All geek questions in one place

Why can mutable strings cause a security problem?

I saw the answer from another post:

The string is widely used as a parameter for many java classes, for example. to open a network connection, to open a database connection, open files. If String is not immutable, this will result in a serious security risk.

I think that checking the string before use, it will solve the problem. Why is this the reason the string is meant to be immutable?

Can someone give me a specific code example?

+6
source share
3 answers

In general, it’s easier to write and view sensitive code when the values ​​do not change, because there are fewer movement operations that can affect the result.

Imagine a code like

void doSomethingImportant(String name) { if (!isAlphaNumeric(name)) { throw new IllegalArgumentException(); } Object o = lookupThingy(name); // No chance of SQL-Injection because name is alpha-numeric. connection.executeStatement("INSERT INTO MyTable (column) VALUES ('" + name + "')"); }

The code performs some checks to prevent escalation of privileges, but this is only done if isAlphaNumeric(name) is true when the executeStatement argument is executeStatement .

If the first two statements were reordered, this would not be a problem, so the uncertainty arises in part due to poor alternation. But other code may call this function and assume that name does not change it, so you may need to run and re-run validation checks.

If String not immutable, it could be changed to lookupThingy . To make sure that the security check works, there is a much larger amount of code that must be correctly executed to ensure that this code is safe from SQL injection.

Not only the amount of code that must be executed correctly, but also the supporting one, which makes local changes to one function, can affect the safety of other functions far. Nonlocal effects make code maintenance difficult. Maintaining security features is always dangerous, since security vulnerabilities are rarely obvious, so variability can lead to poor security over time.

Why is this the reason the string is meant to be immutable?

This is separated from why it is poorly secure.

It is widely believed that programs written in languages ​​with easily accessible immutable string types make fewer unnecessary copies of the buffer than those that do not. Unnecessary copies of the buffer destroy memory, cause GC to be rejected, and can lead to simple operations with large inputs much worse than with small inputs.

It is also widely believed that using immutable lines makes it easier to write the right programs, because you are unlikely to be able to protect the archive.

+4
source

This is the oldest safety parody in the book: presenting some system for the operating system, checking it at the parm level, and then updating the parm, while the OS refers to the parm, so it will do something different from what it checked .

This was used to hack IBM OS / 360 in the 60s: to request disk I / O, you passed the OS a "channel program" containing the address and memory address and other materials. The OS will verify that the disk and memory addresses were the locations to which you were authorized, then it will transmit this “channel program” along with the I / O channel equipment that will be executed without the first local copy. It was not so difficult, so you changed the channel program after checking it, but before the I / O channel hardware completed it, allowing access to the unauthorized disk and memory.

(Keep in mind that in this timeframe the memory was very precious, so not copying the program of the channel did not save a non-trivial amount of memory, but this loophole was closed quite quickly, as soon as it became quite well known to operate it.)

(Of course, one needs to ask if any Objective-C program can be considered “protected” from other code running in the same process. The “wuck typing” nature of Objective-C makes better security incredible at best. Strings are more protective against accidental modifications than from malicious modifications.)

+2
source

The post you linked to further links to this post where the problem is explained in more detail:

https://softwareengineering.stackexchange.com/questions/190699/when-and-why-would-we-use-immutable-pointers/190913#190913

+1
source

Source: https://habr.com/ru/post/950206/

More articles:


All Articles