Oracle java pdf download

Practice questions help prepare students for not only the concepts, but also the manner in which questions and answer options are presented during the real exam. The focus of the website is to provide accurate, updated, and clear material to help you study and pass.

Users can quickly get to the questions and answer database, which is free of ads or distracting information. The site is mobile friendly to allow testers the ability to study anywhere, as long as you have internet connection or a data plan on your mobile device. We understand the value of your time and money, which is why every question and answer on certification-questions. They are highly qualified individuals, who have many years of professional experience related to the subject of the exam.

The site compiles real exam questions from recent tests to bring you the best method of preparing for the AHIP exam. The test questions database is continuously updated in order to deliver the most accurate resource, free of charge. However, premium access for the AHIP exam offers additional benefits that may be preferable in your studies.

Oracle Java and Middleware certification helps win better job prospects in the industry and even makes you comparatively superior to other candidates. Besides, you might even grab higher salaries to those who are not certified. So, what are you waiting for? Make up your mind for an Oracle certification and move further in your career. The resources available in this language are very vast and of high quality.

Just prepare by giving your best, and the results will follow. Java SE 8 Certification is the key to success of your professional career.

Candidates armed with Oracle certification go a long way in their career and stand out in the average crowd. Here is a comprehensive guideline that will help you score better in the 1Z exam.

These exam topics prove to be very helpful in the preparation. They act as the blueprint for the exam. Some rules in this standard include enumerated exceptions with discussion of the condi- tions under which each exception applies.

When developers invoke an enumerated exception as a reason for deviating from a rule, they must document the relevant exception in the code at or near the point of deviation.

The authors are currently developing a set of Java annotations that will permit pro- grammers to indicate such exceptions in a form that is both human-readable and accessible to static analysis tools. For conformance testing purposes, determination of whether an exception applies in any particular case is made by the SCALe analyst. Third-Party Libraries Static analysis tools, such as FindBugs that analyze Java bytecode, can frequently discover violations of this secure coding standard in third-party libraries in addition to custom code.

Violations of secure coding rules in third-party libraries are treated in the same manner as if they appeared in custom code. Unfortunately, developers are not always in a position to modify third-party library code or perhaps even to convince the vendor to modify the code. The deviation procedure for third-party library code is the same as for custom code—that is, the developer must show that the violation does not cause a vulnerability.

However, the costs may be different. For custom code, it may be more economical to repair the problem, whereas for third-party libraries, it might be easier to document a deviation. Conformance Testing Process For each secure coding standard, the source code is found to be provably nonconforming, conforming, or provably conforming against each rule in the standard.

The code is provably nonconforming if one or more viola- tions of a rule are discovered for which no deviation has been allowed. This may be the result of a design or architecture feature of the software or because the particular violation occurs for a valid reason that was unanticipated by the secure coding standard. In this respect, the deviation procedure allows for the possibility that secure coding rules are overly strict.

Deviations cannot be used for reasons of performance, usability, or to achieve other nonsecurity attributes in the system. A software system that successfully passes con- formance testing must not present known vulnerabilities resulting from coding errors. Once the evaluation process has been completed, a report detailing the conformance or nonconformance of the code to the corresponding rules in the secure coding standard is provided to the developer.

Patches that meet all three of the following criteria do not void the conformance designation:. For more information, email securecoding cert. About the Authors. Fred Long is a senior lecturer and director of learning and teaching in the Department of Computer Science, Aberystwyth University in the United Kingdom.

Recently, his research has involved the investigation of vulnerabilities in Java. Dhruv Mohindra is a senior software engineer at Persistent Systems Limited, India, where he develops monitoring software for widely used enterprise servers.

He has worked for CERT at the Software Engineering Institute and continues to col- laborate to improve the state of security awareness in the pro- gramming community. Dhruv has also worked for Carnegie Mellon University, where he obtained his master of science degree in information security policy and management. He holds an undergraduate degree in computer engineering from Pune University, India, where he researched with Calsoft, Inc.

A writing enthusiast, Dhruv occasionally contributes articles to technology magazines and online resources. He brings forth his experience and learning from developing and securing service oriented applications, server monitoring software, mobile device applica- tions, web-based data miners, and designing user-friendly security interfaces.

Robert C. Seacord is a computer security specialist and writer. He is the author of books on computer security, legacy system modernization, and component-based software engineering.

CERT, among other security-related activities, regularly analyzes software vulnerability reports and assesses the risk to the Internet and other critical infrastruc- ture.

Robert started programming professionally for IBM in , working in communica- tions and operating system software, processor development, and software engineering.

Dean F. Sutherland is a senior software security engineer at CERT. Dean received his Ph. Before his return to academia, he spent 14 years working as a professional software engineer at Tartan, Inc. He spent the last six of those years as a senior mem- ber of the technical staff and a technical lead for compiler back- end technology. David has been the primary developer on a diverse set of software development projects at Carnegie Mellon since , ranging from hierarchical chip modeling and social organization simulation to automated machine translation AMT.

He has over 13 years of Java development experience, starting with Java 2, and his Java projects include Tomcat servlets and Eclipse plug-ins. Chapter 1 Introduction. Software vulnerability reports and reports of software exploitations continue to grow at an alarming rate. To address this growing threat to corporations, educational institutions, governments, and individuals, systems must be developed that are free of software vulnerabilities.

Coding errors cause the majority of software vulnerabilities. Java is a relatively secure language. This is an ordinary Java object of class java. Java program safety, however, can be compromised. The remainder of this chapter describes use cases under which Java programs might be exploited and examples of rules that mitigate against these attacks. Not all of the rules apply to all Java language programs; frequently, their applicability depends on how the software is deployed and assumptions concerning trust.

Software programs often contain multiple components that act as subsystems, where each component operates in one or more trusted domains. Distrustful decomposition and privi- lege separation [Dougherty ] are examples of secure design patterns that reduce the amount of code that runs with special privileges by designing the system using mutually untrusting components. While software components can obey policies that allow them to transmit data across trust boundaries, they cannot specify the level of trust given to any component.

A Java program can contain both internally developed and third-party code. Java was designed to allow the execution of untrusted code; consequently, third-party code can oper- ate in its own trusted domain. The public API of such third-party code can be considered to be a trust boundary.

Data that crosses a trust boundary should be validated unless the code that produces this data provides guarantees of validity. In all other cases, inbound data must be validated. Canonicalization and Input Output Validation Command interpreter Browser normalization sanitization sanitization.

Figure 1—1. Programs must take steps to ensure that data received across a trust boundary is appro- priate and not malicious. These steps can include the following:. Validation: Validation is the process of ensuring that input data falls within the expected domain of valid program input. This requires that inputs conform to type and numeric range requirements as well as to input invariants for the class or subsystem.

Sanitization: In many cases, data is passed directly to a component in a different trusted domain. Data sanitization is the process of ensuring that data conforms to the requirements of the subsystem to which it is passed. Sanitization also involves ensuring that data con- forms to security-related requirements regarding leaking or exposure of sensitive data when output across a trust boundary.

Sanitization may include the elimination of unwanted char- acters from the input by means of removing, replacing, encoding, or escaping the charac- ters. Sanitization may occur following input input sanitization or before the data is passed across a trust boundary output sanitization.

Data sanitization and input validation may coexist and complement each other. See rule IDSJ for more details on data sanitization. Canonicalization and Normalization: Canonicalization is the process of lossless reduction of the input to its equivalent simplest known form.

Normalization is the process of lossy conversion of input data to the simplest known and anticipated form. Canonicaliza- tion and normalization must occur before validation to prevent attackers from exploiting the validation routine to strip away invalid characters and, as a result, constructing an invalid and potentially malicious character sequence.

See rule IDSJ for more infor- mation. Normalization should be performed only on fully assembled user input. Never normalize partial input or combine normalized input with nonnormalized input.

Complex subsystems that accept string data that specify commands or instructions are a special concern. String data passed to these components may contain special characters that can trigger commands or actions, resulting in a software vulnerability. These are examples of components that can interpret commands or instructions:. Sensitive data may include user information such as social security or credit card numbers, passwords, or pri- vate keys. Because Java allows components under different trusted domains to communicate with each other in the same program, data can be transmitted across a trust boundary.

Systems must ensure that data is not transmitted to a component in a different trusted domain if authorized users in that domain are not permitted access to the data.

Java software components provide many opportunities to output sensitive informa- tion. Rules that address the mitigation of sensitive information disclosure include the following:. Do not allow exceptions to expose sensitive information FIOJ. Do not log sensitive information outside a trust boundary IDSJ. Do not log unsanitized user input 41 MSCJ. Never hard code sensitive information SERJ.

Make defensive copies of private mutable components during deserialization. Trusted component Sensitive data filter Untrusted component.

Figure 1—2. These should come as no surprise to the Java expert because they are well-documented, but they may trap the unwary. An x indicates that the particular access is permitted from within that domain.

The same class loader condition applies only to package-private member access. Classes and class members should be given the minimum possible access so that mali- cious code has the least opportunity to compromise security. As far as possible, classes should avoid using interfaces to expose methods that contain or invoke sensitive code; interfaces allow only publicly accessible methods, and such methods are part of the public application programming interface API of the class.

One exception. An additional requirement for access is that the subclasses must be loaded by the class loader that loaded the class containing the package-private members. Subclasses in a different package cannot access such package-private members. Subclass access is permitted without regard to the package location of the subclass.

See rule OBJJ. Methods that perform all necessary security checks, as well as sanitize all inputs, can also be exposed through interfaces. Protected accessibility is invalid for top-level classes, although nested classes may be declared protected.

Furthermore, protected members are part of the API of the class and require con- tinued support. Other classes and members should be declared either package-private or private.

For example, classes that are not critical to security are encouraged to provide public static factories to implement instance control with a private constructor. A capability is a communicable, unforgeable token of authority. The term capability was introduced by Dennis and Van Horn [Dennis ]. It refers to a value that references an object along with an associated set of access rights.

A user program on a capability-based operating system must use a capability to access an object. Each Java object has an unforgeable identity. This unforgeable identity allows use of a reference to an object as a token, serving as an unforgeable proof of authorization to per- form some action [Mettler a].

Authority is embodied by object references, which serve as capabilities. Authority refers to any effects that running code can have other than to perform side-effect-free computa- tions. References to objects whose methods can perform sensitive operations can serve as capabilities that enable the holder to perform those operations or to request that the object perform those operations on behalf of the holder.

Consequently, such references must themselves be treated as sensitive data and must not be leaked to untrusted code. Rules regarding capabilities include the following:. Do not increase the accessibility of overridden or hidden methods OBJJ. Do not expose sensitive private members of an outer class from within a nested class SECJ. Protect sensitive operations with security manager checks SERJ.

Minimize privileges before deserializing from a privileged context Such attacks are generally of greater concern for persistent, server-type systems than for desktop applications; nevertheless, denial-of-service issues can arise for all classes of application. Denial of Service through Resource Exhaustion Denial of service can occur when resource usage is disproportionately large in comparison to the input data that causes the resource usage.

This can be mitigated by setting the XMLConstants. Rules regarding denial-of-service attacks and their prevention resulting from resource exhaustion include the following:. Rule Page. Perform proper cleanup at program termination IDSJ. Do not exhaust heap space SERJ.

Avoid memory and resource leaks during serialization TPSJ. Do not execute interdependent tasks in a bounded thread pool VNAJ. Do not assume that a group of calls to independently atomic methods is atomic. Concurrency-Related Denial of Service Some denial-of-service attacks operate by attempting to induce concurrency-related prob- lems, such as thread deadlock, thread starvation, and race conditions. Rules regarding prevention of denial-of-service attacks resulting from concurrency issues include the following:.

Avoid client-side locking when using classes that do not commit to their locking strategy. Other Denial-of-Service Attacks Additional rules regarding prevention of denial-of-service attacks include the following:. Serialization enables object state in a Java program to be captured and written out to a byte stream [Sun b]. This allows for the object state to be preserved so that it can be rein- stated in the future by deserialization. Serialization also enables Java method calls to be transmitted over a network using remote method invocation RMI , wherein objects are marshalled serialized , exchanged between distributed virtual machines, and unmarshalled deserialized.

Serialization is also extensively used in JavaBeans. An object can be serialized as follows:. Moreover, it may be possible to modify or forge the preserved values so that when the class is deserialized, the values become corrupted.

Classes that require special handling during object serialization or deserialization can implement the following methods with precisely the following signatures [API ]:. This issue is described further in rule SERJ.

Memory that can be shared between threads is called shared memory or heap memory. Variables that are shared between threads are referred to as shared variables. Local variables, formal method parameters, and exception handler parameters are never shared between threads and are unaffected by the memory model. In modern shared-memory multiprocessor architectures, each processor has one or more levels of cache that are periodically reconciled with main memory, as shown in Figure 1—3.

The visibility of writes to shared variables can be problematic because the value of a shared variable may be cached, and writing its value to main memory may be delayed. Consequently, another thread may read a stale value of the variable. A further concern is not only that concurrent executions of code are typically inter- leaved, but also that the compiler or runtime system may reorder statements to optimize performance.

One or more One or more One or more One or more levels of levels of levels of levels of cache cache cache cache. Figure 1—3. Failure to account for possible reorderings is a common source of data races.

The two assignments in Thread 2 may also be freely reordered. Although it may seem counterintuitive, the Java memory model allows a read to see the value of a write that occurs later in the apparent execution order.

This is a possible execution order showing actual assignments:. In this ordering, r1 and r2 read the original values of the variables b and a respectively, even though they are expected to see the updated values, 20 and This is another possible execution order showing actual assignments:. In this ordering, r1 and r2 read the values of b and a written from steps 4 and 3 respec- tively, even before the statements corresponding to these steps have executed.

Concurrency, Visibility, and Memory Restricting the set of possible reorderings makes it easier to reason about the correct- ness of the code. An unlock on a monitor happens-before every subsequent lock on that monitor. A call to Thread. All actions in a thread happen-before any other thread successfully returns from a Thread. The default initialization of any object happens-before any other actions other than default writes of a program. A thread calling interrupt on another thread happens-before the interrupted thread detects the interrupt.

When two operations lack a happens-before relationship, the JVM is free to reorder them. A data race occurs when a variable is written to by at least one thread and read by at least one other thread and the reads and writes lack a happens-before relationship. A cor- rectly synchronized program is one that lacks data races. The JMM guarantees sequential consistency for correctly synchronized programs.

In other words:. Take the read and write operations performed by each thread and put them in the order the thread executes them thread order. Interleave the operations in some way allowed by the happens-before relationships to form an execution order. Read operations must return most recently written data in the total program order for the execution to be sequentially consistent.

This implies that all threads see the same total ordering of reads and writes of shared variables. The actual execution order of instructions and memory accesses can vary as long as the actions of the thread appear to that thread as if program order were followed and provided all values read are allowed for by the memory model. This allows programmers to under- stand the semantics of the programs they write and allows compiler writers and virtual machine implementors to perform various optimizations [JPL ].

There are several concurrency primitives that can help a programmer reason about the semantics of multithreaded programs. The volatile Keyword Declaring shared variables as volatile ensures visibility and limits reordering of accesses. Volatile accesses do not guarantee the atomicity of composite operations such as increment- ing a variable.

Declaring variables as volatile establishes a happens-before relationship such that a write to a volatile variable is always seen by threads performing subsequent reads of the same variable.

Consider two threads that are executing some statements, as shown in Figure 1—4. Statement 1 statement does not use a volatile variable Statement 2 statement does not use a volatile variable Statement 3 statement is a write to a volatile variable v. Statement 4 statement is a read of a volatile variable v. Figure 1—4. In this example, Statement 3 writes to a volatile variable, and Statement 4 in Thread 2 reads the same volatile variable.

The read sees the most recent write to the same variable v from Statement 3. Volatile read and write operations cannot be reordered either with respect to each other or with respect to nonvolatile variable accesses. When Thread 2 reads the volatile variable, it sees the results of all the writes occurring before the write to the volatile variable in Thread 1.

Because of the relatively strong guarantees of volatile, the performance overhead of volatile is almost the same as that of synchronization. The previous example lacks a guarantee that Statements 1 and 2 will be executed in the order in which they appear in the program.

They may be freely reordered by the compiler because of the absence of a happens-before relationship between these two statements.

The possible reorderings between volatile and nonvolatile variables are summarized in Table 1—2. Load and store operations are synonymous with read and write operations, respectively [Lea ]. For the purposes of these guarantees, the actual member is the object reference itself; the objects referred to by volatile object references referents are beyond the scope of the guarantees.

Furthermore, when the referent is mutable and lacks thread-safety, other threads might see a partially constructed object or an object in a temporarily inconsistent state [Goetz ]. Synchronization A correctly synchronized program is one whose sequentially consistent executions lack data races.

The example shown here uses a nonvolatile variable x and a volatile variable y. It is incorrectly synchronized. However, the second sequentially consistent exe- cution case lacks a happens-before relationship between any of the steps. Consequently, this example contains data races. Correct synchronization provides correct visibility and also guarantees that threads access data in a proper order.

For example, the following code ensures that there is only one sequentially consistent execution order that performs all the actions of Thread 1 before Thread 2. When using synchronization, it is unnecessary to declare the variable y volatile. Syn- chronization involves acquiring a lock, performing operations, and then releasing the lock. In the previous example, the doSomething method acquires the intrinsic lock of the class object Assign. This example can also be written to use block synchronization:.

The intrinsic lock used in both examples is the same. The java. Synchronization addresses this requirement but incurs overheads of context switching and frequently causes lock contention. The atomic classes of package java. For example, the AtomicInteger. Other high-level methods such as java.

The Executor Framework The java. A task is a logical unit of work encapsulated by a class that implements Runnable or Callable. The executor frame- work decouples task submission from low-level scheduling and thread management details.

It also provides a thread pool mechanism that allows a system to degrade gracefully when presented with more requests than the system can handle simultaneously. The core interface of the framework is the Executor interface. It is extended by the ExecutorService interface, which provides facilities for thread pool termination and for obtaining return values of tasks. The ExecutorService interface is further extended by the ScheduledExecutorService interface, which provides a mechanism for running tasks either periodically or after some delay.

For example, the Executors. The base actual implementation of the thread pool is provided by the ThreadPoolExecutor class. This class can be instanti- ated to customize the task execution policy. Explicit Locking The ReentrantLock class from the java. For example, the Reentrant- Lock. The JMM semantics for acquiring and releasing a ReentrantLock are identical to those for ac- quiring and releasing an intrinsic lock. According to the principle of least privilege, every program and every user of the system should operate using the least set of privileges necessary to complete their particular task [Saltzer , Saltzer ].

Executing with minimal privileges reduces the severity of exploitation in case a vulnerability is discovered in the code.

Do not grant dangerous combinations of permissions SECJ. Do not allow tainted variables in privileged blocks Java uses code signing as a requirement for granting elevated privileges to code. Many security policies permit signed code to operate with elevated privileges.

Only code that requires elevated privileges should be signed; other code should not be signed. See rule ENVJ. It is recommended that all privileged code be packaged together.

See rule ENVJ for more information. Privileged operations should be limited to the smallest possible code blocks that require such privileges. The Java AccessController mechanism allows only certain parts of code to acquire elevated privileges.

When a class needs to assert its privileges, it executes the privileged code in a doPrivileged block. The AccessController mechanism works in conjunction with the security policy in effect.

When a program runs with no security manager installed, it has no restrictions; it may use any classes or methods provided by the Java API. Any actions not allowed by the security policy cause a SecurityException to be thrown; code can query its security manager to discover which actions are allowed. The security manager can also control the functions that the trusted Java API can perform.

The accessClassInPackage permission provides the required functionality. The applet security manager is used to manage all Java applets. It denies applets all but the most essential privileges. The use of security managers is not limited to client-side protection. Web servers, such as Tomcat and WebSphere, use this facility to isolate Trojan servlets and malicious Java Server Page JSP code, as well as to protect sensitive system resources from inadvertent access. It is also possible to install a security manager programmatically.

This helps create a default sandbox that permits or denies sensitive actions based on the security policy in effect. Enter the email address you signed up with and we'll email you a reset link. Need an account? Click here to sign up. Download Free PDF. Abhinawa Kishore. A short summary of this paper.