Invocation of System.exit() terminates the Java Virtual Machine (JVM), consequently terminating all running programs and threads. This can result in denial-of-service (DoS) attacks. For example, a call to System.exit() that is embedded in Java Server Pages (JSP) code can cause a web server to terminate, preventing further service for users. Programs must prevent both inadvertent and malicious calls to System.exit(). Additionally, programs should perform necessary cleanup actions when forcibly terminated (for example, by using the Windows Task Manager, POSIX kill command, or other mechanismmechanisms).
Noncompliant Code Example
...
| Code Block | ||
|---|---|---|
| ||
class PasswordSecurityManager extends SecurityManager {
private boolean isExitAllowedFlag;
public PasswordSecurityManager(){
super();
isExitAllowedFlag = false;
}
public boolean isExitAllowed(){
return isExitAllowedFlag;
}
@Override
public void checkExit(int status) {
if (!isExitAllowed()) {
throw new SecurityException();
}
super.checkExit(status);
}
public void setExitAllowed(boolean f) {
isExitAllowedFlag = f;
}
}
public class InterceptExit {
public static void main(String[] args) {
PasswordSecurityManager secManager =
new PasswordSecurityManager();
System.setSecurityManager(secManager);
try {
// ...
System.exit(1); // Abrupt exit call
} catch (Throwable x) {
if (x instanceof SecurityException) {
System.out.println("Intercepted System.exit()");
// Log exception
} else {
// Forward to exception handler
}
}
// ...
secManager.setExitAllowed(true); // Permit exit
// System.exit() will work subsequently
// ...
}
}
|
This implementation uses an internal flag to track whether the exit is permitted. The method setExitAllowed() sets this flag. The checkExit() method throws a SecurityException when the flag is unset (that is, false). ConsequentlyBecause this flag is not initially set, normal exception processing bypasses the initial call to System.exit(). The program catches the SecurityException and performs mandatory cleanup operations, including logging the exception. The setExitAllowedSystem.exit() method is invoked enabled only after cleanup is complete. Consequently, the program exits gracefully.
Exceptions
| Wiki Markup |
|---|
*ERR09-EX0:* It is permissible for a command-line utility to call {{System.exit()}}, orfor terminate prematurely, such asexample, when the required number of arguments are not input \[[Bloch 2008|AA. Bibliography#Bloch 08]\, \[ESA 2005|AA. Bibliography#ESA 05]\]. |
Risk Assessment
Allowing inadvertent unauthorized calls to System.exit() may lead to denial of service (DoS).
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="2992af4be8f59c42-683859cc-4f174a0d-bee6baec-455ee1006fec74590a7d68e2"><ac:plain-text-body><![CDATA[ | [[API 2006 | AA. Bibliography#API 06]] | [Method | http://java.sun.com/j2se/1.4.2/docs/api/java/lang/SecurityManager.html#checkExit(int)], class | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="daf50d9924ceaa2a-16dc57e9-4adb41b4-a603a6ba-e6d78cbbf1c83f561af2d052"><ac:plain-text-body><![CDATA[ | [[Austin 2000 | AA. Bibliography#Austin 00]] | [Writing a Security Manager | http://java.sun.com/developer/onlineTraining/Programming/JDCBook/signed2.html] | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="024ab2ea003cf436-0e5101b4-43354334-be109895-f1a93d0209c26b8371034be7"><ac:plain-text-body><![CDATA[ | [[Darwin 2004 | AA. Bibliography#Darwin 04]] | 9.5, The Finalize Method | ]]></ac:plain-text-body></ac:structured-macro> | |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="1243a722341dfa0a-34c6c6f1-43e74ecb-942ca0ce-c9d6b97a87506eee9e7d12c9"><ac:plain-text-body><![CDATA[ | [[ESA 2005 | AA. Bibliography#ESA 05]] | Rule 78. Restrict the use of the | ]]></ac:plain-text-body></ac:structured-macro> | |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="10accbd10e075c8b-b3344c9d-45de4d58-8d3a9660-946d6100aca585aafa000507"><ac:plain-text-body><![CDATA[ | [[Goetz 2006 | AA. Bibliography#Goetz 06]] | 7.4, JVM Shutdown | ]]></ac:plain-text-body></ac:structured-macro> | |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="304f18a387bd2e08-df9cf320-4389409b-a0bd88de-8885b6d3757916fe0f549451"><ac:plain-text-body><![CDATA[ | [[Kalinovsky 2004 | AA. Bibliography#Kalinovsky 04]] | Chapter 16, Intercepting a Call to | ]]></ac:plain-text-body></ac:structured-macro> |
...