Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Edited by NavBot (jp)

When System.exit() is invoked, all programs and threads running on the JVM terminate. This can lead to denial-of-service attacks, for example, a web server can stop servicing users on encountering an untimely exit.

Noncompliant Code Example

This noncompliant example calls System.exit() aiming to forcefully shutdown the JVM and terminate the running process. There is no security manager check which is highly inadvisable.

Code Block
bgColor#FFcccc
public class InterceptExit {
  public static void main(String[] args) {
    System.out.println("Regular code block");
    System.exit(1);  //abrupt exit call
    System.out.println("This is never executed");
  }
}	

Compliant Solution

The compliant solution installs a custom security manager PasswordSecurityManager that overrides the checkExist method defined in SecurityManager class. An internal flag is used to keep track of whether the exit is permitted or not. The method setExitAllowed is used to set this flag to true. If the flag is false, a SecurityException is thrown. The System.exit call is not permitted to execute by catching the SecurityException in a try-catch block. After intercepting and performing mandatory clean-up operations, the setExitAllowed method is invoked. The program as a result exits gracefully.

Code Block
bgColor#ccccff
class PasswordSecurityManager extends SecurityManager{
  private boolean flag; 
  
  public PasswordSecurityManager(){
    super();
    flag = false;  
  }
 
 public boolean isExitAllowed(){
   if(flag == true)
     return true;
   else
     return false;	 
 }
 
 public void checkExit(int status) {
   if(!isExitAllowed())
     throw new SecurityException();
   }
 
 public void setExitAllowed(boolean f) {
   if(f == true)
     flag = true;
   else
     flag = false; 	 
 }
}

public class InterceptExit {
  public static void main(String[] args) {
    PasswordSecurityManager secManager = new PasswordSecurityManager();
    System.setSecurityManager(secManager);
    try {
      System.out.println("Regular code block");
      System.exit(1);  //abrupt exit call
    }
    catch (Throwable x) {
      if (x instanceof SecurityException)
        System.out.println("Intercepted System.exit()");
      else
        x.printStackTrace();
    }

    System.out.println("Executing code block...");
    secManager.setExitAllowed(true);  //permit exit
    System.out.println("Finished block, exiting...");  //exit finally 
  }
}

Noncompliant Code Example

If a user forcefully exits a program by pressing the ctrl + c key or uses the kill command, the JVM terminates abruptly. Although this event cannot be captured, the code should be able to react to it. This is missing in this non compliant code example.

Code Block
bgColor#FFcccc
public class InterceptExit {
  public static void main(String[] args) {
    System.out.println("Regular code block");
    //abrupt exit such as ctrl + c key pressed
    System.out.println("This is never executed");
  }
}

Compliant Solution

The addShutdownHook method of java.lang.Runtime helps to perform clean-up operations in the unusual termination scenario. When the shutdown is initiated, the hook thread starts to run concurrently with other JVM threads. Since the JVM is in a sensitive state, some precautions must be taken:

  • Hook threads should be light-weight and simple
  • They should be thread safe
  • They should not rely on system services as they themselves may be shutting down

This compliant solution shows the method to install a hook.

Code Block
bgColor#ccccff
public class Hook {
  public static void main(String[] args) {
  Runtime.getRuntime().addShutdownHook(new Thread() {
  public void run() {
    hookShutdown();
  }
  });
		
  //other code
  }

  public static void hookShutdown() {
    // Log shutdown and close all resources
  }
}

Risk Assessment

Allowing inadvertent calls to System.exit() may lead to denial-of-service attacks.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

EXC04-J

low

unlikely

medium

P2

L3

Automated Detection

TODO

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

Wiki Markup
\[[API 06|AA. Java References#API 06]\] [method checkExit()|http://java.sun.com/j2se/1.4.2/docs/api/java/lang/SecurityManager.html#checkExit(int)]
\[[Kalinovsky 04|AA. Java References#Kalinovsky 04]\] Chapter 16 Intercepting a Call to System.exit
\[[Austin 00|AA. Java References#Austin 00]\] [Writing a Security Manager|http://java.sun.com/developer/onlineTraining/Programming/JDCBook/signed2.html]


EXC03-J. Try to recover gracefully from system errors      10. Exceptional Behavior (EXC)      EXC30-J. Do not exit abruptly from a finally block