Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8210522

Improve filtering for classes with security sensitive fields

XMLWordPrintable

    • Icon: CSR CSR
    • Resolution: Approved
    • Icon: P4 P4
    • 12
    • core-libs
    • None
    • behavioral
    • medium
    • Hide
      I've set the risk to medium for now but time will tell how many libraries have been abusing these fields. We've seen a number of cases where libraries have been hacking Field.modifiers to crack static final fields. We also have seen a few cases where libraries have been hacking AccessibleObject.override instead of calling setAccessible(boolean). Anything depending on the internals of these classes is fragile and will break with any refactoring or changes to implementation (even simple renaming of private fields).
      Show
      I've set the risk to medium for now but time will tell how many libraries have been abusing these fields. We've seen a number of cases where libraries have been hacking Field.modifiers to crack static final fields. We also have seen a few cases where libraries have been hacking AccessibleObject.override instead of calling setAccessible(boolean). Anything depending on the internals of these classes is fragile and will break with any refactoring or changes to implementation (even simple renaming of private fields).
    • JDK

      Summary

      Core reflection has a filtering mechanism to hide security and integrity sensitive fields and methods from Class getXXXField(s) and getXXXMethod(s). The filtering mechanism has been used for several releases to hide security sensitive fields such as System.security and Class.classLoader.

      This CSR proposes to extend the filters to hide fields from a number of highly security sensitive classes in java.lang.reflect and java.lang.invoke.

      Problem

      Many of classes in java.lang.reflect and java.lang.invoke packages have private fields that, if accessed directly, will compromise the runtime or crash the VM. Ideally all non-public/non-protected fields of classes in java.base would be filtered by core reflection and not be readable/writable via the Unsafe API but we are no where near this at this time. In the mean-time the filtering mechanism is used as a band aid.

      Solution

      Extend the filter to all fields in the following classes:

      java.lang.ClassLoader
java.lang.reflect.AccessibleObject
java.lang.reflect.Constructor
java.lang.reflect.Field
java.lang.reflect.Method

      and the private fields in java.lang.invoke.MethodHandles.Lookup that are used for the lookup class and access mode.

      Specification

      There are no specification changes, this is filtering of non-public/non-protected fields that nothing outside of java.base should rely on. None of the classes are serializable.

            alanb Alan Bateman
            alanb Alan Bateman
            Mandy Chung (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: