Virtually every Java class needs references to other classes to achieve something meaningful. The example below, despite not so meaningful, will suffice to show them in action:
|
1 2 3 |
public interface I { void m(); } |
|
1 2 3 |
public class A implements I { public void m() { System.out.println("A::m"); } } |
|
1 2 |
public class B extends A { } |
|
1 2 3 4 5 6 |
public class Main { public static void main(String[] args) { I i = new B(); i.m(); } } |
The javac compiler will take the Java source from these classes and turn it into four separate binary files called classfiles. Each of them includes the JVM executable instructions (bytecode), the data upon which they operate and linkage information that indicates references to external classes by their name. This type of references are commonly known as symbolic.
Once a reference is in the Constants Pool, it can be pointed-out multiple times by its position. See, for example, how the new bytecode instruction in the Main::main method uses a reference to class B:
- does class A, referenced from B, exist and is it reachable?
- is class A non-final so B can extend it?
- does B implement I so its new instance in Main::main is assignable to the local variable i?
- does I::m throw any checked exception that is not handled or declared to be thrown in Main::main?
- etc.
The first observation I want to make is that this is not about security. Classfiles can be generated by non-javac compilers, tampered with instrumentation tools or even entirely written by hand with an hexadecimal editor. No matter how they are generated, all of them can be passed to the JVM. The final judgement on whether a classfile is valid or not will -and must- take place at load time in the JVM.
If you are curious about classfile verification in the JVM, I’d suggest looking at the ClassVerifier::verify_class method. As an example, we can pick one of the type checks. Bytecode instructions are walked-through and for each one that pushes a value to the stack, its type is tracked in a shadow stack -such as here-. Note how statically-typed languages allow this information to be known at this point. When an instruction consumes from the stack, a type is retrieved from the shadow stack -such as here-. The obtained type must match the instruction expected one -such as this-. Actual values do not matter and are unknown until code is run: this is a symbolic pre-execution.
With all this introduction about references and classfile verification, let’s have some fun! We will mess with references and push verification to its limits.
JVM Class Relinker is a security testing tool to invalidate classfiles linkage checks between compilation and load times. In other words, to enable linking against a class during compilation but loading a different ‘version’ of the same class at run time. Under these circumstances, all javac previous checks become obsolete and JVM checks at load time turn essential.
To better illustrate, class A was not final at compile time in our study case but what if class A’(*) at load time is final?
|
1 2 3 |
public final class A' implements I { public void m() { System.out.println("A::m"); } } |
It is out of scope to discuss the implications that extending a final class would have, but believe me that nothing good from a security standpoint can come out of that. Quick spoiler, so Java devs sleep tonight:
|
1 2 3 4 5 6 |
Exception in thread "main" java.lang.IncompatibleClassChangeError: class B cannot inherit from final class A at java.base/java.lang.ClassLoader.defineClass1(Native Method) ... at Main.execute(Main.java:73) at Main$JVMClassRelinker.execute(Main.java:108) at Main.main(Main.java:82) |
What we need to try this tricky input on the JVM is four classfiles: I, A’, B and Main. As previously discussed, javac will refuse to compile these classes together because B extending A’ would break the rules. Let’s create two groups of classes for compilation purposes only: I, A, B, Main on the one group; and I, A’ on the other. No rule is broken within each group, and 6 classfiles are generated at the end -from which I’s classfiles are duplicate-. We finally pick I, A’, B and Main classfiles and pass them to the JVM for execution.
JVM Class Relinker takes this concept but adds some twists. All classes will be compiled at once -as part of the same compilation group- but:
- non-colliding names will be used for A (A representing the final class and AComp the non-final one); and
- B will extend class AComp.
|
1 2 3 |
public final class A implements I { public void m() { System.out.println("A::m"); } } |
|
1 2 3 |
public class AComp implements I { public void m() { System.out.println("AComp::m"); } } |
|
1 2 |
public class B extends AComp { } |
There won’t be compilation issues but this is not what we want: B is not extending the final class A. So here it comes the magic: class B will be re-written on-the-fly (at load time) with all references to AComp replaced by references to A. Let’s break down this idea into parts:
At load time…
…re-written…
When a reference replacement is needed, the JVM Class Relinker will fully re-write the class. A raw approach such as modifying the Constants Pool symbolic name would be possible, but the lack of APIs to parse this data and the consistency implications of a change (i.e.: modifying the length of a symbolic name may require sizes or offsets elsewhere to be adjusted) made me rule it out.
JVM Class Relinker uses ASM for class re-writing. This library is capable of going through every byte in a classfile (representing class metadata, methods, instructions, etc.) and let us decide how to write it down on a new classfile output. For those interested in software design patterns, this works as a typical Visitor pattern in which we extend a Reader (for callbacks) and call a Writer (for output). The Constants Pool for the re-written class is generated automatically by the library as needed.
This is how a super-class reference replacement looks like:
|
1 2 3 4 5 |
public void visit​(int version, int access, String name, String signature, String superName, String[] interfaces) { superName = replaceClass(superName, classReplacements); super.visit(version, access, name, signature, superName, interfaces); } |
This method will be called when reading class B. The superName parameter will contain the ‘AComp’ value. However, it will end-up passing ‘A’ to the Writer.
all references replaced.
- Classes subject to references replacements are those internal to class Main
- A special annotation type can be used to specify replacements on a class (syntax: original-class->replaced-class[,...,original-class-n->replaced-class-n])
- The method called for execution (with or without replacements) is Main::execute (write your testing code there)
- Invoke JVMClassRelinker.execute() for action (execution goes to Main::execute after replacements)
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 |
public final class Main { public interface I { void m(); } public static final class A implements I { public void m() { System.out.println("A::m"); } } public static class AComp implements I { public void m() { System.out.println("AComp::m"); } } @JVMClassRelinker.NewLinkage(replaceClass = "AComp->A") public static class B extends AComp { } public static void execute() { I i = new B(); i.m(); } public static void main(String[] args) throws Throwable { System.out.println("===== Without replacement ====="); execute(); System.out.println("======= With replacement ======"); JVMClassRelinker.execute(); } ... } |
Output:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
===== Without replacement ===== AComp::m ======= With replacement ====== Exception in thread "main" java.lang.IncompatibleClassChangeError: class Main$B cannot inherit from final class Main$A at java.base/java.lang.ClassLoader.defineClass1(Native Method) at java.base/java.lang.ClassLoader.defineClass(ClassLoader.java:1012) at java.base/java.lang.ClassLoader.defineClass(ClassLoader.java:874) at Main$JVMClassRelinker.findClass(Main.java:103) at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:587) at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:520) at Main.execute(Main.java:58) at Main$JVMClassRelinker.execute(Main.java:95) at Main.main(Main.java:67) |
Bonus track
|
1 2 3 4 5 6 7 8 |
public final class Main { ... public static void execute() { I i = new B(); i.m(); } ... } |
We said that Main::execute gets called with class reference replacements applied. What’s wrong with that?
The Main::execute method was compiled by javac and loaded into the JVM by the Application Class Loader. Thus, any reference there points to a non-replaced class after load time linking. In example, the class B in new B() is the one extending from AComp. How can the JVM Class Relinker invoke that method and expect its own replaced classes there? In reality, the JVM Class Relinker generates a shadow Main class with a copy of the Main::execute method. When loading the shadow Main, linkage will be against classes loaded by himself. This is for syntax convenience only, so we don’t need reflection or handle APIs to invoke methods or access fields.
If you find any security issue in OpenJDK, please report it according to this procedure.
Code is under a GPLv3 license.
Download JVM Class Relinker (v1.0)
(*) A’ is a conceptual name only: the actual class name is A and collides with the compile-time A. Thus, we have two ‘versions’ of A.