Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Invocation of System.exit() terminates the Java Virtual Machine (JVM), consequently terminating all running programs and threads. This can result in denial-of-service (DoS) attacks. For example, a call to System.exit() that is embedded in Java Server Pages (JSP) code can cause a web server to terminate, preventing further service for users. Programs must prevent both inadvertent and malicious calls to System.exit(). Additionally, programs should perform necessary cleanup actions when forcibly terminated (for example, by using the Windows Task Manager, POSIX kill command, or other mechanisms).

...

This noncompliant code example uses System.exit() to forcefully shutdown shut down the JVM and terminate the running process. The program lacks a security manager; consequently, it lacks the capability to check whether the caller is permitted to invoke System.exit().

Code Block
bgColor#FFcccc

public class InterceptExit {
  public static void main(String[] args) {
    // ...
    System.exit(1);  // Abrupt exit 
    System.out.println("This never executes");
  }
}	

...

This compliant solution installs a custom security manager PasswordSecurityManager that overrides the checkExit() method defined in the SecurityManager class. This override is required to enable invocation of cleanup code before allowing the exit. The default checkExit() method in the SecurityManager class lacks this facility.

Code Block
bgColor#ccccff

class PasswordSecurityManager extends SecurityManager {
  private boolean isExitAllowedFlag; 
  
  public PasswordSecurityManager(){
    super();
    isExitAllowedFlag = false;  
  }
 
  public boolean isExitAllowed(){
    return isExitAllowedFlag;	 
  }
 
  @Override 
  public void checkExit(int status) {
    if (!isExitAllowed()) {
      throw new SecurityException();
    }
    super.checkExit(status);
  }
 
  public void setExitAllowed(boolean f) {
    isExitAllowedFlag = f; 	 
  }
}

public class InterceptExit {
  public static void main(String[] args) {
    PasswordSecurityManager secManager =
        new PasswordSecurityManager();
    System.setSecurityManager(secManager);
    try {
      // ...
      System.exit(1);  // Abrupt exit call
    } catch (Throwable x) {
      if (x instanceof SecurityException) {
        System.out.println("Intercepted System.exit()");
        // Log exception
      } else {
        // Forward to exception handler
      }
    }

    // ...
    secManager.setExitAllowed(true);  // Permit exit
    // System.exit() will work subsequently
    // ...
  }
}

This implementation uses an internal flag to track whether the exit is permitted. The method setExitAllowed() sets this flag. The checkExit() method throws a SecurityException when the flag is unset (that is, false). Because this flag is not initially set, normal exception processing bypasses the initial call to System.exit(). The program catches the SecurityException and performs mandatory cleanup operations, including logging the exception. The System.exit() method is enabled only after cleanup is complete.

Exceptions

Wiki Markup*ERR09ERR09-J-EX0:* It is permissible for a command-line utility to call {{System.exit()}}, for example, when the required number of arguments are not input \[ [Bloch 2008|AA. References#Bloch 08]\]\[[ESA 2005|AA. References#ESA 05]\]], [ESA 2005].

Risk Assessment

Allowing unauthorized calls to System.exit() may lead to denial of service (DoS).

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

ERR09-J

low

Low

unlikely

Unlikely

medium

Medium

P2

L3

Automated Detection

Tool
Version
Checker
Description
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

JAVA.DEBUG.CALL

Debug Call (Java)

Coverity7.5

DC.CODING_STYLE
FB.DM_EXIT

Implemented
Parasoft Jtest
Include Page
Parasoft_V
Parasoft_V
CERT.ERR09.JVM
CERT.ERR09.EXIT
Do not stop the JVM in a web component
Do not call methods which terminates Java Virtual Machine
SonarQube
Include Page
SonarQube_V
SonarQube_V
S1147Exit methods should not be called

Related Guidelines

MITRE CWE

CWE-382

.

, J2EE

bad practices

Bad Practices: Use of System.exit()

Android Implementation Details

Bibliography

On Android, System.exit() should not be used because it will terminate the virtual machine abruptly, ignoring the activity life cycle, which may prevent proper garbage collection.

Bibliography

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="e734f491-c594-4d5e-8815-5742409174a4"><ac:plain-text-body><![CDATA[

[[API 2006

AA. References#API 06]]

[

[API 2014]

Method checkExit()

http://java.sun.com/j2se/1.4.2/docs/api/java/lang/SecurityManager.html#checkExit(int)], class Runtime, method addShutdownHook

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="bbdd65cc-bbed-4745-93fa-8967f4ffc885"><ac:plain-text-body><![CDATA[

[[Austin 2000

AA. References#Austin 00]]

[Writing a Security Manager

http://java.sun.com/developer/onlineTraining/Programming/JDCBook/signed2.html]

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="4b014992-3dcc-49fc-8909-0a4bad85486e"><ac:plain-text-body><![CDATA[

[[Darwin 2004

AA. References#Darwin 04]]

9.5, The Finalize Method

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="6f26cc41-9cab-4d4d-8521-11e6a7866643"><ac:plain-text-body><![CDATA[

Class Runtime: Method addShutdownHook

[Austin 2000]

"Writing a Security Manager"

[Darwin 2004]

Section 9.5, "The Finalize Method"

[ESA 2005]

Rule 78,

[[ESA 2005

AA. References#ESA 05]]

Rule 78.

Restrict the use of the System.exit method

]]></ac:plain-text-body></ac:structured-macro> [

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="429077f9-8ead-4596-8cff-a73a45cd8e12"><ac:plain-text-body><![CDATA[

[Goetz 2006

AA. References#Goetz 06

]

]

Section 7.4,

JVM Shutdown

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="191e2bd9-bc0f-4c9f-814b-133843356927"><ac:plain-text-body><![CDATA[

[[Kalinovsky 2004

"JVM Shutdown"

[Kalinovsky 2004

AA. References#Kalinovsky 04]

]

Chapter 16, "Intercepting a Call to System.exit

]]></ac:plain-text-body></ac:structured-macro>

"


...

Image Added Image Added Image AddedImage Removed      06. Exceptional Behavior (ERR)      07. Visibility and Atomicity (VNA)