Google is developing a set of extensions for Java that should aid in better securing Java programs against buffer overflow attacks.
Last Friday, Google announced that it open sourced a project that its engineers were working on to add a new functionality into Java called Contracts, or Design-By-Contract (DBC). Google's implementation, called Contracts For Java, or Cofoja for short, is based off of Modern Jass, a set of Java annotations developed by Johannes Rieken.
Primarily touted as a technique to ease programming, Contracts could also provide an easy way for developers to guard against buffer overflow attacks, the researchers said.
One of the oldest techniques in the attacker's virtual arsenal, buffer overflows remain a problem. In December, Microsoft identified 2.6 million possible attacks that could be waged using a stack-based buffer overflow in the JRE (Java Runtime Engine).
In a nutshell, Contracts requires that each time a method is called in a running program, any values passed to the method must meet a set of predefined criteria. Likewise, each time a method returns a value, it must also meet a set of criteria. "DBC should be understood as a contract between components of a software," said Rieken.
The researchers borrowed the idea from another language, Eiffel, where the concept is known as Design-By-Contract (DBC). Eiffel advocates claim DBC makes that language more secure than most.
In their blog post announcing the release, the Google developers touted Contracts as a way to ease Java programming, as it helps pinpoint bugs in a complex body of malfunctioning code. But Contracts can also help make Java code more secure, said Andreas Leitner, a testing software engineer at Google and member of the Cofoja team.
"By annotating your code with contracts you are much more likely to reveal bugs in earlier phases of development," Leitner said. It could be particularly helpful in finding bugs that don't crash a program but nonetheless put them into "funny states," Leitner said. Such states could possibly "be exploited by attackers to gain ownership of data or machines," he said.
Even without DBC, Java already has a number of advantages over many other languages in terms of security, because it runs in a sandbox and requires programmers to define the data types of variables before they are used. However, DBC could provide additional security by preventing buffer overflow-styled attacks, where a program could be crashed or otherwise manipulated by the injection of a larger-than-expected input value.
A contract "can ensure that an input doesn't exceed a certain length," Rieken said. It could also ensure that invariant values remain the same when they are called. "Such checks [are] for situations where the programmer usually says 'it wasn't meant to be used like that,'" he said.
The Google developers behind Cofoja are working on the project during the 20 percent of work time that Google allows its employees to pursue individual projects.