Student Thesis Project: Finding Vulnerabilities in Java 9

Image credit: Photo by Trent Erwin on Unsplash & Java Duke

With Java being one of the top three programming languages on GitHub in 2017 [1], it has been subject to several vulnerabilities and attacks undermining Java’s sophisticated security model [2]. Attackers have often found ways to access protected areas in Java that were meant to be isolated and inaccessible.

With the release of version 9, Java introduces the module system Jigsaw. A key feature of the module system is the encapsulation of module-internal types.
As a result, parts of a program can be declared internal and are thus isolated from the outside. Developers explicitly specify which packages of a module are exported and which are internal.


The question is:

To what extent can a module effectively encapsulate its internal classes?
What are vulnerabilities of Java 9 modules?


While the module system, in principle, prevents access to a module's internal classes, several means of interaction across module boundaries still exist. These interactions may result in module vulnerabilities. One example is a Denial of Service vulnerability of a module: if a module B passes a collection whose iterator always returns true from hasNext() into a module A, module A may crash or get stuck in an infinite loop.
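The hasNext() case above, shown from module A's side as an added example (not code from the thesis description). The class and method names are hypothetical, and both "modules" are collapsed into one file so it runs stand-alone; the naive consumer is shown beside one that enforces its own element budget.

```java
import java.util.AbstractCollection;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;

public class BoundedConsumerDemo {
    // Constructed stand-in for what "module B" passes in: the iterator never reports the end.
    static Collection<String> endlessCollection() {
        return new AbstractCollection<>() {
            @Override public Iterator<String> iterator() {
                return new Iterator<>() {
                    @Override public boolean hasNext() { return true; }
                    @Override public String next() { return "x"; }
                };
            }
            // size() is implemented by the caller as well, so it cannot serve as a bound.
            @Override public int size() { return 1; }
        };
    }

    // "Module A", naive: trusts hasNext() and never returns for the input above.
    static int countNaive(Collection<String> input) {
        int n = 0;
        for (String ignored : input) { n++; }
        return n;
    }

    // "Module A", hardened: applies its own limit instead of trusting size() or hasNext().
    static int countBounded(Collection<String> input, int maxElements) {
        int n = 0;
        Iterator<String> it = input.iterator();
        while (it.hasNext()) {
            if (n == maxElements) {
                throw new IllegalArgumentException("input exceeds " + maxElements + " elements");
            }
            it.next();
            n++;
        }
        return n;
    }

    public static void main(String[] args) {
        System.out.println("well-behaved input: " + countBounded(List.of("a", "b"), 1000));
        try {
            countBounded(endlessCollection(), 1000);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The module declaration plays no part here: the collection's class stays inside module B, but its behaviour crosses the boundary through the exported java.util.Collection interface.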

To enable the secure development of Java 9 applications, it is necessary to identify such vulnerabilities and ensure proper module isolation.

In this thesis, you will identify such vulnerabilities in the context of Java 9 modules, and implement small exploits illustrating them. A starting point is the examination of vulnerabilities in other module systems, e.g., OSGi [3].

You will find the thesis description on our website. Please contact me if you are interested in this topic for your Bachelor’s thesis.




  1. GitHub Octoverse Report 2017; https://octoverse.github.com/
  2. https://www.cvedetails.com/vulnerability-list/vendor_id-93/product_id-19117/Oracle-JRE.html
  3. Parrend, P., & Frénot, S. (2007). Java Components Vulnerabilities - An Experimental Classification Targeted at the OSGi Platform.
