Effective Java 3rd Edition Section 85 Choose Alternatives Over Java Serialization

I had the opportunity to work with serialization in Java, so I read Chapter 12 of Effective Java 3rd Edition. Here is a summary.

What is Serialize / Deserialize?

A technique for encoding an object as a byte stream and vice versa. In the Java framework, it can be easily implemented by implementing the Serializable interface on the object.

For example, when User is serialized as follows, the instantiated User object can be easily deserialized by calling ```ObjectInputStream # readObject ()` ``.

public class User implements Serializable {
    private static final long serialVersionUID = 199035831519635924L;
    private String name;
    private String cardNumber;

    public User(String name, String cardNumber) {
        this.name = name;
        this.cardNumber = cardNumber;
    }
}

Danger of serialization

Serialization is convenient, but the above example also means that the User instance can be deserialized from anywhere.

Such code is a weak point for attacks such as remote code execution (RCE) and denial of service attacks. In addition, serialization is also used in popular Java subsystems such as RMI, JMX, and JMS, as well as in third-party libraries, which tends to increase the ** attack surface **. (Methods with Java serializable types used in various places such as these libraries and products are called ** gadgets **. By combining these gadgets (gadget chain), an attacker can call native code. Will end up.)

Also, even without a gadget, you can use serialization technology to launch a DoS attack and make a "deserialize bomb". This exploits the need to calculate the hash code for the field or element when deserializing an instance, for example by creating a deeply nested HashSet instance and deserializing it. This is an attack method that requires a huge amount of calculation time.

Countermeasures against deserialization attacks

The best bet is not to do any deserialization in the system. There is a cross-platform structured data representation (≠ serialization system) in the world, and by using these, it is possible to safely perform conversion between an object and a byte sequence by a method other than serialization. These representations support only basic data types and arrays and are much simpler than Java serialization.

The main ones are JSON and protobuf, which are ** language neutral **. -JSON → A lightweight data exchange format often used on the Web. Developed for JavaScript, it can represent data in a human-readable format in text. ・ Protobuf → Developed by Google as C ++. Binary format, more efficient.

Next, if you are developing an existing Java system and you cannot avoid using serialization, do not deserialize untrusted byte streams at all. (Do not accept RMI requests from untrusted sources) → Java's Secure Coding Guidelines state that "deserialization of untrusted data is inherently dangerous and should be avoided" and is the only one highlighted in capital letters, bold, italics, and red throughout the guidelines. ing. Secure Coding Guidelines for Java SE

If serialization is unavoidable and data safety cannot be ensured, it is also necessary to use ObjectInputFilter introduced in Java 9. This allows the filtering applied to the data stream to be performed before deserialization. There are the following two types of filter methods. Blacklist ... How to accept classes by default and reject potentially dangerous classes Whitelist ... How to reject classes by default and accept safe classes

Blacklists cannot respond to new threats, so choose a *** whitelist *** (A tool called the Serial Whitelist Application Trainer automatically prepares the whitelist to prevent excessive memory usage and deeply structured objects, but there are also attacks such as deserialized bombs that cannot be prevented. )

Reference books

[Effective Java 3rd Edition](https://www.amazon.co.jp/Effective-Java-%E7%AC%AC3%E7%89%88-Joshua-Bloch/dp/4621303252/ref=tmm_pap_swatch_0?_encoding = UTF8 & qid = & sr =)

Recommended Posts

Effective Java 3rd Edition Section 85 Choose Alternatives Over Java Serialization
Effective Java 3rd Edition Chapter 5 Generics
Effective Java 3rd Edition Chapter 8 Methods
Effective Java 3rd Edition Chapter 9 Program General
Effective Java 3rd Edition Chapter 6 enums and annotations
Effective Java 3rd Edition Chapter 4 Classes and Interfaces
Effective Java 3rd Edition Chapter 7 Lambda and Streams
effective java 3rd summary
Effective Java 3rd Edition Chapter 2 Object Creation and Disappearance
Effective Java 3rd Edition Chapter 3 Methods Common to All Objects
What has changed between Effective Java 2nd Edition and 3rd Edition
Item 85: Prefer alternatives to Java serialization
Java serialization
Effective Java 2nd Edition Related Matters Survey Summary
I tried to explain Effective Java 3rd edition "almost all chapters" in "easy-to-read Japanese".