A Systematic Hardening of Java's Information Hiding

The Java runtime is installed on billions of devices worldwide, and over years it has been a primary attack vector for online criminals. In this work, we address that many attack vectors exploit weaknesses in Java's information hiding, making use of illegal access to private members of system classes. To study to what extent such attacks can be mitigated, and at what cost, this paper demonstrates a proof-of-concept solution to strengthen information hiding. Experiments show that this approach is backward compatible, and that it blocks 84% of all information-hiding attacks in a large-scale sample set at an average performance overhead below 2%. Based on our experiments, we suggest a solution to strengthen information hiding for productive use that has the potential to outperform our proof o f concept in terms of robustness and performance, and also would block the remaining information-hiding attacks. Finally, we conclude with general advice on the design of secure software.