[TOC] [Prev] [Next]
 
The object serialization system allows a bytestream to be produced from a 
graph of objects, sent out of the Java environment (either saved to disk or sent 
over the network) and then used to recreate an equivalent set of new objects 
with the same state.
What happens to the state of the objects outside of the environment is outside 
of the control of the Java system (by definition), and therefore is outside the 
control of the security provided by the system. The question then arises, once 
an object has been serialized, can the resulting byte array be examined and 
changed, perhaps injecting viruses into Java programs? The intent of this 
section is to address these security concerns.
The goal for object serialization is to be as simple as possible and yet still be 
consistent with known security restrictions; the simpler the system is, the more 
likely it is to be secure. The following points summarize how security in object 
serialization has been implemented:
- Only objects implementing the java.io.Serializable or java.io.Externalizable 
interfaces can be serialized. there are mechanisms for not serializing certain 
fields and certain classes.
- The serialization package cannot be used to recreate the same object, and no 
object is ever overwritten by a deserialize operation. All that can be done 
with the serialization package is to create new objects, initialized in a 
particular fashion.
- While deserializing an object might cause code for the class of the object to 
be loaded, that code loading is protected by all of the usual Java code 
verification and security management guarantees. Classes loaded because of 
deserialization are no more or less secure than those loaded in any other 
fashion.
- Externalizable objects expose themselves to being overwritten because the 
readExternal method is public.
Direct handles to system resources, such as file handles, are the kind of 
information that is relative to an address space and should not be written out 
as part of an object's persistent state. Therefore, fields that contain this kind of 
information should be declared transient, which prevents them from being 
serialized. Note that this is not a new or overloaded meaning for the 
transient keyword.If a resource, like a file handle, was not declared transient, the object could 
be altered while in its serialized state, enabling it to have improper access to 
resources after it is deserialized.
To guarantee that a deserialized object does not have state which violates some 
set of invariants that need to be guaranteed, a class can define its own 
serializing and deserializing methods. If there is some set of invariants that 
need to be maintained between the data members of a class, only the class can 
know about these invariants, and it is up to the class writer to provide a 
deserialization method that checks these invariants.
This is important even if you are not worried about security; it is possible that 
disk files can be corrupted and serialized data be invalid. So checking such 
invariants is more than just a security measure; it is a validity measure. 
However, the only place it can be done is in the code for the particular class, 
since there is no way the serialization package can determine what invariants 
should be maintained or checked.
Another way of protecting a bytestream outside the Java virtual machine is to 
encrypt the stream produced by the serialization package. Encrypting the 
bytestream prevents the decoding and the reading of a serialized object's 
private state.
The implementation allows encryption, both by allowing the classes to have 
their own special methods for serialization/deserialization and by using the 
stream abstraction for serialization, so the output can be fed into some other 
stream or filter.
 
[TOC] [Prev] [Next]
 
Copyright © 1996, 1997 Sun Microsystems, Inc.  All rights
reserved.