Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: REM cost reform

...

The following table summarizes these three approaches:

Solution

Uninitialized Values

Partially Initialized Objects

Exception in constructor

Prevents

Does not prevent

Final field

Prevents

Prevents

Initialized flag

Detects

Detects

Noncompliant Code Example (Finalizer Attack)

...

Allowing access to a partially initialized object can provide an attacker with an opportunity to resurrect the object before or during its finalization; as a result, the attacker can bypass security checks.

Rule

Severity

Likelihood

Remediation Cost

Detectable

Repairable

Priority

Level

OBJ11-J

High

Probable

Yes

Medium

No

P12

L1

Automated Detection

Automated detection for this rule is infeasible in the general case. Some instances of nonfinal classes whose constructors can throw exceptions could be straightforward to diagnose.

ToolVersionCheckerDescription
Klocwork

Include Page
Klocwork_V
Klocwork_V

JAVA.CTOR.EXCEPT
JAVA.FINAL.STATIC.VAR

Parasoft Jtest
9.5EXCEPT.ENFCImplemented
Include Page
Parasoft_V
Parasoft_V
CERT.OBJ11.EPNFCDo not throw exceptions from constructors of "public" non-"final" classes

Related Vulnerabilities

CVE-2008-53395353 describes a collection of vulnerabilities in Java. In one of the vulnerabilities, an applet causes an object to be deserialized using ObjectInputStream.readObject(), but the input is controlled by an attacker. The object actually read is a serializable subclass of ClassLoader, and it has a readObject() method that stashes the object instance into a static variable; consequently, the object survives the serialization. As a result, the applet manages to construct a ClassLoader object by passing the restrictions against this in an applet, and the ClassLoader allows it to construct classes that are not subject to the security restrictions of an applet. This vulnerability is described in depth in SER08-J. Minimize privileges before deserializing from a privileged context.

Related Guidelines

Secure Coding Guidelines for Java SE, Version 5.0

Guideline 4-5 / EXTEND-5: Limit the extensibility of classes and methods
Guideline 7-3 / OBJECT-3: Defend against partially initialized instances of non-final classes

Bibliography

[API 2006]

finalize()

[Darwin 2004]

Section 9.5, "The Finalize Method"

[Flanagan 2005]

Section 3.3, "Destroying and Finalizing Objects"

[JLS 2015]

§8.3.1, Field Modifiers 
§12.6, Finalization of Class Instances

§17.5, "final Field Semantics"

[Kabutz 2001]

Issue 032, "Exceptional Constructors—Resurrecting the Dead"

[Lai 2008]

"Java Insecurity: Accounting for Subtleties That Can Compromise Code"

[Masson 2011]"Secure Your Code against the Finalizer Vulnerability"

...


...

Image Modified Image Modified Image Modified