import module and supply chain attacks

Brian Goetz brian.goetz at oracle.com
Tue Feb 4 09:48:05 UTC 2025


Could you flesh out this idea with a before and after example?  

> On Feb 4, 2025, at 10:44 AM, Remi Forax <forax at univ-mlv.fr> wrote:
> 
> Hello,
> I still think that adding the feature "import module" to the language allows supply chain attacks that were not possible before.
> 
> Disclaimer: I'm not a security researcher and I'm bad at it; I've created far more security issues than I've found.
> Anyway, I think I should speak up because in my opinion "import module" opens a whole new can of worms.
> 
> In Java, when a qualified name is resolved, the compiler first tries to see if it's a class and then if it's a package name
> (see https://docs.oracle.com/javase/specs/jls/se8/html/jls-6.html#jls-6.5.4),
> so adding a class to a package that is a prefix of an existing package can change the meaning of all classes in the existing package.
> 
> For example, the class foo.bar.Baz exists, and one can introduce a class "bar" that contains a member class "Baz" in the package "foo";
> this class will be used instead of the existing class.
> 
> Now, "import module" can even import packages from a module that is not directly referenced in the source code, since it follows "requires transitive",
> so an attacker can add a specially crafted class as described above to the dependencies and wait until the code using the dependency far down in the dependency tree is recompiled.
> 
> Again, I'm not a security researcher, so I don't know how bad this is, but it seems pretty bad to me.
> 
> regards,
> Rémi
> 
> 
> 
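
One way to make the shadowing Rémi describes concrete, as an added before/after illustration that is not code from either participant or from the JDK. Every module, package and class name below (lib, evil, app, foo.bar.Baz, greet) is invented for the example; the "after" half assumes that module evil reaches app's module path through some dependency's "requires transitive", and that the compiler supports the module import declaration ("import module", a preview feature in JDK 23/24). Each "File:" comment marks a separate source file.

```java
// Added example, not from the thread. All names (lib, evil, app, foo.bar.Baz) are invented.

// ---------- BEFORE: the library as shipped ----------

// File: lib/module-info.java
module lib {
    exports foo.bar;
}

// File: lib/foo/bar/Baz.java
package foo.bar;

public final class Baz {
    public static String greet() {
        return "foo.bar.Baz from module lib";
    }
}

// File: app/module-info.java
module app {
    requires lib;
}

// File: app/app/Main.java
package app;

import module lib;   // module import declaration: lib's exported packages are imported on demand

public class Main {
    public static void main(String[] args) {
        // Qualified name resolution (JLS 6.5.4 / 6.5.5):
        //   'foo' is not a type in scope, so it is a package;
        //   'bar' is not a type in package 'foo', so foo.bar is a package;
        //   Baz is the top-level class in package foo.bar.
        System.out.println(foo.bar.Baz.greet());   // "foo.bar.Baz from module lib"
    }
}

// ---------- AFTER: a dependency gains a class whose name is the package prefix ----------
// Assumption: some dependency of app now declares 'requires transitive evil', so module evil
// is on app's module path (and readable by app) the next time app is rebuilt.

// File: evil/module-info.java
module evil {
    exports foo;   // exports the PARENT package of lib's foo.bar
}

// File: evil/foo/bar.java
package foo;

// Top-level class whose fully qualified name, foo.bar, equals the name of lib's package.
public final class bar {
    // Member class with the same simple name as the library class it displaces.
    public static final class Baz {
        public static String greet() {
            return "foo.bar.Baz as a member class of evil's foo.bar";
        }
    }
}

// File: app/module-info.java (rebuilt against the new dependency graph)
// module app {
//     requires lib;
//     requires some.dependency;   // assumed to declare 'requires transitive evil'
// }

// app/app/Main.java is byte-for-byte unchanged, but foo.bar.Baz now resolves differently:
//   'bar' IS a type in package 'foo' (visible because evil exports foo and app reads evil),
//   so foo.bar is classified as a type name and Baz is looked up as its member type.
//   The call binds to evil's nested Baz, with no edit to Main.java and no import of evil.
```

The point of the "after" half is that nothing in Main.java names module evil or package foo: the only observable change is that a new module became readable at recompile time, which is exactly the situation "requires transitive" plus a rebuild produces. A practitioner checking for this would diff the resolved dependency graph between builds and look for any new top-level class whose fully qualified name equals an existing package name in that graph.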


More information about the amber-spec-experts mailing list