Welcome Guest!
Create Account | Login
Locator+ Code:

Search:
FTPOnline Channels Conferences Resources Hot Topics Partner Sites Magazines About FTP RSS 2.0 Feed

Free Subscription to Java Pro

email article
printer friendly
more resources

Rule 4: Make Your Classes Noncloneable
Ensure your Java code is secure
by Adam Kolawa, Ph.D., Gina Assaf, and Roberto Scaramuzzi

Posted March 31, 2004

Editor's Note: Java Pro Online presents a weekly rule for ensuring the security of Java systems. Here's Rule 4 for beginning your strategy for ensuring your Java applications are secure. See the entire index of Java code security rules here.

This rule requires that you make classes noncloneable by defining a final method clone that will throw a java.lang.CloneNotSupportedException(). For example:

public final Object clone() throws 
  java.lang.
  CloneNotSupportedException {
  throw new java.lang.
    CloneNotSupportedException();
}
ADVERTISEMENT

Java's object cloning mechanism can allow an attacker to manufacture new instances of classes that you define—without executing any of the class's constructors. Even if your class is not cloneable, the attacker can define a subclass of your class, make the subclass implement java.lang.Cloneable, and then create new instances of your class by copying the memory images of existing objects. By defining this clone method, you will prevent such attacks.

Note that if you really need to make your classes cloneable, then be sure to follow rule 5: make your clone() method final, which will be posted at this site beginning the week of April 5.

Rule source: " "Twelve Rules for Developing More Secure Java Code" Gary McGraw and Edward Felten JavaWorld (December, 1998)

About the Author
Adam Kolawa, Ph.D, is the chairman and CEO of Parasoft. He is a writer and speaker on industry issues and in 2001 was awarded the Los Angeles Ernst & Young Entrepreneur of the Year Award in the software category. Gina Assaf has been developing, designing, testing, and implementing applications in Java for over six years, and has researched and developed coding standards for Parasoft, many of which provide security for Java applications. Roberto Scaramuzzi, Ph.D., is a Java and Perl Developer for Parasoft in San Diego, California. Born in Italy, he later moved to the United States to obtain his doctorate in Mathematics from Yale University. Contact the authors at .




Back to top











Java Pro | Visual Studio Magazine | Windows Server System Magazine
.NET Magazine | Enterprise Architect | XML & Web Services Magazine
VSLive! | Thunder Lizard Events | Discussions | Newsletters | FTP Home
 
© Copyright 2001-2006 Fawcette Technical Publications | Privacy Policy | Contact Us

Benidorm

Felton (Somerset)

Side

Mullion

Oludeniz

Cala Mesquida (Mallorca)

Taghazout

Gateshead

Sunny Beach

Port de Alcudia (Mallorca)

Newent

Blackpool

Planos (Zakynthos)

Palma Nova (Mallorca)

Pulford

Aberfoyle (Stirling)

Fleetwood

Hammamet

Lakeside