Replacing Unsafe.allocateInstance
Henri Tremblay
henri at tremblay.pro
Tue Jun 30 17:41:08 UTC 2015
We currently have two valid ways to do it. It has been possible since the
first version of Java. Both can be blocked by a security manager.
So I really don't see why we should now limit the practice in scope.
Creating a bogus class in Java is already quite easy. I can just hack
around using reflection. This presentation (and variation of it) is one of
my personal favorite:
http://fr.slideshare.net/JAXLondon2014/reflection-madness-dr-heinz-kabutz
My conclusion is that user should have two choices:
- Use a security manager to prevent dangerous behavior. Knowingly
disallow some performance hack and forcing to add unnecessary default
constructor. This is the approach taken by Google App Engine for instance
- Do not use a security manager and trust the code. This is the approach
I must say I've seen everywhere for the last 15 years. I've worked for
banks and some limited military stuff. I still need to check at nuclear
power plant, fighter jets or space shuttles. I do hope they use a security
manager ;-)
On 30 June 2015 at 11:58, Brian Goetz <brian.goetz at oracle.com> wrote:
> Mocking should be allowed for any class since any class can be mocked. Even
>> the JDK ones
>>
>
> An understandable user perspective :)
>
> Unfortunately, many serious security bugs can stem from being able to
> create a bogus instance of a JDK class that is loaded off the
> bootclasspath, and the existence of vectors for creating these exploits is
> a negative for the entire ecosystem. So, we may need to make some
> tradeoffs between security and convenience.
>
> (Many JDK APIs primarily expose interfaces anyway; these are easily mocked
> without magic.)
>
>
More information about the jdk9-dev
mailing list