerializableMap<K,V> implements Serializable {
final static long serialVersionUID = -2648720192864531932L;
private Map<K,V> map;
public SerializableMap() {
map = new HashMap<K,V>();
}
public Object getData(K key) {
return map.get(key);
}
public void setData(K key, V data) {
map.put(key, data);
}
}
public class MapSerializer {
static public SerializableMap< String, Integer> buildMap() {
SerializableMap< String, Integer> map = new SerializableMap< String, Integer>();
map.setData("John Doe", new Integer( 123456789));
map.setData("Richard Roe", new Integer( 246813579));
return map;
}
static public void InspectMap(SerializableMap< String, Integer> map) {
System.out.println("John Doe's number is " + map.getData("John Doe"));
System.out.println("Richard Roe's number is " + map.getData("Richard Roe"));
}
public static void main(String[] args) {
// ...
}
}
|
Noncompliant Code Example
This noncompliant code example simply serializes the map and then deserializes it. Thus, the map is capable of being serialized and transferred across different business tiers. Unfortunately, there are no safeguards against byte stream manipulation attacks while the binary data is in transit. Likewise, anyone can reverse engineer the serialized stream data from its hexadecimal notation to reveal the data in the HashMap.
...
If the data in the map is considered sensitive, this example will also violate SER03-J. Do not serialize unencrypted, sensitive data.
Noncompliant Code Example (Seal)
To provide message confidentiality, use the javax.crypto.SealedObject class. This class encapsulates a serialized object and encrypts (or seals) it. A strong cryptographic algorithm that uses a secure cryptographic key and padding scheme must be employed to initialize the Cipher object parameter. The seal and unseal utility methods provide the encryption and decryption facilities respectively.
...
| Code Block | ||
|---|---|---|
| ||
public static void main(String[] args)
throws IOException, GeneralSecurityException, ClassNotFoundException {
// Build map
SerializableMap< String, Integer> map = buildMap();
// Generate sealing key & seal map
KeyGenerator generator;
generator = KeyGenerator.getInstance("DES");
generator.init(new SecureRandom());
Key key = generator.generateKey();
Cipher cipher = Cipher.getInstance("DES");
cipher.init( Cipher.ENCRYPT_MODE, key);
SealedObject sealedMap = new SealedObject( map, cipher);
// Serialize map
ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream("data"));
out.writeObject( sealedMap);
out.close();
// Deserialize map
ObjectInputStream in = new ObjectInputStream(new FileInputStream("data"));
sealedMap = (SealedObject) in.readObject();
in.close();
// Unseal map
cipher = Cipher.getInstance("DES");
cipher.init( Cipher.DECRYPT_MODE, key);
map = (SerializableMap< String, Integer>) sealedMap.getObject(cipher);
// Inspect map
InspectMap( map);
}
|
Noncompliant Code Example (Seal, Sign)
Use the java.security.SignedObject class to sign an object, when the integrity of the object is to be ensured. The two new arguments passed in to the SignedObject() method to sign the object are Signature and a private key derived from a KeyPair object. To verify the signature, a PublicKey as well as a Signature argument is passed to the SignedObject.verify() method.
...
| Code Block | ||
|---|---|---|
| ||
public static void main(String[] args)
throws IOException, GeneralSecurityException, ClassNotFoundException {
// Build map
SerializableMap< String, Integer> map = buildMap();
// Generate sealing key & seal map
KeyGenerator generator;
generator = KeyGenerator.getInstance("DES");
generator.init(new SecureRandom());
Key key = generator.generateKey();
Cipher cipher = Cipher.getInstance("DES");
cipher.init( Cipher.ENCRYPT_MODE, key);
SealedObject sealedMap = new SealedObject( map, cipher);
// Generate signing public/private key pair & sign map
KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA");
KeyPair kp = kpg.generateKeyPair();
Signature sig = Signature.getInstance("SHA1withDSA");
SignedObject signedMap = new SignedObject( sealedMap, kp.getPrivate(), sig);
// Serialize map
ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream("data"));
out.writeObject( signedMap);
out.close();
// Deserialize map
ObjectInputStream in = new ObjectInputStream(new FileInputStream("data"));
signedMap = (SignedObject) in.readObject();
in.close();
// Unsign map
if (!signedMap.verify(kp.getPublic(), sig)) {
throw new GeneralSecurityException("Map failed verification");
}
sealedMap = (SealedObject) signedMap.getObject();
// Unseal map
cipher = Cipher.getInstance("DES");
cipher.init( Cipher.DECRYPT_MODE, key);
map = (SerializableMap< String, Integer>) sealedMap.getObject(cipher);
// Inspect map
InspectMap( map);
}
|
Compliant Solution (Sign, Seal)
This compliant solution correctly signs the object before sealing it. This provides a guarantee of authenticity to the object, in addition to protection from man-in-the-middle attacks.
| Code Block | ||
|---|---|---|
| ||
public static void main(String[] args)
throws IOException, GeneralSecurityException, ClassNotFoundException {
// Build map
SerializableMap< String, Integer> map = buildMap();
// Generate signing public/private key pair & sign map
KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA");
KeyPair kp = kpg.generateKeyPair();
Signature sig = Signature.getInstance("SHA1withDSA");
SignedObject signedMap = new SignedObject( map, kp.getPrivate(), sig);
// Generate sealing key & seal map
KeyGenerator generator;
generator = KeyGenerator.getInstance("DES");
generator.init(new SecureRandom());
Key key = generator.generateKey();
Cipher cipher = Cipher.getInstance("DES");
cipher.init( Cipher.ENCRYPT_MODE, key);
SealedObject sealedMap = new SealedObject( signedMap, cipher);
// Serialize map
ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream("data"));
out.writeObject( sealedMap);
out.close();
// Deserialize map
ObjectInputStream in = new ObjectInputStream(new FileInputStream("data"));
sealedMap = (SealedObject) in.readObject();
in.close();
// Unseal map
cipher = Cipher.getInstance("DES");
cipher.init( Cipher.DECRYPT_MODE, key);
signedMap = (SignedObject) sealedMap.getObject(cipher);
// Unsign map
if (!signedMap.verify(kp.getPublic(), sig)) {
throw new GeneralSecurityException("Map failed verification");
}
map = (SerializableMap<String, Integer>) signedMap.getObject();
// Inspect map
InspectMap( map);
}
|
Exceptions
| Wiki Markup |
|---|
*SEC16-EX0:* A reasonable use for signing a sealed object is to certify the authenticity of a sealed object passed from elsewhere. In the spirit of the \[[Abadi 1996|AA. Bibliography#Abadi 96]\] quotation above, this represents a commitment _about the sealed object itself_ rather than about its content. |
Risk Assessment
Failure to sign and/or seal objects during transit can lead to loss of object integrity or confidentiality.
Guideline | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
SEC16 SER02-J | medium | probable | high | P4 | L3 |
Automated Detection
Not amenable to static analysis in the general case.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Bibliography
| Wiki Markup |
|---|
\[[API 2006|AA. Bibliography#API 06]\] \[[Gong 2003|AA. Bibliography#Gong 03]\] 9.10 Sealing Objects \[[Harold 1999|AA. Bibliography#Harold 99]\] Chapter 11: Object Serialization, Sealed Objects \[[Neward 2004|AA. Bibliography#Neward 04]\] Item 64: Use SignedObject to provide integrity of Serialized objects and Item 65: Use SealedObject to provide confidentiality of Serializable objects \[[MITRE 2009|AA. Bibliography#MITRE 09]\] [CWE ID 319|http://cwe.mitre.org/data/definitions/319.html] "Cleartext Transmission of Sensitive Information" \[[Steel 2005|AA. Bibliography#Steel 05]\] Chapter 10: Securing the Business Tier, Obfuscated Transfer Object |
...