...
There are three common approaches to dealing with the problem of partially initialized objects:
- Exception in constructor. This approach throws an exception in the object's constructor. Unfortunately, an attacker can maliciously obtain the instance of such an object. For example, an attack that uses the finalizer construct allows an attacker to invoke arbitrary methods within the class, even if the class methods are protected by a security manager.
- Final field. Declaring the variable that is initialized to the object as
finalprevents the object from being partially initialized. The compiler produces a warning when there is a possibility that the variable's object might not be fully initialized. Declaring the variablefinalalso guarantees initialization safety in multithreaded code. According to The Java Language Specification (JLS), §17.5, "FinalfinalField Semantics" [JLS 20052015], "An object is considered to be completely initialized when its constructor finishes. A thread that can only see a reference to an object after that object has been completely initialized is guaranteed to see the correctly initialized values for that object's final fields." In other words, when a constructor executing in one thread initializes a final field to a known safe value, other threads are unable to see the preinitialized values of the object.
- Initialized flag. This approach allows uninitialized or partially initialized objects to exist in a known failed state; such objects are commonly known as zombie objects. This solution is error prone because any access to such a class must first check whether the object has been correctly initialized.
...
This noncompliant code example, based on an example by Kabutz [Kabutz 2001], defines the constructor of the BankOperations class so that it performs social security number (SSN) verification using the method performSSNVerification(). The implementation of the performSSNVerification() method assumes that an attacker does not know the correct SSN and trivially returns false.
| Code Block | ||
|---|---|---|
| ||
public class BankOperations {
public BankOperations() {
if (!performSSNVerification()) {
throw new SecurityException("Access Denied!");
}
}
private boolean performSSNVerification() {
return false; // Returns true if data entered is valid, else false.
// Assume that the attacker always enters an invalid SSN.
}
public void greet() {
System.out.println("Welcome user! You may now use all the features.");
}
}
public class Storage {
private static BankOperations bop;
public static void store(BankOperations bo) {
// Store only if it is initialized
if (bop == null) {
if (bo == null) {
System.out.println("Invalid object!");
System.exit(1);
}
bop = bo;
}
}
}
public class UserApp {
public static void main(String[] args) {
BankOperations bo;
try {
bo = new BankOperations();
} catch (SecurityException ex) { bo = null; }
Storage.store(bo);
System.out.println("Proceed with normal logic");
}
}
|
...
The goal of the attack is to capture a reference to the partially initialized object of the BankOperations class. If a malicious subclass catches the SecurityException thrown by the BankOperations constructor, it is unable to further exploit the vulnerable code because the new object instance has gone out of scope. Instead, an attacker can exploit this code by extending the BankOperations class and overriding the finalize() method. This attack intentionally violates rule MET12-J. Do not use finalizers.
...
This compliant solution declares the partially initialized class final so that it cannot be extended:
...
If the class itself cannot be declared final, it can still thwart the finalizer attack by declaring its own finalize() method and making it final:
| Code Block | ||
|---|---|---|
| ||
public class BankOperations {
public final void finalize() {
// Do nothing
}
}
|
...
Consequently, to execute potentially exception-raising checks before the java.lang.Object constructor exits, the programmer must place them in an argument expression of an explicit constructor invocation. For example, the single constructor can be split into three parts: a public constructor , whose interface remains unchanged; , a private constructor that takes (at least) one argument and performs the actual work of the original constructor; , and a method that performs the checks. The public constructor invokes the private constructor on its first line while invoking the method as an argument expression. All code in the expression will be executed before the private constructor, thereby ensuring that any exceptions will be raised before the java.lang.Object constructor is invoked.
This compliant solution demonstrates the design. Note that the performSSNVerification() method is modified to throw an exception rather than returning false if the security check fails.
| Code Block | ||
|---|---|---|
| ||
public class BankOperations {
public BankOperations() {
this(performSSNVerification());
}
private BankOperations(boolean secure) {
// secure is always true
// constructorConstructor without any security checks
}
private static boolean performSSNVerification() {
// Returns true if data entered is valid, else throws a SecurityException
// Assume that the attacker just enters invalid SSN, so this method always throws the exception
throw new SecurityException("Invalid SSN!");
}
// ...remainder of BankOperations class definition
}
|
...
Rather than throwing an exception, this compliant solution uses an initialized flag to indicate whether an object was successfully constructed. The flag is initialized to false and set to true when the constructor finishes successfully.
...
This noncompliant code example uses a nonfinal static variable. The Java Language SpecificationJLS does not mandate complete initialization and safe publication even though a static initializer has been used. Note that in the event of an exception during initialization, the variable can be incorrectly initialized.
...
This compliant solution guarantees safe publication by declaring the Stock field final:
| Code Block | ||
|---|---|---|
| ||
private static final Stock s; |
...
Automated detection for this rule is infeasible in the general case. Some instances of non-final nonfinal classes whose constructors can throw exceptions could be straightforward to diagnose.
...
Secure Coding Guidelines for the Java Programming LanguageSE, Version 35.0 | Guideline 1-2. 4-5 / EXTEND-5: Limit the extensibility of classes and methods |
...
[API 2006] | |
Section 9.5, "The Finalize Method" | |
Section 3.3, "Destroying and Finalizing Objects" | |
§8.3.1, Field Modifiers final Field Semantics" | |
Issue 032, "Exceptional Constructors—Resurrecting the Dead" | |
[Lai 2008] | "Java Insecurity: Accounting for Subtleties That Can Compromise Code" |
| [Masson 2011] | "Secure Your Code against the Finalizer Vulnerability" |
...