<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
    <title>ENV00-J. Do not sign code that performs only unprivileged operations - CERT Secure Coding Standards</title>

        

                        
    
            
<meta id="confluence-context-path" name="confluence-context-path" content="/confluence">
<meta id="atlassian-token" name="atlassian-token" content="3UIncFJ_LX">
<meta id="confluence-space-key" name="confluence-space-key" content="java">

<script type="text/javascript">
    // Deprecated global variables. To be removed in a future version of Confluence.
    var contextPath = '/confluence';
    var i18n = [];
</script>

    


    <link rel="stylesheet" href="/confluence/s/1627/6/1/_/styles/combined.css?spaceKey=java" type="text/css">

    <meta name="robots" content="noindex,nofollow">
    <meta name="robots" content="noarchive">
    <meta name="confluence-request-time" content="1250711127867">

    <link rel="shortcut icon" href="/confluence/favicon.ico">
    <link rel="icon" type="image/png" href="/confluence/s/1627/6/_/images/logo/confluence_16.png">

<link rel="search" type="application/opensearchdescription+xml" href="/confluence/opensearch/osd.action" title="CERT Secure Coding Standards"/>

    


</head>

            <body onload="placeFocus()" id="com-atlassian-confluence">



        

<div id="header">

</div>

<div id="PageContent">
    <table cellspacing="0" cellpadding="0" width="100%">
        <tr>
                    <td valign="top" width="100%">
                <!-- Inner content table -->
                <table width="100%" cellpadding="2" cellspacing="0">
                    <tr>
                        <td colspan="2" valign="middle" align="right" style="background-color:#F0F0F0">
                            
                            </td>
                    </tr>
                    <tr>
                        <td id="mainViewPane">
                            <div>
                                <h1><a href="/confluence/display/java/ENV00-J.+Do+not+sign+code+that+performs+only+unprivileged+operations">ENV00-J. Do not sign code that performs only unprivileged operations</a></h1>
                            </div>
                                                        <div id="content">
    <div id="editpage">
    <fieldset class="hidden parameters">
    <input type="hidden" id="spaceKey" value="java">
    <input type="hidden" id="pageId" value="32833591">
    <input type="hidden" id="originalParentPage" value="00. Runtime Environment (ENV)">
    <input type="hidden" id="formName" value="editpageform">
    <input type="hidden" id="defaultContentTitle" value="">
    <input type="hidden" id="draftSavedMessage" value="Draft saved at {0}">
    <input type="hidden" id="draftSavingMessage" value="Saving draft&hellip;">
    <input type="hidden" id="draftSavingTimedOutMessage" value="Draft saving timed out">
</fieldset>


<form id="editpageform" name="editpageform" method="post" action="doeditpage.action?pageId=32833591" class="editor">
        <input type="hidden" name="atl_token" value="3UIncFJ_LX">
    <input type="hidden" name="labelsShowing" value="false" id="labelsShowing" />
    <input type="hidden" name="restrictionsShowing" value="false" id="restrictionsShowing" />
    <input type="hidden" name="locationShowing" value="false" id="locationShowing" />
    <input type="hidden" name="originalVersion" value="13" id="originalVersion" />
    <input type="hidden"
          name="originalContent" value="Code signing was introduced in Java to provide a mechanism for granting elevated privileges to code, depending on the security policy in effect. For example, signed Java applets that need to read system properties from a user's machine can escape the default sandbox restrictions. When a signed applet is run, the user is prompted with a security dialog asking whether the party that signed the code is considered trustworthy. This element of trusting the signature allows applets to escape the default security sandbox restrictions. Applications that use a custom security policy, on the other hand, require explicit permissions to be granted to the particular codebase and, optionally, to the signer. This has the benefit of ensuring that only trusted signed code runs with the specified privileges.

Signing code, however, has its own drawbacks. According to Schneier \[[Schneier 00|AA. Java References#Schneier 00]\]:
{quote}First, users have no idea how to decide if a particular signer is trusted or not. Second, just because a component is signed doesn't mean that it is safe. Third, just because two components are individually signed does not mean that using them together is safe; lots of accidental harmful interactions can be exploited. Fourth, "safe" is not an all-or-nothing thing; there are degrees of safety. And fifth, the fact that the evidence of attack (the signature on the code) is stored on the computer under attack is mostly useless: The attacker could delete or modify the signature during the attack, or simply reformat the drive where the signature is stored.
{quote}
Code signing is designed primarily to verify the authenticity of origin and the integrity of the code. It relies on the Certification Authority (CA) to duly confirm the identity of the principal signer. Naive users should not be expected to understand how certificates and the Public Key Infrastructure (PKI) work. All too often, they associate digital signatures with safety of code execution and trust the code to cause them no harm.

In general, there is a misconception that signed code is safe to execute. The problem manifests itself when a vulnerability is discovered in signed code. Because many users choose to permanently trust the organizations in which they have full confidence, they are not notified when an adversary offers them the vulnerable software with the intention of exploiting it. Consider, for example, signed Java applets. Whenever a certificate is verified to be correct (as opposed to being self-signed or tampered with), on widely used platforms the user is confronted with a security dialog whose check box option "Always trust the content from the publisher" is turned on by default. Unfortunately, this setting overrides any future warning dialogs about potentially vulnerable software versions from the respective organization.

In addition, McGraw and Felten \[[McGraw 00|AA. Java References#McGraw 00]\] stress that only privileged code should be signed. They further recommend that, since not all development is in-house, an organization that signs its code must not vouch for code acquired from a third party. They suggest using the {{AccessController}} mechanism so that only the privileged code (the {{doPrivileged()}} section) is signed. The remaining code can be left unsigned, which confines it to the sandbox. Any code that is incomprehensible or unaudited must not be signed ([SEC32-J. Create and sign a SignedObject before creating a SealedObject|SEC32-J. Create and sign a SignedObject before creating a SealedObject]).

It follows that unprivileged code is not required to be digitally signed and consequently should not be. This conviction adequately respects the guideline [SEC00-J. Follow the principle of least privilege|SEC00-J. Follow the principle of least privilege].

h2. Exceptions

*EX1:* An organization that has an internal PKI and uses code signing for internal development activities (such as to facilitate code-check-in and track developers) may sign unprivileged code. This codebase should however, not be carried forward to the production environment. The keys used for signing must not be used to ship the products.

h2. Risk Assessment

Signing unprivileged code violates the principle of least privilege as it can circumvent security restrictions defined by the security policies of applets and Java Network Launch Protocol (JNLP) applications, for example.

|| Rule || Severity || Likelihood || Remediation Cost || Priority || Level ||
| ENV00-CPP | high | probable | medium | {color:red}{*}P12{*}{color} | {color:red}{*}L1{*}{color} |

h3. Automated Detection

TODO

h3. Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the [CERT website|https://www.kb.cert.org/vulnotes/bymetric?searchview&query=FIELD+KEYWORDS+contains+ENV00-J].

h2. References

\[[Schneier 00|AA. Java References#Schneier 00]\]
\[[McGraw 00|AA. Java References#McGraw 00]\] Appendix C: Sign Only Privileged Code
\[[Dormann 08|AA. Java References#Dormann 08]\]

----
[!The CERT Sun Microsystems Secure Coding Standard for Java^button_arrow_left.png!|SEC09-J. Prefer using SSLSockets over Sockets for secure data exchange]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;[!The CERT Sun Microsystems Secure Coding Standard for Java^button_arrow_up.png!|01. Platform Security (SEC)]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;[!The CERT Sun Microsystems Secure Coding Standard for Java^button_arrow_right.png!|ENV30-J. Create a secure sandbox using a Security Manager]"                     id="orginalContent"           />        <input
    type="hidden"
          name="conflictingVersion"            value="13"                     id="conflictingVersion"           />    

    <div id="wiki-editor">

        <!-- title text field -->
        <div id="content-title-div" class="inputSection">
                                                  <input type="text" name="title" size="43" value="ENV00-J. Do not sign code that performs only unprivileged operations" tabindex="1" id="content-title" class="pagetitle">
        </div>
        
        <!-- content editor -->
        <div class="inputSection">
                                    <div id="editorDiv">
                

    
    
    
    
    
                    
    



        


    
    
    
    <div id="markup" >
        <textarea id="markupTextarea" name="content"
                      cols="80"
                      rows="30"

                                             tabindex="5"                style=""
            class="monospaceInput"
            >Code signing was introduced in Java to provide a mechanism for granting elevated privileges to code, subject to the security policy in effect. For example, a signed Java applet that needs to read system properties from the user's machine can escape the default sandbox restrictions. When a signed applet runs, the user is shown a security dialog asking whether the party that signed the code is trusted; accepting that dialog is what lets the applet out of the sandbox. Applications that run under a custom security policy behave differently: permissions must be granted explicitly to a particular codebase and, optionally, to a particular signer, which ensures that only trusted, signed code runs with the specified privileges.
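The following policy file is added here as an illustration of the custom-policy case; it is not taken from the CERT page. The file permission is granted only to code that is both signed by the release key and loaded from the privileged JAR, so an unsigned application JAR gets nothing from this policy. The keystore location, the {{acme-release}} alias, the JAR locations and the license file path are assumptions.

```text
// Added example Java policy file. Keystore location, signer alias, code base
// URLs and the permission target are assumed, not taken from the CERT page.
keystore "file:/etc/acme/acme.keystore", "JKS";

// Privileged helper: must be signed by the release key AND loaded from a fixed
// location. Both conditions must hold, so copying the JAR elsewhere or
// re-signing it with another key yields only sandbox permissions.
grant signedBy "acme-release", codeBase "file:/opt/acme/lib/privileged.jar" {
    permission java.io.FilePermission "/etc/acme/license.key", "read";
};

// Weaker variant, shown for contrast (do not use): a grant keyed on the signer
// alone extends the permission to every JAR that key has ever signed, which is
// exactly why unprivileged JARs must not be signed with the release key.
// grant signedBy "acme-release" {
//     permission java.io.FilePermission "/etc/acme/license.key", "read";
// };
```

Launch with {{java -Djava.security.manager -Djava.security.policy==/etc/acme/acme.policy -cp /opt/acme/lib/privileged.jar:/opt/acme/lib/app.jar Application}}. The doubled {{==}} replaces the JRE's default policy rather than adding to it, so only the grants in this file apply and the unsigned {{app.jar}} receives no permissions at all.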

Code signing, however, has its own drawbacks. According to Schneier \[[Schneier 00|AA. Java References#Schneier 00]\]:
{quote}First, users have no idea how to decide if a particular signer is trusted or not. Second, just because a component is signed doesn't mean that it is safe. Third, just because two components are individually signed does not mean that using them together is safe; lots of accidental harmful interactions can be exploited. Fourth, "safe" is not an all-or-nothing thing; there are degrees of safety. And fifth, the fact that the evidence of attack (the signature on the code) is stored on the computer under attack is mostly useless: The attacker could delete or modify the signature during the attack, or simply reformat the drive where the signature is stored.
{quote}
Code signing is designed primarily to verify the origin and integrity of code. It relies on the Certification Authority (CA) to confirm the identity of the signer. Naive users cannot be expected to understand how certificates and the Public Key Infrastructure (PKI) work; all too often they equate a digital signature with safe execution and trust the code to do them no harm.

The misconception that signed code is safe to execute becomes a real problem when a vulnerability is discovered in signed code. Users who have chosen to trust an organization permanently receive no warning if an adversary redistributes that organization's older, still validly signed, vulnerable version in order to exploit it. Consider signed Java applets. Whenever the signing certificate verifies correctly (as opposed to being self-signed or failing verification), widely used platforms present a security dialog whose "Always trust the content from the publisher" check box is already turned on. Once that setting is accepted, it suppresses all future warning dialogs for code from that publisher, including dialogs about vulnerable versions.

In addition, McGraw and Felten \[[McGraw 00|AA. Java References#McGraw 00]\] stress that only privileged code should be signed. Because not all development is in-house, an organization that signs its code must not vouch for code acquired from a third party. They suggest using the {{AccessController}} mechanism so that only the code that actually performs the privileged operation (the {{doPrivileged()}} section, isolated in its own separately signed JAR, since signatures apply per JAR) is signed. The remaining code is left unsigned and is thereby confined to the sandbox. Code that is not understood or has not been audited must not be signed ([SEC32-J. Create and sign a SignedObject before creating a SealedObject|SEC32-J. Create and sign a SignedObject before creating a SealedObject]).
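The privileged/unprivileged split recommended above, as an added example that is not code from the CERT page or from McGraw and Felten. {{LicenseReader}} is the only class that ships in the signed JAR; {{Application}} ships unsigned and runs in the sandbox. The class names, the license file path, and the assumption that the policy grants {{FilePermission}} on that path to the signed JAR's signer and code base are illustrative.

```java
// Added example: only the class that performs the privileged operation is
// packaged and signed separately; everything else stays unsigned.
// Class names and the license path are assumptions, not from the CERT page.
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

/**
 * Ships in privileged.jar, signed with the release key. The policy is assumed to
 * grant FilePermission "/etc/acme/license.key","read" to that signer and code
 * base only.
 */
public final class LicenseReader {
    // Fixed path: the privileged block never operates on caller-supplied input,
    // otherwise the signed JAR becomes a confused deputy for unsigned callers.
    private static final String LICENSE_PATH = "/etc/acme/license.key";

    private LicenseReader() {}

    /** Reads the first line of the license file using this class's own permissions. */
    public static String readLicense() throws IOException {
        try {
            return AccessController.doPrivileged(new PrivilegedExceptionAction<String>() {
                public String run() throws IOException {
                    // doPrivileged stops the permission stack walk at this frame,
                    // so the unsigned caller's (empty) permission set is not consulted.
                    try (BufferedReader in = new BufferedReader(new FileReader(LICENSE_PATH))) {
                        return in.readLine();
                    }
                }
            });
        } catch (PrivilegedActionException e) {
            // run() declares only IOException, so this cast is safe.
            throw (IOException) e.getException();
        }
    }
}

/**
 * Ships in app.jar, unsigned; it runs with whatever the policy gives an unsigned
 * code base. It is placed in the same source file only for readability and is
 * built into a separate, unsigned JAR.
 */
class Application {
    public static void main(String[] args) throws IOException {
        String key = LicenseReader.readLicense();
        System.out.println("license present: " + (key != null && !key.isEmpty()));

        // The same read attempted directly from unsigned code is denied by the
        // security manager under the policy described above.
        try (BufferedReader in = new BufferedReader(new FileReader("/etc/acme/license.key"))) {
            System.out.println("unexpected: unsigned code read the file");
        } catch (SecurityException expected) {
            System.out.println("direct read denied: " + expected.getMessage());
        }
    }
}
```

{{doPrivileged()}} grants nothing by itself; it only tells the access controller to stop walking the stack at that frame, so the permissions that apply are exactly those the policy gave to the signed JAR. Keep the privileged block as small as the fixed path allows, and never let the unsigned caller choose what the block reads or where the result goes.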

It follows that unprivileged code does not need to be digitally signed and therefore should not be. This follows the guideline [SEC00-J. Follow the principle of least privilege|SEC00-J. Follow the principle of least privilege].

h2. Exceptions

*EX1:* An organization that has an internal PKI and uses code signing for internal development activities (such as gating code check-in or tracking which developer produced a build) may sign unprivileged code. Such internally signed code must not, however, be carried forward into the production environment, and the internal signing keys must not be used to sign shipped products.

h2. Risk Assessment

Signing unprivileged code violates the principle of least privilege: once a user trusts the signer, the signature can lift restrictions that the security policy was meant to impose, for example the sandbox for applets or the permissions declared for Java Network Launch Protocol (JNLP) applications.

|| Rule || Severity || Likelihood || Remediation Cost || Priority || Level ||
| ENV00-J | high | probable | medium | {color:red}{*}P12{*}{color} | {color:red}{*}L1{*}{color} |

h3. Automated Detection

TODO

h3. Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the [CERT website|https://www.kb.cert.org/vulnotes/bymetric?searchview&query=FIELD+KEYWORDS+contains+ENV00-J].

h2. References

\[[Schneier 00|AA. Java References#Schneier 00]\]
\[[McGraw 00|AA. Java References#McGraw 00]\] Appendix C: Sign Only Privileged Code
\[[Dormann 08|AA. Java References#Dormann 08]\]

</textarea>
    </div>

            </div>
        </div>


        
        
        <!-- labels section -->
        <div class="inputSection">
            
    
    
    
    


<div id="labels_tab">
    <span class="formtitle">Labels: </span>
    <a href="" class="inline-control-link" id="labels_edit_link">Edit</a>
</div>
<div id="labels_info">
   review-one
</div>

        </div>

        
    </div>
</form>
    </div>
                            </div>
                        </td>
                                
    
            
    
                                            </tr>
                </table>
                <!-- End inner content table -->
            </td>
        </tr>
    </table>
</div>

<!--BEGIN FOOTER -->


<table border="0" width="100%" cellspacing="0" cellpadding="8" bgcolor="#666666"><tr>
<td width="50%"><img src="https://www.cert.org/cert/images/sei_cmu_logo2.gif" alt="Software Engineering Institute | Carnegie Mellon University" border="0" usemap="#footermap"/>
        <map name="footermap" id="footermap">
                <area shape="rect" coords="2,2,233,19" href="http://www.sei.cmu.edu/"  alt="Software Engineering Institute"/>
                <area shape="rect" coords="241,3,341,19" href="http://www.cmu.edu/" alt="Carnegie Mellon University" />
        </map>
</td>
<td width="50%" align="right">
        <span style="font-size:11px; color:#ffffff; font-family:Verdana">
        <a style="color:#ffffff" href="https://www.cert.org/">Home</a> | 
        <a style="color:#ffffff" href="https://www.cert.org/meet_cert/meetcertcc.html">About</a> | 
        <a  style="color:#ffffff" href="https://www.cert.org/contact_cert/">Contact</a> | 
        <a style="color:#ffffff" href="https://www.cert.org/faq/cert_faq.html">FAQ</a> | 
        <a style="color:#ffffff" href="https://www.cert.org/stats/">Statistics</a> | 
        <a style="color:#ffffff" href="https://www.cert.org/jobs/">Jobs</a> | 
        <a style="color:#ffffff" href="https://www.cert.org/legal_stuff/">Legal</a> | 
        <a style="color:#ffffff" href="https://www.securecoding.cert.org/confluence/display/seccode/Terms+and+Conditions">Legal</a>
        <br/>
        Copyright © 1995-2009 Carnegie Mellon University 
</td>
</tr>
</table>


<!--END FOOTER -->
</body>
</html>
