Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8210522

Improve filtering for classes with security sensitive fields

    XMLWordPrintable

    Details

    • Type: CSR
    • Status: Closed
    • Priority: P4
    • Resolution: Approved
    • Fix Version/s: 12
    • Component/s: core-libs
    • Labels:
      None
    • Subcomponent:
    • Compatibility Kind:
      behavioral
    • Compatibility Risk:
      medium
    • Compatibility Risk Description:
      Hide
      I've set the risk to medium for now but time will tell how many libraries have been abusing these fields. We've seen a number of cases where libraries have been hacking Field.modifiers to crack static final fields. We also have seen a few cases where libraries have been hacking AccessibleObject.override instead of calling setAccessible(boolean). Anything depending on the internals of these classes is fragile and will break with any refactoring or changes to implementation (even simple renaming of private fields).
      Show
      I've set the risk to medium for now but time will tell how many libraries have been abusing these fields. We've seen a number of cases where libraries have been hacking Field.modifiers to crack static final fields. We also have seen a few cases where libraries have been hacking AccessibleObject.override instead of calling setAccessible(boolean). Anything depending on the internals of these classes is fragile and will break with any refactoring or changes to implementation (even simple renaming of private fields).
    • Scope:
      JDK

      Description

      Summary

      Core reflection has a filtering mechanism to hide security and integrity sensitive fields and methods from Class getXXXField(s) and getXXXMethod(s). The filtering mechanism has been used for several releases to hide security sensitive fields such as System.security and Class.classLoader.

      This CSR proposes to extend the filters to hide fields from a number of highly security sensitive classes in java.lang.reflect and java.lang.invoke.

      Problem

      Many of classes in java.lang.reflect and java.lang.invoke packages have private fields that, if accessed directly, will compromise the runtime or crash the VM. Ideally all non-public/non-protected fields of classes in java.base would be filtered by core reflection and not be readable/writable via the Unsafe API but we are no where near this at this time. In the mean-time the filtering mechanism is used as a band aid.

      Solution

      Extend the filter to all fields in the following classes:

      java.lang.ClassLoader
      java.lang.reflect.AccessibleObject
      java.lang.reflect.Constructor
      java.lang.reflect.Field
      java.lang.reflect.Method

      and the private fields in java.lang.invoke.MethodHandles.Lookup that are used for the lookup class and access mode.

      Specification

      There are no specification changes, this is filtering of non-public/non-protected fields that nothing outside of java.base should rely on. None of the classes are serializable.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                alanb Alan Bateman
                Reporter:
                alanb Alan Bateman
                Reviewed By:
                Mandy Chung
              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: