Java Class Loader & Security
Bhanu Prakash Gopularam
Senior Engineer
Java Platform Group
Agenda
• Introduction
• Java Class Loader
• Java Class Loading Phases
• Custom Class loading
• Class Loader Exceptions
• Debugging Class loader Problems
• Questions
Java Language
Java Platform and Programming language introduced in 1995
• Java Language
– General purpose object oriented programming language
– Automatic storage management – GC
– Platform independent code, security and network mobility
• Few Java Language Security features
– Built in Security Architecture
– Configurable policies and domains
– Applet sandbox: allows untrusted Java programs to be downloaded and run securely over the network
Java Class Loader - Introduction
ClassLoader “Reads byte code into JVM”
A class is defined by its
<class name, defining class loader>
Goals of Class Loader:
• Act as the first line of defense
• Guard system packages from fake classes and spoofing attacks
• Resolve symbolic references from one class to another
Java Class loading phases
Verification Process:
1. Structural check
2. Semantic check
3. Byte code verification
4. Symbolic references check
Java Class Loader
Java Class Loader
Java Class Loaders
1. Bootstrap or Primordial Class Loader
• rt.jar
• -Xbootclasspath – use judiciously
• System property sun.boot.class.path
2. Extension Class Loader
• Installed optional packages, lib/ext (in JRE) or jre/lib/ext (in JDK)
• $JRE_HOME/lib/ext
• System property java.ext.dirs
3. Application Class Loader
• Application classpath $CLASSPATH or -cp variable
• System property java.class.path
• Misleadingly, it is also called the System Class Loader
• Can be changed using property -Djava.system.class.loader
Java Class Loaders – contd.
4. SecureClassLoader
– Adds support for code security model in JDK 1.2
• Adds defineClass(String name, CodeSource)
• Adds getPermissions(CodeSource)
5. URLClassLoader
– Loads classes from specified URL path (dir or jar file)
– Extends from SecureClassLoader
• Supports loading classes from URL code sources
6. Context Class Loader
– Context class loader is provided by the creator of the thread
– If a Security Manager is present, checkPermission() is invoked on the getClassLoader() call
Java Class loader Delegation
Why write your own class loader?
1. Alternative delegation model - Java EE web modules
➢ Checks local repositories first, common folder in Tomcat. However, loading of system classes remains unchanged
➢ By instantiating the class loader again, a class can be reloaded
2. Hot Deployment
➢ Support upgrade
3. Class loader and Security
➢ Add extra code after findClass() and before defineClass(), e.g. compression or encryption techniques
4. Modifying the class files
➢ Add extra debugging logic
Example: BCEL (Byte code engineering library) and ASM tools
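The "Class loader and Security" item above, as an added example (not code from the deck or its GitHub repository): a hypothetical VerifyingClassLoader checks the class-file magic number and a SHA-256 allowlist before calling defineClass(), and the demo shows that the same bytes defined by two loader instances are distinct classes, as the <class name, defining class loader> rule implies. The names VerifyingLoaderDemo, VerifyingClassLoader and Payload are assumptions; compile with javac first so the Payload class file is on the classpath.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Collections;
import java.util.Map;

public class VerifyingLoaderDemo {

    /** Constructed sample class; its compiled bytes play the role of code from an external source. */
    public static class Payload { }

    /** Hypothetical loader: inspects the raw bytes before handing them to defineClass(). */
    static class VerifyingClassLoader extends ClassLoader {
        private final Map<String, byte[]> repository;    // class name -> bytes (stands in for a directory or network source)
        private final Map<String, String> allowedSha256; // class name -> expected SHA-256 digest in hex

        VerifyingClassLoader(Map<String, byte[]> repository, Map<String, String> allowedSha256) {
            super(null); // parent is the bootstrap loader only, so Payload is never found by delegation
            this.repository = repository;
            this.allowedSha256 = allowedSha256;
        }

        @Override
        protected Class<?> findClass(String name) throws ClassNotFoundException {
            byte[] b = repository.get(name);
            if (b == null) {
                throw new ClassNotFoundException(name);
            }
            // Structural check: every class file starts with the magic number 0xCAFEBABE.
            if (b.length < 4 || (b[0] & 0xFF) != 0xCA || (b[1] & 0xFF) != 0xFE
                    || (b[2] & 0xFF) != 0xBA || (b[3] & 0xFF) != 0xBE) {
                throw new SecurityException("not a class file: " + name);
            }
            // Integrity check: the bytes must match the digest recorded for this class name.
            String expected = allowedSha256.get(name);
            if (expected == null || !expected.equals(sha256Hex(b))) {
                throw new SecurityException("digest mismatch: " + name);
            }
            return defineClass(name, b, 0, b.length);
        }
    }

    static String sha256Hex(byte[] data) {
        try {
            StringBuilder hex = new StringBuilder();
            for (byte x : MessageDigest.getInstance("SHA-256").digest(data)) {
                hex.append(String.format("%02x", x));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is mandatory on every Java platform
        }
    }

    /** Reads the compiled bytes of an already-loaded class from the classpath. */
    static byte[] readClassBytes(Class<?> c) throws IOException {
        String resource = c.getName().replace('.', '/') + ".class";
        try (InputStream in = c.getClassLoader().getResourceAsStream(resource);
             ByteArrayOutputStream out = new ByteArrayOutputStream()) {
            if (in == null) {
                throw new IOException("class bytes not found: " + resource);
            }
            byte[] buf = new byte[4096];
            for (int n; (n = in.read(buf)) != -1; ) {
                out.write(buf, 0, n);
            }
            return out.toByteArray();
        }
    }

    /** True if a fresh VerifyingClassLoader refuses to define the given bytes. */
    static boolean rejected(String name, byte[] bytes, Map<String, String> allow) throws ClassNotFoundException {
        try {
            new VerifyingClassLoader(Collections.singletonMap(name, bytes), allow).loadClass(name);
            return false;
        } catch (SecurityException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        String name = Payload.class.getName();
        byte[] good = readClassBytes(Payload.class);
        Map<String, String> allow = Collections.singletonMap(name, sha256Hex(good));

        // Same name, same bytes, different defining loaders: distinct runtime classes.
        Class<?> a = new VerifyingClassLoader(Collections.singletonMap(name, good), allow).loadClass(name);
        Class<?> b = new VerifyingClassLoader(Collections.singletonMap(name, good), allow).loadClass(name);
        System.out.println("a == b: " + (a == b));
        System.out.println("a == Payload.class: " + (a == Payload.class));

        // An instance of the custom loader's Payload cannot be cast to the application loader's Payload.
        Object o = a.getDeclaredConstructor().newInstance();
        try {
            Payload p = (Payload) o;
            System.out.println("cast succeeded: " + p);
        } catch (ClassCastException e) {
            System.out.println("cast refused: " + e.getMessage());
        }

        byte[] flipped = good.clone();
        flipped[flipped.length - 1] ^= 0x01;   // one modified bit changes the digest
        byte[] noMagic = good.clone();
        noMagic[0] = 0;                        // destroys the magic number
        System.out.println("modified bytes rejected: " + rejected(name, flipped, allow));
        System.out.println("bad magic rejected: " + rejected(name, noMagic, allow));
    }
}
```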
Example (1): Jars in same classpath
v1/version.java v2/version.java
Test.java
Example (2): RMI Execution Engine
[Diagram: Client-1 and Client-2 call serverIntf.execute(taskIntf); the Server runs taskIntf.execute(). RMI Registry steps: 1. Register, 2. Lookup, 3. Return server stub, 4. Data Comm. Types shown: common.ServerInterface execute(TaskInterface), Server.ServerImpl execute(TaskInterface)]
Example (3): RMI Execution Engine
[Diagram: Client-1 and Client-2 call serverIntf.execute(codeName, byte[]); the Server runs fileSystemClassLoader.execute(codeName, code). RMI Registry steps: 1. Register, 2. Lookup, 3. Return server stub, 4. Data Comm. Types shown: common.ServerInterface execute(CodeName, byte[]), Server.ServerImpl execute(CodeName, byte[]), common.FileSystemClassLoader extending ClassLoader]
Class Loader Security
• Classes are separated using namespaces
• Built-in checks for identifying malicious classes
• Encloses class into ProtectionDomain
• Verification of code for valid signature
• Class File Verifier does various checks for integrity
ClassLoader Exceptions
1. ClassNotFoundException
– ClassLoader.findSystemClass() or loadClass() fails
– Wrong class loader is used or the directory is not added
➢ Figure out the class loader and parent class loader, and see why the class cannot be loaded
2. NoClassDefFoundError
– Indicates a linkage problem: a symbolic reference cannot be found.
– Folder or source of the class is not made available to the parent class loader
– Check the stack trace to find the class name
➢ Figure out the class loader and the missing symbolic link
➢ List parent class loaders recursively
ClassLoader Exceptions – Contd.
3. ClassCastException
– Casting an object to an unrelated class
➢ Check the type and the class loader used
4. UnsatisfiedLinkError
– System.loadLibrary("solaris.image_converter"), loading JNI code
➢ JVM is unable to find the proper native library of the class; check references
5. ClassCircularityError
– Thrown when some class is an indirect superclass of itself, an interface extends itself or similar, mainly when different versions of the same library are loaded
➢ Check for duplicate class names in classpath
Debugging Class Loading Problems
1. Use java -verbose:class HelloWorld
2. Use javap -private HelloWorld
3. Linux: check class file
– find *.jar -exec jar -tf '{}' \; | grep HelloWorld
4. Use BCEL or ASM libraries, ByteCode visualizer for Eclipse
Questions - 1
• Difference between
Class.forName() vs classLoader.loadClass()
Questions - 2
• In Java, what is the need for main method?
public static void main(String args[])
Questions - 3
• Guess first 4 bytes of a class file!
Byte code generated by the compiler needs to have standard data at the beginning of the file
Resources
1. The Java Language Specification, Java SE 8 Edition,
https://docs.oracle.com/javase/specs/jls/se8/jls8.pdf
2. The Java Virtual Machine Specification, Java SE 8 Edition,
https://docs.oracle.com/javase/specs/jvms/se8/jvms8.pdf
3. Demystifying Java Platform Security Architecture, Ramesh Nagappan
4. Internals of Java Class Loading, Binildas Christudas, O'Reilly, OnJava.com
5. Core Security Patterns: Best Practices and Strategies for J2EE, Web Services and
Identity Management, Sun MicroSystems, Prentice Hall
6. Java and JVM security vulnerabilities and their exploitation techniques
7. http://www.blackhat.com/presentations/bh-asia-02/LSD/bh-asia-02-lsd.pdf
8. GitHub URL - https://github.com/gopularam/developer/tree/master/Classloader
9. Slideshare URL - http://www.slideshare.net/bhanugopularam/java-class-loader-49366166
Thank You. Q/A


Editor's notes

  1. General purpose object oriented programming language (architecture-neutral, interpreted and executable byte code). JVM – abstract computing engine, it insulates JVM from underlying differences. Rules-based class loading and verification of byte code. Applet Sandbox.
  2. Responsible for locating the byte code of a particular class and then transforming it into a class usable by the runtime system. To enforce security it coordinates with SecurityManager and AccessController. Protects Java classes from spoofing attacks. ClassLoader recursively delegates class loading to its parent loader; this can be changed by custom class loaders. Developers have two well-known reasons for building custom ClassLoaders: 1. providing support for a new class repository and 2. partitioning user code in a server.
  3. Java byte code verifier:
     Pass 1 – Structural check: starting bytes in class file, major/minor version checks, etc.
     Pass 2 – Semantic check: method descriptors, context-free grammar, adherence to the Java specification
     Pass 3 – Byte code verification: improper gotos, opcodes vs operands, method arguments, local variable initialization, etc.
     Pass 4 – Verification of symbolic references: loading referenced types, dynamic linking, binary compatibility check
     It is based on data flow analysis. It models each bytecode instruction and simulates each execution path that can possibly occur. It checks the number of registers, stack height and types of values in registers.
     • Classes do not forge pointers
     • Class file format is OK
     • Code does not violate access privileges
     • Class definition is correct
     ---------
     • Security. Your ClassLoader could examine classes before they are handed off to the JVM to see if they have a proper digital signature. You can also create a kind of "sandbox" that disallows certain kinds of method calls by examining the source code and rejecting classes that try to do things outside the sandbox.
     • Encryption. It's possible to create a ClassLoader that decrypts on the fly, so that your class files on disk are not readable by someone with a decompiler. The user must supply a password to run the program, and the password is used to decrypt the code.
     • Archiving. Want to distribute your code in a special format or with special compression? Your ClassLoader can pull raw class file bytes from any source it wants.
     • Self-extracting programs. It's possible to compile an entire Java application into a single executable class file that contains compressed and/or encrypted class file data, along with an integral ClassLoader; when the program is run, it unpacks itself entirely in memory -- no need to install first.
     • Dynamic generation. The sky's the limit here. You can generate classes that refer to other classes that haven't been generated yet -- create entire classes on the fly and bring them into the JVM without missing a beat.
  4. If the class is already loaded then return it, else call findClass().
  5. Primordial class loader: Java applications have the capability of loading bootstrap, system and app classes. To protect from malicious attacks it uses java.security.SecureClassLoader.
     • Load class: finding a class using delegation; defining the class
     • Link class: happens before class initialization or before reflection API calls. Byte code verifier – bytecode is typesafe, execution paths. Checks like Verification (semantics, type checking), Preparation (allocate JVM internal objects)
     • Initialize class: happens once on “first use”: before first instance creation of the class (runs static code), before access to static fields or methods
     Class loading phases:
     • Load class – finding the class using delegation
     • Link class – runs the bytecode verifier, allocates JVM internal objects
     • Initialize class – happens once on “first use”
  6. A domain conceptually encloses a set of classes whose instances are granted the same set of permissions. CodeSource - each piece of code has two identity-defining characteristics: origin and signature. These two characteristics are represented in the class java.security.CodeSource. The context class loader was invented to give framework code a mechanism to find the "correct" class loader to load application classes. In the case of the web application, the server typically applies the web application class loader as the context class loader. AppletClassLoader, SecureClassLoader, RMIClassLoader.
  7. Delegation works in a bottom-up manner. Visibility - classes loaded by a top-level class loader are visible to class loaders beneath it and not vice versa.
  8. RMI Execution Engine. Clients can supply any tasks that implement common.TaskIntf. The RMI execution engine loads code only once but executes 2 times based on requests. In the client VM, separate client.TaskImpl classes are loaded, instantiated and sent to the Execution Engine Server VM for execution. Each client uses a different instance of the FileSystem class loader. At the server side, in findClass we call defineClass internally with byte[] and class name.
  9. RMI Execution Engine. Clients can supply any tasks that implement common.TaskIntf. The RMI execution engine loads code only once but executes 2 times based on requests. In the client VM, separate client.TaskImpl classes are loaded, instantiated and sent to the Execution Engine Server VM for execution.
  10. Whether bytecode was generated by compliant compiler,
  11. ClassNotFoundException: look for code where a class loader loadClass() call is involved. NoClassDefFoundError: check why the class is not available.
  12. javap – Java class file disassembler. By default it prints package, protected and public fields and methods.
  13. Class.forName() uses the class loader of the caller and initializes the class (executes static data). classLoader.loadClass() is used when we need to pass on the class loader as an argument. It just loads the class, and initialization is deferred until the class is used for the first time.
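The difference described in note 13, together with the "list parent class loaders recursively" step from the exceptions slide, as an added example (not code from the deck or its GitHub repository). The class names InitTimingDemo, ViaLoadClass, ViaForName and ViaForName3 and the EVENTS list are assumptions made for the demonstration.

```java
import java.util.ArrayList;
import java.util.List;

public class InitTimingDemo {

    /** Records static-initializer runs in order (constructed for this example). */
    static final List<String> EVENTS = new ArrayList<>();

    static class ViaLoadClass { static { EVENTS.add("ViaLoadClass initialized"); } }
    static class ViaForName   { static { EVENTS.add("ViaForName initialized"); } }
    static class ViaForName3  { static { EVENTS.add("ViaForName3 initialized"); } }

    /** Defining loader of c followed by its parents; the bootstrap loader is reported as "bootstrap". */
    static List<String> loaderChain(Class<?> c) {
        List<String> chain = new ArrayList<>();
        ClassLoader cl = c.getClassLoader();   // null means the bootstrap loader defined the class
        while (cl != null) {
            chain.add(cl.getClass().getName());
            cl = cl.getParent();
        }
        chain.add("bootstrap");
        return chain;
    }

    public static void main(String[] args) throws Exception {
        ClassLoader cl = InitTimingDemo.class.getClassLoader();
        String prefix = InitTimingDemo.class.getName() + "$";

        // loadClass() loads the class but does not run its static initializer.
        Class<?> loaded = cl.loadClass(prefix + "ViaLoadClass");
        System.out.println("after loadClass():              " + EVENTS);

        // One-argument forName() uses the caller's loader and initializes immediately.
        Class.forName(prefix + "ViaForName");
        System.out.println("after forName(name):            " + EVENTS);

        // Three-argument forName() with initialize=false behaves like loadClass() here.
        Class.forName(prefix + "ViaForName3", false, cl);
        System.out.println("after forName(name, false, cl): " + EVENTS);

        // First use (instance creation) finally triggers the deferred initializer.
        loaded.getDeclaredConstructor().newInstance();
        System.out.println("after first instantiation:      " + EVENTS);

        // Walking the parent chain shows which loaders could have supplied a class.
        System.out.println("loaders for this class: " + loaderChain(InitTimingDemo.class));
        System.out.println("loaders for String:     " + loaderChain(String.class));
    }
}
```

When code from an untrusted source is only being inspected, the non-initializing forms keep its static initializers from running as a side effect of loading.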