Object serialization allows an object's state to be saved as a sequence of bytes and then reconstituted at a later time. Default serialization lacks protection for data that has been serialized. An attacker who gains access to the serialized data can use it to discover sensitive data, to determine implementation details of the objects, and for many other purposes. Similarly, an attacker can modify the serialized data in an attempt to compromise the system when the malicious data is deserialized. Consequently, sensitive data that is serialized is potentially exposed, without regard to the access qualifiers (such as the private
keyword) that were used in the original code. Moreover, the security manager lacks checks that could guarantee integrity of the serialized data.
Examples of sensitive data that should remain unserialized include cryptographic keys, digital certificates, and classes that may hold references to sensitive data at the time of serialization.
This rule addresses unintentional serialization of sensitive data. For information on intentionally serializing sensitive data securely, see SER02-J. Sign and seal sensitive objects before sending them outside a trust boundary.
Noncompliant Code Example
The data members of class Point
are declared as private
. If the coordinates were sensitive (as we assume for this example), their presence in the data stream would expose them to malicious tampering.
public class Point { private double x; private double y; public Point(double x, double y) { this.x = x; this.y = y; } public Point() { // no-argument constructor } } public class Coordinates extends Point implements Serializable { public static void main(String[] args) { FileOutputStream fout = null; try { Point p = new Point(5, 2); fout = new FileOutputStream("point.ser"); ObjectOutputStream oout = new ObjectOutputStream(fout); oout.writeObject(p); } catch (Throwable t) { // Forward to handler } finally { fout.close(); } } }
Compliant Solution
In the absence of sensitive data, classes can be serialized by simply implementing the java.io.Serializable
interface. By doing so, the class indicates that no security issues may result from the object's serialization. Note that any derived subclasses also inherit this interface and are consequently serializable. This simple approach is inappropriate for any class that contains sensitive data.
When serializing a class that contains sensitive data, programs must ensure that sensitive data is omitted from the serialized form. This includes both suppressing serialization of data members that contain sensitive data, and also suppressing serialization of references to non-serializable or sensitive objects.
This compliant solution both avoids the possibility of incorrect serialization and also protects sensitive data members from accidental serialization by declaring the relevant members as transient
so that they are omitted from the list of fields to be serialized by the default serialization mechanism.
public class Point { private transient double x; // declared transient private transient double y; // declared transient public Point(double x, double y) { this.x = x; this.y = y; } public Point() { // no-argument constructor } } public class Coordinates extends Point implements Serializable { public static void main(String[] args) { try { Point p = new Point(5,2); FileOutputStream fout = new FileOutputStream("point.ser"); ObjectOutputStream oout = new ObjectOutputStream(fout); oout.writeObject(p); oout.close(); } catch (Exception e) { // Forward to handler } } }
Compliant Solution
Another acceptable solution involves using custom implementations of the writeObject()
, writeReplace()
and writeExternal()
methods that prevent sensitive fields from being written to the serialized stream.
Compliant Solution
Another acceptable approach is to define the serialPersistentFields
array field and ensure that sensitive fields are omitted from the array. (See rule SER00-J. Maintain serialization compatibility during class evolution.)
Noncompliant Code Example
Serialization can also be used maliciously. One example is returning multiple instances of a singleton-like class. In this noncompliant code example (based on [[Bloch 2005]]), a subclass SensitiveClass
inadvertently becomes serializable because it extends the Exception
class which implements Serializable
.
public class SensitiveClass extends Exception { public static final SensitiveClass INSTANCE = new SensitiveClass(); private SensitiveClass() { // Perform security checks and parameter validation } protected int printBalance() { int balance = 1000; return balance; } } class Malicious { public static void main(String[] args) { SensitiveClass sc = (SensitiveClass) deepCopy(SensitiveClass.INSTANCE); System.out.println(sc == SensitiveClass.INSTANCE); // Prints false; indicates new instance System.out.println("Balance = " + sc.printBalance()); } // This method should not be used in production quality code static public Object deepCopy(Object obj) { try { ByteArrayOutputStream bos = new ByteArrayOutputStream(); new ObjectOutputStream(bos).writeObject(obj); ByteArrayInputStream bin = new ByteArrayInputStream(bos.toByteArray()); return new ObjectInputStream(bin).readObject(); } catch (Exception e) { throw new IllegalArgumentException(e); } } }
See rule MSC11-J. Address the shortcomings of the Singleton design pattern for more information on singletons.
Compliant Solution
Extending a class or interface that implements Serializable
should be avoided whenever possible. When extension of such a class is necessary, undue serialization of the subclass can be prohibited by throwing a NotSerializableException
from a custom writeObject()
or readResolve()
method, defined in the subclass SensitiveClass
. Note that the custom writeObject()
or readResolve()
methods must be declared final
to prevent a malicious subclass from overriding them.
class SensitiveClass extends Exception { // ... private Object readResolve() throws NotSerializableException { throw new NotSerializableException(); } }
Exceptions
SER03:EX0: Sensitive data that has been properly encrypted may be serialized.
Risk Assessment
If sensitive data can be serialized, it may be transmitted over an insecure link, or stored in an insecure medium, or disclosed inappropriately.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
SER03-J |
medium |
likely |
high |
P6 |
L2 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="036e0a61-4340-4b83-9a2a-8de1d73f13f3"><ac:plain-text-body><![CDATA[ |
[[MITRE 2009 |
AA. Bibliography#MITRE 09]] |
[CWE ID 502 |
http://cwe.mitre.org/data/definitions/502.html] "Deserialization of Untrusted Data" |
]]></ac:plain-text-body></ac:structured-macro> |
|
CWE ID 499 "Serializable Class Containing Sensitive Data" |
Bibliography
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="ffc0622f-b8f8-4eaa-b361-e7d5b2d030b9"><ac:plain-text-body><![CDATA[ |
[[Bloch 2005 |
AA. Bibliography#Bloch 05]] |
Puzzle 83: Dyslexic Monotheism |
]]></ac:plain-text-body></ac:structured-macro> |
|
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="385e60cc-766f-4397-bcf1-de852ffb9d7d"><ac:plain-text-body><![CDATA[ |
[[Bloch 2001 |
AA. Bibliography#Bloch 01]] |
Item 1: Enforce the singleton property with a private constructor |
]]></ac:plain-text-body></ac:structured-macro> |
|
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="42df59fe-5921-4409-a816-ffeefaed898a"><ac:plain-text-body><![CDATA[ |
[[Greanier 2000 |
AA. Bibliography#Greanier 00]] |
[Discover the secrets of the Java Serialization API |
http://java.sun.com/developer/technicalArticles/Programming/serialization/] |
]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="060694eb-db68-461b-987d-d6b7a40c08b7"><ac:plain-text-body><![CDATA[ |
[[Harold 1999 |
AA. Bibliography#Harold 99]] |
|
]]></ac:plain-text-body></ac:structured-macro> |
|
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="f4478953-18f5-4e06-a243-563fe945a897"><ac:plain-text-body><![CDATA[ |
[[JLS 2005 |
AA. Bibliography#JLS 05]] |
[Transient modifier |
http://java.sun.com/docs/books/jls/third_edition/html/classes.html#37020] |
]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="0591bd9d-96e1-4934-8636-2ed6cba08738"><ac:plain-text-body><![CDATA[ |
[[Long 2005 |
AA. Bibliography#Long 05]] |
Section 2.4, Serialization |
]]></ac:plain-text-body></ac:structured-macro> |
|
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="0cd00a87-dc0d-46b6-a8be-0bdd58ef8fcf"><ac:plain-text-body><![CDATA[ |
[[SCG 2007 |
AA. Bibliography#SCG 07]] |
Guideline 5-1 Guard sensitive data during serialization |
]]></ac:plain-text-body></ac:structured-macro> |
|
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="094c1ea3-b0a6-467d-bd47-958c34f932a6"><ac:plain-text-body><![CDATA[ |
[[Sun 2006 |
AA. Bibliography#Sun 06]] |
"Serialization specification: A.4 Preventing Serialization of Sensitive Data" |
]]></ac:plain-text-body></ac:structured-macro> |
SER02-J. Sign and seal sensitive objects before sending them outside a trust boundary 13. Serialization (SER)