Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How could not using "final" be a security issue?

From page 113 of O'Reilly's Essential ActionScript 3.0 (2007):

Methods that are final help hide a class’s internal details. Making a class or a method final prevents other programmers from extending the class or overriding the method for the purpose of examining the class’s internal structure. Such prevention is considered one of the ways to safeguard an application from being maliciously exploited.

Does this refer to users of the API of a compiled, closed-source package, and "maliciously exploited" to learning things about the class design? Is this really a problem?

For some more context, it's the second of two reasons to use final. In the 2007 edition, it's on page 113 in the chapter Inheritance under subtitle Preventing Classes from Being Extended and Methods from Being Overridden.

The final attribute is used for two reasons in ActionScript:

  • In some situations, final methods execute faster than non-final methods. If you are looking to improve your application’s performance in every possible way, try making its methods final. Note, however, that in future Flash runtimes, Adobe expects non-final methods to execute as quickly as final methods.

  • Methods that are final help hide a class’s internal details. Making a class or a method final prevents other programmers from extending the class or overriding the method for the purpose of examining the class’s internal structure. Such prevention is considered one of the ways to safeguard an application from being maliciously exploited.

like image 405
Tim Avatar asked Jul 13 '11 07:07

Tim


People also ask

Why should we use final?

Using the final keyword means that the value can't be modified in the future. This entity can be - but is not limited to - a variable, a class or a method.

Why is the final modifier important to security in Java?

When a final modifier is used with a class then the class cannot be extended further. This is one way to protect your class from being subclassed and often sensitive classes are made final due to security reasons. This is also one of the reasons why String and wrapper classes are final in Java.

How does final keyword affects a variable?

When final is applied to a local variable, its value must be assigned exactly once. We can assign the value in the final variable declaration or in the class constructor. In case we try to change the final variable value later, the compiler will throw an error.

Why You Should Use final in Java?

You use the final keyword in a method declaration to indicate that the method cannot be overridden by subclasses. The Object class does this—a number of its methods are final .


1 Answers

In many languages, overriding methods is opt-in from the base class. Often, it is the virtual keyword that allows base class authors to opt-in for the possibility of overriding.

In AS3, however, the ability to have methods overridden is opt-out. That is what the final keyword does. It allows the base class author to say "this method may not be overridden".

There are some old-school thoughts about encapsulation that would suggest that it is a security problem for AS3 to do it this way. But this is mostly in cases of public APIs in which you want to hide your content but expose the functionality.

But, in more modern times, we have learned that disassembly and reflection will allow a malicious developer to do anything he/she wants anyways, so this is less of an issue today. Relying on final for security is a crutch, in my opinion, and any suggestions of it should be dismissed. Security needs to be thought of more carefully than that. APIs need to be architected such that the implementation lets developers do what then need to do, but security-critical information should not be included in public APIs.

That is not to say that final is not useful. final tells developers that derive from your class that you never intended them to override the function. It lets you say "please just call this function. Don't override." It is more of an interface or a communications mechanism than anything else, IMO.

like image 149
Brian Genisio Avatar answered Oct 15 '22 19:10

Brian Genisio