You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 60 Next »

Invocation of System.exit() terminates the JVM, consequently terminating all programs and threads running thereon. This can result in denial-of-service attacks. For example, a call to System.exit() that is embedded in JSP code can cause a web server to terminate, preventing further service for users. Programs must prevent both inadvertent and malicious calls to System.exit(). Additionally, programs should perform necessary clean-up actions when forcibly terminated (for example, by using the Windows Task Manager, POSIX kill command, or other mechanism).

Noncompliant Code Example

This noncompliant code example uses System.exit() to forcefully shutdown the JVM and terminate the running process. The program lacks a security manager; consequently, it lacks the capability to check whether the caller is permitted to invoke System.exit().

public class InterceptExit {
  public static void main(String[] args) {
    // ...
    System.exit(1);  // Abrupt exit 
    System.out.println("This never executes");
  }
}	

Compliant Solution

This compliant solution installs a custom security manager PasswordSecurityManager that overrides the checkExit() method defined in the SecurityManager class. This override is required to enable invocation of cleanup code before allowing the exit. The default checkExit() method in the SecurityManager class lacks this facility.

class PasswordSecurityManager extends SecurityManager {
  private boolean isExitAllowedFlag; 
  
  public PasswordSecurityManager(){
    super();
    isExitAllowedFlag = false;  
  }
 
  public boolean isExitAllowed(){
    return isExitAllowedFlag;	 
  }
 
  @Override public void checkExit(int status) {
    if(!isExitAllowed()) {
      throw new SecurityException();
    }
    super.checkExit(status);
  }
 
  public void setExitAllowed(boolean f) {
    isExitAllowedFlag = f; 	 
  }
}

public class InterceptExit {
  public static void main(String[] args) {
    PasswordSecurityManager secManager = new PasswordSecurityManager();
    System.setSecurityManager(secManager);
    try {
      // ...
      System.exit(1);  // Abrupt exit call
    } catch (Throwable x) {
      if (x instanceof SecurityException) {
        System.out.println("Intercepted System.exit()");
        // Log exception
      } else {
        // Forward to exception handler
      }
    }

    // ...
    secManager.setExitAllowed(true);  // Permit exit
    // System.exit() will work subsequently
    // ...
  }
}

This implementation uses an internal flag to track whether the exit is permitted. The method setExitAllowed() sets this flag. The checkExit method throws a SecurityException when the flag is unset (e.g., false). Consequently, normal exception processing bypasses the initial call to System.exit(). The program catches the SecurityException and performs mandatory clean-up operations, including logging the exception. The setExitAllowed() method is invoked only after clean-up is complete. Consequently, the program exits gracefully.

Exceptions

EXC09-EX0: It is permissible for a command line utility to call System.exit() or terminate prematurely; for example, when the required number of arguments are not input [[Bloch 2008]] and [[ESA 2005]].

Risk Assessment

Allowing inadvertent calls to System.exit() may lead to denial of service.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

ERR09-J

low

unlikely

medium

P2

L3

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="0c4db639-696c-4b03-9d71-978d5996a9b5"><ac:plain-text-body><![CDATA[

[[MITRE 2009

AA. Bibliography#MITRE 09]]

[CWE ID 382

http://cwe.mitre.org/data/definitions/382.html] "J2EE Bad Practices: Use of System.exit()"

]]></ac:plain-text-body></ac:structured-macro>

Bibliography

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="af3a7521-ef98-4e70-8d27-f3db939a8af3"><ac:plain-text-body><![CDATA[

[[API 2006

AA. Bibliography#API 06]]

[method checkExit()

http://java.sun.com/j2se/1.4.2/docs/api/java/lang/SecurityManager.html#checkExit(int)], Class Runtime, method addShutdownHook

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="24214234-2028-4167-a4bf-b75abc313d9f"><ac:plain-text-body><![CDATA[

[[Austin 2000

AA. Bibliography#Austin 00]]

[Writing a Security Manager

http://java.sun.com/developer/onlineTraining/Programming/JDCBook/signed2.html]

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="ac855e7f-70e6-45fa-abd3-0906ca9e0201"><ac:plain-text-body><![CDATA[

[[Darwin 2004

AA. Bibliography#Darwin 04]]

9.5 The Finalize Method

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="533a150e-c9ce-441e-810c-fb0651b5597d"><ac:plain-text-body><![CDATA[

[[ESA 2005

AA. Bibliography#ESA 05]]

Rule 78: Restrict the use of the System.exit method

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="e24dda73-b76b-4282-86a0-6cacf2ba5314"><ac:plain-text-body><![CDATA[

[[Goetz 2006

AA. Bibliography#Goetz 06]]

7.4. JVM Shutdown

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="c43b7ff0-7b70-4a94-8173-488926b1c393"><ac:plain-text-body><![CDATA[

[[Kalinovsky 2004

AA. Bibliography#Kalinovsky 04]]

Chapter 16 Intercepting a Call to System.exit

]]></ac:plain-text-body></ac:structured-macro>


      06. Exceptional Behavior (ERR)      ERR10-J. Do not let code throw undeclared checked exceptions

  • No labels