Rule 6: Make Classes Nonserializable
Ensure your Java code is secure
by Adam Kolawa, Ph.D., Gina Assaf, and Roberto Scaramuzzi

Posted April 14, 2004

Editor's Note: Java Pro Online presents a weekly rule for ensuring the security of Java systems. Here's Rule 6 for beginning your strategy for ensuring your Java applications are secure. See the entire index of Java code security rules here.

This rule requires that you make your class nonserializable if you want to prevent access to the internal state of your objects. If you do not, your objects can be serialized into byte arrays whose contents are readable. As a result, an attacker who can obtain the serialized form can view the objects' full internal state, including private fields and the internal state of every referenced object. To refuse serialization, define a private writeObject method that throws instead of writing anything:

// Called by ObjectOutputStream in place of default field
// serialization; throwing here aborts the write.
private final void writeObject (
    ObjectOutputStream out)
    throws java.io.IOException {
  throw new java.io.IOException (
    "Class cannot be serialized");
}

This method is private, so a subclass defined by an adversary cannot override it; the final modifier is redundant on a private method but harmless. Note that ObjectOutputStream only looks for a private writeObject on classes that are Serializable in the first place: if your class neither implements Serializable nor inherits it from a superclass, serialization already fails with a NotSerializableException. The throwing writeObject is the defense for the case where serializability is inherited from a superclass and cannot be declined. The same pattern applied to a private readObject(ObjectInputStream) refuses deserialization, so an adversary cannot construct instances of the class from a byte stream.
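The following is an added example, not code from the article: it shows the inherited-serializability case in which the throwing writeObject actually matters. Account, PrivilegedAccount, NonserializableDemo and the sample data are all hypothetical names constructed for the demonstration. The base class serializes, and its private field is plainly visible in the output bytes; the subclass inherits Serializable but refuses to write itself, so its secret never reaches the stream.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;

// Hypothetical base class. Serializability is inherited, so every subclass of
// Account is Serializable whether it wants to be or not.
class Account implements Serializable {
    private static final long serialVersionUID = 1L;
    private final String owner;

    Account(String owner) {
        this.owner = owner;
    }
}

// Hypothetical subclass carrying a secret that must never reach a byte stream.
// It cannot "un-implement" Serializable, so it opts out by throwing.
class PrivilegedAccount extends Account {
    private static final long serialVersionUID = 1L;
    private final byte[] apiKey;

    PrivilegedAccount(String owner, byte[] apiKey) {
        super(owner);
        this.apiKey = apiKey.clone();
    }

    // ObjectOutputStream looks up a private writeObject(ObjectOutputStream) on each
    // class in the hierarchy and calls it instead of default field serialization.
    // Being private, it cannot be overridden by an adversary's subclass.
    private void writeObject(ObjectOutputStream out) throws IOException {
        throw new IOException("Class cannot be serialized");
    }

    // Mirror image for the input side: refuse to build an instance from bytes.
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        throw new IOException("Class cannot be deserialized");
    }
}

public class NonserializableDemo {

    // Returns the serialized bytes, or null when the object refused serialization.
    static byte[] trySerialize(Object o) {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
            oos.flush();
        } catch (IOException e) {
            System.out.println("refused: " + e.getMessage());
            return null;
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) {
        // Constructed sample data; not a real credential.
        byte[] secret = "EXAMPLE-API-KEY".getBytes(StandardCharsets.US_ASCII);

        // The base class serializes, and its private field is readable in the output.
        byte[] base = trySerialize(new Account("alice"));
        String baseText = new String(base, StandardCharsets.ISO_8859_1);
        System.out.println("Account serialized: " + base.length
                + " bytes; owner visible in stream: " + baseText.contains("alice"));

        // The subclass refuses, so the API key never leaves the heap.
        byte[] priv = trySerialize(new PrivilegedAccount("alice", secret));
        System.out.println("PrivilegedAccount serialized: " + (priv != null));
    }
}
```

Run it with javac and java; the first object produces a byte array in which the string "alice" can be found by a plain substring search, while the second aborts with the IOException from writeObject before any of PrivilegedAccount's fields are written.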

Note: If you must make a class serializable, two safeguards help. First, declare fields that hold direct handles to system resources (sockets, file descriptors, database connections) or other sensitive information with the transient keyword, so default serialization skips them and they are not restored from an untrusted stream. Second, when you write your own writeObject or readObject for a class, do not pass an internal array to any DataInput/DataOutput method that takes an array; the stream implementation may be supplied by untrusted code and could keep or modify the reference, so write from and read into a copy instead.
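As an added example of both safeguards (not code from the article), the hypothetical SessionRecord below must stay Serializable but marks its socket, password and internal token array transient, writes the token through a copy, bounds the untrusted length before allocating on read, and reads into a fresh buffer that is then copied again rather than adopted. TransientDemo, the field names and the sample values are all constructed for this demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.net.Socket;
import java.nio.charset.StandardCharsets;

// Hypothetical session record that must be Serializable (say, for session
// replication) but holds a socket and a password that must never be written out.
class SessionRecord implements Serializable {
    private static final long serialVersionUID = 1L;
    private static final int MAX_TOKEN = 4096;

    private final String user;
    private transient Socket connection;   // system resource handle: skipped
    private transient char[] password;     // sensitive: skipped
    private transient byte[] token;        // internal array: written via a copy below

    SessionRecord(String user, char[] password, byte[] token) {
        this.user = user;
        this.password = password.clone();
        this.token = token.clone();
    }

    void attach(Socket s) { this.connection = s; }
    boolean hasPassword() { return password != null; }
    boolean hasConnection() { return connection != null; }
    int tokenLength() { return token.length; }

    private void writeObject(ObjectOutputStream out) throws IOException {
        out.defaultWriteObject();          // non-transient fields only: user
        byte[] copy = token.clone();       // never hand the internal array to the stream
        out.writeInt(copy.length);
        out.write(copy);
    }

    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        int len = in.readInt();
        if (len < 0 || len > MAX_TOKEN) {  // untrusted length: bound it before allocating
            throw new InvalidObjectException("token length out of range: " + len);
        }
        byte[] buf = new byte[len];
        in.readFully(buf);                 // read into a scratch buffer the stream may retain...
        token = buf.clone();               // ...and keep our own copy of it
        // connection and password stay null: resources and secrets are never restored
    }
}

public class TransientDemo {
    static byte[] serialize(Serializable s) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(s);
            oos.flush();
        }
        return bos.toByteArray();
    }

    static SessionRecord deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return (SessionRecord) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data; not real credentials.
        SessionRecord rec = new SessionRecord("alice", "hunter2".toCharArray(), new byte[] {1, 2, 3});
        try (Socket s = new Socket()) {    // unconnected socket stands in for a live resource
            rec.attach(s);
            byte[] bytes = serialize(rec);
            String text = new String(bytes, StandardCharsets.ISO_8859_1);
            System.out.println("stream contains user: " + text.contains("alice"));
            System.out.println("stream contains password: " + text.contains("hunter2"));
            SessionRecord back = deserialize(bytes);
            System.out.println("password restored: " + back.hasPassword());
            System.out.println("connection restored: " + back.hasConnection());
            System.out.println("token restored, length " + back.tokenLength());
        }
    }
}
```

The round trip preserves the user name and the token, while the password and the socket are absent from the byte stream and come back null; an attacker reading or forging the stream gains neither the secret nor a live resource handle.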

Rule sources:
"Statically Scanning Java Code: Finding Security Vulnerabilities," John Viega, Gary McGraw, Tom Mutdosch, and Edward W. Felten, IEEE Software, September/October 2000.
"Twelve Rules for Developing More Secure Java Code," Gary McGraw and Edward Felten, JavaWorld, December 1998.
Effective Java Programming Language Guide, Joshua Bloch, Addison-Wesley Professional, 2001, pp. 45-52.
Secure Programming for Linux and Unix HOWTO, David A. Wheeler.

About the Authors
Adam Kolawa, Ph.D., is the chairman and CEO of Parasoft. He is a writer and speaker on industry issues and in 2001 was awarded the Los Angeles Ernst & Young Entrepreneur of the Year Award in the software category. Gina Assaf has been developing, designing, testing, and implementing applications in Java for over six years, and has researched and developed coding standards for Parasoft, many of which provide security for Java applications. Roberto Scaramuzzi, Ph.D., is a Java and Perl developer for Parasoft in San Diego, California. Born in Italy, he later moved to the United States to obtain his doctorate in Mathematics from Yale University. Contact the authors at .
