Java Developer Tools

Audit - Rules - Serialization

Description
This group contains audit rules that look for issues related to the use of Java's serialization mechanism.

Rules:

Details

Deserializeability Security

Summary
Prevent non-deserializeable classes from being deserialized by adversaries.

Description
This audit rule enforces classes to implement a readObject method:

    private final void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        throw new IOException("Non-deserializable class");
    }

This audit will be violated if there does not exist a method with the signature:

    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException;

Security Implications
Even when a class is not serializeable, adversaries can sometimes instantiate an instance of a class with a byte array. This can be a security hazard since there is no control on the state of the new object.

Example
The following method declaration would be flagged as a violation because it does not have the required parameter:

    private void readObject() throws IOException, ClassNotFoundException;

Do Not Implement Serializable

Summary
Objects and interfaces should not be declared as Serializable.

Description
This audit rule violates classes and interfaces that implement Serializable.

Security Implications
When an object is serialized it is outside of the JRE and thus outside of all security measures enforced by the JRE. In many cases, packages or entire projects should not declare objects or interfaces as Serializable.

Example
The following class would be flagged:

    class A implements java.io.Serializable ...

Do Not Serialize Byte Arrays

Summary
Do not serialize byte arrays using the ObjectOutputStream.write(byte[]) method.

Description
This audit rule violates invocations of the method ObjectOutputStream.write(byte[]).

Security Implications
Byte arrays should not be serialized using write(byte[]) because the method is not final, allowing subclasses of ObjectOutputStream to override the method and get access to internal data.

Example
Given the following field declaration:

    private byte[] key;

The following invocation of the write method would be flagged:

    private void writeObject(ObjectOutputStream stream)
    {
        stream.write(key);
    }

Non-serializable Class Declares readObject or writeObject

Summary
Classes that do not implement Serializable should not declare methods named readObject or writeObject.

Description
This audit rule looks for declarations of methods named readObject or writeObject in classes that do not implement the interface java.io.Serializable.

Example
The following method would be flagged as a violation:

    public class NonSerializable
    {
        private void readObject(ObjectInputStream in)
            throws IOException, ClassNotFoundException
        {
            ...
        }
    }

Non-serializable Class Declares serialVersionUID

Summary
Classes that do not implement Serializable should not declare a field named serialVersionUID.

Description
This audit rule looks for declarations of fields named serialVersionUID in classes that do not implement the interface java.io.Serializable.

Example
The following field would be flagged as a violation:

    public class NonSerializable
    {
        private static final long serialVersionUID = 0x10F7L;
    }

Prevent Overwriting Of Externalizable Objects

Summary
Disallows Externalizable objects to be overwritten.

Description
All classes that implement java.io.Externalizable must declare the public readExternal method.

This audit rule declares that every subclass of Externalizable must declare readExternal and that readExternal must match the following pattern:

    public synchronized void readExternal(ObjectInput in) throws IOException, ClassNotFoundException {
        if (! initialized) {
            initialized = true;
            *
        } else {
            throw new IllegalStateException();
        }
    }

The boolean named "initialized", may have any valid name, and can be accessed via the this keyword, but cannot be re-assigned anywhere else within the class as such a reassignment could easily invalidate the security measures being taken.

Security Implications
When readExternal is not overridden in this way, malicious users can call readExternal after the class has already been initialized and potentially have the internal state of the class overwritten.

Example
The following class would be flagged as readExternal is not declared as synchronized:

    public class A implements Externalizable {

    boolean initialized = false;
        public void readExternal(ObjectInput in) {
            if (! initialized) {
                initialized = true;
                // initialize the object            } else {
                throw new IllegalStateException();
            }
        }

        public void writeExternal(ObjectOutput out) throws IOException {
            *
        }
    }

Serializable Usage

Summary
Serializable classes should be define properly.

Description
This audit rule finds classes that are defined as Serializable (that implement the interface java.io.Serializable) that have specific problems or that do not need to be defined as Serializable.

Example
The following class would be flagged as a violation because it does not define any instance fields:

    public class Utilities implements Serializable
    {
        public static double computeInterest(double amount, double interestRate, double payment)
        {
            ...
        }
    }

Serializeability Security

Summary
When an Object implements Serializeable, adversaries can sometimes serialize the Object into a byte array, because of this, secure classes must be conscious of Serializeable.

Description
This audit rule enforces the implementation of the following in all classes that implement java.io.Serializeable:

    private final void writeObject(ObjectOutputStream in) throws IOException {
        new java.io.IOException("Class cannot be serialized");
    }

This rule flags instances of Serializable that do not contain the following method signature:

private void writeObject(ObjectOutputStream in) throws IOException;

Security Implications
This audit rule aims to prevent adversaries from accessing the state of an Object by extending classes and retrieving the Object data by calling writeObject.

Example
The following method declaration would be flagged as a violation because it does not have the required parameter:

    private void writeObject() throws IOException;

Transient Field in Non-Serializable Class

Authentication required

You need to be signed in with Google+ to do that.

Signing you in...

Google Developers needs your permission to do that.