For a non-final class, if a constructor throws an exception before fully initializing the object, it becomes possible to maliciously obtain its instance. For example, an attack that uses the finalizer
construct allows an attacker to invoke arbitrary methods within the class despite of all authorization measures.
Noncompliant Code Example
The constructor of BankOperations
class performs the SSN validation using performSSNVerification()
. Assume that an attacker does not know the correct SSN, as a result this method trivially returns false
in this example. A SecurityException
is forcefully thrown as a result. The UserApp
class appropriately catches this and an access denied message is displayed. However, it is still possible for a malicious program to invoke methods of the partially initialized class BankOperations
. This is illustrated in the code that follows this example.
Code Block | ||
---|---|---|
| ||
public class BankOperations { public BankOperations() { if (!performSSNVerification()) { throw new SecurityException("Invalid SSN!"); } } private boolean performSSNVerification() { return false; // Returns true if data entered is valid, else false. Assume that the attacker just enters invalid SSN. } public void greet() { System.out.println("Welcome user! You may now use all the features."); } } public class UserApp { public static void main(String[] args) { BankOperations bo; try { bo = new BankOperations(); } catch(SecurityException ex) { bo = null; } Storage.store(bo); System.out.println("Proceed with normal logic"); } } public class Storage { private static BankOperations bop; public static void store(BankOperations bo) { // Only store if it is not initialized if (bop == null) { if (bo == null) { System.out.println("Invalid object!"); System.exit(1); } bop = bo; } } } |
To exploit this code, an attacker extends the BankOperations
class and overrides the finalizer
method. The gist of the attack is the capture of a handle of the partially initialized class. When the constructor throws an exception, the garbage collector waits to grab the object reference. However, by overriding the finalizer
, a reference is obtained using the this
keyword. Consequently, any method on the base class can be invoked maliciously. Note that, even a security manager check can be bypassed this way.
Code Block |
---|
public class Interceptor extends BankOperations { private static Interceptor stealInstance = null; public static Interceptor get() { try { new Interceptor(); } catch(Exception ex) { } // Ignore the exception try { synchronized(Interceptor.class) { while (stealInstance == null) { System.gc(); Interceptor.class.wait(10); } } } catch(InterruptedException ex) { return null; } return stealInstance; } public void finalize() { synchronized(Interceptor.class) { stealInstance = this; Interceptor.class.notify(); } System.out.println("Stolen the instance in finalize of " + this); } } public class AttackerApp { // Invoke class and gain access to the restrictive features public static void main(String[] args) { Interceptor i = Interceptor.get(); Storage.store(i); // Can store the stolen object i.greet(); // Now invoke any method of BankOperations class UserApp.main(args); // Invoke the original UserApp } } |
This code is an exception to OBJ02-J. Avoid using finalizers
Compliant Solution
The compliant solution declares the partially-initialized class final so that it cannot be extended.
Code Block | ||
---|---|---|
| ||
public final class BankOperations { ... |
Risk Assessment
Allowing a partially initialized object to be accessed can provide an attacker with an opportunity to exploit the object.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
OBJ32-J | medium | probable | high | P4 | L3 |
Automated Detection
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
Wiki Markup |
---|
\[[JLS 05|AA. Java References#JLS 05]\] Section 12.6, Finalization of Class Instances \[[API 06|AA. Java References#API 06]\] [finalize()|http://java.sun.com/j2se/1.4.2/docs/api/java/lang/Object.html#finalize()] \[[SCG 07|AA. Java References#SCG 07]\] Guideline 4-2 Defend against partially initialized instances of non-final classes \[[Kabutz 01|AA. Java References#Kabutz 01]\] Issue 032 - Exceptional Constructors - Resurrecting the dead \[[Bloch 08|AA. Java References#Bloch 08]\] Item 7, Avoid finalizers \[[Darwin 04|AA. Java References#Darwin 04]\] Section 9.5, The Finalize Method \[[Flanagan 05|AA. Java References#Flanagan 05]\] Section 3.3, Destroying and Finalizing Objects |
OBJ31-J. Misusing public static variables 06. Objects Orientation (OBJ) OBJ33-J. Limit extensibility of classes and methods