SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 29

changes.mady.by.user Carol J. Lallier

Saved on

compared with

New Version Current

changes.mady.by.user Will Snavely

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

According to Oracle's Secure Coding Guidelines [SCG 2010],

Callback methods are generally invoked from the system with full permissions. It seems reasonable to expect that malicious code needs to be on the stack in order to perform an operation, but that is not the case. Malicious code may set up objects that bridge the callback to a security checked operation. For instance, a file chooser dialog box that can manipulate the filesystem from user actions, may have events posted from malicious code. Alternatively, malicious code can disguise a file chooser as something benign while redirecting user events.

This guideline is an instance of 17 SEC51-J. Minimize privileged code and is related to SEC01-J. Do not allow tainted variables in privileged blocks.

Noncompliant Code Example

This noncompliant code example uses a UserLookupCallBack class that implements the CallBack interface to look up a user's name given the user's ID. This lookup code assumes that this information lives in the /etc/passwd file, which requires elevated privileges to open. Consequently, the Client class invokes all callbacks with elevated privileges (within a doPrivileged block).

...

Code Block
class MaliciousCallBack implements CallBack {
  public void callMethod() {
    // Code here gets executed with elevated privileges
  }
}

// Client code
public static void main(String[] args) {
  CallBack callBack = new MaliciousCallBack();
  CallBackAction action = new CallBackAction(callBack);
  action.perform(); // Executes malicious code
}

Compliant Solution (Callback-Local doPrivileged Block)

According to Oracle's secure coding guidelines [SCG 2010]:

By convention, instances of PrivilegedAction and PrivilegedExceptionAction may be made available to untrusted code, but doPrivileged must not be invoked with caller-provided actions.

...

This code behaves the same as before, but an attacker can no longer run malicious callback code with elevated privileges. Even though an attacker can pass a malicious callback instance using the constructor of class CallBackAction, the code is not executed with elevated privileges because the malicious instance must contain a doPrivileged block that cannot have the same privileges as trusted code. Additionally, class CallBackAction cannot be subclassed to override the perform() method as it is declared final.

Compliant Solution (Declare Callback Final)

This compliant solution declares the UserLookupCallBack class final to prevent overriding of callMethod().

Code Block
bgColor#ccccff
langjava
final class UserLookupCallBack implements CallBack {
  // ...    
}
 
// Remaining code is unchanged

Applicability

Exposing sensitive methods through callbacks can result in misuse of privileges and arbitrary code execution.

Bibliography

[API 2014]

AccessController.doPrivileged()

[SCG 2010]

Guideline 9-3: Safely invoke java.security.AccessController.doPrivileged
Guideline 9-2: Beware of callback methods

 

 

...

Image Modified Image Modified Image Modified