SEC00-J. Avoid granting excess privileges
SEC01-J. Minimize the accessibility of classes and their members
SEC02-J. Guard doPrivileged blocks against untrusted invocation and leakage of sensitive data
SEC03-J. Do not allow tainted variables in doPrivileged blocks
SEC04-J. Do not expose standard APIs that may bypass Security Manager checks to untrusted code
SEC06-J. Do not use APIs that perform access checks against the immediate caller
SEC08-J. Protect sensitive operations with security manager checks
SEC09-J. Do not base security checks on untrusted sources
SEC10-J. Define custom security permissions for fine grained security
SEC11-J. Call the superclass's getPermissions method when writing a custom class loader
SEC12-J. Do not grant untrusted code access to classes in inaccessible packages
SEC13-J. Do not allow unauthorized construction of classes in inaccessible packages
SEC14-J. Provide sensitive mutable classes with unmodifiable wrappers
SEC15-J. Prefer using SSLSockets over Sockets for secure data exchange
SEC16-J. Sign and seal sensitive objects before transit
SEC17-J. Create and sign a SignedObject before creating a SealedObject
SEC18-J. Define wrappers around native methods
SEC20-J. Do not expect java.lang.reflect.method.invoke() to behave as the immediate caller
SEC21-J. Remove superfluous code from privileged blocks
According to the principle of least privilege, every program and every user of the system should operate using the least set of privileges necessary to complete the particular task \[[Saltzer 1974|AA. Bibliography#Saltzer 74], [Saltzer 1975|AA. Bibliography#Saltzer 75]\]. The Build Security In website \[[DHS 2006|AA. Bibliography#DHS 06]\] provides additional definitions of this principle. Executing with minimal privileges mitigates against exploitation in case a vulnerability is discovered in the code. These principles can be applied in various ways to Java language programming. |
Java code should be run with the minimum required privileges. Applets rarely require elevated privileges. Sign only those applets that require elevated privileges; other applets should not be signed. (See guideline ENV00-J. Do not sign code that performs only unprivileged operations.) For applications, the security policy that defines the set of permissions should be as restrictive as possible. The default security policy file grants permissions sparingly, however, the flexible security model allows the user to grant additional permissions to applications by defining a custom security policy. Specific guidelines that enforce this principle include:
Applets or applications that need to be signed can coexist with unsigned classes in the same package (or JAR file). It is recommended that all privileged code be packaged together. (See guideline ENV01-J. Place all privileged code in a single package and seal the package for more information.) Furthermore, it is possible to grant privileges to code on the basis of the code base and/or its signer using a security policy.
Privileged operations should be limited to the smallest possible code blocks that require such privileges. The Java AccessController mechanism allows only certain parts of code to acquire elevated privileges. When a class needs to assert its privileges, it executes the privileged code in a doPrivileged block. The AccessController mechanism works in conjunction with the security policy in effect. Because users may be unaware of the details of the security model and incapable of correctly configuring security policies tailored to their requirements, privileged code present within the doPrivileged blocks must be kept to a minimum to avoid security vulnerabilities.
A security manager is an object that defines a security policy for an application. This policy specifies actions that are unsafe or sensitive. Any actions not allowed by the security policy cause a SecurityException to be thrown. An application can also query its security manager to discover which actions are allowed. The security manager can also be used to control the functions the trusted Java API can perform. (See guideline ENV02-J. Create a secure sandbox using a Security Manager.) When untrusted code should be disallowed from accessing system classes, it should be granted specific permissions to prevent it from accessing trusted classes in the specified packages. The accessClassInPackage permission provides the required functionality. (See guideline SEC12-J. Do not grant untrusted code access to classes in inaccessible packages.) Doing so does not limit what system classes can do; however, it restricts the range of system packages that can be used from less-privileged code.
Guideline |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
SEC00-J |
high |
probable |
high |
P6 |
L2 |
SEC01-J |
medium |
likely |
medium |
P12 |
L1 |
SEC02-J |
medium |
likely |
high |
P6 |
L2 |
SEC03-J |
high |
likely |
low |
P27 |
L1 |
SEC04-J |
high |
probable |
medium |
P12 |
L1 |
SEC05-J |
high |
probable |
medium |
P12 |
L1 |
SEC06-J |
high |
probable |
medium |
P12 |
L1 |
SEC07-J |
medium |
probable |
low |
P12 |
L1 |
SEC08-J |
high |
probable |
medium |
P12 |
L1 |
SEC09-J |
high |
probable |
medium |
P12 |
L1 |
SEC10-J |
medium |
probable |
high |
P4 |
L3 |
SEC11-J |
high |
probable |
low |
P18 |
L1 |
SEC12-J |
high |
likely |
high |
P9 |
L2 |
SEC13-J |
high |
likely |
high |
P9 |
L2 |
SEC14-J |
medium |
probable |
high |
P4 |
L3 |
SEC15-J |
medium |
likely |
high |
P6 |
L2 |
SEC16-J |
medium |
probable |
high |
P4 |
L3 |
SEC17-J |
medium |
likely |
low |
P18 |
L1 |
SEC18-J |
medium |
probable |
high |
P4 |
L3 |
SEC19-J |
high |
probable |
medium |
P12 |
L1 |
SEC21-J |
high |
probable |
high |
P6 |
L2 |
ENV10-J. Do not disable bytecode verification The CERT Oracle Secure Coding Standard for Java SEC00-J. Avoid granting excess privileges