Integrity violation in AOTCache

ioi.lam at oracle.com ioi.lam at oracle.com
Sun Feb 15 05:45:08 UTC 2026


Hi Aman,


Thanks for the bug report. I have created a PR to fix this issue:


https://github.com/openjdk/jdk/pull/29728


- Ioi


On 1/30/26 2:53 AM, Aman Sharma wrote:
>
> Hi all,
>
> I have been playing around with AOTCache and I tried a small 
> experiment with it whose idea was to shadow a class using AOTCache. By 
> class shadowing, I mean loading a different class than intended but 
> they both share the same fully qualified name. We also explored this 
> concept in the paper: Maven-Hijack: Software Supply Chain Attack 
> Exploiting Packaging Order <https://arxiv.org/abs/2407.18760v4>, and 
> now I am trying to extend it to AOTCache.
>
> The steps in the experiment are based on POC 
> <https://github.com/chains-project/maven-hijack-poc> from the same 
> paper and are written briefly below. The exact commands are documented 
> here 
> <https://github.com/chains-project/maven-hijack-poc/blob/main/java/maven/abstract-project/AOTCache.md>.
>
>  1. Build the application with one of the dependencies having
>     malicious class. The malicious class has the same name as one of
>     the other classes, say `org.postgresql.Driver` but has malicious
>     contents
>     <https://github.com/chains-project/maven-hijack-poc/blob/0310de24103a55d1f51f70ef625933a40a7a55b3/java/maven/abstract-project/install-me-first/D11/src/main/java/org/postgresql/Driver.java#L8-L23>.
>  2. Create an AOTCache using these dependencies in jar. /This creates
>     a "polluted AOTCache"./
>  3. Now using the polluted cache, run the application that is packaged
>     with genuine dependencies. Apparently, the JVM initializes the
>     malicious class from AOTCache instead of loading it
>     from classpath. In other words, `java -XX:AOTCache=maven.aot -jar
>     target/victim-1.0.jar` and `java -jar target/victim-1.0.jar` give
>     different outputs.
>
>
> I see this as a weakness if the poisoned AOTCache is distributed as an 
> artifact for consumers to use, because consumers may not be expected 
> to perform a training run themselves. I believe there 
> should be some sort of integrity checks before a class is initialized 
> from AOTCache. I noticed there are already some 
> <https://github.com/openjdk/jdk/blob/e3b5b261af6acbe7ab074f301c70283b06c17d39/src/hotspot/share/code/aotCodeCache.cpp#L435> (please 
> share if there are more, and I have missed them), but none of them 
> relate to what I am mentioning. I am happy to listen to some thoughts 
> on this.
>
>
> Regards,
> Aman Sharma
>
> PhD Student
> KTH Royal Institute of Technology
> School of Electrical Engineering and Computer Science (EECS)
> Department of Theoretical Computer Science (TCS)
> <https://www.kth.se/profile/amansha>
> <https://algomaster99.github.io/>
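One consumer-side check for the scenario described in the quoted report, added here as an example and not taken from the OpenJDK PR or the maven-hijack POC: record a SHA-256 digest of every classpath jar at the time the AOTCache is created (the training run), and at launch refuse to pass `-XX:AOTCache` unless the jars on disk still match. If the application is later packaged with different jars, the cache is skipped and the JVM falls back to loading classes from the classpath. The function names, the manifest file format and the `aot_run` wrapper are assumptions of this example; only the `java -XX:AOTCache=... -jar ...` invocation comes from the original message.

```shell
#!/bin/sh
# Hypothetical helper (not part of OpenJDK or the maven-hijack POC).
# The manifest is a constructed format: one "<sha256> <jar path>" line per jar.

hash_file() {
    # Print only the SHA-256 digest; use shasum where coreutils sha256sum is absent.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# aot_record_manifest MANIFEST JAR... : run this beside the AOTCache training run.
aot_record_manifest() {
    manifest=$1; shift
    : > "$manifest"
    for jar in "$@"; do
        printf '%s %s\n' "$(hash_file "$jar")" "$jar" >> "$manifest"
    done
}

# aot_verify_manifest MANIFEST : returns 0 only if every recorded jar is present and unchanged.
aot_verify_manifest() {
    manifest=$1
    status=0
    while read -r expected jar; do
        [ -n "$jar" ] || continue
        if [ ! -f "$jar" ]; then
            echo "aot-verify: missing $jar" >&2
            status=1
            continue
        fi
        actual=$(hash_file "$jar")
        if [ "$actual" != "$expected" ]; then
            echo "aot-verify: changed $jar" >&2
            status=1
        fi
    done < "$manifest"
    return $status
}

# aot_run MANIFEST CACHE JAVA_ARGS... : use the cache only when the classpath
# still matches the training run; otherwise launch without it.
aot_run() {
    manifest=$1; cache=$2; shift 2
    if aot_verify_manifest "$manifest"; then
        java -XX:AOTCache="$cache" "$@"
    else
        echo "aot-run: classpath differs from training run, AOTCache skipped" >&2
        java "$@"
    fi
}

# Usage (assumed paths):
#   aot_record_manifest maven.aot.sha256 target/victim-1.0.jar lib/*.jar
#   aot_run maven.aot.sha256 maven.aot -jar target/victim-1.0.jar
```

This only binds the cache to the jars it was trained from; it does not protect the cache file itself, so a distributed `maven.aot` still needs its own digest or signature checked before it is trusted.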