Integrity violation in AOTCache

ioi.lam at oracle.com ioi.lam at oracle.com
Fri Feb 20 02:44:58 UTC 2026


Yes, I think it's worth backporting to 25

Thanks

- Ioi

On 2/19/26 3:59 AM, María Arias de Reyna Dominguez wrote:
> Hi!
>
> Is there a reason not to port this to JDK25? Because if there ain't, I 
> want to port it.
>
> Cheers!
> María.
>
> On Sun, Feb 15, 2026 at 6:45 AM <ioi.lam at oracle.com> wrote:
>
>     Hi Aman,
>
>
>     Thanks for the bug report. I have created a PR to fix this issue:
>
>
>     https://github.com/openjdk/jdk/pull/29728
>
>
>     - Ioi
>
>
>     On 1/30/26 2:53 AM, Aman Sharma wrote:
>>
>>     Hi all,
>>
>>     I have been playing around with AOTCache and I tried a small
>>     experiment with it whose idea was to shadow a class using AOTCache. By
>>     class shadowing, I mean loading a different class than intended
>>     but they both share the same fully qualified name. We also
>>     explored this concept in the paper: Maven-Hijack: Software Supply
>>     Chain Attack Exploiting Packaging Order
>>     <https://arxiv.org/abs/2407.18760v4>,
>>     and now I am trying to extend it to AOTCache.
>>
>>     The steps in the experiment are based on POC
>>     <https://github.com/chains-project/maven-hijack-poc> from
>>     the same paper and are written briefly below. The exact commands
>>     are documented here
>>     <https://github.com/chains-project/maven-hijack-poc/blob/main/java/maven/abstract-project/AOTCache.md>.
>>
>>      1. Build the application with one of the dependencies having
>>         malicious class. The malicious class has the same name as one
>>         of the other classes, say `org.postgresql.Driver` but has
>>         malicious contents
>>         <https://github.com/chains-project/maven-hijack-poc/blob/0310de24103a55d1f51f70ef625933a40a7a55b3/java/maven/abstract-project/install-me-first/D11/src/main/java/org/postgresql/Driver.java#L8-L23>.
>>      2. Create an AOTCache using these dependencies in jar. This
>>         creates a "polluted AOTCache".
>>      3. Now using the polluted cache, run the application that is
>>         packaged with genuine dependencies. Apparently, the JVM
>>         initializes the malicious class from AOTCache instead of
>>         loading it from classpath. In other words, `java
>>         -XX:AOTCache=maven.aot -jar target/victim-1.0.jar` and `java
>>         -jar target/victim-1.0.jar` give different outputs.
>>
>>
>>     I see this as a weakness if the poisoned AOTCache is distributed
>>     as an artifact for consumers to be used because maybe it is not
>>     expected from consumers to perform a training run themselves. I
>>     believe there should be some sort of integrity checks before a
>>     class is initialized from AOTCache. I noticed there are already
>>     some
>>     <https://github.com/openjdk/jdk/blob/e3b5b261af6acbe7ab074f301c70283b06c17d39/src/hotspot/share/code/aotCodeCache.cpp#L435> (please
>>     share if there are more, and I have missed them), but none of
>>     them relate to what I am mentioning. I am happy to listen to
>>     some thoughts on this.
>>
>>
>>     Regards,
>>     Aman Sharma
>>
>>     PhD Student
>>     KTH Royal Institute of Technology
>>     School of Electrical Engineering and Computer Science (EECS)
>>     Department of Theoretical Computer Science (TCS)
>>     https://www.kth.se/profile/amansha
>>     https://algomaster99.github.io/
>
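The shadowing described in Aman's steps only works when two jars on the class path both define the same fully qualified class name with different bytecode, and that precondition is cheap to detect before an AOT training run or before a consumer trusts a distributed cache. The following is an added example (editorial, not code from the thread, the Maven-Hijack PoC, or the JDK): it walks every jar that will be on the class path, hashes each `.class` entry, and reports any class name that appears with more than one distinct digest. It assumes a plain jar layout (class files at their package path, versioned `META-INF/` overlays ignored) and builds its own constructed sample jars so it runs offline; the jar names and bytecode bytes are made up for the demonstration.

```python
"""Pre-flight audit: find classes that are defined with different bytecode
in more than one jar of a class path (the precondition for class shadowing).
Added example, not code from the mailing-list thread or the JDK."""
import hashlib
import os
import tempfile
import zipfile
from collections import defaultdict


def class_digests(jar_path):
    """Yield (fully qualified class name, SHA-256 of the bytecode) for every
    .class entry in the jar. Entries under META-INF/ (multi-release overlays)
    are skipped; the audit assumes one class per package path."""
    with zipfile.ZipFile(jar_path) as zf:
        for info in zf.infolist():
            name = info.filename
            if not name.endswith(".class") or name.startswith("META-INF/"):
                continue
            fqcn = name[: -len(".class")].replace("/", ".")
            yield fqcn, hashlib.sha256(zf.read(info)).hexdigest()


def find_shadowed_classes(jar_paths):
    """Return {fqcn: {jar_path: digest}} for every class that is defined in
    more than one jar with *different* bytecode. Byte-identical duplicates
    (the same artifact pulled in twice) are deliberately not reported."""
    copies = defaultdict(dict)
    for jar in jar_paths:
        for fqcn, digest in class_digests(jar):
            copies[fqcn][jar] = digest
    return {
        fqcn: jars
        for fqcn, jars in copies.items()
        if len(set(jars.values())) > 1
    }


def _write_jar(path, entries):
    """Write a minimal jar (a zip file) containing {entry_name: bytes}."""
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)


def build_sample_jars(directory):
    """Constructed sample input standing in for a class path: two jars define
    org.postgresql.Driver with different bytes, one is a byte-identical second
    copy of the genuine jar, and one is unrelated. Names and bytes are made up."""
    genuine = b"\xca\xfe\xba\xbe genuine Driver bytecode (constructed)"
    shadow = b"\xca\xfe\xba\xbe shadowing Driver bytecode (constructed)"
    jars = {
        "postgresql-genuine.jar": {"org/postgresql/Driver.class": genuine},
        "postgresql-copy.jar": {"org/postgresql/Driver.class": genuine},
        "d11-shadow.jar": {
            "org/postgresql/Driver.class": shadow,
            "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        },
        "helper.jar": {"org/example/Util.class": b"\xca\xfe\xba\xbe util (constructed)"},
    }
    paths = []
    for filename, entries in jars.items():
        path = os.path.join(directory, filename)
        _write_jar(path, entries)
        paths.append(path)
    return paths


def run_demo():
    """Build the sample jars in a temporary directory and return the shadowed
    classes keyed by jar file name, so the caller can see which jars agree."""
    with tempfile.TemporaryDirectory() as tmp:
        shadowed = find_shadowed_classes(build_sample_jars(tmp))
        return {
            fqcn: {os.path.basename(jar): digest for jar, digest in jars.items()}
            for fqcn, jars in shadowed.items()
        }


if __name__ == "__main__":
    for fqcn, jars in run_demo().items():
        print(f"SHADOWED {fqcn}")
        for jar, digest in jars.items():
            print(f"    {jar}: sha256={digest[:16]}...")
```

On the constructed input only `org.postgresql.Driver` is reported, listed with all three jars that define it so the reader can see that the genuine jar and its copy agree and the shadowing jar does not; `org.example.Util` is silent because it has a single definition. Run against the real jars of both the training run and the consumer's class path, a non-empty result is the signal that the two may not agree on what a class name means, which is the situation the thread asks the JVM to check for.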