Oracle Calls Java Serialization 'A Horrible Mistake', Plans to Dump It (infoworld.com) 33
An anonymous reader quotes InfoWorld: Oracle plans to drop from Java its serialization feature that has been a thorn in the side when it comes to security. Also known as Java object serialization, the feature is used for encoding objects into streams of bytes... Removing serialization is a long-term goal and is part of Project Amber, which is focused on productivity-oriented Java language features, says Mark Reinhold, chief architect of the Java platform group at Oracle.
To replace the current serialization technology, a small serialization framework would be placed in the platform once records, the Java version of data classes, are supported. The framework could support a graph of records, and developers could plug in a serialization engine of their choice, supporting formats such as JSON or XML, enabling serialization of records in a safe way. But Reinhold cannot yet say which release of Java will have the records capability. Serialization was a "horrible mistake" made in 1997, Reinhold says. He estimates that at least a third -- maybe even half -- of Java vulnerabilities have involved serialization. Serialization overall is brittle but holds the appeal of being easy to use in simple use cases, Reinhold says.
Was very obvious back then (Score:3, Insightful)
But the Java fanatics just put in more and more features, regardless of whether sane languages had them or not.
Re: (Score:2)
Obvious?
Well, given the abstraction from actual hardware that is Java's goal, how would you create a way to pass data from machine to machine without worrying about things like word size and endianness?
Got any objective reasons? Because what you've posted is just an opinion. And just like that other thing everyone else has, frankly it stinks.
Re: (Score:1)
Are you for real? Maybe I'm not getting your sarcasm, but this is a solved problem and was a solved problem back in 1997.
See here for [lelanthran.com]one example of object serialization of binary fields that was doable back in 1997. Serializing 15 or so fields in a single statement; not exactly what I would call rocket science.
Re: (Score:3)
It was solved even earlier with XDR (R.I.P. Dr Bruce Nelson..)
Re: (Score:2)
Re: Was very obvious back then (Score:2)
The disadvantage with xml is that it creates a lot of overhead, which could be a problem in embedded applications and large scale solutions.
Re: (Score:2)
Oh please. This wasn't a failure with their implementation. It's an issue with the concept which is still a good thing because the positives still outweigh the negatives.
It just sucks though going through a 100+ projects to add jaxb to their pom files to prepare for Java 11 LTS that's coming in September.
Re: Was very obvious back then (Score:2)
The only sane language in that realm is Ada. C# is worse than Java because it's influenced by language problems from VB.
However the serialization is not really a language problem, it's an implementation problem. The serialization is something that could have been done better, and in a more safe manner. But it's also useful. Removing it may break a lot of applications and actually cause them to stay on older insecure runtimes instead of figuring out a way to secure that part in a manner that won't break the
Records? Is that a thing? (Score:2)
Re: (Score:2)
Cobol anyone?
I thought I was going to old-school school people by mentioning QBasic's "type" structures, but you punked me with Cobol.
But then again, not even Python does this well if you need a structure with specific data types to match a binary stream you need to read/write reading/writing.
Re: (Score:2)
RMI and serialization was useful (Score:1)
Back in the day your options of serializing objects was Corba more or less.
Having serialization built into the language and having remote method invocation (RMI) immediately accessible was a game changer for project design and implementation between different processes and machines.
I'm not sure what went wrong, was it implementation issues or bad API decisions that cause security issues, I'm curious to hear. The bottom line is that these features were a gold mine back then.
Re: RMI and serialization was useful (Score:2)
The problem lies in that there's no validation of who's submitting or fetching the data and that the data is correct when deserialized. Someone can compose a binary stream that can be crafted to result in something unexpected when deserialized.
Exchange formats like xml can be validated before parsing.
Object serialization is dangerous. (Score:3)
Regardless of language, object serialization is a dangerous idea. While it may seem like a nice idea at first, loading objects from unverified mutable data is an invitation for someone to tinker with that data. The situation only gets worse when your object structure changes because now your object data is invalid or incomplete.
Much like goto, I'm not arguing that it's not useful but rather that it's use it is inherently dangerous.
Re: (Score:2)
> Much like goto
Or worse, eval().
Re:Object serialization is dangerous. (Score:5, Interesting)
Regardless of language, object serialization is a dangerous idea. While it may seem like a nice idea at first, loading objects from unverified mutable data is an invitation for someone to tinker with that data.
Okay then, smartypants, what do you propose for persisting fields of an object? Anything you propose is, by definition, "serialisation". The only alternative to serialisation is non-persistent objects.
(TBH, I kinda like the thought of signed serialiased blobs)
That is nonsense ... (Score:2)
Why would serialization be a security risk?
Hu? Cant
... you write to a disk or to a socket and thats it.
Sure, I'm nitpicking, because deserialization might be a security risk.
However only if you actually do it and e.g. leave open paths how bad files can end on your disk, which you then read, or open a socket and accept incoming serialized objects.
A typical Java program is absolutely not vulnerable to anything regarding serialization unless the programmer (intentionally?) made it so.
Articles about this (and
I don't get it (Score:2)
OK I don't get it. Serialization is just saving the field values to a file and then reading it back. Of course if you just read a file without any validation and you don't know if it has been tampered with then of course you can have security issues. But this applies to any file formats or data anywhere. Java serialization is not a unique case. Serialization is an easy way to load values without going through an intermediary format. Replacing it with JSON or XML doesn't change the issue one bit.
The reason why it is dangerous (Score:2)
1. No validation. You might have a nicely designed object, well tested, and has all sorts of validation checks to ensure that the internal state is never broken. Java object serialization bypasses all validation, permitting an attacker to construct a malformed object. Exactly how that would