SlideShare a Scribd company logo

Java Class Loader

B
Bhanu Gopularam

Java Class Loader Internals Example code: https://github.com/gopularam/developer/tree/master/Classloader

Technology
1 of 23
Java Class Loader & Security Bhanu Prakash Gopularam Senior Engineer Java Platform Group
Agenda • Introduction • Java Class Loader • Java Class Loading Phases • Custom Class loading • Class Loader Exceptions • Debugging Class loader Problems • Questions
Java Language Java Platform and Programming language introduced in 1995 • Java Language – General purpose object oriented programming language – Automatic storage management – GC – Platform independent code, security and network mobility • Few Java Language Security features – Built in Security Architecture – Configurable policies and domains – Applet Sand box: Allows securely download and run untrusted Java programs over the network
Java Class Loader - Introduction ClassLoader “Reads byte code into JVM” A class is defined by its <class name, defining class loader> Goals of Class Loader: • Make first line of defense • Guard system packages from fake classes and spoofing attacks • Resolve symbolic references from one class to another
Java Class loading phases Verification Process: 1.Structural check 2.Semantic check 3.Byte code verification 4.Symbolic references check
Java Class Loaders 1. Bootstrap or Primordial Class Loader • rt.jar • -XbootClassPath – use judiciously • System property sun.boot.class.path 1. Extension Class Loader • Installed optional packages, lib/ext (in JRE) or jre/lib/ext (in JDK) • $JRE_HOME/lib/ext • System property java.ext.dirs 1. Application Class Loader • Application classpath $CLASSPATH or -cp variable • System property java.class.path • Misleadingly it is also called as System Classloader • Can be changed using property -Djava.system.class.loader
4. SecureClassLoader – Adds support for code security model in JDK 1.2 • Adds defineClass(String name, CodeSource) • Adds getPermissions(CodeSource) 4. URLClassLoader – Loads classes from specified url path (dir or jar file) – Extends from SecureClassLoader • Supports loading classes from URL code sources 5. Context Class Loader – Context class loader is provided by creator of thread – If Security Manager is present, checkPermission() is invoked with getClassLoader() call Java Class Loaders – contd..
Java Class loader Delegation
Why to write own class loader ? 1. Alternative delegation model - Java EE web modules  Checks local repositories first, common folder in Tomcat. However loading of system classes remain unchanged  By instantiating class loader again, a class can be reloaded 1. Hot Deployment  Support upgrade 1. Class loader and Security  Add extra code after findClass() and before defineClass(), compression, encryption techniques 1. Modifying the class files  Add extra debugging logic Example: BCEL (Byte code engineering library) and ASM tools
Example (1): Jars in same classpath v1/version.java v2/version.java Test.java
Example (2): RMI Execution Engine Server taskIntf.execute() Client-2 Client-1 serverIntf.execute(taskIntf) RMI Registry 1. Register 2. Lookup 3. Return server stub 4. Data Comm. common.ServerInterface execute(TaskInterface) common.ServerInterface execute(TaskInterface) Server.ServerImpl execute(TaskInterface) Server.ServerImpl execute(TaskInterface)
Example (3): RMI Execution Engine Server fileSystemClassLoader.execute(codeNa me, code) Client-2 Client-1 serverIntf.execute(codeName, byte[]) RMI Registry 1. Register 2. Lookup 3. Return server stub 4. Data Comm. common.ServerInterface execute(CodeName, byte[]) common.ServerInterface execute(CodeName, byte[]) Server.ServerImpl execute(CodeName, byte[]) Server.ServerImpl execute(CodeName, byte[]) common.FileSystemClassLoader ClassLoader
Class Loader Security • Classes are separated using namespaces • Built-in checks for identifying malicious classes • Encloses class into ProtectionDomain • Verification of code for valid signature • Class File Verifier does various checks for integrity
ClassLoader Exceptions 1. ClassNotFoundException – ClassLoader.findSystemClass(), loadClass() fails – Wrong classloader is used or Dir is not added  Figure out what class loader and parent class loader and see why class cannot be loaded 1. NoClassDefFoundError – Indicates linkage problem, Symbolic reference cannot be found. – Folder or source of class is not made available to parent class loader – Check the stacktrace to find the class name  Figure out class loader and missing symbolic link  List parent class loaders recursively
3. ClassCastException – Casting an object to an unrelated class  Check for type and classloader used 4. UnSatisfiedLinkError – System.loadLibrary(“solaris.image_converter”), loading JNI code  JVM is unable to find proper native library of class, check references 5. ClassCircularityError – Thrown when some class is a indirect superclass of itself, an Interface extends itself or similar, mainly when diff versions of same library is loaded  Check for double class names in classpath ClassLoader Exceptions – Contd.
Debugging Class Loading Problems 1. Use java –verbose class HelloWord 2. Use javap –private HelloWord 3. Linux check class file – find *.jar –exec jar –tf ‘{}’ ; | grep HelloWorld 1. Use BCEL or ASM libraries, ByteCode visualizer for Eclipse
Questions - 1 • Difference between Class.forName() vs classLoader.loadClass()
Questions - 2 • In Java, what is the need for main method? public static void main(String args[])
Questions - 3 • Guess first 4 bytes of a class file! Byte code generated by compiler need to have standard data at beginning of the file
Resources 1. The Java Language Specification, Java SE 8 Edition, https://docs.oracle.com/javase/specs/jls/se8/jls8.pdf 2. The Java Virtual Machine Specification, Java SE 8 Edition, https://docs.oracle.com/javase/specs/jvms/se8/jvms8.pdf 3. Demystifying Java Platform Security Architecture, Ramesh Nagappan 4. Internals of Java Class Loading, Binildas Christudas, O'Reilly, OnJava.com 5. Core Security Patterns: Best Practices and Strategies for J2EE, Web Services and Identity Management, Sun MicroSystems, Prentice Hall 6. Java and JVM security vulnerabilities and their exploitation techniques 7. http://www.blackhat.com/presentations/bh-asia-02/LSD/bh-asia-02-lsd.pdf 8. GitHub URL - https://github.com/gopularam/developer/tree/master/Classloader 9. Slideshare URL - http://www.slideshare.net/bhanugopularam/java-class-loader- 49366166
Thank You. Q/A

Recommended

Diving into Java Class Loader
Diving into Java Class LoaderDiving into Java Class Loader
Diving into Java Class LoaderMd Imran Hasan Hira
 
Spring boot introduction
Spring boot introductionSpring boot introduction
Spring boot introductionRasheed Waraich
 
Java Class Loading
Java Class LoadingJava Class Loading
Java Class LoadingSandeep Verma
 
Spring Core
Spring CoreSpring Core
Spring CorePushan Bhattacharya
 
Spring Boot
Spring BootSpring Boot
Spring BootJiayun Zhou
 
Spring annotation
Spring annotationSpring annotation
Spring annotationRajiv Srivastava
 
JVM++: The Graal VM
JVM++: The Graal VMJVM++: The Graal VM
JVM++: The Graal VMMartin Toshev
 
Xke spring boot
Xke spring bootXke spring boot
Xke spring bootsourabh aggarwal
 

Recommended

Diving into Java Class Loader
Diving into Java Class LoaderDiving into Java Class Loader
Diving into Java Class LoaderMd Imran Hasan Hira
 
Spring boot introduction
Spring boot introductionSpring boot introduction
Spring boot introductionRasheed Waraich
 
Java Class Loading
Java Class LoadingJava Class Loading
Java Class LoadingSandeep Verma
 
Spring Core
Spring CoreSpring Core
Spring CorePushan Bhattacharya
 
Spring Boot
Spring BootSpring Boot
Spring BootJiayun Zhou
 
Spring annotation
Spring annotationSpring annotation
Spring annotationRajiv Srivastava
 
JVM++: The Graal VM
JVM++: The Graal VMJVM++: The Graal VM
JVM++: The Graal VMMartin Toshev
 
Xke spring boot
Xke spring bootXke spring boot
Xke spring bootsourabh aggarwal
 
Java Spring framework, Dependency Injection, DI, IoC, Inversion of Control
Java Spring framework, Dependency Injection, DI, IoC, Inversion of ControlJava Spring framework, Dependency Injection, DI, IoC, Inversion of Control
Java Spring framework, Dependency Injection, DI, IoC, Inversion of ControlArjun Thakur
 
Spring boot - an introduction
Spring boot - an introductionSpring boot - an introduction
Spring boot - an introductionJonathan Holloway
 
PUC SE Day 2019 - SpringBoot
PUC SE Day 2019 - SpringBootPUC SE Day 2019 - SpringBoot
PUC SE Day 2019 - SpringBootJosué Neis
 
Java EE Introduction
Java EE IntroductionJava EE Introduction
Java EE Introductionejlp12
 
Introduction to Spring Boot
Introduction to Spring BootIntroduction to Spring Boot
Introduction to Spring BootPurbarun Chakrabarti
 
Spring boot
Spring bootSpring boot
Spring bootGyanendra Yadav
 
Spring Boot
Spring BootSpring Boot
Spring BootJaydeep Kale
 
Broadleaf Presents Thymeleaf
Broadleaf Presents ThymeleafBroadleaf Presents Thymeleaf
Broadleaf Presents ThymeleafBroadleaf Commerce
 
Spring boot Introduction
Spring boot IntroductionSpring boot Introduction
Spring boot IntroductionJeevesh Pandey
 
JPA and Hibernate
JPA and HibernateJPA and Hibernate
JPA and Hibernateelliando dias
 
Core java
Core javaCore java
Core javaShivaraj R
 
An Introduction to JUnit 5 and how to use it with Spring boot tests and Mockito
An Introduction to JUnit 5 and how to use it with Spring boot tests and MockitoAn Introduction to JUnit 5 and how to use it with Spring boot tests and Mockito
An Introduction to JUnit 5 and how to use it with Spring boot tests and Mockitoshaunthomas999
 
Spring boot
Spring bootSpring boot
Spring bootPradeep Shanmugam
 
Spring framework core
Spring framework coreSpring framework core
Spring framework coreTaemon Piya-Lumyong
 
Java Tutorial | Java Programming Tutorial | Java Basics | Java Training | Edu...
Java Tutorial | Java Programming Tutorial | Java Basics | Java Training | Edu...Java Tutorial | Java Programming Tutorial | Java Basics | Java Training | Edu...
Java Tutorial | Java Programming Tutorial | Java Basics | Java Training | Edu...Edureka!
 
Hibernate Presentation
Hibernate PresentationHibernate Presentation
Hibernate Presentationguest11106b
 
Java Persistence API (JPA) Step By Step
Java Persistence API (JPA) Step By StepJava Persistence API (JPA) Step By Step
Java Persistence API (JPA) Step By StepGuo Albert
 
Spring MVC Framework
Spring MVC FrameworkSpring MVC Framework
Spring MVC FrameworkHùng Nguyễn Huy
 
Spring Framework - AOP
Spring Framework - AOPSpring Framework - AOP
Spring Framework - AOPDzmitry Naskou
 
Spring framework Introduction
Spring framework IntroductionSpring framework Introduction
Spring framework IntroductionAnuj Singh Rajput
 
Let's talk about java class loader
Let's talk about java class loaderLet's talk about java class loader
Let's talk about java class loaderYongqiang Li
 
Chapter three Java_security.ppt
Chapter three Java_security.pptChapter three Java_security.ppt
Chapter three Java_security.pptHaymanotTadese
 

More Related Content

What's hot

Java Spring framework, Dependency Injection, DI, IoC, Inversion of Control
Java Spring framework, Dependency Injection, DI, IoC, Inversion of ControlJava Spring framework, Dependency Injection, DI, IoC, Inversion of Control
Java Spring framework, Dependency Injection, DI, IoC, Inversion of ControlArjun Thakur
 
Spring boot - an introduction
Spring boot - an introductionSpring boot - an introduction
Spring boot - an introductionJonathan Holloway
 
PUC SE Day 2019 - SpringBoot
PUC SE Day 2019 - SpringBootPUC SE Day 2019 - SpringBoot
PUC SE Day 2019 - SpringBootJosué Neis
 
Java EE Introduction
Java EE IntroductionJava EE Introduction
Java EE Introductionejlp12
 
Spring boot Introduction
Spring boot IntroductionSpring boot Introduction
Spring boot IntroductionJeevesh Pandey
 
An Introduction to JUnit 5 and how to use it with Spring boot tests and Mockito
An Introduction to JUnit 5 and how to use it with Spring boot tests and MockitoAn Introduction to JUnit 5 and how to use it with Spring boot tests and Mockito
An Introduction to JUnit 5 and how to use it with Spring boot tests and Mockitoshaunthomas999
 
Java Tutorial | Java Programming Tutorial | Java Basics | Java Training | Edu...
Java Tutorial | Java Programming Tutorial | Java Basics | Java Training | Edu...Java Tutorial | Java Programming Tutorial | Java Basics | Java Training | Edu...
Java Tutorial | Java Programming Tutorial | Java Basics | Java Training | Edu...Edureka!
 
Hibernate Presentation
Hibernate PresentationHibernate Presentation
Hibernate Presentationguest11106b
 
Java Persistence API (JPA) Step By Step
Java Persistence API (JPA) Step By StepJava Persistence API (JPA) Step By Step
Java Persistence API (JPA) Step By StepGuo Albert
 
Spring Framework - AOP
Spring Framework - AOPSpring Framework - AOP
Spring Framework - AOPDzmitry Naskou
 
Spring framework Introduction
Spring framework IntroductionSpring framework Introduction
Spring framework IntroductionAnuj Singh Rajput
 

What's hot (20)

Java Spring framework, Dependency Injection, DI, IoC, Inversion of Control
Java Spring framework, Dependency Injection, DI, IoC, Inversion of ControlJava Spring framework, Dependency Injection, DI, IoC, Inversion of Control
Java Spring framework, Dependency Injection, DI, IoC, Inversion of Control
 
Spring boot - an introduction
Spring boot - an introductionSpring boot - an introduction
Spring boot - an introduction
 
PUC SE Day 2019 - SpringBoot
PUC SE Day 2019 - SpringBootPUC SE Day 2019 - SpringBoot
PUC SE Day 2019 - SpringBoot
 
Java EE Introduction
Java EE IntroductionJava EE Introduction
Java EE Introduction
 
Introduction to Spring Boot
Introduction to Spring BootIntroduction to Spring Boot
Introduction to Spring Boot
 
Spring boot
Spring bootSpring boot
Spring boot
 
Spring Boot
Spring BootSpring Boot
Spring Boot
 
Broadleaf Presents Thymeleaf
Broadleaf Presents ThymeleafBroadleaf Presents Thymeleaf
Broadleaf Presents Thymeleaf
 
Spring boot Introduction
Spring boot IntroductionSpring boot Introduction
Spring boot Introduction
 
JPA and Hibernate
JPA and HibernateJPA and Hibernate
JPA and Hibernate
 
Core java
Core javaCore java
Core java
 
An Introduction to JUnit 5 and how to use it with Spring boot tests and Mockito
An Introduction to JUnit 5 and how to use it with Spring boot tests and MockitoAn Introduction to JUnit 5 and how to use it with Spring boot tests and Mockito
An Introduction to JUnit 5 and how to use it with Spring boot tests and Mockito
 
Spring boot
Spring bootSpring boot
Spring boot
 
Spring framework core
Spring framework coreSpring framework core
Spring framework core
 
Java Tutorial | Java Programming Tutorial | Java Basics | Java Training | Edu...
Java Tutorial | Java Programming Tutorial | Java Basics | Java Training | Edu...Java Tutorial | Java Programming Tutorial | Java Basics | Java Training | Edu...
Java Tutorial | Java Programming Tutorial | Java Basics | Java Training | Edu...
 
Hibernate Presentation
Hibernate PresentationHibernate Presentation
Hibernate Presentation
 
Java Persistence API (JPA) Step By Step
Java Persistence API (JPA) Step By StepJava Persistence API (JPA) Step By Step
Java Persistence API (JPA) Step By Step
 
Spring MVC Framework
Spring MVC FrameworkSpring MVC Framework
Spring MVC Framework
 
Spring Framework - AOP
Spring Framework - AOPSpring Framework - AOP
Spring Framework - AOP
 
Spring framework Introduction
Spring framework IntroductionSpring framework Introduction
Spring framework Introduction
 

Similar to Java Class Loader

Let's talk about java class loader
Let's talk about java class loaderLet's talk about java class loader
Let's talk about java class loaderYongqiang Li
 
Chapter three Java_security.ppt
Chapter three Java_security.pptChapter three Java_security.ppt
Chapter three Java_security.pptHaymanotTadese
 
Learn Java with Dr. Rifat Shahriyar
Learn Java with Dr. Rifat ShahriyarLearn Java with Dr. Rifat Shahriyar
Learn Java with Dr. Rifat ShahriyarAbir Mohammad
 
Understanding ClassLoaders
Understanding ClassLoadersUnderstanding ClassLoaders
Understanding ClassLoadersMartin Skurla
 
chap 10 : Development (scjp/ocjp)
chap 10 : Development (scjp/ocjp)chap 10 : Development (scjp/ocjp)
chap 10 : Development (scjp/ocjp)It Academy
 
Unit8 security (2) java
Unit8 security (2) javaUnit8 security (2) java
Unit8 security (2) javaSharafat Husen
 
Use of Java™ Technology-Based Class Loaders to Design and Implement a Java P...
Use of Java™ Technology-Based Class Loaders to Design and Implement a Java P...Use of Java™ Technology-Based Class Loaders to Design and Implement a Java P...
Use of Java™ Technology-Based Class Loaders to Design and Implement a Java P...gustavoeliano
 
Java Interview Questions Answers Guide
Java Interview Questions Answers GuideJava Interview Questions Answers Guide
Java Interview Questions Answers GuideDaisyWatson5
 
Introduction to Java Programming
Introduction to Java Programming Introduction to Java Programming
Introduction to Java Programming Saravanakumar R
 
Class loader basic
Class loader basicClass loader basic
Class loader basic명철 강
 
Writing Plugged-in Java EE Apps: Jason Lee
Writing Plugged-in Java EE Apps: Jason LeeWriting Plugged-in Java EE Apps: Jason Lee
Writing Plugged-in Java EE Apps: Jason Leejaxconf
 
How to run java program without IDE
How to run java program without IDEHow to run java program without IDE
How to run java program without IDEShweta Oza
 
Jakarta EE Test Strategies (2022)
Jakarta EE Test Strategies (2022)Jakarta EE Test Strategies (2022)
Jakarta EE Test Strategies (2022)Ryan Cuprak
 

Similar to Java Class Loader (20)

Let's talk about java class loader
Let's talk about java class loaderLet's talk about java class loader
Let's talk about java class loader
 
Chapter three Java_security.ppt
Chapter three Java_security.pptChapter three Java_security.ppt
Chapter three Java_security.ppt
 
Class loaders
Class loadersClass loaders
Class loaders
 
Learn Java with Dr. Rifat Shahriyar
Learn Java with Dr. Rifat ShahriyarLearn Java with Dr. Rifat Shahriyar
Learn Java with Dr. Rifat Shahriyar
 
Understanding ClassLoaders
Understanding ClassLoadersUnderstanding ClassLoaders
Understanding ClassLoaders
 
chap 10 : Development (scjp/ocjp)
chap 10 : Development (scjp/ocjp)chap 10 : Development (scjp/ocjp)
chap 10 : Development (scjp/ocjp)
 
Unit8 security (2) java
Unit8 security (2) javaUnit8 security (2) java
Unit8 security (2) java
 
Use of Java™ Technology-Based Class Loaders to Design and Implement a Java P...
Use of Java™ Technology-Based Class Loaders to Design and Implement a Java P...Use of Java™ Technology-Based Class Loaders to Design and Implement a Java P...
Use of Java™ Technology-Based Class Loaders to Design and Implement a Java P...
 
Java Interview Questions Answers Guide
Java Interview Questions Answers GuideJava Interview Questions Answers Guide
Java Interview Questions Answers Guide
 
Java Classloaders
Java ClassloadersJava Classloaders
Java Classloaders
 
02 cldc
02 cldc02 cldc
02 cldc
 
Introduction to Java Programming
Introduction to Java Programming Introduction to Java Programming
Introduction to Java Programming
 
Class loader basic
Class loader basicClass loader basic
Class loader basic
 
9 cm604.26
9 cm604.269 cm604.26
9 cm604.26
 
Writing Plugged-in Java EE Apps: Jason Lee
Writing Plugged-in Java EE Apps: Jason LeeWriting Plugged-in Java EE Apps: Jason Lee
Writing Plugged-in Java EE Apps: Jason Lee
 
oop unit1.pptx
oop unit1.pptxoop unit1.pptx
oop unit1.pptx
 
Java and the JVM
Java and the JVMJava and the JVM
Java and the JVM
 
How to run java program without IDE
How to run java program without IDEHow to run java program without IDE
How to run java program without IDE
 
Jakarta EE Test Strategies (2022)
Jakarta EE Test Strategies (2022)Jakarta EE Test Strategies (2022)
Jakarta EE Test Strategies (2022)
 
CS8392 OOP
CS8392 OOPCS8392 OOP
CS8392 OOP
 

Recently uploaded

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 

Recently uploaded (20)

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 

Java Class Loader

  • 1. Java Class Loader & Security Bhanu Prakash Gopularam Senior Engineer Java Platform Group
  • 2. Agenda • Introduction • Java Class Loader • Java Class Loading Phases • Custom Class loading • Class Loader Exceptions • Debugging Class loader Problems • Questions
  • 3. Java Language Java Platform and Programming language introduced in 1995 • Java Language – General purpose object oriented programming language – Automatic storage management – GC – Platform independent code, security and network mobility • Few Java Language Security features – Built in Security Architecture – Configurable policies and domains – Applet Sand box: Allows securely download and run untrusted Java programs over the network
  • 4. Java Class Loader - Introduction ClassLoader “Reads byte code into JVM” A class is defined by its <class name, defining class loader> Goals of Class Loader: • Make first line of defense • Guard system packages from fake classes and spoofing attacks • Resolve symbolic references from one class to another
  • 5. Java Class loading phases Verification Process: 1.Structural check 2.Semantic check 3.Byte code verification 4.Symbolic references check
  • 6.
  • 7.
  • 8. Java Class Loaders 1. Bootstrap or Primordial Class Loader • rt.jar • -XbootClassPath – use judiciously • System property sun.boot.class.path 1. Extension Class Loader • Installed optional packages, lib/ext (in JRE) or jre/lib/ext (in JDK) • $JRE_HOME/lib/ext • System property java.ext.dirs 1. Application Class Loader • Application classpath $CLASSPATH or -cp variable • System property java.class.path • Misleadingly it is also called as System Classloader • Can be changed using property -Djava.system.class.loader
  • 9. 4. SecureClassLoader – Adds support for code security model in JDK 1.2 • Adds defineClass(String name, CodeSource) • Adds getPermissions(CodeSource) 4. URLClassLoader – Loads classes from specified url path (dir or jar file) – Extends from SecureClassLoader • Supports loading classes from URL code sources 5. Context Class Loader – Context class loader is provided by creator of thread – If Security Manager is present, checkPermission() is invoked with getClassLoader() call Java Class Loaders – contd..
  • 10. Java Class loader Delegation
  • 11. Why to write own class loader ? 1. Alternative delegation model - Java EE web modules  Checks local repositories first, common folder in Tomcat. However loading of system classes remain unchanged  By instantiating class loader again, a class can be reloaded 1. Hot Deployment  Support upgrade 1. Class loader and Security  Add extra code after findClass() and before defineClass(), compression, encryption techniques 1. Modifying the class files  Add extra debugging logic Example: BCEL (Byte code engineering library) and ASM tools
  • 12. Example (1): Jars in same classpath v1/version.java v2/version.java Test.java
  • 13. Example (2): RMI Execution Engine Server taskIntf.execute() Client-2 Client-1 serverIntf.execute(taskIntf) RMI Registry 1. Register 2. Lookup 3. Return server stub 4. Data Comm. common.ServerInterface execute(TaskInterface) common.ServerInterface execute(TaskInterface) Server.ServerImpl execute(TaskInterface) Server.ServerImpl execute(TaskInterface)
  • 14. Example (3): RMI Execution Engine Server fileSystemClassLoader.execute(codeNa me, code) Client-2 Client-1 serverIntf.execute(codeName, byte[]) RMI Registry 1. Register 2. Lookup 3. Return server stub 4. Data Comm. common.ServerInterface execute(CodeName, byte[]) common.ServerInterface execute(CodeName, byte[]) Server.ServerImpl execute(CodeName, byte[]) Server.ServerImpl execute(CodeName, byte[]) common.FileSystemClassLoader ClassLoader
  • 15. Class Loader Security • Classes are separated using namespaces • Built-in checks for identifying malicious classes • Encloses class into ProtectionDomain • Verification of code for valid signature • Class File Verifier does various checks for integrity
  • 16. ClassLoader Exceptions 1. ClassNotFoundException – ClassLoader.findSystemClass(), loadClass() fails – Wrong classloader is used or Dir is not added  Figure out what class loader and parent class loader and see why class cannot be loaded 1. NoClassDefFoundError – Indicates linkage problem, Symbolic reference cannot be found. – Folder or source of class is not made available to parent class loader – Check the stacktrace to find the class name  Figure out class loader and missing symbolic link  List parent class loaders recursively
  • 17. 3. ClassCastException – Casting an object to an unrelated class  Check for type and classloader used 4. UnSatisfiedLinkError – System.loadLibrary(“solaris.image_converter”), loading JNI code  JVM is unable to find proper native library of class, check references 5. ClassCircularityError – Thrown when some class is a indirect superclass of itself, an Interface extends itself or similar, mainly when diff versions of same library is loaded  Check for double class names in classpath ClassLoader Exceptions – Contd.
  • 18. Debugging Class Loading Problems 1. Use java –verbose class HelloWord 2. Use javap –private HelloWord 3. Linux check class file – find *.jar –exec jar –tf ‘{}’ ; | grep HelloWorld 1. Use BCEL or ASM libraries, ByteCode visualizer for Eclipse
  • 19. Questions - 1 • Difference between Class.forName() vs classLoader.loadClass()
  • 20. Questions - 2 • In Java, what is the need for main method? public static void main(String args[])
  • 21. Questions - 3 • Guess first 4 bytes of a class file! Byte code generated by compiler need to have standard data at beginning of the file
  • 22. Resources 1. The Java Language Specification, Java SE 8 Edition, https://docs.oracle.com/javase/specs/jls/se8/jls8.pdf 2. The Java Virtual Machine Specification, Java SE 8 Edition, https://docs.oracle.com/javase/specs/jvms/se8/jvms8.pdf 3. Demystifying Java Platform Security Architecture, Ramesh Nagappan 4. Internals of Java Class Loading, Binildas Christudas, O'Reilly, OnJava.com 5. Core Security Patterns: Best Practices and Strategies for J2EE, Web Services and Identity Management, Sun MicroSystems, Prentice Hall 6. Java and JVM security vulnerabilities and their exploitation techniques 7. http://www.blackhat.com/presentations/bh-asia-02/LSD/bh-asia-02-lsd.pdf 8. GitHub URL - https://github.com/gopularam/developer/tree/master/Classloader 9. Slideshare URL - http://www.slideshare.net/bhanugopularam/java-class-loader- 49366166

Editor's Notes

  1. General purpose object oriented programming language (architectural neutral interpreted and executable byte code) JVM – abstract computing engine, it insulates JVM from underlying differences Rules-based class loading and verification of byte code. Applet Sandbox
  2. Responsible for locating byte code of particular class and and then transform to usable class by runtime system To enforce security it coordinates with SecurityManager and AccessController Protect java classes from spoofing attacks ClassLoader recursively delegates class loading to its parent loader. Can be changed by custom class loaders Developers have two well-known reasons for building customClassLoaders: 1. providing support for a new class repository and 2. partitioning user code in a server
  3. Java byte code verifier: Pass-1 – Structural check, starting bytes in class file, major minor version checks etc Pass -2 – Semantic Check – method descriptors, context-free grammar, adherence to java specification Pass-3 – byte code verification, improper gotos, opcodes vs operands, method arguments, local variable initialization, etc Pass-4 – verification of symbolic references, loading referenced types, dynamic linking, binary compatibility check It is based on data flow analysis. It does by modeling each bytecode instruction and simulates each execution path that can possibly occur Check number of registers, stack height, types of values in register. Class donot forge pointers Class file format is OK Code donot violate access privileges Class definition is correct --------- Security. Your ClassLoader could examine classes before they are handed off to the JVM to see if they have a proper digital signature. You can also create a kind of &amp;quot;sandbox&amp;quot; that disallows certain kinds of method calls by examining the source code and rejecting classes that try to do things outside the sandbox. Encryption. It&amp;apos;s possible to create a ClassLoader that decrypts on the fly, so that your class files on disk are not readable by someone with a decompiler. The user must supply a password to run the program, and the password is used to decrypt the code. * Archiving. Want to distribute your code in a special format or with special compression? Your ClassLoader can pull raw class file bytes from any source it wants. Self-extracting programs. It&amp;apos;s possible to compile an entire Java application into a single executable class file that contains compressed and/or encrypted class file data, along with an integral ClassLoader; when the program is run, it unpacks itself entirely in memory -- no need to install first. * Dynamic generation. They sky&amp;apos;s the limit here. You can generate classes that refer to other classes that haven&amp;apos;t been generated yet -- create entire classes on the fly and bring them into the JVM without missing a beat.
  4. If class is already loaded then return it else call findClass()
  5. Primordial class loader: java applications have capability of loading bootstrap, system and app classed To protect from malicious attacks it uses java.security.SecureClassLoader Load class Finding a class using delegation Defining the class Link class Happens before class initialization or before reflection API calls Byte code verifier – bytecode is typesafe, execution paths Checks like Verification (Semantics, type checking), Preparation (allocate JVM internal objects ) Initialize class Happens once on “first use” Before class first instance creation, Runs static code Before access to static fields or methods Class loading phases Load class – finding the class using delegation Link class – Runs Bytecode verifier, allocates JVM internal objects Initialize class – Happens once on “first use”
  6. A domain conceptually encloses a set of classes whose instances are granted the same set of permissions.  CodeSource - each piece of code has two identity-defining characteristics: origin and signature. These two characteristics are represented in the class java.security.CodeSource the context class loader was invented to give framework code a mechanism to find the &amp;quot;correct&amp;quot; class loader to load application classes. In the case of the web application, the server typically applies the web application class loader as the context class loader. AppletClassLoader SecureClassLoader RMIClasssLoader
  7. Delegation works in bottom-up manner Visbility - Classes loaded by top level classloader are visible to class loaders beneath it and not vice versa.
  8. RMI Execution Engine Clients can supply any tasks that implement common.TaskIntf RMI execution engine loads code only once but executes 2 times based on requests In client VM, separate client.TaskImpl classes are loaded, instantiated and sent to Execution Engine Server VM for execution Each client uses different instances of FileSystem classloader. At server side, in findClass we call defineClass internally with byte[] and class name.
  9. RMI Execution Engine Clients can supply any tasks that implement common.TaskIntf RMI execution engine loads code only once but executes 2 times based on requests In client VM, separate client.TaskImpl classes are loaded, instantiated and sent to Execution Engine Server VM for execution
  10. Whether bytecode was generated by compliant compiler,
  11. ClassNotFoundException Look for code where classloader loadClass() call is involved NoClassDefFoundException Check why class is not available
  12. Javap – java class file disassembler By default it prints package, protected and public fields and methods
  13. Class.forName() uses classloader of the callers’ classloader, it initializes the class (executes static data) classLoader.loadClass() – is used when we need to pass on classloader name as argument. It just loads class and initialization is deferred till class is used for first time