Oracle Calls Java Serialization 'A Horrible Mistake', Plans to Dump It

An anonymous reader quotes InfoWorld: Oracle plans to drop from Java its serialization feature that has been a thorn in the side when it comes to security. Also known as Java object serialization, the feature is used for encoding objects into streams of bytes... Removing serialization is a long-term goal and is part of Project Amber, which is focused on productivity-oriented Java language features, says Mark Reinhold, chief architect of the Java platform group at Oracle.

To replace the current serialization technology, a small serialization framework would be placed in the platform once records, the Java version of data classes, are supported. The framework could support a graph of records, and developers could plug in a serialization engine of their choice, supporting formats such as JSON or XML, enabling serialization of records in a safe way. But Reinhold cannot yet say which release of Java will have the records capability. Serialization was a "horrible mistake" made in 1997, Reinhold says. He estimates that at least a third -- maybe even half -- of Java vulnerabilities have involved serialization. Serialization overall is brittle but holds the appeal of being easy to use in simple use cases, Reinhold says.

Was very obvious back then

[gweihir]

But the Java fanatics just put in more and more features, regardless of whether sane languages had them or not.

Re:Was very obvious back then

But the Java fanatics just put in more and more features, regardless of whether sane languages had them or not.

Obvious?

Well, given the abstraction from actual hardware that is Java's goal, how would you create a way to pass data from machine to machine without worrying about things like word size and endianness?

Got any objective reasons? Because what you've posted is just an opinion. And just like that other thing everyone else has, frankly it stinks.

Re:Was very obvious back then

But the Java fanatics just put in more and more features, regardless of whether sane languages had them or not.

Obvious?

Well, given the abstraction from actual hardware that is Java's goal, how would you create a way to pass data from machine to machine without worrying about things like word size and endianness?

Are you for real? Maybe I'm not getting your sarcasm, but this is a solved problem and was a solved problem back in 1997.

See here for one example of object serialization of binary fields that was doable back in 1997. Serializing 15 or so fields in a single statement; not exactly what I would call rocket science.

Re:Was very obvious back then

[greenwow]

Oh please. This wasn't a failure with their implementation. It's an issue with the concept which is still a good thing because the positives still outweigh the negatives.

It just sucks though going through a 100+ projects to add jaxb to their pom files to prepare for Java 11 LTS that's coming in September.

Re:Was very obvious back then

[h8sg8s]

It was solved even earlier with XDR (R.I.P. Dr Bruce Nelson..)

Re:Was very obvious back then

[TheRealMindChild]

If XML isn't the solution to your problem, you aren't using enough

Re: Was very obvious back then

[Z00L00K]

The only sane language in that realm is Ada. C# is worse than Java because it's influenced by language problems from VB.

However the serialization is not really a language problem, it's an implementation problem. The serialization is something that could have been done better, and in a more safe manner. But it's also useful. Removing it may break a lot of applications and actually cause them to stay on older insecure runtimes instead of figuring out a way to secure that part in a manner that won't break the applications that are legal.

Re: Was very obvious back then

[Z00L00K]

The disadvantage with xml is that it creates a lot of overhead, which could be a problem in embedded applications and large scale solutions.

Re:Was very obvious back then

No. The problem is with the concept. Persistent objects are dangerous.

Re:Was very obvious back then

Only a stateless universe will bring about Utopia!

Smash the state.

Re:Was very obvious back then

Tagged binary formats like TIFF? You might even have some meta-data indicating the format of the binary file. The problem is that anyone can sneak in some nasty stuff into those binary formats, so I guess you would need some kind of blockchain to ensure that no-one tampered with the sequence or contents of each block.

Re:Was very obvious back then

[mobby_6kl]

Look, I think we can all agree that Java was a huge mistake, but it's been twenty years, I think it's time to just accept it for what it is.

Re:Was very obvious back then

[gweihir]

If you really do not know how to solve this problem sanely, then you have no place in this discussion. This is a problem that has been solved long ago, far longer than Java exist. No, I am not going to tell you how.

Re:Was very obvious back then

[gweihir]

The good is minuscule, the bad is massive. And that was obvious back then. We did joke "Now Java even supports malicious mobile code!" when the feature was announced and wondered how this could ever be secured. Of course, many people though it was great because they did not get it. Just as many people today.

Re: Was very obvious back then

[gweihir]

Ada is a design-catastrophe for other reasons. That is why it is a niche-language and will remain so. It is barely usable.

Re:Was very obvious back then

[gweihir]

You think older mistakes should not be corrected?

Re:Was very obvious back then

[TechyImmigrant]

No. The problem is with the concept. Persistent objects are dangerous.

Insanity.

I like files. They are objects that are persistent.

Just because people are too weak to sanitize inputs doesn't mean that storing bytes persistently is a bad idea.

Re: Was very obvious back then

[TechyImmigrant]

Ada is a subset of a HDL language used to design the CPU you are running your web browser on right now.

Just because software engineers find it hard, it doesn't stop hardware engineers managing just fine with it.

Re: Was very obvious back then

[viperidaenz]

That link you posted is pretty much exactly the same as readObject and writeObject methods in Java serialisation

Re: Was very obvious back then

[Lunix+Nutcase]

Considering how many bugs exist in CPUs this statement doesn’t inspire a lot of confidence. Doubly so when taking into account Meltdown and Spectre.

Re:Was very obvious back then

[angel'o'sphere]

The link is about structs, not about objects.
So when you deserialize them, you have no vtable.
And if you had read (and comprehended your link) you had realized: the author shows up all the problems in serialization. He does not really propose portable solutions.

So: what exactly was your point?

Re: Was very obvious back then

[angel'o'sphere]

Ada did not take off because when it came into the industry compilers were absurdly expensive and every "Ada vendor" wanted your leg and your first born.

Besides that Ada is a nice language, very well designed. I would love to program in Ada, but because of the idiots who made it unpayable expensive most ada projects switched to C++

It is barely usable.
If you can not use Ada effectively you likely can not use any other programming language either.

Re: Was very obvious back then

[angel'o'sphere]

Meltdown and Spectre are not results of Bugs, but design flaws.

If you tell me to build a house 10m x 10m and when I'm finished you realize you actually wanted a 12m x 10m then this is not a bug: you made a mistake in planning.

Re:Was very obvious back then

[countach]

XML is strictly hierarchical. Objects are cyclical graphs. I know you can squeeze one into the other, but it's an ugly mess.

Re:Was very obvious back then

[Junta]

The issue is that in practice this feature (and features like it in other languages) 99% of the time the programmer intends it to be used for persisting "boring old data" in the laziest way possible. The feature of having data be evaluated with executable instructions being honored is just a huge liability.

The 1% of the time when the programmer explicitly does use the "data can have code-to-eval" capability, it has been in my experience, always done better another way (such code is generally a pain to debug because an intuitive path is used for some of the code that executes, and I've yet to see a situation where they really *needed* to accomplish their goals that specific way.

Basically, it's encouraging a bad practice of mixing and matching data and executable code. Ideally you want your .jpg to be "just an image" and only have to worry about arbitrary executable data when dealing with an executable file.

Re: Was very obvious back then

JSon can be faster.

Re: Was very obvious back then

[Jeremi]

The number of bugs in CPUs is an order of magnitude less than in most software. It has to be, because recalling a million CPUs is economically unfeasible. âoeRecallingâ a million software installs (via auto-update), OTOH, is so commonplace as to be unremarkable.

Re: Was very obvious back then

Other way around. VHDL is based on ADA.

Re: Was very obvious back then

[arglebargle_xiv]

The disadvantage with xml is that it creates a lot of overhead

They're already using Java, obviously they're not concerned about overhead.

Re:Was very obvious back then

[Pseudonym]

I like files. They are objects that are persistent.

I like files, too, but they are not persistent objects. Files are persistent data.

Re: Was very obvious back then

[Pseudonym]

Ada is a subset of a HDL language used to design the CPU you are running your web browser on right now.

Both VHDL and Verilog are like the mafia. Hardware designers don't do business with those languages because they want to.

Re: Was very obvious back then

[gweihir]

Well, just another aspect of why so many coders are so bad: They cannot recognize whether a tool is good or bad.

Re:Was very obvious back then

[Pseudonym]

This has nothing to do with "Java fanatics".

Java has serialization because it has RMI. Java has TMI because it was designed by Sun in the early 90s when everyone except Sun had already realised that sunrpc was a bad idea. The network is the computer, right?

Re: Was very obvious back then

[peppepz]

Java is one of the fastest, if not the fastest, non-native language.

Re: Was very obvious back then

[angel'o'sphere]

And the only way out f that is gathering experience and continuous learning and improvement. Obviously that only works if people want to improve or are forced to improve.

Re: Was very obvious back then

Well thanks for stopping by

Re: Was very obvious back then

The problem with XML is that even when people make jokes about it, it can sound like they're being serious.

Re: Was very obvious back then

[TechyImmigrant]

Ada is a subset of a HDL language used to design the CPU you are running your web browser on right now.

Both VHDL and Verilog are like the mafia. Hardware designers don't do business with those languages because they want to.

Designing logic for chips is on the order of 95% designing and 5% coding. We can use better front ends like myhdl, but it doesn't save much.

Re:Was very obvious back then

I've seen this conversation before and it always amuses me. When you persist an object all you are doing is writing its data to storage. You are not encoding CPU instructions that can be run. So in the concept of persistence there is no difference between data and objects.

An object's state - i.e. its data - can be persisted in binary, xml, json, simple ascii or any format you want. It is still just data. It is up to an application to load that data in and the execute some CPU instructions on the data.

So an object persisted to disk is a file, it is a collection of bytes that has no value or meaning outside of the application that persisted it. So yes a file can be persistent object.

Re:Was very obvious back then

[benjfowler]

?

Java language evolution is glacially slow compared to nearly all other mainstream languages.

How long did it take to get lambdas again?

Re: Was very obvious back then

[vtcodger]

Yep. Ada was a construct created by the US Dept Of Defense in the late 1970s ostensively for programming embedded computer systems -- a task for which it was monumentally unsuited because the embedded computer hardware of the time had low clock speeds and very limited memory and Ada demands a lot of resource.

The DoD then decided that a single computer language -- Ada -- should be used across all its applications. The problem was that no one was able to create an Ada eco-system -- compiler, libraries, etc that was actually usable on most of the computers that the DoD owned at the time, so the edict that all .new code be in Ada was pretty much universally ignored.

AFAICS, Ada wasn't, and isn't a terrible language. But it couldn't do what was needed at the time it needed to do it.

I did take the time to sort of study it back around 1980 during the short interval when it appeared that the gubmint might force all us Beltway Bandits to use it. I wasn't impressed.and subsequently forgot everything I had learned. I think most of my fellow bandits felt much the same way.

Re:Was very obvious back then

[Pseudonym]

When you persist an object all you are doing is writing its data to storage.

This is accurate if and only if the object is what C++ calls "plain old data" (which I assume, or at least hope, Java records will have statically-analysed support for).

Java to its credit does not think that everything is an object. Nonetheless, everything user-defined is an object. When yoir language thinks that most things are objects, then very few things are plain old data.

As soon as you have members that are themselves objects, It is no longer "an object" that you are serializing, it is multiple objects. And all objects are passed and stored by reference in Java so now you must deal with DAGs and cyclic references otherwise you might get in an infinite loop or break object identity semantics.

Consider a Java object with two strings in it. Java serialization needs to ensure that if they are the same string (in the sense of being the same object as opposed to different objects containing the same data) that information survives a round trip, otherwise Java's object identity semantics are broken.

I'm ignoring a bunch of complications about Java serialization such as versioning and its interaction with reflection (you can store object metadata in an object) because you can detect these cases easily and special-case or disallow them.

Re:Was very obvious back then

It is no longer "an object" that you are serializing, it is multiple objects.

So what, serializing one or more objects is exactly the same. All you are doing in serialization is saving the data state of those one or more objects to a stream, whether that is a network stream, file stream, etc. Just because part of what is stored might be references to other objects in a DAG is irrelevant.

There is nothing magical about serializing objects, all serialization is treating the object as "plain old data" whether that is C or Java because it is the data that is stored.

Reading an "object" in from serialization simply reconstitutes the object but until the application code executes on the data of that object nothing happens. JSON was a bigger threat because too many JavaScript developers simply took a JSON stream and executed it.

Re:Was very obvious back then

[Pseudonym]

I think you may be misunderstanding the issue in Java's case.

Objects live on the heap, with no exceptions. If a field of an object is an object, you do not store an object there, you store a heap reference.

So any field which isn't a basic type is not plain old data. It is a heap reference, i.e. a pointer. You cannot directly serialise and deserialise pointers; you need to swizzle and unswizzle them.

It's not conceptually difficult, it's not magic, but it's not as simple as plain old data.

Re:Was very obvious back then

[TechyImmigrant]

I like files. They are objects that are persistent.

I like files, too, but they are not persistent objects. Files are persistent data.

Code, data. It's all bytes. Don't get lost in abstractions.

Re:Was very obvious back then

[Pseudonym]

That's kind of my point. Objects are abstractions, designed to keep you separated from data. Most of the time, that aspect confuses more than it helps.

Re:Was very obvious back then

[TechyImmigrant]

Fair enough.

Re: Was very obvious back then

[bulled]

That isn't setting the bar particularly high.

Re: Was very obvious back then

[jimmifett]

json doesn't have the advantage of schemas to define and validate. JSON only somewhat reliable internally when it has a person to tightly control that object and prevent any yahoo from extending or changing without telling anyone else. It's OK for a front end where you control both the client and the backend (browsercode and server), but xml and xsd is an absolute requirement for exchanging data with other parties where you need consistency and validation that a schema provides.

JSON has a place, just a limited scope place. Yes, I know there are various attempts at JSON schemas, not a single one have I seen that's been either widely adopted or usable as efficiently as an xml schema.

Re:Was very obvious back then

[JoeDuncan]

But the Java fanatics just put in more and more features, regardless of whether sane languages had them or not.

Sounds like the exact strategy being used by the .NET folks currently...

Re: Was very obvious back then

[JoeDuncan]

The disadvantage with xml is that it creates a lot of overhead

They're already using Java, obviously they're not concerned about overhead.

LOL!

Re: Was very obvious back then

Deserialising an object only deserialises the fields, not the object definition or class bytecode.

Re: Was very obvious back then

Wrong , rmi is not serialisation.

Records? Is that a thing?

[gb7djk]

What is this thing called a "record"? What possible use is it? Or could it be a new name for an old concept that might have existed in some ancient cruddy languages. Cobol anyone?

Re:Records? Is that a thing?

[hazem]

Cobol anyone?

I thought I was going to old-school school people by mentioning QBasic's "type" structures, but you punked me with Cobol.

But then again, not even Python does this well if you need a structure with specific data types to match a binary stream you need to read/write reading/writing.

Re:Records? Is that a thing?

I wish I still had all my old COBOL records. My favorite album was "Data Division."

Re:Records? Is that a thing?

[gb7djk]

For a slightly more modern take, this book is still relevant even today: https://en.wikipedia.org/wiki/.... Maybe someone read it recently - it is still a useful book.

Re: Records? Is that a thing?

Better than Joy Division!!

Re: Records? Is that a thing?

âoeGO TO Will Tear Us Apartâ!

Re:Records? Is that a thing?

[Pseudonym]

A record is basically what in C you would call a struct. The reason why Java desperately needs them is that there is currently no way to efficiently store an "array of structs". Yes, you could do SoA, but that isn't what you want some of the time.

The inability to control memory layout more finely is the main thing that people trying to write high-performance Java complain about. This will help, at least a bit.

Re: Records? Is that a thing?

[TechyImmigrant]

Better than Joy Division!!

It will return your data in a new order.

Re:Records? Is that a thing?

[AuMatar]

If you need that, write C. Its neither a goal nor a use case Java should support. Not every language needs to do everything.

Re:Records? Is that a thing?

[Pseudonym]

I agree, although to be fair, anything that makes Java less object-oriented is a clear improvement.

Re:Records? Is that a thing?

[countach]

Efficiency isn't a goal or use case of Java? Well maybe it damned well should be then.

Re: Records? Is that a thing?

No, trying to controls the memory layout on the host machine implementing the virtual
machine executing the jar file. If you want to write #pragma pack and clusterfuck bitfield statements, use C.

Re:Records? Is that a thing?

[AuMatar]

No, it isn't. If you want efficiency, write in a language that targets bare metal. Especially if you're talking about binary layouts, which depend on a dozen factors like padding and endianness which are supposed to be abstracted away in a language like Java.

Re:Records? Is that a thing?

[Pseudonym]

This isn't about having bit-perfect layout, it's just about having a way to build an array of structs that doesn't require each individual struct to be individually allocated.

Re:Records? Is that a thing?

[countach]

Efficiency is actually a goal of every programming language on the planet. Some more than others. There is no reason why a language must be either pure bare metal, or else completely oblivious to performance. One other example I can think of is Apple's Swift language which didn't opt for garbage collection, but rather reference counting. Maybe that's a good trade off for writing apps for phones that don't have much memory.

Java drops ass wiping features

Java developers now have to wipe their own ass.

Re:Java drops ass wiping features

There's always the option of not wiping. I think some of them have been going this route for a while.

Re:Java drops ass wiping features

It's the garbage collectors job!

So?

So they are replacing efficient binary serialization with serialization in textual form, and that's somehow better?

Re:So?

Sure. Sells more hardware so that it all keeps up.

Re: no, but it will be (per summary)

(FYI: If you can't figure it out from the context given in the summary, then maybe you're not the intended audience.)

The summary tells us that records are a planned feature that doesn't exist yet, but that records will be the plain-old-data (aka PoD) replacement for full object serialization.

RMI and serialization was useful

Back in the day your options of serializing objects was Corba more or less.

Having serialization built into the language and having remote method invocation (RMI) immediately accessible was a game changer for project design and implementation between different processes and machines.

I'm not sure what went wrong, was it implementation issues or bad API decisions that cause security issues, I'm curious to hear. The bottom line is that these features were a gold mine back then.

 

Re: RMI and serialization was useful

[Z00L00K]

The problem lies in that there's no validation of who's submitting or fetching the data and that the data is correct when deserialized. Someone can compose a binary stream that can be crafted to result in something unexpected when deserialized.

Exchange formats like xml can be validated before parsing.

Re: RMI and serialization was useful

The root problem is skipping the parsing step completely.

Re:RMI and serialization was useful

[isj]

Java's rmi was not cross-language, so it was only useful if both ends were written in Java.

Corba was cross-language, but had several problems:
    - "Design by committee". Designed in OMG, and it wasn't until version 2 that they bothered with specifying the on-wire format.
    - No versioning of interfaces. Unless the developers took care not to break things you had to upgrade both ends.
    - Cross-platform exceptions didn't work to well. I remember spending a week tracking down an unmarshalling error - turns out the remote call threw an exception and inside that exception was a LongLong and by default the CORBA library didn't instantiate and register a LongLongFactory or something.
    - And then there were a fundamental problem (not unique to Corba): pretending that remote calls are the same as local calls. But they aren't. Soon a remote call will time out - something that cannot happen with a local call, and then you have to deal with the complexity of a distributed system anyway. No amount of asphalt or lipstick can hide that.
    - And the underlying network (at least with Orbacus) was hidden, so you could not eg. tweak TCP parameters.

Re: versioning: It could have been remedied if they had adopted something like the versioning in Sun/ONC RPC.

Re: local vs. remote calls: It could probably work better if the client-side language supports transactions even on local variables (eg. Progress 4GL).

Re: RMI and serialization was useful

[isj]

The Java serialization feature was fine. It just wasn't meant to be robust against adversaries. Java RMI uses the serialization feature and thus have the same problem. It is fine in trusted environments.

It is a bad idea to use them with untrusted sources.

I didn't RTFA so I don't know if there are other reasons that security for removing the feature.

Re:RMI and serialization was useful

[cpurdy]

I'm not sure what went wrong, was it implementation issues or bad API decisions that cause security issues, I'm curious to hear.

Java serialization allowed Java byte code (ClassFile structures) to be embedded in the stream (to support RMI), and automatically loaded on the other end.

Re: RMI and serialization was useful

The Java serialization feature was fine. It just wasn't meant to be robust against adversaries.

Yes, there are times when I need to do rapid prototyping of scientific algorithms. And it's really useful to be able to just dump a complex (Java) data structure out to disk (in a reasonably efficient binary format) and then re-read it later without having to re-compute the whole thing from scratch.

Re: RMI and serialization was useful

[countach]

I think it's got more problems than just the security thing. Java serialisation is a pain the ass.

Re: RMI and serialization was useful

[Z00L00K]

Compared to having to write your own non-standard serialization/deserialization it's not bad. At the time when this was created there weren't much XML support either in Java and other languages.

A lot of computer languages and design paradigms have been created through history - some of them have been fine at the time, a few have survived, some have been overdue for replacement for decades but there are no way to migrate away from them.

If you want real pain in the ass - Cobol fixed size records where the signed data fields are very strange and not compatible with anything. May even depend on which compiler you use. Big-endian, little-endian and mixed word order are additional headaches that have been historical headaches. Even odd floating point number formats not using the regular IEEE notation because they were invented before that.

Re: RMI and serialization was useful

[countach]

Oh I don't know, it's pretty bad. It doesn't solve any of the things that inevitably come up, like what happens when you change your classes, how do you migrate the legacy data? It's not bad if you're a school student hacking some rubbish. But in the real world it's pretty useless.

Re: no, but it will be (per summary)

whoooosh

What's the alternative to binary serialization?

https://en.wikipedia.org/wiki/... ?

I've not found the JSON's serialization.

Object serialization is dangerous.

[Gravis+Zero]

Regardless of language, object serialization is a dangerous idea. While it may seem like a nice idea at first, loading objects from unverified mutable data is an invitation for someone to tinker with that data. The situation only gets worse when your object structure changes because now your object data is invalid or incomplete.

Much like goto, I'm not arguing that it's not useful but rather that it's use it is inherently dangerous.

Re:Object serialization is dangerous.

[greenwow]

> Much like goto

Or worse, eval().

Re:Object serialization is dangerous.

[goose-incarnated]

Regardless of language, object serialization is a dangerous idea. While it may seem like a nice idea at first, loading objects from unverified mutable data is an invitation for someone to tinker with that data.

Okay then, smartypants, what do you propose for persisting fields of an object? Anything you propose is, by definition, "serialisation". The only alternative to serialisation is non-persistent objects.

(TBH, I kinda like the thought of signed serialiased blobs)

Re:Object serialization is dangerous.

It is.

Re:Object serialization is dangerous.

Serialization is neither good nor bad, it's a tool. It can be combined with other tools to produce the desired effects. For example, if security is required then serialization can be combined with techniques from cryptography to incorporate a digital signature, to guard against tampering, or encryption of the contents, to provide both secrecy and anti-tampering. If very high security is needed then both techniques can be combined together in sequence with the serialized data being first signed and then encrypted. This can be thought of as signing your letter and then placing it inside a very secure envelope that nobody but the intended recipients can open. The key insight here is to stop thinking about each of your tools in isolation and accepting or rejecting them on that basis. Instead, one ought to develop the Unix, Linux and general programming mindset of chaining different tools together in sequence to compose a stack that produces the needed outputs from the given inputs. This is how good programmers think, as opposed to crappy programmers who try to produce one-off pieces of all-in-one code that mash all of the requirements together into a glorious amorphous mess. The location and identity of these crappy programmers is left as an exercise to the reader in doing the needful.

Re:Object serialization is dangerous.

[Hognoxious]

Put it in the cloud, of course!

Re:Object serialization is dangerous.

Goto's with global scope creates programs with potentially exponential cyclomatic complexity. Most languages goto's have limited scope.

Java serialization you might as well open a socket to expose a peek and poke interface to allow random people to read and modify raw memory.

Re:Object serialization is dangerous.

[HornWumpus]

Fortran had (has?) calculated goto. Not goto pointerVar, goto intVar where intVar contains _LINE_NUMBER_.

I've seen it used. Integer NextIter. Then you use the middle bits of that Int as binary option flags. At least that's what you do if you have an applied math PhD and a case of cranial rectosis...

On point: You're not supposed to deserialize from untrusted sources, in any language. Might as well execute SQL right from a web form.

Re:Object serialization is dangerous.

[Gravis+Zero]

Regardless of language, object serialization is a dangerous idea.

Okay then, smartypants, what do you propose for persisting fields of an object?

I was speaking specifically about object serialization. There's nothing wrong with data serialization but using it for object serialization is asking for trouble. If you don't understand the difference then you should excuse yourself.

Re: Object serialization is dangerous.

Thank Go weaning me off ruby's eval(). In fact Golang is efficient and fairly secure supporting several serialization schemes in stdlib.

Re:Object serialization is dangerous.

[goose-incarnated]

I was speaking specifically about object serialization. There's nothing wrong with data serialization but using it for object serialization is asking for trouble.

How do you propose to persist an object, and how does that differ from serialising that object?

Re:Object serialization is dangerous.

How do you propose to persist an object...?

You don't, which is the point.

how does that differ from serialising that object?

The whole point of good data serialization is you only serialize a very limited of data and you bounds check it to avoid abuse. Of course bad data serialization is effectively equivalent to current object serialization, where the easy of just dump and reloading it in without any consideration creates a security mess. So, it's not enough to go with data serialization.

The major point is sanitizing. With object serialization, it's too easy to simply serialize stuff out and back in without bothering, so it's little wonder it's a mess. Even relatively easy data serialization is a good bit harder because it's a lot more likely to break. That alone encourages the data serialization to be smaller. Add to that the troubles when adding things basically mandates putting in at least some sanitation. In short, it's a good bit harder to write (really) bad data serialization.

If you're the exception to the rule and do all the appropriate object sanitation, that's great. But given just how poorly most data serialization turns out, as a whole it's just a bad idea to turn to something else that tends to be worse. The whole point of OO is to make it easier to work with to make it harder to make mistakes. Everything about object serialization internally fulfills that while simultaneously making a huge security hole, overall making mistakes more likely.

So the solution is really to avoid it. Data serialization is bad, but object serialization is worse.

Re:Object serialization is dangerous.

[HeckRuler]

ok, help me out here. If you save an object (or any data) to a file, as long as you validate the data when you open the file and load it..... what's the problem?

Because we have "persistent objects", they're called files.

signed serialized blobs

We call those a CRC bits, or checksums. Usually there's one per record and/or one for the whole file / stream / whatnot.

Also, those round things are called "wheels", there's really no need to re-invent them. And PLEASE don't try patenting them, that has the potential for a big headache for the rest of us.

Re:Object serialization is dangerous.

[goose-incarnated]

How do you propose to persist an object...?

You don't, which is the point.

So each time a program starts up it must prompt the user to manually enter all those values it had when it shut down? Frankly that sounds like a stupid solution.

Re:Object serialization is dangerous.

Regardless of language, object serialization is a dangerous idea.

I've not thought of the danger, but object serialization definitely gets irritating, since now all I have another entire code path for everything to be instantiated out of, which tends to lead to breaks. Sure, with infinite time I could setup all kinds of automated tests, but things tend to change fast enough that you'd never keep the tests up to date.

Still, I am a fan of Newtonsoft.JSON. It normally just works, at least in c#. Also, at least with JSON you have some hope of cross platform. I'm not sure i'd recommend it for things your doing thousands of times a second, but for config time stuff, where it actually helps, yah, I'll take the risk, since there is just too many benefits not to. Of course my users are a very small group that you know aren't trying to hack the code.

Fun fact, in C# Newtonsoft's deserialization is smart enough to create WPF brushes from something like "BROWN". It is a bit scary that that magic works, but it does...

Another bonus of JSON serialization, is it provides a compact way to store something in a database, if you really must to do. Of course if your object really is just a plain boring table, then that is the way to store it. I'm pretty sure some SQL variants can even query on json fields. Microsoft? I know Java's H2 database can have arbitrary java based macros created, so it certainly could.

Re:Object serialization is dangerous.

[AuMatar]

If you have to ask that, you don't belong in this conversation. Its a well defined term.

Re:Object serialization is dangerous.

[Lunix+Nutcase]

You store off program state as data not as a serialized binary object.

Re:Object serialization is dangerous.

How do you propose to persist an object...?

You don't, which is the point.

how does that differ from serialising that object?

The whole point of good data serialization is you only serialize a very limited of data and you bounds check it to avoid abuse.

It really depends a lot on what you're doing. If I'm prototyping a scientific algorithm where I need to dump out a large complex data structure representing an intermediate result - so I can then slurp it back in without having to wait recalculate the intermediate result - then the Java serialization is very convenient. So, in that case, spending days of development time trying to figure out which part of of the intermediate data structure need to be persisted and then writing bounds checking routines would be ridiculous.

So the solution is really to avoid it. Data serialization is bad, but object serialization is worse.

Well, sometimes you have a lot of complex data that needs to be efficiently sent between two different Java programs. And the performance needs are sufficiently high that you don't want to be spending a lot of time converting back and forth between text representations and binary representations, for example, you don't want to convert a billion integers to text send them to the other program and then parse them back into the Java native binary representation.

I wouldn't defend the implementation of Java object serialization even for a second. But there are a lot of cases where converting the data to JSON or XML and back just isn't feasible for performance reasons.

Re: Object serialization is dangerous.

[K.+S.+Kyosuke]

Thank Go weaning me off ruby's eval().

That's because Google's motto is "Do no eval".

Re:Object serialization is dangerous.

[angel'o'sphere]

If you can not answer a simple question, you don't belong into this discussion either ;D smart ass.

Re:Object serialization is dangerous.

[countach]

Gravis Zero: Oh I guess all those guys making object databases are damned fools and you know better than them. We're not worthy, we're not worthy.

Re: Object serialization is dangerous.

Outsourcing security considerations to other tools in a chain (or no chain) is what created this clusterfuck in the first place. If you can't input signed and / or encrypted records then you have a toy.

Re:Object serialization is dangerous.

[AuMatar]

Oh I can answer it. But all it will do is cause him to ask another dozen questions about it, because he's ignorant. Kind of like this response to you.

Re:Object serialization is dangerous.

[MillionthMonkey]

The issue is that you're also persisting the methods, not just the fields.

Re:Object serialization is dangerous.

[HiThere]

Serialization is quite important, however. My preference is that it contain some "signing bytes" to identify what it is, including version number, and a checksum. This still doesn't protect against hostile action, of course, but is more for detecting that you can handle the version and you know what it is you're deserializing. It might also identify the word-length and byte order, to make it more portable, but in my typical use case having it match my native processor is more important than portability. (Still, it would be useful to, once a file, specify what the word length and byte order were. This would allow recovery onto some other machine at some future date.)

But what's important to *you* is going to depend on *your* use case.

Re:Object serialization is dangerous.

[jb_nizet]

No, you don't. But, you allow a hacker to modify the persisted bytes and thus make the production code load objects that have a state that they should never, ever have, breaking their invariants, and possibly make them call constructors of classes that they should never call.

Re:Object serialization is dangerous.

[Dog-Cow]

So you're an elitist wad of shit. Perhaps you belong here, but it would still be better if someone would shoot you in the face.

Re: Object serialization is dangerous.

[Dog-Cow]

I hope I never have to use your code. You're an idiot.

Re:Object serialization is dangerous.

Actually .. but trying to shut down a conversation like that you are proving that you don't have a valid answer ... thereby weaken your point.

Often the most insiteful progress is made by someone asking basic questions causing people to re-evaluate there original assumptions about something.

Re:Object serialization is dangerous.

Is data not a serialized binary object?

Re:Object serialization is dangerous.

Can you not see that the question of verification of input data is entirely orthogonal to deciding the means by which language objects can be constructed?

Re:Object serialization is dangerous.

[Pseudonym]

Not unless you think everything is an object, which Java (to its credit) never believed.

Re:Object serialization is dangerous.

[goose-incarnated]

If you have to ask that, you don't belong in this conversation. Its a well defined term.

OP clearly stated that the problem with object serialisation was reading in fields that could be tampered with. I'm genuinely curious about what alternatives to persistence there is that overcomes this "problem".

I think the problem is that you and the OP are clearly newbies. That "problem" you think exists with object serialisation exists with all data serialisation. If you weren't newbies you'd know that.

Re:Object serialization is dangerous.

[goose-incarnated]

You store off program state as data not as a serialized binary object.

How does that avoid the problem OP has with object serialisation (data is tampered with when persisted).

Re:Object serialization is dangerous.

So people not understanding common terms should force others to educate them? Why not educate yourself before trying to get into a technical discussion?

In this case AuMatar is not being elitist, he is just telling people that if they don't know the difference between data serialization and object serialization, they do not have much to contribute in a discussion on why object serialization is dangerous.

Just because you have a low-UID doesn't mean that you can behave like an asshole and say that someone should be killed because you don't agree with their standpoint. Get your act together or delete your Slashdot account.

Re:Object serialization is dangerous.

The only thing wrong with eval is someone using it to execute code their own application hasn't created.

Re:Object serialization is dangerous.

Object serialization uses data serialization to save/load its state. Where is the magic that makes one dangerous and the other not dangerous?

Re:Object serialization is dangerous.

And you're right: there's a very limited use case where it makes sense to do object serialization. It's just clear from the GGP that they don't believe there's anything wrong with object serialization in general because there's no alternatives. Even the use of JSON/XML won't be enough even with a schema for constraints because it encourages the notion that a schema is enough--it often isn't because schema design will often be so flexible to abuse intent so actual sanitation is still necessary.

Programmers are lazy, and object serialization is giving them a shotgun to easily shoot their foot off. Granting them the notion that you can safely persist objects is a recipe for disaster. Taking the notion that data can be blindly trusted with automated sanity checks is already enough of a mistake in data serialization that it shouldn't be further encouraged with yet more data written out in another form.

There's a lot of performance compromises Java makes in the name of security/sanity--that's the core of what makes Java easier and better to program with vs many alternatives. So, even though you have a legitimate use case, object serialization needs added to the list along with pointers.

Re:Object serialization is dangerous.

How does that avoid the problem OP has with object serialisation (data is tampered with when persisted).

Persistent objects are a non-sequitur. The underlying storage can change at any time*. For this reason, reading data from storage should always be challenged and new objects created from that data. This notion is antithetical to object serialization and the root of their abuse.

* One could argue the same about the memory because of debuggers, hardware failures, etc, but I'm talking about actually in-specification usage. Any presumption you make about storage being around later or producing consistent results is a failure on your part. Your program should always be designed with the expectation that storage will fail and do its best to recover, not just fail horrible or leave itself open to being hijacked.

PS - I'm done responding to you. I'm not sure if you're not actually reading these comments, your head is just stuck in the sand, or you truly are naive about what object serialization is, but you really need to read about the dangers and issues of object serialization in all its forms. They're only a prettier version of data dumps, and data dumps are some of the worst designed things.
  Actually supporting something like that is a security/sanity/rationality failing unless you're arguing a very specific use/edge cases that has sufficient justification.

Re:Object serialization is dangerous.

[Gravis+Zero]

OP clearly stated that the problem with object serialisation was reading in fields that could be tampered with. I'm genuinely curious about what alternatives to persistence there is that overcomes this "problem".

When data fields are filled in an object, they are validated by the methods that set them. However, object serialization by it's very nature bypasses these methods of setting data which results in the possibility of restoring object data that would have otherwise been caught by method setting it.

Like AuMatar wrote, you don't belong in this conversation.

Re:Object serialization is dangerous.

[goose-incarnated]

When data fields are filled in an object, they are validated by the methods that set them. However, object serialization by it's very nature bypasses these methods of setting data which results in the possibility of restoring object data that would have otherwise been caught by method setting it.

That's an artifical distinction you just made up right now. There's nothing stopping you from checksumming your binary data before reading them in, just like there's nothing forcing data field-by-field serialisation from not doing any validation.

Like AuMatar wrote, you don't belong in this conversation.

I'm always amused when people who clearly have very little experience in something chime in. Thank you for that.

Re:Object serialization is dangerous.

Just leave. Not everyone has to pander to your stupidity and inferior use of civilized language.

Re:Object serialization is dangerous.

[Gravis+Zero]

That's an artifical distinction you just made up right now.

No, that' is the default implementation in languages that support it.

There's nothing stopping you from checksumming your binary data before reading them in, just like there's nothing forcing data field-by-field serialisation from not doing any validation.

You are correct. However, the sad fact is that doesn't happen in the real world (since it's far easier to not do validation and get away with it until it shows up in a CVE which is the entire premise of them discontinuing it) which is why it's dangerous. Likewise there is nothing stopping a programmer from using goto properly and yet it's avoided like the plague.

I'm always amused when people who clearly have very little experience in something chime in. Thank you for that.

I find it depressing that there are so many condescending know-it-alls in tech. Please reconsider your approach to discussions or at the very least you should be correct.

Re:Object serialization is dangerous.

[goose-incarnated]

No, that' is the default implementation in languages that support it.

So either change the default or wrap the default serialization in a checksum; either way it's trivial and leaps+bounds ahead of notserialising whole objects at a time.

A developer who won't be bothered to checksum persisted data when it's serialised in an object isn't going to suddenly think it's a good idea when they have to do it field-by-field :-/

I find it depressing that there are so many condescending know-it-alls in tech. Please reconsider your approach to discussions or at the very least you should be correct.

If you don't want to be depressed you should avoid being condescending to someone who obviously knows what they are talking about. IOW "you started it" ... with "excuse yourself from the conversation".

Serialization, whether via a language primitive, standard library or once-off programmer-implemented field-by-field method is still serialisation and vulnerable to tampering. The only way around it is via checksumming/signing. Pithy soundbites such as "This is dangerous" sound profound to the clueless but isn't actually meaningful. It's gonna be dangerous no matter if you do object serialization or data serialization, regardless of the artifical distinction you draw between them.

Regarding that distinction - your assertion of methods doing the input validation is just as wrong - it's possible to tamper with fields so that they pass input validation anyway, so there's no real distinction between the two in terms of danger/safety. They're both equally dangerous, hence any distinction you draw between them is pointless.

Re:Object serialization is dangerous.

[Gravis+Zero]

So either change the default or wrap the default serialization in a checksum;

Right because a hacker could never find a way around a checksum... -_-

either way it's trivial and leaps+bounds ahead of notserialising whole objects at a time.

And it's that verified simplicity that makes it such an easy target.

A developer who won't be bothered to checksum persisted data when it's serialised in an object isn't going to suddenly think it's a good idea when they have to do it field-by-field :-/

The point is that if they are using the methods in which the data is normally set that they do not have to write additional validation code. This isn't rocket science.

you should avoid being condescending to someone who obviously knows what they are talking about.

Now that's funny. ;)

IOW "you started it" ... with "excuse yourself from the conversation".

Right because "Okay then, smartypants" counts for not.

Regarding that distinction - your assertion of methods doing the input validation is just as wrong - it's possible to tamper with fields so that they pass input validation anyway,

If it passes input validation then it's valid data, period. We're talking about vulnerabilities that arise from invalid data being used, per the article.

it's possible to tamper with fields so that they pass input validation anyway, so there's no real distinction between the two in terms of danger/safety.

You seem to be completely oblivious to why they are doing away with it.

You know, for "someone who obviously knows what they are talking about," you sure seem uninformed on the subject matter.

Trump dying in prison a traitor obvious?

I mean how obvious are we talking? Like can we get Giuliani out here again to just blurt out smoking guns like bourbon burps?

That is nonsense ...

[angel'o'sphere]

Why would serialization be a security risk?

Hu? Cant ... you write to a disk or to a socket and thats it.

Sure, I'm nitpicking, because deserialization might be a security risk.

However only if you actually do it and e.g. leave open paths how bad files can end on your disk, which you then read, or open a socket and accept incoming serialized objects.

A typical Java program is absolutely not vulnerable to anything regarding serialization unless the programmer (intentionally?) made it so.

Articles about this (and basically every post here in the story while I type this): are simply wrong.

Java Serialization was once its strongest point of success. Many GUI builders let you edit "beans" and simply serialize the GUI as an graph of objects that simply gets read in again when the application starts and you call the setVisible(true) method to show your window.

Not needing to write any boilerplate code for writing and reading objects is a huge time saver and simplification.

Re:That is nonsense ...

[roman_mir]

I agree with you completely. Serialization was one of the best features (also great features are/were strong typing, reflection and the JVM automated memory management) that Java provided.

I am talking about server side Java, I don't care about Java based GUIs, those don't matter. There are thousands of tools to choose from that use serialization/deserialization and reflection to speed up development.

Of-course I look at it from the point of view of development risk, reducing business related bugs, reducing resource management bugs. Java, like any other language, can be used to build horrible code it can also be used to build working code that does what it is supposed to do.

To remove a tool like serialization or reflection for example is to cripple the language AFAIC. Actually combining this with the Java 5 and further 'improvements' makes the language and the platform worse, not better. AFAIC syntax sugar that was introduced starting with 5 made the language less suitable for solid development and debugging. The path Oracle is on will prevent people from using the language in the future and will eventually be its demise.

Re:That is nonsense ...

[HornWumpus]

Deserialization is a risk, it's a risk in every language.

Are Java coders just letting users browse for object in the file system? Accepting objects in web form inputs or unvalidated webmethod parameters? Turning around and running those objects as root?

The problem isn't Java per se...it's coders who only know one language. They really do need a language that 'bubble wraps' the OS. But at some point, they have to get things done.

Re:That is nonsense ...

[Hognoxious]

Of course it is. If you were reading stuff off magnetic tape or even sodding punch cards it was still possible that it had been fucked around with.

As the nuns said: if you don't know where it's been, don't stick it in your mouth.

Re:That is nonsense ...

[psycho12345]

Serialization of data only is not a risk. Serialization of objects that can contain references to other objects is the problem. Because an attacker can tamper with the raw binary object that can still be deserialized, but now has different contents and now will run differently on the other end, in a manner not expected or possibly controlled.

Basically, serializing anything that can be acted upon is dangerous. It is like sending you a package and then immediately telling you to pick the first thing out of the package, turn to your nearest family member and use the object. If I did this with a camera in the box, no problem. Do this with a book, again no problem. Pull out a handgun... big problem. Deserialization will happily do this, even though you may have added code somewhere to prevent packages from having handguns, because deserialization ignores all that.

Re:That is nonsense ...

[countach]

You could make the same argument about using Hibernate and constructing objects from a relational database. You could use the same argument about basically any program that does IO. It's a damned stupid argument. Whether and how much validation you need to do on your IO is application specific. If your application needs to validate the entire state of the object graph before doing anything with it, then you need to do that. It's not a problem with the concept of deserialisation.

Re:That is nonsense ...

Java Serialization was once its strongest point of success. Many GUI builders let you edit "beans" and simply serialize the GUI as an graph of objects that simply gets read in again when the application starts and you call the setVisible(true) method to show your window.

I don't think GUI builders work that way. See JPanel JavaDoc: 'Warning: Serialized objects of this class will not be compatible with future Swing releases. '

Re:That is nonsense ...

Why would serialization be a security risk?

Sure, I'm nitpicking, because deserialization might be a security risk.

Well, serialization in itself is kind of useless. Unless you have some way to deserialize, you could just have written the data/objects to /dev/null and claimed it was serialized. It is kind of pointless of having one but not the other, so nitpicking might be fun but is rather useless in this case.

And the difference between serializing data and entire objects is important. Data you can validate. Code, you cannot. (Unless you have solved the halting problem that is.)

So if you allow for entire objects to be serialized, including methods that will be executed, you are opening up for a new kind of problem. Not something we haven't seen before. We have had eval() type of functions in languages for ages. But a problem that is tricky to solve safely.

Is is handy? Oh, yes. But is it dangerous? Very much so. A trade-off.

You might think that you are only reading serialized objects from trusted sources, still, you have an attack vector that you cannot disregard. Not all programmers are good at making sure that the problems they introduce while developing will be handled safely at run time.

Since a lot of security breaches in Java has been possible through the mis-use of the serialization/deserialization feature, if find your claims a bit much.

Re:That is nonsense ...

The difference is between data and code. You can validate that input data is acceptable before going ahead. Validating code is impossible. You can do a good job, but if the code can be arbitrary you cannot protect yourself fully. So serializing entire objects (and not just data regarding their states) is troublesome.

Perhaps future AI-technology will be able to let a machine look at code and determine if it is safe to run or not, but we are not there yet.

Re:That is nonsense ...

[angel'o'sphere]

Because an attacker can tamper with the raw binary object that can still be deserialized, but now has different contents and now will run differently on the other end, in a manner not expected or possibly controlled.
Yeah, and he can use an SQL statement to change a row in the data base ... or a PERL script to change a line in a text file ... what exactly is the difference?
And it has nothing to do with graphs anyway. It can be a single object, only consisting out of primitive types.

Hint: the problem is code, not data. Your explanation makes pretty clear that you don't know what the problem with "simple deserialization" is.

because deserialization ignores all that. the build in standard, yes. However you can augment it.

Preventing the problems the people here get heated up about is super simple:
https://wiki.sei.cmu.edu/confl...
(Original: https://www.ibm.com/developerw...)
Interesting discussion: https://github.com/atomix/cata...

The whole claim that there is a "problem" and the inventors of Java made design mistakes: is clearly wrong! They designed the ObjectInputStream and the way how objects are serialized/deserialize in an easy to adapt and change manner. In other words: they showed great foresight!

Re:That is nonsense ...

"Java Serialization was once its strongest point of success. Many GUI builders let you edit "beans" and simply serialize the GUI as an graph of objects that simply gets read in again when the application starts and you call the setVisible(true) method to show your window."

Client-side java was never a success. Applets, Swing, JavaWebStart, JavaFX.. all largely forgotten, thankfully.

Re:That is nonsense ...

That's moronic. Deserialized data is far from the only way to do flow control using an external resource. You either choose to trust the data (You produced it and the transmission media is secure or the data is authenticated, or you validated it), or you don't trust the data and you limit its capabilities. It's just normal input considerations, nothing special. Any developer who doesn't just innately understand this is a cargo cult developer who doesn't actually know what serialization is.

I don't get it

[kbg]

OK I don't get it. Serialization is just saving the field values to a file and then reading it back. Of course if you just read a file without any validation and you don't know if it has been tampered with then of course you can have security issues. But this applies to any file formats or data anywhere. Java serialization is not a unique case. Serialization is an easy way to load values without going through an intermediary format. Replacing it with JSON or XML doesn't change the issue one bit.

Re:I don't get it

Basically, it's programmer error: you'll try to serialize some object over a stream you know is not secure, and the data is not supposed to need to be secure, but the object has a reference to something else which references other things and you end up sending a huge chunk of program state unawares over an unsecured link. It used to be very noticeable but with today's higher bandwidth it's not uncommon to see a meg fly across the wire -- which could have been the keys to your kingdom or just some particularly large object state.

The way serialization should have worked was that ONLY things marked "serializeable" get serialized, but in Java, ANYTHING referenced by an Object marked "serializable" can get sent down the stream.

More intelligence is needed in the selection of the object serialization. They should have had hooks to do this in the base Object class at Java's inception (a .serialize() method), but they didn't because they were a bit short sighted. Now we'll need an API for serialization, probably like the Collections interfaces. Time to do it right instead of just making it work.

Java Beans have provided a better way to serialize for a long time anyway...

Re:I don't get it

The issue is with using user supplied class name. It is though true that it isn't limited to Java build-in serialization, XStream that dumps Java objects to XML was also vulnerable.

Re:I don't get it

[angel'o'sphere]

Java is in so far unique as when you use build in serialization, you also serialize the class files.
There are two "marker interfaces" to make a Java class serializable: Serializable and Externalizable.

In casse of the first one, the Java Framework/VM uses reflection to serialize and deserialize objects.
In case of the second one, you are required to implement the methods writeExternal() and readExternal().

As the class files are in the serialized data stream, a program reading "untrusted" serialized data might also load classes aka code from that stream. If that code implements Externalizable and thus has an "unknonwn foreign" method readExternal(), the deserialization framework will call that unknown/untrusted method readExternal() which means: you run code coming from outside, which can do what ever it wants besides reading the object from the object stream.

Re:I don't get it

[countach]

Errrm, I thought Java only serialised Objects that inherit from Serializable and if you don't inherit that it isn't serialised. Not that I find that a great design, but technically yes you can mark what is serialised. And you could also override readObject and writeObject to customise it further.

Re:I don't get it

[iggymanz]

Not just "field values" but executable code!

Re:I don't get it

[kbg]

If you reading the code also from an untrusted stream then yes of course you will have security issues. But that is a completely separate matter. You don't ever load code from an untrusted source.

I don't see anywhere in the Java specifications that code is also read in when dezerializing can you point me to that spec?

Re:I don't get it

[angel'o'sphere]

You are right, normal serialization to files does not include the code, only via RMI the code is included (or requested be the recipient) when the recipient does not have the classes on the classpath.

The reason why it is dangerous

[Wookie+Monster]

I'm concerned that someone might hear "object serialization is bad, but JSON is good" and make the same mistakes that were made with Java object serialization. Java object serialization is bad for the following reasons:

1. No validation. You might have a nicely designed object, well tested, and has all sorts of validation checks to ensure that the internal state is never broken. Java object serialization bypasses all validation, permitting an attacker to construct a malformed object. Exactly how that would cause a problem requires a bit more work on the attacker's part, by studying how the application reacts to the malformed object. Adding validation is supported with Java serialization, but its not used by default. The designers favored simplicity over safety. Does switching to JSON magically fix the validation problem? Nope.

2. Loading of classes that you didn't expect to load. If I expect to receive a serialized list of strings, there's nothing to prevent an attacker to providing a list of any kind of object instead, due to type erasure. The application might fail to process the list because of a ClassCastException, but the potential damage is done. Java serialization /does/ support filtering out classes that aren't expected, but this is off by default. You need to define the blacklist yourself. Why is loading other classes a problem? See the next reasons:

3. Custom code during deserialization, which is actually necessary for performing your own validation. You can define your own code which runs when the object is deserialized, and the code can do pretty much anything. An attacker might be able to trick the code (using malformed input) into doing something harmful.

4. Additional classes on the classpath. Even if all of your code is well behaved, and has proper validation checks, and proper custom code, you're still vulnerable because additional classes exist that you're not aware of. You had no idea that there's this class 'Q' which has broken custom code, because Q was sucked in as a dependency of something else. That popular open source library you're using might be exposing your application to attack, and you didn't even know it.

For anyone designing an object serialization mechanism, always consider the tradeoffs when trying to make the system easier to use. Always use whitelists for trusted code instead of blacklists. Always construct objects using the object's public API. Favor the use of standard representations (maps, lists, tuples) instead of supporting full-blown customization. A little bit of friction can be a good thing.

Re:The reason why it is dangerous

To answer your points with the obvious:

1) Use the validation supported by java, just like you would in XML, JSON, . Problem solved. Serialization isn't the issue here, the app dev is. The app dev can be lazy on XML or any other serialization classes.

2) Same as point 1. The facility is there, use it. 'off by default' isn't an excuse for it being 'bad'

3) Unit tests and write proper code. Again, this problem isn't different to any other XML/JSON serialisation mechanism.

4) You have the same issue with any XML classes if you're using opensource code, JSON, etc, etc.

So, basically, the issues are the same for any serialization classes, the java ones aren't any different to be honest.

Re:The reason why it is dangerous

If someone is at the point were they're able to modify your serialized objects with wild abandon then you're already fucked!
At the end of the day your're converting bits into an object...somehow. It's up to you how to secure this process. Serialization is a tool at your disposal. It's up to you to implement it securely if you choose to use it. Serialization can be used for a number of useful things. Are we really going to start throwing out every feature that could possibly be used insecurely? What will that leave us with exactly?

Re:The reason why it is dangerous

[Jeremi]

If I'm following you correctly, the problem isn't serialization per se but rather the fact that the deserialization is being done by the Java runtime (which has no way to validate the resulting objects against the application's requirements, since its deserialization code is application-independent, and also has the power to instantiate any kind of object, even those that are totally irrelevant to the task at hand), rather than by the application itself.

A user-supplied deserialization-routine, OTOH, has at least a chance of being secure in the face of invalid source data, since it can check to make sure that its constraints are correctly satisfied and reject the data if they aren't.

Of course, avoiding making every application developer write his own application-specific serialization/deserialization routines was largely the point of this Java feature, but in hindsight it appears that was a bad decision.

Re:The reason why it is dangerous

[drinkypoo]

Of course, avoiding making every application developer write his own application-specific serialization/deserialization routines was largely the point of this Java feature, but in hindsight it appears that was a bad decision.

And this decision is just further evidence of Oracle's incompetence. Instead of keeping it but requiring every application developer to write his own object verifier, they're simply removing it because doing it right is hard.

Re:The reason why it is dangerous

If I'm following you correctly, the problem isn't serialization per se but rather the fact that the deserialization is being done by the Java runtime (which has no way to validate the resulting objects against the application's requirements, since its deserialization code is application-independent, and also has the power to instantiate any kind of object, even those that are totally irrelevant to the task at hand), rather than by the application itself.

Java deserialization is magic. By which I mean it behaves in several ways that user code pretty much can't.

The default system effectively loads a binary blob off the input stream and then creates each object without calling a constructor*. You can't just not call a constructor in Java, but Java deserialization does. All the fields are set by magic, by which I mean it ignores getters and setters and whatever access level might be on the fields. Any field marked as "not serialized" (transient) is left with default values - but those may not be the default values you think! If you write private transient int foo = 3; then foo won't be serialized, and when the object is deserialized, it will instead be ... 0. Because 0 is the default for ints.

How does Java deserialization know if it's loading the right fields for a given object? Well, it's magic, but not that magic - you're supposed to let it know by setting the serialization ID for the class. And how do you do that? By declaring a static long serialVersionUID, and making sure you update it whenever your class structure changes. Don't do that and the deserialization logic might not notice that the structure doesn't quite match. No, you can't just have it autogenerate one - if not set, the serialization/deserialization code will create one, but it may be dependent on compiler and randomly break across identical code bases. Surprise!

But in any case, the serialization system is magic. How do you write a custom serializer/deserializer? By creating the private methods writeObject(ObjectOutputStream) and readObject(ObjectOutputStream). Because the serializer is magic, it can access these private methods. (Note that readObject(ObjectOutputStream) gets called on a magically created object that has never had a constructor called on it, so all fields will have their default values! How does that work with final fields? Well... the short answer is "like shit." The longer answer is that the default deserializer just ignores the final modifier (which you can't do in generic code), and that if you want to do the same, there's some reflection magic or non-standard APIs you can do.)

So anyway, there's a basic overview of how Java serialization defies expectations and basically guarantees that anyone writing code that involves serialization will do it wrong.

* This is false. What it really does is go up the object hierarchy and look for the first parent class that does not declare itself serializable and calls its default no-args constructor. But that means that your class that you declared serializable therefore, by definition, does not get its constructor called. Surprise!

Re:The reason why it is dangerous

[phantomfive]

Of course, avoiding making every application developer write his own application-specific serialization/deserialization routines was largely the point of this Java feature, but in hindsight it appears that was a bad decision.

Yeah. It seems like there's no really good way to make this feature work. Whitelists can help, but ultimately there is no way to avoid thinking about security when you read things off the wire.

Re:The reason why it is dangerous

Yes, I hope your post eventually makes it up to +5. The way that Java serialization was implemented is definitely a total mess.

Re:The reason why it is dangerous

Unit tests and write proper code. Again, this problem isn't different to any other XML/JSON serialisation mechanism.

. Unit tests can’t catch everything unless you’re going to write an infinite amount of unit tests.

Re:The reason why it is dangerous

[angel'o'sphere]

But that means that your class that you declared serializable therefore, by definition, does not get its constructor called. Surprise!

No surprise. Calling a constructor when you deserialize an object makes no sense. That is why Java rightfully does not do that.

Re:The reason why it is dangerous

No surprise. Calling a constructor when you deserialize an object makes no sense. That is why Java rightfully does not do that.

That's not my point. How do you construct an instance of an object in Java without calling a constructor?

The answer is that you can't. There is no public API to do this and you can't do it through reflection. If you were to write your own Java serialization library, you'd probably need to create a special "deserialization constructor" that handles instantiating the object (probably by giving it the ObjectInputStream equivalent) or a factory class or something to handle this case, because the Java abstraction does not let you just load memory and say "that's now an instance of an object." And, in fact, there are plenty of Java persistence libraries that opt to just call the default constructor and make that part of the official deserialization process.

So how does the Java serialization API manage to create an object without calling (all) constructors? By using a special, private, backdoor API designed for it. (This API also lets it set final and private fields, which is how it loads the rest of the object state.) It's doing stuff that's JVM-specific in order to break the standard rules of Java.

The serialization API does a whole bunch of things (like accessing private methods and members) that "real" APIs can't do and that I can't think of a single other API that does. It's effectively "magic," doing special things that are unique to it. That's my point - it breaks the rules, and it alone breaks them.

Re:The reason why it is dangerous

[Dog-Cow]

Unit tests will never catch the cases you didn't think of. Attackers are going to exploit the cases you didn't think of. Ergo, unit tests cannot ensure security.

Re:The reason why it is dangerous

[Dog-Cow]

What I've gotten is that Java allows the actual byte-code of the class implementation to be included in the serialized data. This allows code to be injected, and not just malformed data. I would think the fix would be to just remove the part of the JVM which creates new classes from serialized data.

Re:The reason why it is dangerous

Of course it's redundant - that's the whole point. Redundancy serves a useful purpose and isn't a bad thing - in fact, it's often an intentional goal. Why make backups? For redundancy. Why have reserve players in sports? For redundancy.

One of the major purposes of this particular form of redundancy is clarity. It's used when terms would be cryptic or ambiguous without the added redundancy, which happens surprisingly often.

Re:The reason why it is dangerous

He just explained why, and you should have kept reading the rest of the post before your kneejerk one-size-fits-all response. One of the reasons is that deserialization brings back a subset of the fields of the original object, and does not initialize the rest (like the transient example) properly.

FFS

What the fuck is going on?
Oracle thinks opening up future feature requests (does it really need any more?) to a public voting system (so any retard with an Internet connection can have an influence over the future of Java) and moving to a six month release cycle (how fucking much are you planning on changing the language to a need a fucking six month release cycle?) and fucking JEP 286 (yay, let's make Java like JavaScript!) is a good idea, but object serialization needs to go?
C is starting to look really good to me lately.

Re:FFS

[Lunix+Nutcase]

and fucking JEP 286 (yay, let's make Java like JavaScript!) is a good idea,

What’s wrong with type inference and how would that make Java like Javascript? Just because both would use the keyword “var” does not make the concept the same especially as like in C# and C++11 everything would still be statically-typed unlike Javascript.

Re:FFS

Because it's solving a problem that doesn't exist.
Are we doing it to save keystrokes?
Map> thingyListLookup = new HashMap(); ...vs...
var thingyListLookup = new HashMap>();
Wow...what a huge difference!
Which is more clear?
Map> thingyListLookup = prepareLookup(); ...or...
var thingyListLookup = prepareLookup();
??
Now I have to find out what prepareLookup is returning.
But no, let's add a feature that makes shit less transparent, makes more work for IDE developers, and make new useless shit for everybody to have to learn to remain an "expert".

Re:FFS

Goddamn it. Way to ruin a rant.
Are we doing it to save keystrokes?
Map<String,List<Thingy>> thingyListLookup = new HashMap()<>;
...vs...
var thingyListLookup = new HashMap<String,List<Thingy>>();
Wow...what a huge difference!
Which is more clear?
Map<String,List<Thingy>> thingyListLookup = prepareLookup();
...or...
var thingyListLookup = prepareLookup();
Now I have to find out what prepareLookup is returning.

Re:FFS

[Lunix+Nutcase]

Yes it is to save keystrokes in writing useless boilerplate that the compiler can infer on its own.

Re:FFS

Sweet Jesbuz...
Map<String,List<Thingy>> thingyListLookup = new HashMap<>();

Re:FFS

[Dog-Cow]

The entire purpose of computers is to automate (usually calculations in some form). If you're telling the compiler stuff it already knows, you're doing it wrong.

Re:FFS

[swilver]

...because we all the speed of writing code is restricted by how fast programmers can type.

Compare that to the speed of how fast people can read code... that's limited by how easy the code can be understood with limited context.

Re:AC Calls Java 'A Horrible Mistake'

[rednip]

While I've dabbled in several other language, Java has 'paid my bills' for most of the last twenty years, so my view may be slanted. However, I can say that I've never written nor encountered a 'buffer overflow' hidden away in any code I was directly responsible, and while there have been a few over the years in the core and some well used libraries, they have been usually related to Serialization. This is a good move.

I'd argue that Java is the reason why so many Linux servers are used in the corporate environment. The ability to write/compile software on typical Windows desktops (or Mac) yet run reliably on Linux has been a big selling point. In fact the only places I've worked at with significant Windows Server installations have been those who's product is built on dot net, C# or C++. While there are 'work arounds' (e.g. virtual box, Cygwin, etc) to test and compile many other languages in such an environment, few languages offer the same level of host OS diversity.

It won't change anything

[pestilence669]

Serialization isn't inherently bad. It's bad practices and misuse, which won't change. It'll just be replaced by many developers with XML, JSON, Protobuf, YAML, or other. Then, someone will inevitably sprinkle on some reflection or code generation, and you've almost done a 360... but with a lot more code and even more that could go wrong. I don't agree that adding more training wheels and/or removing features is always the best way to fix bad developer habits.

*Java* was a horrible mistake

[PrismaticBooger]

There, I said it.

Re:AC Calls Java 'A Horrible Mistake'

[countach]

Yes, although technically you're talking about the portability of the Java VM rather than Java the language. The language I find adequate and mediocre, but I agree the VM and the "it just works" thing makes it compelling.

Java infantilization

[iamacat]

In some way, Java started as a toy language and headed downhill since. Multiple inheritance and deterministic object destruction are hard but useful. Java never had those, but it had an option to have full featured, grown up applications on desktop and in the web browser. Of course native look and feel of the former and security of the later is hard. So - out these features go. Couldn't make J2ME on mobile phones work either, so took another company to productize Java for mobile apps. Instead of appreciating the effort, Oracle has to take Google to court. Serialization is a solid server side feature, and I think that's the last use case of Java still supported by Oracle. If they can't make it work properly, what exactly is Java for?

Don't you just use JSON

[rsilvergun]

for that? Still, If I coded a lot of Java I could see likeing object serialization. Being able to write out the state of your objects cuts down on the amount of custom save code you'd have to write.

Re:Don't you just use JSON

[Z00L00K]

JSON is not entirely solving the serialization/deserialization problem, it's just making it in text format instead of binary format. It appeared after Java had created the serialization/deserialization and is even though it's better not the complete answer. It also adds a footprint penalty (bad for embedded) and performance penalty (bad for large scale solutions and embedded). So even though JSON is only ensuring that a numeric value isn't a character value suddenly it's only coming half-way and I expect that format to be compromised as well. XML actually also suffers from the same issue, but there you can in the XML Schema Definitions also place rules for what formats and ranges that are permitted, but it don't protect the integrity of the data in the channel between sender and receiver.

With large scale solutions I'm concerned about solutions where you process a massive amount of data in multiple computers where performance is the key. Java might not be the perfect solution for this, but sometimes it's actually used.

Then realize that the Java serialization/deserialization is very similar to actually just passing the data package of a C struct between two programs, so it's not really a surprise that it lacks some validation features and the data is assumed to be packed in a valid form when deserialized - which is good for performance but open to malicious injections. Adding an algorithm that signs/checks that the data actually was created by the same class/version as the deserializer would add overhead and increase security. If you look at RMI then you'd see the use of serializing/deserializing of objects.

But if you want to view the data you pass then JSON might be the alternative - but so is XML.

If you want to secure a channel from injection of incorrect data then you'd need a solution involving encryption and hashes to ensure the integrity. Installing signing certificates in the class that do the serialization/deserialization and keeping it up to date for every version would improve the security.

Re:Don't you just use JSON

TL;DR: JSON is a binary format. woe is us.

Programming languages behaving paternalistically

[CustomSolvers2]

I have never used this serialisation (under potentially dangerous conditions) or any other language feature not allowing me to have a reasonably good understanding of what is going on in the code. I also support any effort to reduce unnecessary functionalities from programming languages and, in general, to let them efficiently accomplish their expected goal. On other hand, some people might prefer to rely on certain features about which I don't care and their code might be as good as mine.

What I certainly don't support are the deflecting-responsibility-paternalistic-reaction attitudes which seem so common lately. Descriptive example:
- (developer wannabe) "My application has lots of security problems. The responsible is the language for allowing me to do what I shouldn't.".
- (paternalistic programming language) "You are right. We are aware that you might do really stupid things in case of being able to do so."
(further ridiculous, childish, amateur, tons-of-problems-prone, etc. nonsense...)

Don't you think that certain functionality in your programming language is worth keeping? Remove it! Do you usually have problems when relying on certain feature of a programming language for whatever reason? Don't use it! Or learn to use it properly! But what is with all these generic paternalistic behaviours lately? Making the overall programming experience more comfortable is certainly a good thing. Arbitrarily restricting the capabilities of programming languages (expected to be used by experts!) to somehow account for incompetence or lack of care is ridiculous. Over-protection is usually a very bad idea which provokes lower quality outputs (worse programmers) and other problems (false sense of security, disproportionate trust in what might be faulty, etc.).

Object serialization, bad for perf, sec and ops.

[upuv]

Object Serialization was horrible from day one. It was the tool of lazy programmers for years.

Performance wise it was a disaster. People would pass objects between jvm instances with no regard to the size of the data blob they were sending. When in reality very little of an object is required to be sent in most use cases. Example: When you have a java cluster and you sync session objects between instances. ( Note this is just dumb anyway. There are far better patterns for this. ) But your low cost developer is stuff the session object with literally everything they can think of for data. So you see these monster 20Meg Objects fly around. The bigger you cluster gets the SLOWER it becomes as all the object passing is just simply taking over all the processing and memory.

Security. Massive issue here with object deserialization. Basically you can sneak any payload in you want here. You may have had value checks on the set methods but the vast majority simply trust a deserialized object. Trivial to change a string value into a sql injection string. And a million other holes just like this one.

Object serialization means that the two ends of the object share must now be in LOCK step with each wr.t. to class signatures. Which means to upgrade them you have to bring both end down at the same time. In the case of web infrastructure you are now forced to take that service completely offline in most scenarios. And if you are using something like RMI to a back end. That now has to be upgraded as well. This makes change operations incredibly painful for no reason whatsoever.

Personally I like the use of protobuf as a means of passing object data around. It literally solves all of the above problems with very little overhead. And it has the added benefit of being compatible with many other languages. It's also far tighter than xml and end thus takes less to transmit. Where as XML tends to cause a temp object storm on the receiver as it is deserialized. Which in turn causes more expensive garbage collection cycles.

I call Oracle a horrible mistake

News at eleven!

Not new. Added in 2016

[campuscodi]

This is not news, unless we've all turned our clocks back to 2016 See: https://dzone.com/articles/a-f... and http://openjdk.java.net/jeps/2...

Re:Not new. Added in 2016

[campuscodi]

Ignore my previous comment. I see they're planning to drop it, not filter it. I've re-read TFA.

data segments

Put a hash on it, have a checksum, and specific segments where only data can be retrieved. I'm surprised there isn't a generic data object where you could add data only versions and pass that into a pipeline to verify.

Ruby eval

[Tenebrousedge]

Why would you ever use eval in Ruby?

RAS Syndrome

[Tenebrousedge]

EMP pulse, ATM machine, HIV virus, PIN number, MSDS sheet, NIC card, IRA account, ISBN number, LCD display, PDF format, SPF factor, AC current. English does this, deal with it.

Re:RAS Syndrome

We can even have non-numeric PINs!! E.g. pkcs11

Re:Programming languages behaving paternalisticall

That is why, for real programmers, we have C++! Said bitching/whining remains as bitching/whining. See any /. article on C++ for an example.

The greatest mystery in programming

Why are C++ programmers such douches?