Saturday, July 9, 2011

Secure Your Java Code Against the finalizer Vulnerability

Finalizers can cause a vulnerability in Java code when used to create objects. The exploit is a variation of the well-known technique of using a finalizer for resurrecting an object. When an object with a finalize() method becomes unreachable, it is put on a queue to be processed at some later time. This article explains how the exploit works and shows how you can protect your code from it.

The following is the best part of the article:

Until the third edition of the Java Language Specification (JLS) was implemented in Java SE 6, the only ways to avoid the attack — using an initialized flag, prohibiting subclassing, or creating a final finalizer — were unsatisfactory solutions.

To prevent this kind of attack without introducing extra code or restrictions, the Java designers modified the JLS to state that if an exception is thrown in a constructor before java.lang.Object is constructed, the finalize() method of that object will not be executed.

Read the article to see how an exception can be thrown before java.lang.Object is constructed.
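As an added illustration (this code is not from the article or the blog post; the class and method names are invented for the example), the following shows the difference between a constructor that validates its argument after java.lang.Object has already been constructed and one that validates in an argument expression of a this(...) call, which is evaluated before the chained call reaches Object(). The probe subclasses only record which rejected instance, if any, a finalizer was invoked on, so the program acts as a regression check that the guarded form really denies the finalizer a reference.

```java
import java.util.concurrent.atomic.AtomicReference;

/**
 * Demonstrates the guard-constructor idiom relied on by JLS 12.6: an object
 * whose constructor throws before Object() completes is never finalizable.
 * All class names here are hypothetical and chosen for this example only.
 */
@SuppressWarnings({"deprecation", "removal"})
public class FinalizerGuardDemo {

    /** Vulnerable shape: the check runs after Object's constructor has completed,
     *  so a subclass finalizer can still observe the rejected, half-built instance. */
    static class UncheckedAccount {
        final long balance;
        UncheckedAccount(long balance) {
            // Object() has already run at this point; a finalize() override will fire.
            if (balance < 0) throw new IllegalArgumentException("negative balance");
            this.balance = balance;
        }
    }

    /** Hardened shape: the check is evaluated as an argument to this(...), i.e.
     *  before java.lang.Object is constructed. If it throws, the JVM guarantees
     *  that finalize() is never invoked on the would-be instance. */
    static class GuardedAccount {
        final long balance;
        GuardedAccount(long balance) {
            this(checkBalance(balance), true);   // argument evaluated before Object()
        }
        private GuardedAccount(long balance, boolean checked) {
            this.balance = balance;
        }
        private static long checkBalance(long balance) {
            if (balance < 0) throw new IllegalArgumentException("negative balance");
            return balance;
        }
    }

    /** Probes: subclasses whose finalizer records the instance it was invoked on. */
    static class UncheckedProbe extends UncheckedAccount {
        static final AtomicReference<UncheckedAccount> leaked = new AtomicReference<>();
        UncheckedProbe(long b) { super(b); }
        @Override protected void finalize() { leaked.set(this); }
    }
    static class GuardedProbe extends GuardedAccount {
        static final AtomicReference<GuardedAccount> leaked = new AtomicReference<>();
        GuardedProbe(long b) { super(b); }
        @Override protected void finalize() { leaked.set(this); }
    }

    /** Runs a constructor expected to throw, then asks the JVM to finalize.
     *  Returns true if a finalizer still ran on the rejected object. */
    static boolean rejectedObjectWasFinalized(Runnable construct, AtomicReference<?> leaked)
            throws InterruptedException {
        try {
            construct.run();
        } catch (IllegalArgumentException expected) {
            // the constructor rejected the argument, as intended
        }
        for (int i = 0; i < 5 && leaked.get() == null; i++) {
            System.gc();
            System.runFinalization();
            Thread.sleep(50);
        }
        return leaked.get() != null;
    }

    public static void main(String[] args) throws InterruptedException {
        boolean unchecked = rejectedObjectWasFinalized(
                () -> new UncheckedProbe(-1), UncheckedProbe.leaked);
        boolean guarded = rejectedObjectWasFinalized(
                () -> new GuardedProbe(-1), GuardedProbe.leaked);
        System.out.println("Unchecked: finalizer ran on rejected object = " + unchecked);
        System.out.println("Guarded:   finalizer ran on rejected object = " + guarded);
    }
}
```

The guarded result is false by specification; the unchecked result is normally true but depends on the garbage collector actually running finalization within the loop, since System.gc() and System.runFinalization() are only hints. On JDK 18 and later, finalization is deprecated for removal and can be switched off with --finalization=disabled, in which case neither probe fires; the guard-constructor idiom still costs nothing and remains the portable fix.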
