When Invocation of System.exit() terminates the Java Virtual Machine (JVM) is invoked, consequently terminating all running programs and threads running on the JVM terminate. This can lead to result in denial-of-service attacks, for example, a web server can stop servicing users on encountering an untimely exit.
Non-Compliant Code Example
(DoS) attacks. For example, a call to System.exit() that is embedded in Java Server Pages (JSP) code can cause a web server to terminate, preventing further service for users. Programs must prevent both inadvertent and malicious calls to System.exit(). Additionally, programs should perform necessary cleanup actions when forcibly terminated (for example, by using the Windows Task Manager, POSIX kill command, or other mechanisms).
Noncompliant Code Example
This noncompliant code example uses This non-compliant example calls System.exit() aiming to forcefully shutdown shut down the JVM and terminate the running process. There is no The program lacks a security manager check which is highly inadvisable; consequently, it lacks the capability to check whether the caller is permitted to invoke System.exit().
| Code Block | ||
|---|---|---|
| ||
public class InterceptExit { public static void main(String[] args) { // System..out.println("Regular code block"); System.exit(1); //abrupt Abrupt exit call System.out.println("This is never executedexecutes"); } } |
Compliant Solution
The This compliant solution installs a custom security manager PasswordSecurityManager that overrides the checkExist checkExit() method defined in the SecurityManager class. An internal flag is used to keep track of whether the exit is permitted or not. The method setExitAllowed is used to set this flag to true. If the flag is false, a SecurityException is thrown. The System.exit call is not permitted to execute by catching the SecurityException in a try-catch block. After intercepting and performing mandatory clean-up operations, the setExitAllowed method is invoked. The program thus exits gracefullyThis override is required to enable invocation of cleanup code before allowing the exit. The default checkExit() method in the SecurityManager class lacks this facility.
| Code Block | ||
|---|---|---|
| ||
public class PasswordSecurityManager extends SecurityManager { private boolean flagisExitAllowedFlag; public PasswordSecurityManager(){ super(); flagisExitAllowedFlag = false; } public boolean isExitAllowed(){ if(flag == true) return trueisExitAllowedFlag; } else return false; }@Override public void checkExit(int status) { if (!isExitAllowed()) { throw new SecurityException(); } public void setExitAllowed(boolean f) {super.checkExit(status); if(f == true)} public void setExitAllowed(boolean flag = true; elsef) { isExitAllowedFlag flag = falsef; } } public class InterceptExit { public static void main(String[] args) { PasswordSecurityManager secManager = new PasswordSecurityManager(); System.setSecurityManager(secManager); try { // System..out.println("Regular code block"); System.exit(1); //abrupt Abrupt exit call } catch (Throwable x) { if (x instanceof SecurityException) { System.out.println("Intercepted System.exit()"); // Log exception } else { // Forward to exception handler x.printStackTrace(); } } System.out.println("Executing code block// ..."); secManager.setExitAllowed(true); //permit Permit exit // System.out.println("Finished block, exiting...");exit() will work subsequently //exit finally ... } } |
References
This implementation uses an internal flag to track whether the exit is permitted. The method setExitAllowed() sets this flag. The checkExit() method throws a SecurityException when the flag is unset (that is, false). Because this flag is not initially set, normal exception processing bypasses the initial call to System.exit(). The program catches the SecurityException and performs mandatory cleanup operations, including logging the exception. The System.exit() method is enabled only after cleanup is complete.
Exceptions
ERR09-J-EX0: It is permissible for a command-line utility to call System.exit(), for example, when the required number of arguments are not input [Bloch 2008], [ESA 2005].
Risk Assessment
Allowing unauthorized calls to System.exit() may lead to denial of service.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
ERR09-J | Low | Unlikely | Medium | P2 | L3 |
Automated Detection
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| CodeSonar |
| JAVA.DEBUG.CALL | Debug Call (Java) | ||||||
| Coverity | 7.5 | DC.CODING_STYLE | Implemented | ||||||
| Parasoft Jtest |
| CERT.ERR09.JVM CERT.ERR09.EXIT | Do not stop the JVM in a web component Do not call methods which terminates Java Virtual Machine | ||||||
| SonarQube |
| S1147 | Exit methods should not be called |
Related Guidelines
Android Implementation Details
On Android, System.exit() should not be used because it will terminate the virtual machine abruptly, ignoring the activity life cycle, which may prevent proper garbage collection.
Bibliography
[API 2014] | Method |
Section 9.5, "The Finalize Method" | |
[ESA 2005] | Rule 78, Restrict the use of the |
Section 7.4, "JVM Shutdown" | |
Chapter 16, "Intercepting a Call to |
...
Covert Java, Chapter 16 Intercepting a Call to System.exit
Java Documentation http://java.sun.com/j2se/1.4.2/docs/api/java/lang/SecurityManager.html#checkExit(int
)
Custom security managers, http://java.sun.com/developer/onlineTraining/Programming/JDCBook/signed2.html