Security of the Java software platform

From Wikipedia, the free encyclopedia
Security for the Java platform and its applications

The Java software platform provides a number of features designed to improve the security of Java applications. These include enforcing runtime constraints through the Java Virtual Machine (JVM), a security manager that sandboxes untrusted code from the rest of the operating system, and a suite of security APIs that Java developers can use. Despite this, criticism has been directed at the programming language, and at Oracle, due to an increase in malicious programs that revealed security vulnerabilities in the JVM, which Oracle subsequently did not address in a timely manner.

Security features


The JVM


The binary form of programs running on the Java platform is not native machine code but an intermediate bytecode. The JVM performs verification on this bytecode before running it to prevent the program from performing unsafe operations such as branching to incorrect locations, which may contain data rather than instructions. It also allows the JVM to enforce runtime constraints such as array bounds checking. This means that Java programs are significantly less likely to suffer from memory safety flaws such as buffer overflow than programs written in languages such as C which do not provide such memory safety guarantees.

The platform does not allow programs to perform certain potentially unsafe operations such as pointer arithmetic or unchecked type casts. It manages memory allocation and initialization and provides automatic garbage collection which in many cases (but not all) relieves the developer from manual memory management. This contributes to type safety and memory safety.

Security manager


The platform provides a security manager which allows users to run untrusted bytecode in a "sandboxed" environment designed to protect them from malicious or poorly written software by preventing the untrusted code from accessing certain platform features and APIs. For example, untrusted code might be prevented from reading or writing files on the local filesystem, running arbitrary commands with the current user's privileges, accessing communication networks, accessing the internal private state of objects using reflection, or causing the JVM to exit.

The security manager also allows Java programs to be cryptographically signed; users can choose to allow code with a valid digital signature from a trusted entity to run with full privileges in circumstances where it would otherwise be untrusted.

Users can also set fine-grained access control policies for programs from different sources. For example, a user may decide that only system classes should be fully trusted, that code from certain trusted entities may be allowed to read certain specific files, and that all other code should be fully sandboxed.
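The three-tier policy just described (system classes fully trusted, code from a trusted entity allowed to read one specific file, everything else fully sandboxed) can be expressed as a java.security.Policy. The following is an added example written for this article, not code from the Java platform or from Wikipedia; the trusted code base file:/opt/trusted/ and the config file path are constructed, and the demo only evaluates the policy against synthetic protection domains rather than installing a security manager.

```java
import java.io.FilePermission;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

public class ThreeTierPolicyDemo {

    // Hypothetical trusted location and the single file that code from it may read (both constructed).
    static final String TRUSTED_CODEBASE = "file:/opt/trusted/";
    static final FilePermission CONFIG_READ = new FilePermission("/etc/app/config.properties", "read");

    // System classes fully trusted; trusted entities get one file permission; all other code sandboxed.
    static final class ThreeTierPolicy extends Policy {
        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            CodeSource cs = domain.getCodeSource();
            String location = (cs == null || cs.getLocation() == null) ? "" : cs.getLocation().toString();
            if (location.isEmpty() || location.startsWith("jrt:/")) {
                return true;                              // system classes: no code source, or a runtime-image module
            }
            if (location.startsWith(TRUSTED_CODEBASE)) {
                return CONFIG_READ.implies(permission);   // trusted entity: only the specific file, read only
            }
            return false;                                 // everything else: no permissions at all
        }
    }

    // Evaluates the policy for code that would be loaded from the given location (null = no code source).
    static boolean allows(Policy policy, String codebase, Permission permission) throws MalformedURLException {
        CodeSource cs = codebase == null ? null : new CodeSource(new URL(codebase), (Certificate[]) null);
        return policy.implies(new ProtectionDomain(cs, null), permission);
    }

    public static void main(String[] args) throws MalformedURLException {
        Policy policy = new ThreeTierPolicy();
        FilePermission shadowRead = new FilePermission("/etc/shadow", "read");
        System.out.println(allows(policy, null, shadowRead));                              // true
        System.out.println(allows(policy, "file:/opt/trusted/app.jar", CONFIG_READ));     // true
        System.out.println(allows(policy, "file:/opt/trusted/app.jar", shadowRead));      // false
        System.out.println(allows(policy, "file:/tmp/download/applet.jar", CONFIG_READ)); // false
        // To enforce this at runtime, install the policy before the security manager
        // (Java 17 and later require starting the JVM with -Djava.security.manager=allow):
        // Policy.setPolicy(policy);
        // System.setSecurityManager(new SecurityManager());
    }
}
```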

Security APIs


The Java Class Library provides a number of APIs related to security, such as standard cryptographic algorithms, authentication, and secure communication protocols.

The sun.misc.Unsafe class


sun.misc.Unsafe is an internal utility class in the Java programming language which is a collection of low-level unsafe operations.[1] While it is not a part of the official Java Class Library, it is called internally by the Java libraries. It resides in an unofficial Java module named jdk.unsupported. Beginning in Java 11, it has been partially migrated to jdk.internal.misc.Unsafe (which resides in module java.base).[1]

Its primary features are direct memory management (similar to C memory management) and memory address manipulation, manipulation of objects and fields, thread manipulation, and concurrency primitives.

Its declaration is public final class Unsafe, and it is a singleton class with a private constructor.[2]

It contains the following methods, many of which are declared native (invoking the Java Native Interface):[2][3]

  • static Unsafe getUnsafe(): retrieves the Unsafe instance. It uses sun.reflect.Reflection to do so.
  • int getInt(Object o, long offset): fetches a value (a field or array element) in the object at the given offset. (There are corresponding getBoolean(), getByte(), getShort(), getChar(), getLong(), getFloat(), and getDouble() methods as well.)
  • void putInt(Object o, long offset, int x): stores a value into an object at the given offset. (There are corresponding putBoolean(), putByte(), putShort(), putChar(), putLong(), putFloat(), and putDouble() methods as well.)
  • Object getObject(Object o, long offset): fetches a reference value from an object at the given offset.
  • void putObject(Object o, long offset, Object x): stores a reference value into an object at the given offset.
  • int getInt(long address): fetches a value at the given address. (There are corresponding getBoolean(), getByte(), getShort(), getChar(), getLong(), getFloat(), and getDouble() methods as well.)
  • void putInt(long address, int x): stores a value into the given address. (There are corresponding putBoolean(), putByte(), putShort(), putChar(), putLong(), putFloat(), and putDouble() methods as well.)
  • long getAddress(long address): fetches a native pointer from a given address.
  • void putAddress(long address, long x): stores a native pointer into a given address.
  • long allocateMemory(long bytes): allocates a block of native memory of the given size (similar to malloc()).
  • long reallocateMemory(long address, long bytes): resizes a block of native memory to the given size (similar to realloc()).
  • void setMemory(Object o, long offset, long bytes, byte value), void setMemory(long address, long bytes, byte value): sets all bytes in a block of memory to a fixed value (similar to memset()).
  • void copyMemory(Object srcBase, long srcOffset, Object destBase, long destOffset, long bytes), void copyMemory(long srcAddress, long destAddress, long bytes): sets all bytes in a given block of memory to a copy of another block (similar to memcpy()).
  • void freeMemory(long address): deallocates a block of native memory obtained from allocateMemory() or reallocateMemory() (similar to free()).
  • long staticFieldOffset(Field f): obtains the location of a given field in the storage allocation of its class.
  • long objectFieldOffset(Field f): obtains the location of a given static field in conjunction with staticFieldBase().
  • Object staticFieldBase(Field f): obtains the location of a given static field in conjunction with staticFieldOffset().
  • void ensureClassInitialized(Class<?> c): ensures the given class has been initialized.
  • int arrayBaseOffset(Class<?> arrayClass): obtains the offset of the first element in the storage allocation of a given array class.
  • int arrayIndexScale(Class<?> arrayClass): obtains the scale factor for addressing elements in the storage allocation of a given array class.
  • static int addressSize(): obtains the size (in bytes) of a native pointer.
  • int pageSize(): obtains the size (in bytes) of a native memory page.
  • Class<?> defineClass(String name, byte[] b, int off, int len, ClassLoader loader, ProtectionDomain protectionDomain): signals to the JVM to define a class without security checks.
  • Class<?> defineAnonymousClass(Class<?> hostClass, byte[] data, Object[] cpPatches): signals to the JVM to define a class but not make it known to the class loader or system directory.
  • Object allocateInstance(Class<?> cls) throws InstantiationException: allocates an instance of a class without running its constructor.
  • void monitorEnter(Object o): locks an object.
  • void monitorExit(Object o): unlocks an object.
  • boolean tryMonitorEnter(Object o): tries to lock an object, returning whether the lock succeeded.
  • void throwException(Throwable ee): throws an exception without telling the verifier.
  • final boolean compareAndSwapInt(Object o, long offset, int expected, int x): updates a variable to x if it is holding expected, returning whether the operation succeeded. (There are corresponding compareAndSwapLong() and compareAndSwapObject() methods as well.)
  • int getIntVolatile(Object o, long offset): volatile version of getInt(). (There are corresponding getBooleanVolatile(), getByteVolatile(), getShortVolatile(), getCharVolatile(), getLongVolatile(), getFloatVolatile(), getDoubleVolatile(), and getObjectVolatile() methods as well.)
  • void putIntVolatile(Object o, long offset, int x): volatile version of putInt(). (There are corresponding putBooleanVolatile(), putByteVolatile(), putShortVolatile(), putCharVolatile(), putLongVolatile(), putFloatVolatile(), putDoubleVolatile(), and putObjectVolatile() methods as well.)
  • void putOrderedInt(Object o, long offset, int x): version of putIntVolatile() not guaranteeing immediate visibility of the store to other threads. (There are corresponding putOrderedLong() and putOrderedObject() methods as well.)
  • void unpark(Object thread): unblocks a thread.
  • void park(boolean isAbsolute, long time): blocks the current thread.
  • int getLoadAverage(double[] loadavg, int nelems): gets the load average in the system run queue assigned to available processors averaged over various periods of time.
  • void invokeCleaner(ByteBuffer directBuffer): invokes the given direct byte buffer's cleaner.
  • void fullFence(): ensures loads and stores before the fence will not be reordered with loads and stores after the fence.
  • void loadFence(): ensures loads before the fence will not be reordered with loads and stores after the fence.
  • void storeFence(): ensures loads and stores before the fence will not be reordered with stores after the fence.

It also contains the following constants:

  • static final int INVALID_FIELD_OFFSET = -1
  • static final int ARRAY_BOOLEAN_BASE_OFFSET = arrayBaseOffset(boolean[].class)
  • static final int ARRAY_BYTE_BASE_OFFSET = arrayBaseOffset(byte[].class)
  • static final int ARRAY_SHORT_BASE_OFFSET = arrayBaseOffset(short[].class)
  • static final int ARRAY_CHAR_BASE_OFFSET = arrayBaseOffset(char[].class)
  • static final int ARRAY_INT_BASE_OFFSET = arrayBaseOffset(int[].class)
  • static final int ARRAY_LONG_BASE_OFFSET = arrayBaseOffset(long[].class)
  • static final int ARRAY_FLOAT_BASE_OFFSET = arrayBaseOffset(float[].class)
  • static final int ARRAY_DOUBLE_BASE_OFFSET = arrayBaseOffset(double[].class)
  • static final int ARRAY_OBJECT_BASE_OFFSET = arrayBaseOffset(Object[].class)
  • static final int ARRAY_BOOLEAN_INDEX_SCALE = arrayIndexScale(boolean[].class)
  • static final int ARRAY_BYTE_INDEX_SCALE = arrayIndexScale(byte[].class)
  • static final int ARRAY_SHORT_INDEX_SCALE = arrayIndexScale(short[].class)
  • static final int ARRAY_CHAR_INDEX_SCALE = arrayIndexScale(char[].class)
  • static final int ARRAY_INT_INDEX_SCALE = arrayIndexScale(int[].class)
  • static final int ARRAY_LONG_INDEX_SCALE = arrayIndexScale(long[].class)
  • static final int ARRAY_FLOAT_INDEX_SCALE = arrayIndexScale(float[].class)
  • static final int ARRAY_DOUBLE_INDEX_SCALE = arrayIndexScale(double[].class)
  • static final int ARRAY_OBJECT_INDEX_SCALE = arrayIndexScale(Object[].class)
  • static final int ADDRESS_SIZE = addressSize()

Examples


An example usage is the following:

package org.wikipedia.example;

import java.lang.reflect.Field;
import sun.misc.Unsafe;

public class Example {
    public static void main(String[] args) throws Exception {
        // Get Unsafe instance via reflection
        Field f = Unsafe.class.getDeclaredField("theUnsafe");
        f.setAccessible(true);
        Unsafe unsafe = (Unsafe) f.get(null);

        // Allocate a block of 8 bytes
        long memoryAddress = unsafe.allocateMemory(8L);
        try {
            // Insert a long into the memory, and read from that block
            unsafe.putLong(memoryAddress, 123456789L);
            long value = unsafe.getLong(memoryAddress);
            System.out.printf("Value from memory: %d%n", value); // Output: 123456789
        } finally {
            // Free the allocated memory
            unsafe.freeMemory(memoryAddress);
        }
    }
}

One can also wrap native memory segments, like java.lang.foreign.MemorySegment:

package org.wikipedia.example;

import java.lang.reflect.Field;
import sun.misc.Unsafe;

public class NativeMemory implements AutoCloseable {
    private static final Unsafe unsafe;
    private final long address;
    private final long size;

    static {
        try {
            Field theUnsafe = Unsafe.class.getDeclaredField("theUnsafe");
            theUnsafe.setAccessible(true);
            unsafe = (Unsafe) theUnsafe.get(null);
        } catch (Exception e) {
            throw new RuntimeException("Unable to access Unsafe", e);
        }
    }

    public NativeMemory(long size) {
        this.size = size;
        this.address = unsafe.allocateMemory(size);
    }

    public void putByte(long offset, byte value) {
        checkBounds(offset, 1);
        unsafe.putByte(address + offset, value);
    }

    public byte getByte(long offset) {
        checkBounds(offset, 1);
        return unsafe.getByte(address + offset);
    }

    // Every access is bounds-checked against the allocation, which raw Unsafe does not do
    private void checkBounds(long offset, long bytes) {
        if (offset < 0 || offset + bytes > size) {
            throw new IndexOutOfBoundsException(String.format("Offset out of bounds: %d", offset));
        }
    }

    @Override
    public void close() {
        unsafe.freeMemory(address);
    }
}

In use:

package org.wikipedia.example;

public class Main {
    public static void main(String[] args) {
        try (NativeMemory mem = new NativeMemory(1024)) {
            mem.putByte(0, (byte) 42);
            System.out.printf("Value: %s%n", mem.getByte(0));
        }
    }
}
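Because sun.misc.Unsafe bypasses the bounds and type checks described in this section, a reviewer of a dependency often wants to know which classes in a jar reference it at all. The following scanner is an added example written for this article, not part of the Java platform or of the examples above; it parses only the class-file constant pool (where any reference to sun/misc/Unsafe or jdk/internal/misc/Unsafe must appear) and never loads the classes. The in-memory sample class header is constructed for the demonstration.

```java
import java.io.*;
import java.nio.file.*;
import java.util.*;
import java.util.jar.*;

public class UnsafeUsageScanner {

    private static final String[] UNSAFE_NAMES = { "sun/misc/Unsafe", "jdk/internal/misc/Unsafe" };

    // Reads only the constant pool of one class file; a class that touches Unsafe must name it there
    // (as a CONSTANT_Class entry or inside a descriptor such as "Lsun/misc/Unsafe;").
    static boolean referencesUnsafe(InputStream classBytes) throws IOException {
        DataInputStream in = new DataInputStream(classBytes);
        if (in.readInt() != 0xCAFEBABE) throw new IOException("not a class file");
        in.readUnsignedShort(); // minor version
        in.readUnsignedShort(); // major version
        int count = in.readUnsignedShort();
        for (int i = 1; i < count; i++) {
            int tag = in.readUnsignedByte();
            switch (tag) {
                case 1: { // CONSTANT_Utf8: u2 length + modified UTF-8, exactly what readUTF consumes
                    String s = in.readUTF();
                    for (String name : UNSAFE_NAMES) {
                        if (s.contains(name)) return true;
                    }
                    break;
                }
                case 3: case 4: in.readInt(); break;                                      // Integer, Float
                case 5: case 6: in.readLong(); i++; break;                                // Long, Double take two slots
                case 7: case 8: case 16: case 19: case 20: in.readUnsignedShort(); break; // Class, String, MethodType, Module, Package
                case 9: case 10: case 11: case 12: case 17: case 18: in.readInt(); break; // refs, NameAndType, Dynamic, InvokeDynamic
                case 15: in.readUnsignedByte(); in.readUnsignedShort(); break;            // MethodHandle
                default: throw new IOException("unknown constant pool tag " + tag);
            }
        }
        return false;
    }

    // Parses every .class entry of a jar; nothing in the jar is loaded or executed.
    static List<String> scanJar(InputStream jarBytes) throws IOException {
        List<String> hits = new ArrayList<>();
        try (JarInputStream jar = new JarInputStream(jarBytes)) {
            for (JarEntry e = jar.getNextJarEntry(); e != null; e = jar.getNextJarEntry()) {
                if (e.getName().endsWith(".class") && referencesUnsafe(jar)) {
                    hits.add(e.getName());
                }
            }
        }
        return hits;
    }

    // Constructed sample: the header and constant pool of a class whose pool names the given class.
    static byte[] sampleClassHeader(String referencedClass) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(buf);
        out.writeInt(0xCAFEBABE);
        out.writeShort(0); out.writeShort(52);           // class file version 52 (Java 8)
        out.writeShort(3);                               // constant_pool_count = entries + 1
        out.writeByte(1); out.writeUTF(referencedClass); // #1 CONSTANT_Utf8
        out.writeByte(7); out.writeShort(1);             // #2 CONSTANT_Class -> #1
        return buf.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        System.out.println(referencesUnsafe(new ByteArrayInputStream(sampleClassHeader("sun/misc/Unsafe"))));   // true
        System.out.println(referencesUnsafe(new ByteArrayInputStream(sampleClassHeader("java/lang/Object")))); // false
        if (args.length == 1) {                          // optional: java UnsafeUsageScanner some-dependency.jar
            try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
                scanJar(in).forEach(System.out::println);
            }
        }
    }
}
```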

Potential sources of security vulnerabilities in Java applications


There are a number of possible sources of security vulnerabilities in Java applications, some of which are common to non-Java applications and some of which are specific to the Java platform. (Note that these refer to potential sources of vulnerabilities which need to be kept in mind by security-conscious programmers: this is not intended as a list of actual vulnerabilities.)

Examples of potential sources of vulnerability common to Java and non-Java applications are:

  • Vulnerabilities in the protection mechanisms provided by the hardware or operating system which the application relies upon for its security
  • Vulnerabilities in native libraries, such as the C standard library, which may be used to implement the application and/or runtime
  • Vulnerabilities caused purely by errors in user programs (for example improper construction of SQL queries leading to SQL injection vulnerabilities)

However, much discussion of Java security focusses on potential sources of vulnerability specific to the Java platform. These include:

  • Vulnerabilities in the sandboxing mechanism which allow untrusted bytecode to circumvent the restrictions imposed by the security manager
  • Vulnerabilities in the Java class library which an application relies upon for its security

A vulnerability in the Java platform will not necessarily make all Java applications vulnerable. When vulnerabilities and patches are announced, for example by Oracle, the announcement will normally contain a breakdown of which types of application are affected (example).

For example, a hypothetical security flaw which affects only the security manager sandboxing mechanism of a particular JVM implementation would mean that only Java applications which run arbitrary untrusted bytecode would be compromised: applications where the user fully trusts and controls all bytecode being executed would not. This would mean that, say, a web browser plugin based on that JVM would be vulnerable to malicious applets downloaded from public websites, but a server-side web application running on the same version of the JVM where the administrator has full control over the classpath would be unaffected.[4]

As with non-Java applications, security vulnerabilities can stem from parts of the platform which may not initially appear to be security-related. For example, in 2011, Oracle issued a security fix for a bug in the Double.parseDouble method.[5] This method converts a string such as "12.34" into the equivalent double-precision floating point number. The bug caused this method to enter an infinite loop when called on a specific input. This bug had security implications, because for example if a web server converts a string typed into a form by the user using this method, a malicious user could type in the string which triggers the bug. This would cause the web server thread processing the malicious request to enter an infinite loop and become unavailable for serving requests from other users. Doing this repeatedly to a vulnerable web server would be an easy denial-of-service attack: all the web server's threads for responding to user requests would soon be stuck in the infinite loop and the web server would be unable to serve any legitimate users at all.

Criticism of security manager


The security manager in the Java platform (which, as mentioned above, is designed to allow the user to safely run untrusted bytecode) has been criticized in recent years for making users vulnerable to malware, especially in web browser plugins which execute Java applets downloaded from public websites, more informally known as "Java in the browser".

Oracle's efforts to address these vulnerabilities resulted in a delay to the release of Java 8.[6]

2012


An OS X trojan referred to as Flashback exploited a vulnerability in Java, which had not been patched by Apple, although Oracle had already released a patch.[7] In April, Apple later released a removal tool for Lion users without Java.[8] With Java 7 Update 4, Oracle began to release Java directly for Lion and later.[9]

In October, Apple released an update that removed the Java plugin from all browsers.[10] This was seen as a move by Apple to distance OS X from Java.[11]

2013


In January, a zero-day vulnerability was found in all versions of Java 7, including the latest version, Java 7 Update 10, which was already being exploited in the wild.[12] The vulnerability was caused by a patch to fix an earlier vulnerability.[13] In response, Apple blacklisted the latest version of the Java plugin.[14] Oracle released a patch (Update 11) within three days.[15] Microsoft also released a patch for Internet Explorer versions 6, 7, and 8.[16]

Cyberespionage malware Red October was found exploiting a Java vulnerability that was patched in October 2011.[17] The website for Reporters Without Borders was also compromised by a Java vulnerability in versions prior to Update 11.[18]

After the release of Update 11, another vulnerability began circulating online,[19] which was later confirmed.[20] It was also found that Java's security mode itself was vulnerable due to a bug.[21] In response, Mozilla disabled Java (as well as Adobe Reader and Microsoft Silverlight) in Firefox by default,[22] while Apple blacklisted the latest Java plugin again.[23]

In February, Twitter reported that it had shut down an attack. Twitter advised users to disable Java, although it did not explain why.[24] Later in the month, Facebook reported that it had been hacked by a zero-day Java attack.[25] Apple also reported an attack.[26] It was found that a breach of an iPhone developer forum was used to attack Twitter, Facebook, and Apple.[27] The forum itself was unaware of the breach.[28] Following Twitter, Facebook, and Apple, Microsoft reported that it was also similarly compromised.[29]

Another vulnerability discovered allowed the Java security sandbox to be completely bypassed in the original release of Java 7, as well as Updates 11 and 15.[30] In March, a trojan called McRat was found exploiting a zero-day Java vulnerability.[31] Oracle then released another patch to address the vulnerability.[32]

References

  1. Ben Evans (May 4, 2020). "The Unsafe Class: Unsafe at Any Speed". blogs.oracle.com. Oracle Corporation.
  2. "sun.misc: Unsafe.java". docjar.com. Archived from the original on September 30, 2016.
  3. "Unsafe (Java Platform SE 9)". cr.openjdk.org. OpenJDK. Retrieved October 10, 2025.
  4. Security Alert for CVE-2013-0422 Released. Oracle Corporation. Retrieved 2013-04-24.
  5. Oracle Releases Hotfix for the Double.parseDouble Bug in Record Time. InfoQ. Retrieved 2013-04-24.
  6. Secure The Train. Blog of Mark Reinhold, Chief Architect of Oracle's Java Platform Group. 2013-04-18.
  7. Goodin, Dan (April 2, 2012). "Mac Flashback trojan exploits unpatched Java vulnerability, no password needed". Ars Technica. Retrieved February 18, 2014.
  8. Geuss, Megan (April 14, 2012). "Flashback malware removal tool arrives for Java-less Mac users". Ars Technica. Retrieved February 18, 2014.
  9. Foresman, Chris (April 27, 2012). "Forget Apple: Oracle to bring Java security fixes directly to Mac users". Ars Technica. Retrieved February 18, 2014.
  10. Goodin, Dan (October 18, 2012). "Apple removes Java from all OS X Web browsers". Ars Technica. Retrieved February 18, 2014.
  11. Cheng, Jacqui (December 23, 2012). "Where OS X security stands after a volatile 2012". Ars Technica. Retrieved February 18, 2014.
  12. Goodin, Dan (January 10, 2013). "Critical Java zero-day bug is being "massively exploited in the wild" (Updated)". Ars Technica. Retrieved February 18, 2014.
  13. Goodin, Dan (January 11, 2013). "Critical Java vulnerability made possible by earlier incomplete patch (Updated)". Ars Technica. Retrieved February 18, 2014.
  14. Foresman, Chris (January 11, 2013). "Apple blacklists Java on OS X to prevent latest "critical" exploits". Ars Technica. Retrieved February 18, 2014.
  15. Mattise, Nathan (January 14, 2013). "Oracle patches widespread Java zero-day bug in three days (Updated)". Ars Technica. Retrieved February 18, 2014.
  16. Goodin, Dan (January 14, 2013). "Microsoft releases emergency update to patch Internet Explorer bug". Ars Technica. Retrieved February 18, 2014.
  17. Goodin, Dan (January 15, 2013). "Red October relied on Java exploit to infect PCs". Ars Technica. Retrieved February 18, 2014.
  18. Goodin, Dan (January 22, 2013). "Just-patched Java, IE bugs used to snare human rights sites". Ars Technica. Retrieved February 18, 2014.
  19. Goodin, Dan (January 16, 2013). "$5,000 will buy you access to another, new critical Java vulnerability (Updated)". Ars Technica. Retrieved February 18, 2014.
  20. Goodin, Dan (January 18, 2013). "Critical Java vulnerabilities confirmed in latest version". Ars Technica. Retrieved February 18, 2014.
  21. Goodin, Dan (January 28, 2013). "Java's new "very high" security mode can't protect you from malware". Ars Technica. Retrieved February 18, 2014.
  22. Goodin, Dan (January 31, 2013). "Firefox to block content based on Java, Reader, and Silverlight". Ars Technica. Retrieved February 18, 2014.
  23. Foresman, Chris (January 31, 2013). "For second time in a month, Apple blacklists Java Web plugin". Ars Technica. Retrieved February 18, 2014.
  24. Goodin, Dan (February 2, 2013). "Twitter detects and shuts down password data hack in progress". Ars Technica. Retrieved February 18, 2014.
  25. Gallagher, Sean (February 15, 2013). "Facebook computers compromised by zero-day Java exploit". Ars Technica. Retrieved February 18, 2014.
  26. Cheng, Jacqui (February 19, 2013). "Apple HQ also targeted by hackers, will release tool to protect customers". Ars Technica. Retrieved February 18, 2014.
  27. Gallagher, Sean (February 19, 2013). "Facebook, Twitter, Apple hack sprung from iPhone developer forum". Ars Technica. Retrieved February 18, 2014.
  28. Cheng, Jacqui (February 20, 2013). "Dev site behind Apple, Facebook hacks didn't know it was booby-trapped". Ars Technica. Retrieved February 18, 2014.
  29. Bright, Peter (February 22, 2013). "Microsoft joins Apple, Facebook, and Twitter; comes out as hack victim". Ars Technica. Retrieved February 18, 2014.
  30. Brodkin, Jon (February 25, 2013). "Java's latest security problems: New flaw identified, old one attacked". Ars Technica. Retrieved February 18, 2014.
  31. Goodin, Dan (March 1, 2013). "Another Java zero-day exploit in the wild actively attacking targets". Ars Technica. Retrieved February 18, 2014.
  32. Mattise, Nathan (March 5, 2013). "Oracle releases new Java patch to address this week's McRat problem". Ars Technica. Retrieved February 18, 2014.
