SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 60

changes.mady.by.user Carol J. Lallier

Saved on

compared with

New Version Current

changes.mady.by.user Michal Rozenau

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Parasoft Jtest 2022.2

Programs must comply with the principle of least privilege not only by providing privileged blocks with the minimum permissions required for correct operation (see 16 SEC50-J. Avoid granting excess privileges) but also by ensuring that privileged code contains only those operations that require the increased privileges. Superfluous code contained within a privileged block necessarily operates must operate with the privileges of that block, increasing the attack surface.

Noncompliant Code Example

This noncompliant code example contains a changePassword() method that attempts to open a password file within a doPrivileged block and performs operations using that file. The doPrivileged block also contains a superfluous System.loadLibrary() call that loads the authentication library.

...

This example violates the principle of least privilege because an unprivileged caller will could also cause the authentication library to be loaded. An unprivileged caller should not be allowed to cannot invoke the System.loadLibrary() method , especially via the doPrivileged mechanism, because System.loadLibrary uses only the immediate caller's class loader to find and load the library. Unprivileged code is seldom granted privileges to load libraries because doing so would expose native methods to the unprivileged code [SCG 2010]directly because this could expose native methods to the unprivileged code [SCG 2010]. Furthermore, the System.loadLibrary() method checks only the privileges of its immediate caller, so it should be used only with great care. For more information, see SEC52-J. Do not expose methods that use reduced-security checks to untrusted code.

Compliant Solution

This compliant solution moves the call to System.loadLibrary() outside the doPrivileged() block. Doing so allows unprivileged code to perform preliminary password - reset checks using the file but prevents it from loading the authentication library. 

...

The loadLibrary() invocation could also occur before preliminary password - reset checks are performed; in this caseexample, it is deferred for performance reasons.

Applicability

Minimizing privileged code reduces the attack surface of an application and simplifies the task of auditing privileged code. 

Automated Detection

ToolVersionCheckerDescription
Parasoft Jtest
Include Page
Parasoft_V
Parasoft_V
CERT.SEC51.PCLLimit the number of lines in "privileged" code blocks

Bibliography

[API

2011

2013]

Class AccessController

 


...

Image Modified Image Modified Image Modified