Secure Java Serialization - validation of untrusted data

Peter Firmstone peter.firmstone at zeus.net.au
Sun Jun 19 11:00:12 UTC 2016


 
Historically Java's strong type system has eliminated many security issues developers experience in other non-type-safe languages.

Deserialization of untrusted / unvalidated data presents a problem for Java, given the deployed software in use today.

I have a working reimplementation of deserialization. It has a subset of the functionality of ObjectInputStream, sufficient for RMI, but it lacks support for circular object graphs and requires periodic stream resets, or it will throw an IOException, returning control to the caller to prevent DoS.  Failure is atomic: the first object that cannot satisfy its invariants is not created and control returns to the caller.  Every class's ProtectionDomain is on the stack at construction, preventing deserialization into a privileged context.  A permission check is also performed prior to construction on each class in the hierarchy of the serialized object, allowing domain-level whitelisting.

I believe it would be useful to create a superclass of ObjectInputStream with this functionality.

Regards,

Peter.

Sent from my Samsung device.
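The message above describes two controls: refusing to construct any class (or superclass) that is not whitelisted, and treating the first invariant violation as a fatal, caller-visible failure. The following is an added example written for this page, not Peter Firmstone's reimplementation and not code from OpenJDK, showing how far a stock ObjectInputStream subclass can get toward the same goals. The class names (WhitelistObjectInputStream, Amount) and the hostile-stream simulation are assumptions made for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** Added example (not the author's code): whitelisted, invariant-checking deserialization. */
public class ValidatingDeserialization {

    /** Refuses to resolve any class, or any of its superclasses, outside a whitelist. */
    static final class WhitelistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        WhitelistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            // Check the name declared in the stream before loading anything.
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "not in deserialization whitelist");
            }
            Class<?> c = super.resolveClass(desc);
            // Walk the hierarchy: a non-serializable superclass never appears in the
            // stream, but its no-arg constructor still runs, so it must be vetted too.
            for (Class<?> k = c.getSuperclass(); k != null && k != Object.class; k = k.getSuperclass()) {
                if (!allowed.contains(k.getName())) {
                    throw new InvalidClassException(k.getName(), "superclass not in deserialization whitelist");
                }
            }
            return c;
        }
    }

    /** A value type whose readObject re-checks the constructor's invariant. */
    static final class Amount implements Serializable {
        private static final long serialVersionUID = 1L;
        private final long cents;

        Amount(long cents) {
            if (cents < 0) throw new IllegalArgumentException("negative amount");
            this.cents = cents;
        }

        // Demo only: simulates a hostile stream whose field values bypassed the constructor.
        private Amount(long cents, boolean unchecked) { this.cents = cents; }
        static Amount tampered(long cents) { return new Amount(cents, true); }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            // Invariant violation aborts the read; the exception returns control to the caller.
            if (cents < 0) throw new InvalidObjectException("negative amount in stream");
        }

        long cents() { return cents; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes, Set<String> allowed) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new WhitelistObjectInputStream(new ByteArrayInputStream(bytes), allowed)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Set<String> allowed = new HashSet<>(Arrays.asList(Amount.class.getName()));

        // Constructed input 1: a well-formed Amount is accepted.
        Amount ok = (Amount) deserialize(serialize(new Amount(500)), allowed);
        System.out.println("accepted: " + ok.cents() + " cents");

        // Constructed input 2: a class outside the whitelist is refused before it is loaded.
        try {
            deserialize(serialize(new java.util.HashMap<String, String>()), allowed);
        } catch (InvalidClassException e) {
            System.out.println("rejected class: " + e.classname);
        }

        // Constructed input 3: a whitelisted class whose stream data breaks its invariant.
        try {
            deserialize(serialize(Amount.tampered(-1)), allowed);
        } catch (InvalidObjectException e) {
            System.out.println("rejected object: " + e.getMessage());
        }
    }
}
```

The whitelist check in resolveClass runs before the class is loaded or instantiated, so it matches the "permission check prior to construction" the message describes. The invariant check does not: with the stock ObjectInputStream the object has already been allocated when readObject runs, so the violating instance exists briefly before the exception propagates, which is exactly the gap the author's reimplementation closes by refusing construction outright. JDK 9 later standardized stream-level class filtering as ObjectInputFilter (JEP 290, also backported to JDK 8u121); that filter is the supported replacement for a resolveClass override in current releases.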
 