Integrity violation in AOTCache

Aman Sharma amansha at kth.se
Fri Jan 30 10:53:10 UTC 2026 

Hi all,

I have been playing around with AOTCache and I tried a small with it experiment whose idea was to shadow a class using AOTCache. By class shadowing, I mean loading a different class than intended but they both share the same fully qualified name. We also explored this concept in the paper: Maven-Hijack: Software Supply Chain Attack Exploiting Packaging Order<https://arxiv.org/abs/2407.18760v4>, and now I am trying to extend it to AOTCache.

The steps in the experiment are based on POC<https://github.com/chains-project/maven-hijack-poc> from the same paper and are written briefly below. The exact commands are documented here<https://github.com/chains-project/maven-hijack-poc/blob/main/java/maven/abstract-project/AOTCache.md>.

  1.  Build the application with one of the dependencies having malicious class. The malicious class has the same name as one of the other classes, say `org.postrgresql.Driver` but has malicious contents<https://github.com/chains-project/maven-hijack-poc/blob/0310de24103a55d1f51f70ef625933a40a7a55b3/java/maven/abstract-project/install-me-first/D11/src/main/java/org/postgresql/Driver.java#L8-L23>.
  2.  Create an AOTCache using these dependencies in jar. This creates a "polluted AOTCache".
  3.  Now using the polluted cache, run the application that is packaged with genuine dependencies. Apparently, the JVM initializes the malicious class from AOTCache instead of loading it from classpath. In other words, `java -XX:AOTCache=maven.aot -jar target/victim-1.0.jar` and `java -jar target/victim-1.0.jar` give different outputs.

I see this as a weakness if the poisoned AOTCache is distributed as an artifact for consumers to be used because maybe it is not expected from consumers to perform a training run themselves. I believe there should be some sort of integrity checks before a class is initialized from AOTCache. I noticed there are already some<https://github.com/openjdk/jdk/blob/e3b5b261af6acbe7ab074f301c70283b06c17d39/src/hotspot/share/code/aotCodeCache.cpp#L435> (please share if there are more, and I have missed them), but none of them relate to what I am mentioning. I am happy to listen to some thoughts on this.


Regards,
Aman Sharma

PhD Student
KTH Royal Institute of Technology
School of Electrical Engineering and Computer Science (EECS)
Department of Theoretical Computer Science (TCS)
<http://www.kth.se><https://www.kth.se/profile/amansha><https://www.kth.se/profile/amansha>
<https://www.kth.se/profile/amansha>https://algomaster99.github.io/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/leyden-dev/attachments/20260130/553aecb2/attachment.htm>

More information about the leyden-dev mailing list