SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 135

changes.mady.by.user Axel Hauschulte

Saved on

compared with

New Version Current

changes.mady.by.user Jon O'Donnell

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

This rule is meant to prevent the unintentional serialization of sensitive information. SER02-J. Sign then seal sensitive objects before sending them outside a trust boundary applies to the intentional serialization of sensitive information.

...

It is still possible for an attacker to obtain uninitialized instances of SensitiveClass by catching NotSerializableException or by using a finalizer attack (see OBJ11-J. Be wary of letting constructors throw exceptions for more information). Consequently, an unserializable class that extends a serializable class must always validate its invariants before executing any methods. That is, any object of such a class must inspect its fields, its actual type (to prevent it being a malicious subclass), and any invariants it possesses (such as being a malicious second object of a singleton class).

Exceptions

SER03-J-EX0: Sensitive data that has been properly encrypted may be serialized.

...

If sensitive data can be serialized, it may be transmitted over an insecure connection, stored in an insecure location, or disclosed inappropriately.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

SER03-J

Medium

Likely

High

P6

L2

Automated Detection

Tool
Version
Checker
Description
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

JAVA.CLASS.SER.ND

Serialization Not Disabled (Java)

Coverity7.5UNSAFE_DESERIALIZATIONImplemented
Parasoft Jtest
9.5SECURITY.ESD.SIF
Include Page
Parasoft_V
Parasoft_V
CERT.SER03.SIFInspect instance fields of serializable objects to make sure they will not expose sensitive information
Implemented

Related Guidelines

MITRE CWE

CWE-499, Serializable Class Containing Sensitive Data
CWE-502, Deserialization of Untrusted Data

Secure Coding Guidelines for Java SE, Version 5.0

Guideline 8-2 / SERIAL-2: Guard sensitive data during serialization

Bibliography

[Bloch 2005]

Puzzle 83, "Dyslexic monotheism"

[Bloch 2001]

Item 1, "Enforce the Singleton Property with a Private Constructor"

[Greanier 2000]

Discover the Secrets of the Java Serialization API

[Harold 1999]

 


[Long 2005]

Section 2.4, "Serialization"

[Sun 2006]

Serialization Specification, A.4, Preventing Serialization of Sensitive Data

 


...

SER02-J. Sign then seal sensitive objects before sending them outside a trust boundary Image Added