SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 49

changes.mady.by.user David Svoboda

Saved on

compared with

New Version 50

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Invocation of System.exit() terminates the JVM, consequently terminating all programs and threads running thereon. This can result in denial-of-service attacks. For example, a call to System.exit() that is embedded in JSP code can cause a web server to terminate, preventing further service for users. Programs must prevent both inadvertent and malicious calls to System.exit(). Additionally, programs should perform necessary clean-up actions when forcibly terminated (via ctrl + c or the kill command, for example).

Noncompliant Code Example

This noncompliant code example uses System.exit() to forcefully shutdown the JVM and terminate the running process. The program lacks a security manager; consequently, it lacks the capability to check whether the caller is permitted to invoke System.exit().

Code Block
bgColor#FFcccc
public class InterceptExit {
  public static void main(String[] args) {
    // ...
    System.exit(1);  // Abrupt exit 
    System.out.println("This never executes");
  }
}

Compliant Solution

This compliant solution installs a custom security manager PasswordSecurityManager that overrides the checkExit() method defined in the SecurityManager class. This override is required to enable invocation of cleanup code before allowing the exit. The default checkExit() method in the SecurityManager class lacks this facility.

...

This implementation uses an internal flag to track whether the exit is permitted. The method setExitAllowed() sets this flag. The checkExit method throws a SecurityException when the flag is unset (e.g., false). Consequently, normal exception processing bypasses the initial call to System.exit(). The program catches the SecurityException and performs mandatory clean-up operations, including logging the exception. The setExitAllowed() method is invoked only after clean-up is complete. Consequently, the program exits gracefully.

Noncompliant Code Example

When a user forcefully exits a program by pressing the ctrl + c key or by using the kill command, the JVM terminates abruptly. Although this event cannot be captured, the program should nevertheless perform any mandatory clean-up operations before exiting. This noncompliant code example fails to do so.

Code Block
bgColor#FFcccc
public class InterceptExit {
  public static void main(String[] args) {
    System.out.println("Regular code block");
    // Abrupt exit such as ctrl + c key pressed
    System.out.println("This never executes");
  }
}

Compliant Solution

Use the addShutdownHook() method of java.lang.Runtime to assist with performing clean-up operations in the event of abrupt termination. The JVM starts the shutdown hook thread when abrupt termination is initiated; the shutdown hook runs concurrently with other JVM threads.

...

The JVM can abort for external reasons, such as an external SIGKILL signal (UNIX) or the TerminateProcess call (Microsoft Windows), or memory corruption caused by native methods. Shutdown hooks may fail to execute as expected in such cases, because the JVM cannot guarantee that they will be executed as intended.

Exceptions

Wiki Markup
*EXC09-EX1:* It is permissible for a command line utility to call {{System.exit()}} or terminate prematurely; for example, when the required number of arguments are not input \[[Bloch 2008|AA. Bibliography#Bloch 08]\] and \[[ESA 2005|AA. Bibliography#ESA 05]\].

Risk Assessment

Allowing inadvertent calls to System.exit() may lead to denial of service.

Guideline

Severity

Likelihood

Remediation Cost

Priority

Level

EXC09-J

low

unlikely

medium

P2

L3

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this guideline on the CERT website.

Bibliography

Wiki Markup
\[[API 2006|AA. Bibliography#API 06]\] [method checkExit()|http://java.sun.com/j2se/1.4.2/docs/api/java/lang/SecurityManager.html#checkExit(int)], Class Runtime, method addShutdownHook
\[[Austin 2000|AA. Bibliography#Austin 00]\] [Writing a Security Manager|http://java.sun.com/developer/onlineTraining/Programming/JDCBook/signed2.html]
\[[Darwin 2004|AA. Bibliography#Darwin 04]\] 9.5 The Finalize Method
\[[ESA 2005|AA. Bibliography#ESA 05]\] Rule 78: Restrict the use of the System.exit method 
\[[Goetz 2006|AA. Bibliography#Goetz 06]\] 7.4. JVM Shutdown 
\[[Kalinovsky 2004|AA. Bibliography#Kalinovsky 04]\] Chapter 16 Intercepting a Call to System.exit
\[[MITRE 2009|AA. Bibliography#MITRE 09]\] [CWE ID 382|http://cwe.mitre.org/data/definitions/382.html] "J2EE Bad Practices: Use of System.exit()"

...