Java Security: The Finalizer Attack

Anyone who is familiar with Java (or other object-oriented) programming has more than likely heard of the SOLID development principles and knows that the O stands for the ‘Open / Closed Principle.’ In Java, the final keyword helps enforce that principle as well as a second programming ideal discussed in Bloch’s Effective Java: composition over inheritance. Most developers can rattle off these two principles fairly quickly; however, there is a third thing the final keyword does that not many developers think about.

That is, the final keyword prevents the finalizer attack. In short, the finalizer attack is a technique to take over a class through the class’ finalizer method: when a constructor throws after the Object constructor has completed, the partially constructed instance is still finalizable, and a subclass that overrides finalize() gets a reference to it. Using the final keyword on your class (or on the finalize method) prevents subclasses from injecting malicious code or short-circuiting security routines this way.

As a note, if you’d like to see more about various secure coding techniques you can read through them here.
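The following is an added example, not code from the original post, contrasting a constructor check that a finalizer override can bypass with a hardened version of the same class; the class and method names are illustrative.

```java
// Vulnerable pattern: the check runs in the constructor body, after Object's
// constructor has already completed, so the half-built instance is already
// finalizable. A subclass that overrides finalize() receives `this` when the
// instance is collected and can call doPrivileged() even though construction failed.
class UnsafeResource {
    private final String owner;

    UnsafeResource(String owner) {
        if (owner == null || owner.isEmpty()) {
            throw new SecurityException("owner required");
        }
        this.owner = owner;
    }

    void doPrivileged() {
        System.out.println("privileged action for " + owner);
    }
}

// Hardened pattern. Declaring the class `final` is the simplest fix; when the
// class must stay extensible, two changes close the gap instead:
//  1. finalize() is declared final, so no subclass can override it;
//  2. validation runs inside the this(...) argument list, which executes before
//     Object's constructor, so a failed check means the object never becomes
//     finalizable (JLS 12.6.1).
class SafeResource {
    private final String owner;

    SafeResource(String owner) {
        this(checkOwner(owner), true);
    }

    // Only reachable once checkOwner() has passed.
    private SafeResource(String owner, boolean checked) {
        this.owner = owner;
    }

    private static String checkOwner(String owner) {
        if (owner == null || owner.isEmpty()) {
            throw new SecurityException("owner required");
        }
        return owner;
    }

    // finalize() is deprecated in modern Java; if the class keeps one, it must be final.
    @Override
    protected final void finalize() { }
}
```

Compile both classes with javac; the SafeResource constructor still rejects bad input, but a rejected call now leaves nothing behind for a finalizer to observe.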

2 thoughts on “Java Security: The Finalizer Attack”

  1. This does come up a lot, and I like your solution. However, seeing how verbose Java is encouraged me to do the same thing in some other languages. Check it out:

    JavaScript
    ints = [1, 2, 3, 4, 5]
    ints.join(", ")

    Ruby
    ints = [1, 2, 3, 4, 5]
    ints.join(", ")

    Python
    ints = [1, 2, 3, 4, 5]
    ', '.join(map(str, ints))

    Clojure
    (let [ints '(1 2 3 4 5)] (clojure.string/join ", " ints))

    Scala
    val ints = List(1, 2, 3, 4, 5)
    ints.mkString(", ")

    Those are a little more concise, eh? 🙂
