Twelve
rules for developing more secure Java code
Tutorial Details:
Twelve rules for developing more secure Java code
Twelve rules for developing more secure Java code
By: By Gary McGraw and Edward Felten
Writing security-conscious Java code can help you avoid security surprises
his article introduces 12 rules for writing security-critical Java code; 12 rules that all Java developers should abide by. If you are charged with managing a gaggle of Java developers, or if your business relies on the security of Java, make sure your developers follow these rules.
These rules haven't been sugar-coated for mass consumption. They get fairly technical and require broad knowledge of Java to understand. Though experienced Java developers will understand all the rules that follow, less experienced Java developers may have a bit of homework to do. Nevertheless, following these rules will make your Java code more secure.
We base these rules on the experience of many people who have generously discussed their experience in building secure Java code. We are particularly grateful to Andrew Appel, Dirk Balfanz, Drew Dean, and Dan Wallach, of the Secure Internet Programming Team at Princeton, for helping us understand these issues. Others who have contributed significantly to the behind-the-scenes thinking that went into these rules include David Hopwood, Li Gong, and Jim Roskind.
In creating these 12 rules, we've drawn from much experience in hunting down Java security bugs, and on advice and observations from people who write and review security-critical Java code for a living. Each rule is designed to eliminate an unexpected gotcha that you might face.
Of course, security is an elusive goal. Following these rules certainly won't provide any guarantee that your code is completely secure. It is easy to write insecure code that follows these rules. By following these goals, however, you will minimize or eliminate certain kinds of security attacks that you might not have thought of.
Think of these rules as a first step. If you are writing code that may be linked or run in conjunction with untrusted code, then you should definitely consider following these rules.
Every attempt has been made to keep the rules simple enough that you can treat them as a checklist to be followed in mechanical fashion. That way you can save your brainpower for other security issues.
Rule 1: Don't depend on initialization
Most Java developers think there is no way to allocate an object without running a constructor. But this isn't true: there are several ways to allocate noninitialized objects.
The easy way to protect yourself against this problem is to write your classes so that before any object does anything, it verifies that it has been initialized. You can do this as follows:
Make all variables private. If you want to allow outside code to access variables in an object, this should be done via get and set methods. (This keeps outside code from accessing noninitialized variables.) If you're following Rule 3, you'll make the get and set methods final.
Add a new private boolean variable, initialized, to each object.
Have each constructor set the initialized variable as its last action before returning.
Have each nonconstructor method verify that initialized is true before doing anything. (Note that you may have to make exceptions to this rule for methods called by your constructors. If you do this, it's best to make the constructors call only private methods.)
If your class has a static initializer, you will need to do the same thing at the class level. Specifically, for any class that has a static initializer, follow these steps:
Make all static variables private. If you want to allow outside code to access static variables in the class, this should be done via static get and set methods. This keeps outside code from accessing noninitialized static variables. If you're following Rule 3, you'll make the get and set methods final.
Add a new private static boolean variable, classInitialized, to the class.
Have the static constructor set the initialized variable as its last action before returning.
Before doing anything, have each static method and each constructor verify that classInitialized is true. (Note: constructors are required to call a constructor of the superclass, or another constructor of the same class, as their first action. So you will have to do that before you check classInitialized .)
Rule 2: Limit access to your classes, methods, and variables
Every class, method, and variable that is not private provides a potential entry point for an attacker. By default, everything should be private. Make something nonprivate only with good reason, and document that reason.
Rule 3: Make everything final (unless there's a good reason not to)
If a class or method isn't final, an attacker could try to extend it in a dangerous and unforeseen way. By default, everything should be final. Make something nonfinal only if there is a good reason, and document that reason.
You might think you can prevent an attacker from extending your class or its methods by declaring the class nonpublic. But if a class isn't public, it must be accessible from within the same package, and as Rule 4 (below) says, you shouldn't to rely on package scope access restrictions for security.
This advice may seem harsh. After all, the rule is asking you to give up extensibility, which is one of the main benefits of using an object-oriented language like Java. But when you're trying to provide security, extensibility is your enemy: it just provides an attacker with more ways to cause trouble.
Rule 4: Don't depend on package scope
Classes, methods, and variables that aren't explicitly labeled as public, private, or protected are accessible within the same package. Don't rely on this for security. Java classes aren't closed, so an attacker could introduce a new class into your package and use this new class to access the things you thought you were hiding. (A few packages, such as java.lang , are closed by default, and a few Java virtual machines (JVMs) let you close your own packages. But you're better off assuming packages aren't closed.)
Package scope makes a lot of sense from a software-engineering standpoint, since it prevents innocent, accidental access to things you want to hide. But don't depend on it for security.
Maybe we'll get sealed classes in the future.
Rule 5: Don't use inner classes
Some Java language books say inner classes can be accessed only by the outer classes that enclose them. But this isn't true. Java bytecode has no concept of inner classes, so inner classes are translated by the compiler into ordinary classes that happen to be accessible to any code in the same package. And Rule 4 says not to depend on package scope for protection.
But wait, it gets worse. An inner class gets access to the fields of the enclosing outer class, even if the these fields are declared private. And the inner class is translated into a separate class. To let this separate class access the fields of the outer class, the compiler silently changes these fields from private to package scope! It's bad enough that the inner class is exposed; but it's even worse that the compiler is silently overruling your decision to make some fields private. Don't use inner classes if you can help it. (Ironically, the new JDK 1.2 PrivilegedAction API requires you to use an inner class to write privileged code. For more details, see our book Securing Java and the developer.com article referenced below.) That's one reason we don't like the PrivilegedAction API.)
Rule 6: Avoid signing your code
Code that isn't signed will run without any special privileges. And code with no special privileges is much less likely to do damage.
Of course, some of your code might have to acquire and use privileges to perform some dangerous operation. Work hard to minimize the amount of privileged code, and audit the privileged code more carefully than the rest.
Rule 7: If you must sign your code, put it all in one archive file
By following this rule, you will help prevent an attacker from carrying out a mix-and-match attack, in which the attacker constructs a new applet or library that links some of your signed classes together with malicious classes, or links together signed classes that you never meant to be used together. By signing a group of classes together, you make such attacks more difficult. Existing code-signing systems do an inadequate job of preventing mix-and-match attacks, so this rule cannot prevent such attacks completely. But using a single archive can't hurt.
Some code-signing systems let you examine other classes to see who signed them. If you're using a code-signing system that allows this, you can put code into the static constructors of your classes to verify that the "surrounding" classes have been signed by the expected person.
This measure doesn't completely prevent mix-and-match attacks, since an adversary can still mix together classes you signed at different times -- for example, by mixing version 1 of Class A with version 2 of Class B. If you're worried about this kind of inter-version mix-and-match attack, you can put each class's "version stamp" in a public final variable, and then have each class check the version stamps of its surrounding classes.
Rule 8: Make your classes noncloneable
Java's object cloning mechanism can allow an attacker to manufacture new instances of classes you define, without executing any of your constructors. If your class isn't cloneable, the attacker can define a subclass of your class, and make the subclass implement java.lang.Cloneable . This lets an attacker create new instances of your class. The new instances are made by copying the memory images of existing objects; though this is sometimes an acceptable way to make a new object, it often is not.
Rather than worry about this, you're better off making your objects noncloneable. You can do this by defining the following method in each o
Read
Tutorial at: Click here to view the tutorial
Rate Tutorial: Twelve
rules for developing more secure Java code
View Tutorial: Twelve
rules for developing more secure Java code
Related
Tutorials:
|
Displaying 1 - 50 of about 4527 Related Tutorials.
|
Developing Search Engine in Java
Search Engine Java, Search Engine Java Code, Develop Search Engine
Developing Search Engine in Java
 ... develop your own search engine for your website in Java
technologies. We |
Exceptions - More
Java: Exceptions - More
Java NotesExceptions - More
Exceptions
| Exception Usage.../a/today/2003/12/04/exceptions.html,
has some useful "rules", but even more useful |
EnGarde Secure Linux 3.0.4 has been released now
EnGarde Secure Linux 3.0.4
has been released now
EnGarde Secure Linux 3.0.4
has been released now
Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.4. This release includes several bug |
EnGarde Secure Linux 3.0.7 is available now
EnGarde Secure Linux 3.0.7 is available now
EnGarde Secure Linux 3.0.7
is available now
Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.7. This release includes several bug fixes |
Tutorials - Java Server Pages Technology
using HTML, and XML templates, and Java code, which is
secure, fast... or
code.
A scriptlet consists of one or more valid
Java... contain a little code that handles application logic and a
lot more code |
Tutorials - Java Server Pages Technology
using HTML, and XML templates, and Java code, which is
secure, fast... or
code.
A scriptlet consists of one or more valid
Java... contain a little code that handles application logic and a
lot more code |
AppPerfect Code Analyzer
key
software development functions: Review Java code and Enforce Good
Coding... performs analysis of your Java and Java Server Pages (JSP)
source code...
AppPerfect Code Analyzer
AppPerfect Code Analyzer |
Developing Distributed application using Enterprise Java Beans, J2EE Architecture, EJB Tutorial, WebLogic Tutorial.
Developing Distributed application using Enterprise Java Beans, J2EE... the
java programs to access the database. For more information...:
Java Server Pages allows
the developers to embed the java code |
Introduction To Enterprise Java Bean(EJB). Developing web component.
Introduction To Enterprise Java Bean(EJB). Developing web component.
Developing
web component...;
More J2EE Tutorials |
Developing Simple Struts Tiles
Application
Developing Simple Struts Tiles
Application
Developing Simple Struts Tiles Application
 ... site having
more that 500 page of static content and many dynamically generated |
Show Alpha Value and Alpha Rules
Show Alpha Value and Alpha Rules
Show Alpha Value and Alpha Rules
 ... the alpha-values and alpha-rules.
To give blending and transparency
effects |
Developing Axis Web services with XML Schemas.
Developing Axis Web services with XML Schemas
Developing Axis Web services with XML Schemas.
Developing SOAP based web services (Note |
Developing Struts Hibernate Plugin
will develop java code for Struts Hibernate Plugin.
Our Hibernate Plugin will create...
Developing Struts Hibernate Plugin
 ... enhances the performance of the application.
Source Code Of Hibernate Struts Plugin |
How To Manage Your Username And Password The Easy And Secure Way
How To Manage Your Username And Password The Easy And Secure Way... The Easy And Secure Way
 ...;
Jerry Yu
Have been an Internet user for more than 9 years, I have |
Open Source Firewall
more secure protection for your PC, and it is FREE.
* It can block the most...
Source Firewall
A firewall is one of the tools used to secure a computer... for Linux, you will find a lot of information and source code, all free. However |
Developing Simple Struts Tiles Application
Developing Simple Struts Tiles
Application
Developing Simple Struts Tiles Application
 ... site having
more that 500 page of static content and many dynamically generated |
Code rally
Eclipse Plugin-Language
Code rally...;
A Java-based, real-time programming game based on the
Eclipse platform.
What is CodeRally?
CodeRally is a Java?-based, real-time programming
game based |
More APIs Become Available
JDBC APIs,JDBC APIs in java,More APIs
More APIs...;
3. More APIs Become Available:
Some APIs and new methods have been added in JDBC
6.0.
More APIs have been added to this version of JDBC |
Open Source Code
;
Java 2 source code release
With the release of Sun's Java 2 source code...
Open Source code
Open Source Code
What... stack, providing a basic messaging framework that more abstract layers can build |
JSF Forms - Developing form based application
JSF Forms,JSF Forms
JSF Forms - Developing form...;
Complete Java Server Faces (JSF...
everything you need to know about JSF.
Developing Forms in JSF 1.2
In this tutorial we |
Developing responsive Ajax based Applications with ajax technologies
;
Ajax Resources
Ajax
Code Libraries and Tools
Code libraries and loots for the development of your Ajax based... application making it more user friendly.
Ajax Chat
List |
ILOG Business Rule Studio
-editing and debugging of Java code and rules.
Rule Studio supports deploying..., with JRules users can write and manage rules using the full features of JRules while deploying the rules for execution to a native .NET engine.
Rule development |
Code Collaborator
Code Collaborator
Code Collaborator...-in changes by label, date, branch, changelist number, and more.
You can even... to the correct logical line of code. Try doing that with email!
Defect logs |
developing a Session Bean and a Servlet and deploy the web application on
JBoss 3.0
developing a Session Bean and a Servlet and deploy the web application... multiply(int a, int b)
method for calling from JSP. Here is code... the
javax.ejb.SessionBean. In the bean class we have implemented the code for
  |
Code Management
persistence framework. The plugin will automatically generate java code when your... developed internally to find duplicated or similar fragments of code in large Java... your Java code visually allowing you to see its structure and the links (calls |
Developing Struts PlugIn
;
Writing Struts PlugIn Java Code
In this example we write...
Developing Struts PlugIn,Struts PlugIn,Struts PlugIn Example
Developing Struts PlugIn
  |
Developing Struts Web Module
\code\pages"
directory.
3. Search Java Form (SearchTutorialActionForm.java...
Struts Web Module,Developing Struts,struts Search example,struts
forum,struts forum example
Developing Struts Web Module |
Developing User Registration Form
Registration Form,User Registration Form,Developing User Registration
Form
Developing User Registration Form....
The necessary code are described further down in this section.
Registration |
Developing Struts Application
Developing Struts Application
Developing Struts Application
 .... In
an illustration,we should not introduce more than one 'unfamiliar' tool or
concept. Many |
Developing JSP, Java and Configuration for Hello World Application
Writing JSP, Java and Configuration for Hello World Application,Struts 2
Hello World
Writing JSP, Java and Configuration for Hello...;
In this section we will write JSP, Java and required |
JOptionPane - More Dialogs
Java: JOptionPane - More Dialogs
Prev: JOptionPane - Simple Dialogs | Next: none
Java: JOptionPane - More Dialogs
Here are some more useful static methods from |
CAP - Code Analysis Plugin
CAP - Code Analysis Plugin
CAP - Code Analysis... and analysis
the dependencies of your Java project. It opens a own perspective....
Click here to know more about: More detail: http://cap.xore.de |
Java error code
Java error code
Java error code...;
Java Error code are the set of error that occurs during the compile-time and
Run-time. From java error we have given you a sample of code |
JDBC Connectivity Code In Java
Jdbc Connectivity Code In Java
JDBC Connectivity Code In Java
 ... in
understanding JDBC Connectivity Code in Java. The code include a class JDBC |
Eclipse Plunging Source Code Analyzer
suite of products consisting of java
code analyzer, unit tester and profiler...: Review Java code and Enforce
Good Coding Practices which leads to optimization of your application. Code
analyzer analyzes java/jsp code against over 750 |
Eclipse Plunging/Tool
Machine Gear from Java code. This plugin launches a
wizard within Eclipse... Antidecompiler(tm) 2006 Plugin for Eclipse protects your Java source
code from... or Eclipse Plugin. Display more results for one search.
Search Java SubClass |
User Registration Action Class and DAO code
User Action,Registration Action,User Registration Action Class and DAO
code
User Registration Action Class and DAO code...;
In this section we will explain how to write code for action class |
Writing First Hibernate Code
.
Developing Code to Test Hibernate example
Now we are ready to write a program...
Writing First Hibernate Code
Writing First Hibernate Code
  |
JDemo-Java Demonstration Framework
development: When developing software, you write short code snippets (demo cases...
JDemo-Java Demonstration Framework
JDemo-Java...;
JDemo is the Java demonstration |
Introduction to the JSP Java Server Pages
with
working source code.
Introduction to JSP
Java Server Pages... and it enable the developers
to embed java code in html pages. JSP files are finally...;%! and ends %>
with .We can embed any amount of java code in the JSP |
developing a Session Bean and a Servlet and deploy the web application on
JBoss 3.0
developing a Session Bean and a Servlet and deploy the web application... String COMP_NAME="java:comp/env/ejb/test/MyTestSession";
public... is the code of our servlet.
/*
* SessionTestServlet.java |
New to Java?
on the concept of Java Virtual Machine (JVM) that
acts as a translators of byte code... operating system without recompiling your source code. Java technology is based...; By using the Java complier, you can change the
source code into byte code. The byte |
New to Java?
on the concept of Java Virtual Machine (JVM) that
acts as a translators of byte code... operating system without recompiling your source code. Java technology is based...; By using the Java complier, you can change the
source code into byte code. The byte |
Installing Java
on)
that are compiled specific to a platform. While the source code (.java
files) ... with the
more powerful java tools.Microsoft, Sun, Symantec, and Borland...
Installing Java
Installing Java |
More About Triggers
About Trigger in quartz
More About Triggers... interface:
Here is the code of Calendar interface:
package ... shutdown, in this case the misfire is occurred. More descriptions about
the misfire |
Web Services Tutorials and Links
Web
services Activity:
The World Wide Web is more and more used... on this topic in more detail.
Web
Services Addressing... format bindings.
Java
Web services |
Analysis tool - SourceGlider for Eclipse
and
subtle design patterns, which make the code more abstract, but less readable... and other collections.
For code developing
Software developers need to keep in mind...;
For code |
Struts 2 - History of Struts 2
is an open-source framework that is used for developing Java web application... an excellent framework for developing application easily by organizing JSP and Servlet
based on HTML formats and Java code. Strut1 with all standard Java |
Implementing more than one Job Details and Triggers
Implementing more than one JobDetail and Trigger
Implementing more than one Job Details and Triggers
 ...;
In this quartz tutorial, we will learn how to implement
more than one triggers |
Struts2 Training
that is used
to develop Java applications. Struts is an excellent framework for developing application easily by
organizing JSP and Servlet and basic java code. Strut1 along with all the
standard Java technologies and packages of Jakarta |
|
|
|