Command line flag to disable finalizers.
Sean Mullan
sean.mullan at oracle.com
Wed Apr 20 15:01:14 UTC 2022
On 4/15/22 10:46 PM, Peter Firmstone wrote:
> To securely instrument access controls onto public Java API, we need to
> have the ability to disable finalizers, to prevent finalizer attacks
> from circumventing access controls.
>
> Since finalizers are planned for removal, as soon as finalizers are
> officially deprecated, I propose a command line flag be provided to
> disable JVM calls to finalizer methods.
This is already supported. JEP 421 added a "--finalization=disabled"
option to JDK 18:
https://openjdk.java.net/jeps/421#Command-line-option-to-disable-finalization
--Sean
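
The following regression check is an added example, not part of the thread or of the JDK's own code. It shows what the option changes for a class that enforces an access check in its constructor: whether an instance rejected by that check is still handed to a subclass `finalize()`. All class names are hypothetical, and the `--finalization` option requires JDK 18 or later.

```java
// FinalizerProbe.java (constructed example; every class name is hypothetical).
// Run: java --finalization=enabled  FinalizerProbe.java   -> exits 1 (FAIL)
//      java --finalization=disabled FinalizerProbe.java   -> exits 0 (OK)
@SuppressWarnings({"deprecation", "removal"})
public class FinalizerProbe {
    // Set only if finalize() ran on an object whose constructor threw.
    static volatile Guarded escaped;

    // Stand-in for a class that enforces an access check in its constructor.
    static class Guarded {
        Guarded(boolean callerAllowed) {
            if (!callerAllowed) throw new SecurityException("access denied");
        }
    }

    // Subclass whose finalizer observes the rejected, partially built instance.
    static class Probe extends Guarded {
        Probe() { super(false); }
        @Override
        protected void finalize() { escaped = this; }
    }

    static boolean rejectedObjectReachesFinalizer() throws InterruptedException {
        try {
            new Probe();
        } catch (SecurityException expected) {
            // The constructor rejected the caller; the object is now garbage.
        }
        // GC timing is not guaranteed, so retry for up to about two seconds.
        for (int i = 0; i < 20 && escaped == null; i++) {
            System.gc();
            System.runFinalization();
            Thread.sleep(100);
        }
        return escaped != null;
    }

    public static void main(String[] args) throws InterruptedException {
        boolean leaked = rejectedObjectReachesFinalizer();
        System.out.println(leaked
            ? "FAIL: finalizer ran on an object whose access check failed"
            : "OK: no finalizer ran (expected with --finalization=disabled)");
        System.exit(leaked ? 1 : 0);
    }
}
```

An OK result is empirical rather than a proof, since the JVM gives no guarantee about when garbage collection runs; a FAIL result is conclusive.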