Abstract
Sun and CERT recommend, for secure Java development, that partially initialized objects never be made accessible. CERT rates the risk of ignoring this recommendation as high. The solution currently used to enforce object initialization is to follow a coding pattern proposed by Sun, which is not formally checked. We propose a modular type system for formally specifying the initialization policy of libraries or programs, and a type checker that statically verifies at load time that every loaded class respects the policy. This makes it possible to prove the absence of the class of bugs that has enabled some well-known privilege escalations in Java. Our experimental results show that our safe default policy proves 91% of the classes of java.lang, java.security and javax.security safe without any annotation, and that adding 57 simple annotations lets us prove all classes but four safe. The type system and its soundness theorem have been formalized and machine-checked in Coq.
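The failure mode the abstract refers to, and the Sun coding pattern it says is currently relied on, side by side in an added example. This is not code from the paper; the class names (PrivilegedOp, Capture, SafePrivilegedOp, SafeCapture) and the callerIsTrusted() stub are assumptions chosen for illustration, and the stub is constructed to always report an untrusted caller so the failing path is exercised.

```java
// Added example: not code from the paper. The class and method names
// (PrivilegedOp, Capture, SafePrivilegedOp, SafeCapture, callerIsTrusted)
// are assumptions for illustration; callerIsTrusted() is a constructed stub
// that always reports an untrusted caller so the demo exercises the failure path.
public class PartialInitDemo {

    // Constructed stand-in for a real access-control check (for instance a
    // SecurityManager permission check); always "untrusted" here.
    static boolean callerIsTrusted() { return false; }

    // --- Vulnerable shape: the check lives in the constructor body. ---
    // By the time the check throws, the object has already been allocated and
    // Object's constructor has completed, so the JVM considers the instance
    // finalizable (JLS 12.6). A subclass finalizer can therefore capture it.
    static class PrivilegedOp {
        PrivilegedOp() {
            if (!callerIsTrusted()) {
                throw new SecurityException("untrusted caller");
            }
        }
        String doPrivileged() { return "privileged operation executed"; }
    }

    // Attacker-controlled subclass: overrides finalize() to leak 'this'.
    static class Capture extends PrivilegedOp {
        static volatile PrivilegedOp stolen;
        Capture() { super(); }
        @Override protected void finalize() { stolen = this; }
    }

    // --- Hardened shape: the private-constructor pattern from the Sun
    // secure coding guidelines. The check is evaluated as an argument to the
    // this(...) call, i.e. before Object's constructor runs. If it throws, no
    // finalizable instance ever exists, so a subclass finalizer has nothing
    // to capture.
    static class SafePrivilegedOp {
        public SafePrivilegedOp() { this(check()); }
        private SafePrivilegedOp(boolean checked) { /* nothing sensitive here */ }
        private static boolean check() {
            if (!callerIsTrusted()) {
                throw new SecurityException("untrusted caller");
            }
            return true;
        }
        String doPrivileged() { return "privileged operation executed"; }
    }

    static class SafeCapture extends SafePrivilegedOp {
        static volatile SafePrivilegedOp stolen;
        @Override protected void finalize() { stolen = this; }
    }

    public static void main(String[] args) throws InterruptedException {
        try { new Capture(); } catch (SecurityException e) { /* expected */ }
        try { new SafeCapture(); } catch (SecurityException e) { /* expected */ }

        // Finalization is best-effort; request it a few times for the demo.
        for (int i = 0; i < 5 && Capture.stolen == null; i++) {
            System.gc();
            System.runFinalization();
            Thread.sleep(50);
        }
        if (Capture.stolen != null) {
            // A partially initialized instance escaped despite the failed check.
            System.out.println("vulnerable: " + Capture.stolen.doPrivileged());
        }
        // Stays null: the check failed before any instance became finalizable.
        System.out.println("hardened stolen reference: " + SafeCapture.stolen);
    }
}
```

Nothing in the hardened class is checked by the compiler or verifier: a later edit that moves work into the public constructor, or adds a second constructor without the check, silently reopens the hole. That is the gap the abstract describes, and what the paper's load-time type checker is meant to close by verifying every loaded class against a declared initialization policy rather than trusting the pattern.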
© 2010 Springer-Verlag Berlin Heidelberg
Hubert, L., Jensen, T., Monfort, V., Pichardie, D. (2010). Enforcing Secure Object Initialization in Java. In: Gritzalis, D., Preneel, B., Theoharidou, M. (eds) Computer Security – ESORICS 2010. ESORICS 2010. Lecture Notes in Computer Science, vol 6345. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-15497-3_7
DOI: https://doi.org/10.1007/978-3-642-15497-3_7
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-15496-6
Online ISBN: 978-3-642-15497-3