Secure Java

Java was designed with security in mind. How did they do?

Background

These notes will assume you’re a fairly capable Java programmer. In particular, you should already know:

The different data types of the language
The difference between primitive and reference types
How to define classes
The difference between constructors, fields, methods, and initializers
The difference between arrays and lists
Generics
Wheat is meant by static typing, and where Java falls short.
A little about threads

Java and Security

Java is at least a memory-managed language, meaning you don’t have to allocate and deallocate memory on your own. You simply ask to create new objects and space is found for them on the heap. When objects are no longer accessible, a garbage collector will reclaim the memory.

You may not get the classic buffer overflows possible in C and C++, but there are still many ways Java code can be vulnerable. A couple standards and guidelines are out there that can help you write more secure Java. Two well-known ones are one from Oracle and one from CMU SEI.

Secure Coding Guidelines for Java SE

This single page document covering Java software security is easy to read and full of examples. The guidelines are broadly organized into the following sections:

Fundamentals
Denial of Service
Confidential Information
Injection and Inclusion
Accessibility and Extensibility
Input Validation
Mutability
Object Construction
Serialization and Deserialization
Access Control

Within each section are specific guidelines, many with code examples.

CERT Java

There’s a fantastic amount of information at The SEI CERT Oracle Coding Standard for Java from the Software Engineering Institute at Carnegie Mellon.

The Standard is organized into a number of Guidelines, divided into Rules and Recommendations, grouped into sections numbered and titled as follows:

00. Input Validation and Data Sanitization (IDS)
01. Declarations and Initialization (DCL)
02. Expressions (EXP)
03. Numeric Types and Operations (NUM)
04. Characters and Strings (STR)
05. Object Orientation (OBJ)
06. Methods (MET)
07. Exceptional Behavior (ERR)
08. Visibility and Atomicity (VNA)
09. Locking (LCK)
10. Thread APIs (THI)
11. Thread Pools (TPS)
12. Thread-Safety Miscellaneous (TSM)
13. Input Output (FIO)
14. Serialization (SER)
15. Platform Security (SEC)
16. Runtime Environment (ENV)
17. Java Native Interface (JNI)
49. Miscellaneous (MSC)
50. Android (DRD)

Rules are basically requirements that if violated will almost surely result in an exploitable vulnerability. They are generally in principle checkable by static analysis tools (or by a competent human code reviewer). Recommendations basically improve software quality, but violations are not necessarily defects.

Examples of Rules:

EXP01-J. Do not use a null in a case where an object is required
STR02-J. Specify an appropriate locale when comparing locale-dependent data
MET05-J. Ensure that constructors do not call overridable methods
LCK04-J. Do not synchronize on a collection view if the backing collection is accessible
FIO11-J. Do not convert between strings and bytes without specifying a valid character encoding

Examples of Recommendations:

DCL51-J. Do not shadow or obscure identifiers in subscopes
EXP52-J. Use braces for the body of an if, for, or while statement
STR50-J. Use the appropriate method for counting characters in a string
ERR51-J. Prefer user-defined exceptions over more general exception types
CON51-J. Do not assume that the sleep(), yield(), or getState() methods provide synchronization semantics

The online standard has a page listing all of the rules and a page listing all of the recommendations. You can begin your study simply by reading the title of each of the rules and recommendations. Then dive into the ones of interest.

Reading the whole standard can be worthwhile too! There’s sime nice introductory material, explanations of the standard’s organization and how to get the most from it, some history, and discussion of its relationship with other standards and publications. The Back Matter section has some good stuff too.

CLASSWORK

We’re going to browse a few of these guidelines!

Concurrency and Security

Notice how many rules in CERT Java have something to with concurrency? No surprise. Java allows multithreaded programming, which is, well, hard. And one big issue is that many of the things beginners learn about the language negatively impact security. Here are a few tips to get you in the right mindset for programming securely with threads in Java:

Just say no to setters. Your first thought should be to program with immutable objects ONLY. If you must make something mutable, minimize (and isolate!) mutability as much as possible. For an object with 10 fields, make 9 immutable. Avoid the getters and setters! Who cares if they are in books and tutorials? STAY AWAY. Just stop it with the setters! You generally don’t need them. Perhaps you never need them at all. But maybe they’re okay?
Be careful with synchronized. The internal lock a synchronized method uses applies to the entire object, which is often way too coarse, and this can kill performance (with needless waiting of other threads, timeouts). They may be fine for small objects but often you are better off choosing a special purpose mechanism, like a ReadWriteLock. Or just use immutable objects, which you don’t have to lock.

Static Analysis Tools for Java

When developing in Java, you should use a source code analyzer. Two that are very popular and worth considering are:

PMD
FindBugs

CLASSWORK

Let’s demo one or both of these.

Summary

We’ve covered:

Things to keep in mind about Java and Security
CERT Java Rules and Recommendations
A couple notes about multithreading and security
The PMD Source Code Analyzer
FindBugs