...
Sealing a JAR file automatically enforces the requirement of keeping privileged code together. In addition, it is important to adhere to rule OBJ15-J. Minimize the accessibility of classes and their members.
Noncompliant Code Example
This noncompliant code example uses a doPrivileged block and calls a method defined in a class that exists in a different, untrusted package.
...
An attacker can provide an implementation of class RetValue so that the privileged code uses the wrong return value. Even if class MixMatch trusted only signed code, an attacker can still cause this behavior by maliciously deploying a legally signed class in the class path of the privileged code.
Compliant Solution
This compliant solution combines all privileged code into the same package and reduces the accessibility of the getValue() method to package-private. Sealing the package is necessary to prevent attackers from inserting any rogue classes.
...
The JAR manifest entries that seal the package:

    Name: trusted/      // package name
    Sealed: true        // sealed attribute
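As an added illustration of the compliant solution (not the rule's own code), both classes live in package trusted, getValue() is package-private, and the call is wrapped in doPrivileged; the run-time isSealed() check, the main method and the build commands are assumptions added here to let a reader confirm that the manifest's Sealed attribute actually took effect.

```java
package trusted;

import java.security.AccessController;
import java.security.PrivilegedAction;

// Package-private: only code in package "trusted" can call getValue().
// With the package sealed, every class of "trusted" must come from the
// same JAR, so a rogue trusted.RetValue on the class path is rejected
// with a SecurityException instead of being mixed in.
class RetValue {
    int getValue() {
        return 1;
    }
}

public final class MixMatch {
    private MixMatch() { }

    // Privileged code and everything it calls live in the same package.
    // Note: AccessController is deprecated for removal since Java 17 (JEP 411)
    // but is still present in current releases.
    public static int privilegedValue() {
        return AccessController.doPrivileged(
            (PrivilegedAction<Integer>) () -> new RetValue().getValue());
    }

    // Added defensive check: was the package loaded as sealed, i.e. did the
    // "Sealed: true" manifest entry take effect? Running from a plain class
    // directory (no JAR) yields false.
    static boolean packageIsSealed() {
        Package p = MixMatch.class.getPackage();
        return p != null && p.isSealed();
    }

    public static void main(String[] args) {
        if (!packageIsSealed()) {
            throw new IllegalStateException(
                "package trusted is not sealed; refusing to run privileged code");
        }
        System.out.println("value = " + privilegedValue());
    }

    // Build and run (manifest.txt holds the two entries shown above,
    // "Name: trusted/" followed by "Sealed: true"):
    //   javac trusted/*.java
    //   jar cfm trusted.jar manifest.txt trusted/*.class
    //   java -cp trusted.jar trusted.MixMatch
}
```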
Exception
ENV01-EX1: Independent groups of privileged code may be placed in separate sealed packages. The enabling condition is that the code in any one of these packages lacks any dynamic or static dependency on any of the other packages. This means that code from one such package must not invoke code from any of the others, whether directly or transitively.
Risk Assessment
Failure to place all privileged code together in one package and seal the package can lead to mix-and-match attacks.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
ENV01-J | high | probable | medium | P12 | L1 |
Automated Detection
Detecting code that should be considered privileged or sensitive requires programmer assistance. Given identified privileged code as a starting point, automated tools could compute the closure of all code that can be invoked from that point. Such a tool could plausibly determine whether all code in that closure exists within a single package. A further check of whether the package is sealed appears feasible.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
MITRE CWE: CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data
...