import module and supply chain attacks

Remi Forax forax at univ-mlv.fr
Tue Feb 4 09:43:51 UTC 2025


Hello,
I still think that adding the feature "import module" to the language allows supply chain attacks that were not possible before.

Disclaimer: I'm not a security researcher and I'm bad at it; I've created far more security issues than I've found.
Anyway, I think I should speak up because in my opinion "import module" adds a whole new can of worms.

In Java, when a qualified name is resolved, the compiler first checks whether it is a class and then whether it is a package name
(see https://docs.oracle.com/javase/specs/jls/se8/html/jls-6.html#jls-6.5.4),
so adding a class to a package that is a prefix of an existing package can change the meaning of all classes in the existing package.

For example, the class foo.bar.Baz exists, and one can introduce a class "bar" that contains a member class "Baz" in the package "foo";
this class will be used instead of the existing class.

Now, import module can even import packages from a module which is not directly referenced in the source code, since it follows "requires transitive",
so an attacker can add a specially crafted class as described above in the dependencies and wait until the code using the dependency far down in the dependency tree is recompiled.

Again, I'm not a security researcher, so I don't know how bad this is, but it seems pretty bad to me.

regards,
Rémi
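The class-versus-package clash described in the message above, as an added worked example that is not part of the original post or of the amber-spec-experts discussion. It reproduces the foo.bar.Baz / foo.bar scenario with two separately built jars (so the consumer only sees the substitute class on its classpath, the way a compromised transitive dependency would deliver it) and adds a small classpath scanner that flags any class whose binary name is also a package prefix. All file names, jar names, the `who()` methods and the `ClashScan` tool are assumptions made up for this example; the build commands in the leading comment use Unix classpath separators.

```java
// Constructed example (not from the original message). Four source files, shown in
// one listing; each "--- file ---" marker starts a separate file on disk.
//
//   lib/foo/bar/Baz.java    the legitimate class foo.bar.Baz, built into lib.jar
//   evil/foo/bar.java       a top-level class foo.bar with a member class Baz, built into evil.jar
//   app/Main.java           the consumer; refers to foo.bar.Baz and is never edited
//   tools/ClashScan.java    a check for class names that collide with package names
//
// Build and run (hypothetical paths, Unix ':' classpath separator):
//   javac -d out/lib  lib/foo/bar/Baz.java && jar --create --file lib.jar  -C out/lib  .
//   javac -d out/evil evil/foo/bar.java    && jar --create --file evil.jar -C out/evil .
//   javac -d out/app -cp lib.jar          app/Main.java && java -cp out/app:lib.jar          Main
//   javac -d out/app -cp lib.jar:evil.jar app/Main.java && java -cp out/app:lib.jar:evil.jar Main
//   javac -d out/tools tools/ClashScan.java && java -cp out/tools ClashScan lib.jar evil.jar

// --- lib/foo/bar/Baz.java ---
package foo.bar;

public class Baz {
    public static String who() {
        return "class Baz in package foo.bar";
    }
}

// --- evil/foo/bar.java ---
package foo;

// Top-level class whose simple name equals the sub-package name "bar". When the
// qualified name foo.bar is classified, a type of that name takes precedence over
// the package (JLS 6.5.4), so foo.bar.Baz denotes this member class as soon as
// evil.jar is on the consumer's classpath. The member must also be named Baz;
// otherwise the consumer fails to compile instead of silently binding to the substitute.
public class bar {
    public static class Baz {
        public static String who() {
            return "member class Baz of class foo.bar";
        }
    }
}

// --- app/Main.java ---
public class Main {
    public static void main(String[] args) {
        // Fully qualified reference. A single-type import of foo.bar.Baz goes through
        // the same PackageOrTypeName classification and is affected the same way.
        System.out.println(foo.bar.Baz.who());
    }
}

// --- tools/ClashScan.java ---
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;
import java.util.TreeSet;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;

/** Lists every class, across all given jars, whose binary name is also a package prefix. */
public class ClashScan {
    static Set<String> findClashes(String... jars) throws IOException {
        Set<String> classes = new TreeSet<>();   // "foo/bar"  from entry foo/bar.class
        Set<String> packages = new HashSet<>();  // "foo/bar"  from entry foo/bar/Baz.class
        for (String jar : jars) {
            try (ZipFile zip = new ZipFile(jar)) {
                Enumeration<? extends ZipEntry> entries = zip.entries();
                while (entries.hasMoreElements()) {
                    String name = entries.nextElement().getName();
                    if (!name.endsWith(".class") || name.startsWith("META-INF/")) continue;
                    classes.add(name.substring(0, name.length() - ".class".length()));
                    // Every ancestor directory of a class file is a package that exists.
                    for (int i = name.lastIndexOf('/'); i > 0; i = name.lastIndexOf('/', i - 1)) {
                        packages.add(name.substring(0, i));
                    }
                }
            }
        }
        Set<String> clashes = new TreeSet<>();
        for (String cls : classes) {
            if (packages.contains(cls)) clashes.add(cls.replace('/', '.'));
        }
        return clashes;
    }

    public static void main(String[] args) throws IOException {
        Set<String> clashes = findClashes(args);
        for (String c : clashes) {
            System.out.println("CLASH: class " + c + " shadows package " + c);
        }
        System.exit(clashes.isEmpty() ? 0 : 1);  // non-zero so a build step can fail on it
    }
}
```

With only lib.jar on the classpath the qualified name foo.bar.Baz denotes the class in package foo.bar; once evil.jar is added, JLS 6.5.4 classifies the prefix foo.bar as a type name and the unchanged Main.java recompiles against the member class in evil.jar. Since the substitute arrives through a dependency rather than through the consumer's own sources, javac's clash check on declared classes does not see it, which is why the scan runs over the resolved classpath. Run ClashScan over the complete resolved dependency set, including the transitive modules that `import module` pulls in, not just the artifacts named in the build file; a class and a package of the same fully qualified name have no legitimate reason to coexist, so any hit is worth inspecting.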
More information about the amber-spec-experts mailing list