Integrity violation in AOTCache
María Arias de Reyna Dominguez
mariasde at redhat.com
Thu Feb 19 11:59:23 UTC 2026
Hi!
Is there a reason not to port this to JDK25? Because if there ain't, I want
to port it.
Cheers!
María.
On Sun, Feb 15, 2026 at 6:45 AM <ioi.lam at oracle.com> wrote:
> Hi Aman,
>
>
> Thanks for the bug report. I have created a PR to fix this issue:
>
>
> https://github.com/openjdk/jdk/pull/29728
>
>
> - Ioi
>
>
> On 1/30/26 2:53 AM, Aman Sharma wrote:
>
> Hi all,
>
> I have been playing around with AOTCache and I tried a small experiment
> with it whose idea was to shadow a class using AOTCache. By class
> shadowing, I mean loading a different class than intended but they both
> share the same fully qualified name. We also explored this concept in
> the paper: Maven-Hijack: Software Supply Chain Attack Exploiting
> Packaging Order <https://arxiv.org/abs/2407.18760v4>, and now I am trying
> to extend it to AOTCache.
>
> The steps in the experiment are based on POC
> <https://github.com/chains-project/maven-hijack-poc> from the same paper
> and are written briefly below. The exact commands are documented here
> <https://github.com/chains-project/maven-hijack-poc/blob/main/java/maven/abstract-project/AOTCache.md>.
>
> 1. Build the application with one of the dependencies having a malicious
> class. The malicious class has the same name as one of the other classes,
> say `org.postgresql.Driver`, but has malicious contents
> <https://github.com/chains-project/maven-hijack-poc/blob/0310de24103a55d1f51f70ef625933a40a7a55b3/java/maven/abstract-project/install-me-first/D11/src/main/java/org/postgresql/Driver.java#L8-L23>.
> 2. Create an AOTCache using these dependencies in the jar. *This creates a
> "polluted AOTCache".*
> 3. Now using the polluted cache, run the application that is packaged
> with genuine dependencies. Apparently, the JVM initializes the malicious
> class from AOTCache instead of loading it from classpath. In other words, `java
> -XX:AOTCache=maven.aot -jar target/victim-1.0.jar` and `java -jar
> target/victim-1.0.jar` give different outputs.
>
>
> I see this as a weakness if the poisoned AOTCache is distributed as an
> artifact for consumers to use, because consumers may not be expected to
> perform a training run themselves. I believe there should be
> some sort of integrity checks before a class is initialized from AOTCache.
> I noticed there are already some
> <https://github.com/openjdk/jdk/blob/e3b5b261af6acbe7ab074f301c70283b06c17d39/src/hotspot/share/code/aotCodeCache.cpp#L435> (please
> share if there are more, and I have missed them), but none of them relate
> to what I am mentioning. I am happy to listen to some thoughts on this.
>
>
> Regards,
> Aman Sharma
>
> PhD Student
> KTH Royal Institute of Technology
> School of Electrical Engineering and Computer Science (EECS)
> Department of Theoretical Computer Science (TCS)
> <https://www.kth.se/profile/amansha>
> https://algomaster99.github.io/
>
>
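As a defender-side check for the scenario Aman describes (an added example, not code from this thread or from OpenJDK): a wrapper that records SHA-256 digests of the classpath jars used during the training run and only passes `-XX:AOTCache` to `java` when the jars present at run time still match. It assumes GNU coreutils `sha256sum`; the manifest, cache and jar names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenJDK: pin the classpath
# jars used during the AOTCache training run to a digest manifest, and only
# start the application with -XX:AOTCache when the same jars are present.
# Assumes GNU coreutils sha256sum; all file names are placeholders.

# record_manifest MANIFEST JAR...
# Run right after the training run, over the same jars it used.
record_manifest() {
  manifest=$1
  shift
  : > "$manifest" || return 1
  for jar in "$@"; do
    sha256sum "$jar" >> "$manifest" || return 1
  done
}

# verify_manifest MANIFEST
# Succeeds only if every jar recorded in MANIFEST still exists and has the
# same SHA-256, i.e. the runtime classpath is the one the cache was trained on.
verify_manifest() {
  sha256sum --check --status "$1"
}

# run_with_cache MANIFEST CACHE APP_JAR
# Uses the cache only after verify_manifest passes; otherwise falls back to a
# plain run so a class from a swapped jar is never served out of the cache.
run_with_cache() {
  manifest=$1
  cache=$2
  app=$3
  if verify_manifest "$manifest"; then
    java -XX:AOTCache="$cache" -jar "$app"
  else
    echo "classpath differs from the training run; starting without $cache" >&2
    java -jar "$app"
  fi
}
```

The manifest stores paths exactly as given to `record_manifest`, so record and verify from the same working directory or use absolute paths.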