Java security coding standard

Source: Internet
Author: User
Tags: coding standards
Original title: The CERT Oracle Secure Coding Standard for Java
Authors: Fred Long, Dhruv Mohindra, Robert C. Seacord, Dean F. Sutherland, David Svoboda (USA)
Translators: Ji Wenke, Yang Xiaochun
Series: Huazhang Programmer Library
Publisher: Machinery Industry Publishing House
ISBN: 9787111428183
Listed: June 2013
Format: 16mo
Pages: 1
Edition: 1-1
Category: computer books (Java)

Java Security Coding Standards is the most authoritative, comprehensive and detailed work in the field of secure Java coding, and is recommended by James Gosling, the father of Java. It not only systematically sets out the elements, standards, norms and best practices of secure Java coding from the language perspective, but also analyzes the design defects and potential security risks of the Java APIs from the perspective of architectural design, together with the corresponding policies and countermeasures. You can use this book as a reference tool for Java security: read the rules you are interested in as needed, index and read rules by the general categories listed in the book when you run into security problems during development, or read all the rules to gain a systematic understanding of Java security rules and a deeper understanding of Java security features, language usage and runtime environment features. This book guides Java software engineers in designing high-quality, secure, reliable, robust, resilient, available and maintainable software systems.

The Java security coding standard is comprehensive: based on the Java SE 6 platform, it contains a series of secure coding rules that apply to the Java language and class libraries. The rules are grouped into input validation and data sanitization, declaration and initialization, expressions, numeric types and operations, object orientation, methods, exceptional behavior, visibility and atomicity, locking, thread APIs, thread pools, thread safety, input and output, serialization, platform security features, the Java runtime environment and other important areas, and the secure coding elements, norms and standards involved in each area are described in detail.

Contents

Java Security Coding Standards
Preface
Remarks

Chapter 1 Overview
  1.1 Misplaced trust
  1.2 Injection attacks
  1.3 Sensitive data leakage
  1.4 Capability leakage
  1.5 Denial of service
  1.6 Serialization
  1.7 Concurrency, visibility and memory
  1.8 Principle of least privilege
  1.9 Security managers
  1.10 Class loaders
  1.11 Summary

Chapter 2 Input Validation and Data Sanitization (IDS)
  Rules; Risk Assessment Summary
  2.1 IDS00-J Sanitize untrusted data passed across a trust boundary
  2.2 IDS01-J Normalize strings before validating them
  2.3 IDS02-J Canonicalize path names before validating them
  2.4 IDS03-J Do not log unsanitized user input
  2.5 IDS04-J Limit the size of files passed to ZipInputStream
  2.6 IDS05-J Use a subset of the ASCII character set for file names and path names
  2.7 IDS06-J Exclude user input from format strings
  2.8 IDS07-J Do not pass untrusted, unsanitized data to the Runtime.exec() method
  2.9 IDS08-J Sanitize untrusted data passed to a regular expression
  2.10 IDS09-J Do not use locale-dependent methods on locale-sensitive data without specifying the appropriate locale
  2.11 IDS10-J Do not split characters between two data structures
  2.12 IDS11-J Eliminate noncharacter code points before validation
  2.13 IDS12-J Perform lossless conversion of string data between different character encodings
  2.14 IDS13-J Use compatible encodings on both sides of file or network I/O

Chapter 3 Declaration and Initialization (DCL)
  Rules; Risk Assessment Summary
  3.1 DCL00-J Prevent class initialization cycles
  3.2 DCL01-J Do not reuse public identifiers from the Java standard library
  3.3 DCL02-J Declare all enhanced for statement loop variables final

Chapter 4 Expressions (EXP)
  Rules; Risk Assessment Summary
  4.1 EXP00-J Do not ignore values returned by methods
  4.2 EXP01-J Never dereference null pointers
  4.3 EXP02-J Use the two-argument Arrays.equals() method to compare the contents of two arrays
  4.4 EXP03-J Do not use the equality operator to compare values of two boxed primitive types
  4.5 EXP04-J Ensure that autoboxed values have the intended type
  4.6 EXP05-J Do not write more than once to the same variable within an expression
  4.7 EXP06-J Do not use side-effecting expressions in assertions

Chapter 5 Numeric Types and Operations (NUM)
  Rules; Risk Assessment Summary
  5.1 NUM00-J Detect or prevent integer overflow
  5.2 NUM01-J Do not perform bitwise and arithmetic operations on the same data
  5.3 NUM02-J Ensure that the divisor in division and modulo operations is not zero
  5.4 NUM03-J Use integer types that can fully represent the possible range of unsigned data
  5.5 NUM04-J Do not use floating-point numbers if precise computation is required
  5.6 NUM05-J Do not use denormalized numbers
  5.7 NUM06-J Use the strictfp modifier for floating-point calculation consistency across platforms
  5.8 NUM07-J Do not attempt comparisons with NaN
  5.9 NUM08-J Check floating-point inputs for exceptional values
  5.10 NUM09-J Do not use floating-point variables as loop counters
  5.11 NUM10-J Do not construct BigDecimal objects from floating-point literals
  5.12 NUM11-J Do not compare or inspect the string representation of floating-point values
  5.13 NUM12-J Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data
  5.14 NUM13-J Avoid loss of precision when converting primitive integers to floating-point types

Chapter 6 Object Orientation (OBJ)
  Rules; Risk Assessment Summary
  6.1 OBJ00-J Limit extensibility of classes and methods with invariants to trusted subclasses only
  6.2 OBJ01-J Declare data members as private and provide accessible wrapper methods
  6.3 OBJ02-J Preserve dependencies in subclasses when changing superclasses
  6.4 OBJ03-J Do not mix generic with nongeneric raw types in new code
  6.5 OBJ04-J Provide mutable classes with copy functionality to safely allow passing instances to untrusted code
  6.6 OBJ05-J Defensively copy private mutable class members before returning their references
  6.7 OBJ06-J Defensively copy mutable inputs and mutable internal components
  6.8 OBJ07-J Sensitive classes must not let themselves be copied
  6.9 OBJ08-J Do not expose private members of an outer class from within a nested class
  6.10 OBJ09-J Compare classes and not class names
  6.11 OBJ10-J Do not use public static nonfinal variables
  6.12 OBJ11-J Be wary of letting constructors throw exceptions

Chapter 7 Methods (MET)
  Rules; Risk Assessment Summary
  7.1 MET00-J Validate method arguments
  7.2 MET01-J Never use assertions to validate method arguments
  7.3 MET02-J Do not use deprecated or obsolete classes or methods
  7.4 MET03-J Methods that perform a security check must be declared private or final
  7.5 MET04-J Do not increase the accessibility of overridden or hidden methods
  7.6 MET05-J Ensure that constructors do not call overridable methods
  7.7 MET06-J Do not invoke overridable methods in clone()
  7.8 MET07-J Never declare a class method that hides a method declared in a superclass or superinterface
  7.9 MET08-J Ensure objects that are equated are equatable
  7.10 MET09-J Classes that define an equals() method must also define a hashCode() method
  7.11 MET10-J Follow the general contract when implementing the compareTo() method
  7.12 MET11-J Ensure that keys used in comparison operations are immutable
  7.13 MET12-J Do not use finalizers

Chapter 8 Exceptional Behavior (ERR)
  Rules; Risk Assessment Summary
  8.1 ERR00-J Do not suppress or ignore checked exceptions
  8.2 ERR01-J Do not allow exceptions to expose sensitive information
  8.3 ERR02-J Prevent exceptions while logging data
  8.4 ERR03-J Restore prior object state on method failure
  8.5 ERR04-J Do not exit abnormally from a finally block
  8.6 ERR05-J Do not let checked exceptions escape from a finally block
  8.7 ERR06-J Do not throw undeclared checked exceptions
  8.8 ERR07-J Do not throw RuntimeException, Exception, or Throwable
  8.9 ERR08-J Do not catch NullPointerException or any of its ancestors
  8.10 ERR09-J Do not allow untrusted code to terminate the JVM

Chapter 9 Visibility and Atomicity (VNA)
  Rules; Risk Assessment Summary
  9.1 VNA00-J Ensure visibility when accessing shared primitive variables
  9.2 VNA01-J Ensure visibility of shared references to immutable objects
  9.3 VNA02-J Ensure that compound operations on shared variables are atomic
  9.4 VNA03-J Do not assume that a group of calls to independently atomic methods is atomic
  9.5 VNA04-J Ensure that calls to chained methods are atomic
  9.6 VNA05-J Ensure atomicity when reading and writing 64-bit values

Chapter 10 Locking (LCK)
  Rules; Risk Assessment Summary
  10.1 LCK00-J Use private final lock objects to synchronize classes that may interact with untrusted code
  10.2 LCK01-J Do not synchronize on objects that may be reused
  10.3 LCK02-J Do not synchronize on the class object returned by getClass()
  10.4 LCK03-J Do not synchronize on the intrinsic locks of high-level concurrency objects
  10.5 LCK04-J Do not synchronize on a collection view if the backing collection is accessible
  10.6 LCK05-J Synchronize access to static fields that can be modified by untrusted code
  10.7 LCK06-J Do not use an instance lock to protect shared static data
  10.8 LCK07-J Avoid deadlock by requesting and releasing locks in the same order
  10.9 LCK08-J Ensure actively held locks are released on exceptional conditions
  10.10 LCK09-J Do not perform operations that can block while holding a lock
  10.11 LCK10-J Do not use incorrect forms of the double-checked locking idiom
  10.12 LCK11-J Avoid client-side locking when using classes that do not commit to their locking strategy

Chapter 11 Thread APIs (THI)
  Rules; Risk Assessment Summary
  11.1 THI00-J Do not invoke Thread.run()
  11.2 THI01-J Do not invoke ThreadGroup methods
  11.3 THI02-J Notify all waiting threads rather than a single thread
  11.4 THI03-J Always invoke wait() and await() methods inside a loop
  11.5 THI04-J Ensure that threads performing blocking operations can be terminated
  11.6 THI05-J Do not use Thread.stop() to terminate threads

Chapter 12 Thread Pools (TPS)
  Rules; Risk Assessment Summary
  12.1 TPS00-J Use thread pools to enable graceful degradation of service during traffic bursts
  12.2 TPS01-J Do not execute interdependent tasks in a bounded thread pool
  12.3 TPS02-J Ensure that tasks submitted to a thread pool are interruptible
  12.4 TPS03-J Ensure that tasks executing in a thread pool do not fail silently
  12.5 TPS04-J Ensure ThreadLocal variables are reinitialized when using thread pools

Chapter 13 Other Thread-Safety Rules (TSM)
  Rules; Risk Assessment Summary
  13.1 TSM00-J Do not override thread-safe methods with methods that are not thread-safe
  13.2 TSM01-J Do not let the this reference escape during object construction
  13.3 TSM02-J Do not use background threads during class initialization
  13.4 TSM03-J Do not publish partially initialized objects

Chapter 14 Input and Output (FIO)
  Rules; Risk Assessment Summary
  14.1 FIO00-J Do not operate on files in shared directories
  14.2 FIO01-J Create files with appropriate access permissions
  14.3 FIO02-J Detect and handle file-related errors
  14.4 FIO03-J Remove temporary files before termination
  14.5 FIO04-J Close resources when they are no longer needed
  14.6 FIO05-J Do not expose buffers created using the wrap() or duplicate() methods to untrusted code
  14.7 FIO06-J Do not create multiple buffered wrappers on a single InputStream
  14.8 FIO07-J Do not let external processes block on input and output streams
  14.9 FIO08-J Use an int to capture the return value of methods that read a character or byte
  14.10 FIO09-J Do not rely on the write() method to output integers outside the range 0 to 255
  14.11 FIO10-J Ensure the array is filled when using read() to fill an array
  14.12 FIO11-J Do not attempt to read raw binary data as character data
  14.13 FIO12-J Provide methods to read and write little-endian data
  14.14 FIO13-J Do not log sensitive information outside a trust boundary
  14.15 FIO14-J Perform proper cleanup at program termination

Chapter 15 Serialization (SER)
  Rules; Risk Assessment Summary
  15.1 SER00-J Maintain serialization compatibility during class evolution
  15.2 SER01-J Do not deviate from the proper signatures of serialization methods
  15.3 SER02-J Sign then seal sensitive objects before sending them outside a trust boundary
  15.4 SER03-J Do not serialize unencrypted sensitive data
  15.5 SER04-J Do not allow serialization and deserialization to bypass the security manager
  15.6 SER05-J Do not serialize instances of inner classes
  15.7 SER06-J Make defensive copies of private mutable components during deserialization
  15.8 SER07-J Do not use the default serialized form
  15.9 SER08-J Minimize privileges before deserializing from a privileged context
  15.10 SER09-J Do not invoke overridable methods from the readObject() method
  15.11 SER10-J Avoid memory and resource leaks during serialization