Menu
I saw an answer from another post:
String has been widely used as parameter for many java classes e.g. for opening network connection , for opening database connection, opening files . If String is not immutable, this would lead to serious security threat .
I think checking the string before use it would solve the problem. Why is it a reason that string is designed to be immutable?
Can anyone give me a concrete code example?
324
Since String is immutable, its value can't be changed otherwise any hacker could change the referenced value to cause security issues in the application. Since String is immutable, it is safe for multithreading. A single String instance can be shared across different threads.
The String is immutable, so its value cannot be changed. If the String doesn't remain immutable, any hacker can cause a security issue in the application by changing the reference value. The String is safe for multithreading because of its immutableness.
a mutable string can be changed, and an immutable string cannot be changed. Here I want to change the value of String like this, String str="Good"; str=str+" Morning"; and other way is, StringBuffer str= new StringBuffer("Good"); str.
In Java, String objects are immutable. Immutable simply means unmodifiable or unchangeable. Once String object is created its data or state can't be changed but a new String object is created.
In general, it's easier to write and review sensitive code when values don't change, because there are fewer interleavings of operations that might affect the result.
Imagine code like
void doSomethingImportant(String name) {
if (!isAlphaNumeric(name)) { throw new IllegalArgumentException(); }
Object o = lookupThingy(name);
// No chance of SQL-Injection because name is alpha-numeric.
connection.executeStatement("INSERT INTO MyTable (column) VALUES ('" + name + "')");
}
The code does some checks to prevent an escalation of authority, but this only holds if isAlphaNumeric(name) is true when the argument to executeStatement is called.
If the first two statements were re-ordered then this would not be a problem, so the insecurity arises, in-part, from a bad interleaving. But other code might call this function and assume that name is not changed by it, so might have to perform and re-perform validity checks.
If String is not immutable, then it might have been changed by lookupThingy. To be sure the security check works, there is a much larger amount of code that has to perform correctly for this code to be secure against SQL injection.
Not only is the amount of code that has to perform correctly larger, but a maintainer who makes local changes to one function might affect the security of other functions far-away. Non-local effects make code-maintenance hard. Maintaining security properties is always dicey since security vulnerabilities are rarely obvious, so mutability can lead to degradation of security over time.
Why is it a reason that string is designed to be immutable?
This is separate from why it is bad security-wise.
It is widely believed that programs written in languages with readily-available immutable string types do fewer unnecessary buffer copies than ones that do not. Unnecessary buffer copies eat up memory, cause GC churn, and can cause simple operations on large inputs to perform much worse than on small inputs.
It is also widely believed that it is easier to write correct programs when using immutable strings, because you are unlikely to fail to defensively copy a buffer.
118
It's the oldest security spoof in the book: Present some parm to the operating system, have it validate the parm, then update the parm while the OS is referring to the parm, so it will do things different from what it verified.
This was used to break IBM OS/360 back in the 60s: To request disk I/O you would pass the OS a "channel program" that contained the disk address and memory address and other stuff. The OS would check that the disk and memory addresses were locations to which you were authorized, then it would pass that "channel program" along to the I/O channel hardware to be executed, without making a local copy first. It was not hard to time things so that you'd modify the channel program after it was checked but before the I/O channel hardware executed it, allowing access to unauthorized disk and memory.
(Keep in mind that in this timeframe memory was very precious, so not copying the channel program saved a non-trivial amount of memory. But this loophole was fairly quickly closed once the way to exploit it became fairly well known.)
(Of course, one must question whether any Objective-C program can be considered "secure" from other code running in the same process. The "duck typing" nature of Objective-C makes true security improbable at best. Using immutable strings is more of a protection against accidental modification than against malicious modification.)
39
The post you linked to further links to this post, where the issue is explained in more detail:
https://softwareengineering.stackexchange.com/questions/190699/when-and-why-would-we-use-immutable-pointers/190913#190913
21
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
