Object serialization allows an object's state to be saved as a sequence of bytes and then reconstituted at a later time. The primary application of serialization is in Java Remote Method Invocation (RMI) wherein objects must be packed (marshalled), exchanged between distributed virtual machines and subsequently unpacked (unmarshalled). It also finds extensive use in Java Beans.
Java language's access control mechanisms are ineffective after a class is serialized. Consequently, any sensitive data that was originally protected using access qualifiers (such as the private keyword) are exposed. Moreover, the security manager does not provide any checks to guarantee integrity of the serialized data.
Noncompliant Code Example
The data members of class Point are declared as private. The saveState and readState methods are used for serialization and de-serialization respectively. The coordinates (x,y) that are written to the data stream are susceptible to malicious tampering.
public class Point {
private double x;
private double y;
public Point(double x, double y) {
this.x = x;
this.y = y;
}
public Point() {
// no argument constructor
}
}
import java.io.Serializable;
import java.io.FileOutputStream;
import java.io.ObjectOutputStream;
public class Coordinates extends Point implements Serializable {
public static void main(String[] args) {
try {
Point p = new Point(5,2);
FileOutputStream fout = new FileOutputStream("point.ser");
ObjectOutputStream oout = new ObjectOutputStream(fout);
oout.writeObject(p);
oout.close();
}
catch (Exception e) {System.err.println(e);}
}
}
Compliant Solutions
In the absence of sensitive data, a class can be serialized by implementing the java.io.Serializable interface. By doing so, the class indicates that no security issues may result from the object's serialization. Note that any derived sub classes also inherit this interface and are therefore serializable.
When serialization is unavoidable, it is still possible to have classes that cannot implement serializable. This condition is common when there are references to non-serializable objects within the contained methods. The following compliant solution avoids this issue and also protects sensitive data members from getting serialized accidentally. The basic idea is to declare the target member as transient so that it is not included in the list of fields to be serialized, whenever default serialization is being used.
public class Point {
private transient double x;
private transient double y;
public Point(double x, double y) {
this.x = x;
this.y = y;
}
public Point()
{
//no argument constructor
}
}
import java.io.Serializable;
import java.io.FileOutputStream;
import java.io.ObjectOutputStream;
public class Coordinates extends Point implements Serializable {
public static void main(String[] args)
{
try {
Point p = new Point(5,2);
FileOutputStream fout = new FileOutputStream("point.ser");
ObjectOutputStream oout = new ObjectOutputStream(fout);
oout.writeObject(p);
oout.close();
}
catch (Exception e) {System.err.println(e);}
}
}
Other solutions include custom implementation of writeObject, writeReplace and writeExternal methods such that sensitive fields are not written to the serialized stream or alternatively, conducting proper validation checks while deserializing. Yet another remediation is to define the serialPersistentFields array field and ensure that sensitive fields are not added to the array. Sometimes it is necessary to prevent a serializable object (whose superclass implements serializable) from getting serialized. This is the focus of the second noncompliant code example.
Noncompliant Code Example
Serialization can also be used maliciously to return multiple instances of a singleton-like class. In this noncompliant example, a subclass SensitiveClass inadvertently becomes Serializable since it extends the Exception class that implements Serializable. (Based on [[Bloch 05]])
public class SensitiveClass extends Exception {
public static final SensitiveClass INSTANCE = new SensitiveClass();
private SensitiveClass() {
// Perform security checks and parameter validation
}
protected int printBalance() {
int balance = 1000;
return balance;
}
}
class Malicious {
public static void main(String[] args) {
SensitiveClass sc = (SensitiveClass) deepCopy(SensitiveClass.INSTANCE);
System.out.println(sc == SensitiveClass.INSTANCE); // prints false; indicates new instance
System.out.println("Balance =" + sc.printBalance());
}
// This method should not be used in production quality code
static public Object deepCopy(Object obj) {
try {
ByteArrayOutputStream bos = new ByteArrayOutputStream();
new ObjectOutputStream(bos).writeObject(obj);
ByteArrayInputStream bin = new ByteArrayInputStream(bos.toByteArray());
return new ObjectInputStream(bin).readObject();
} catch (Exception e) { throw new IllegalArgumentException(e); }
}
}
Compliant Solution
Undue serialization of the subclass can be prohibited by throwing a NotSerializableException from a custom writeObject() method or the readResolve() method, defined in the subclass SensitiveClass. Ideally, one should avoid extending a class or interface that implements Serializable.
private Object readResolve() throws NotSerializableException {
throw new NotSerializableException();
}
Risk Assessment
If sensitive data can be serialized then it may be transmitted over an insecure link, or stored in an insecure medium, and thereby released inappropriately.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
FIO32-J |
medium |
likely |
high |
P6 |
L2 |
Automated Detection
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[[JLS 05]] Transient modifier
[[SCG 07]] Guideline 5-1 Guard sensitive data during serialization
[[Sun 06]] "Serialization specification: A.4 Preventing Serialization of Sensitive Data"
[[Harold 99]]
[[Long 05]] Section 2.4, Serialization
[[Greanier 00]] Discover the secrets of the Java Serialization API
[[Bloch 05]] Puzzle 83: Dyslexic Monotheism
[[Bloch 01]] Item 1: Enforce the singleton property with a private constructor
[[MITRE 09]] CWE ID 502 "Deserialization of Untrusted Data", CWE ID 499 "Serializable Class Containing Sensitive Data"
FIO31-J. Defensively copy mutable inputs and mutable internal components 07. Input Output (FIO) SER32-J. Do not allow serialization and deserialization to bypass the Security Manager