News

Removing Serialization from Java Is a 'Long-Term Goal' at Oracle

• By John K. Waters
• May 30, 2018

Oracle's chief architect says his company intends to remove serialization from Java -- eventually. Answering a question during a live-streamed session at the recent Devoxx UK 2018 conference called "Ask the Architect," Mark Reinhold said it's a long-term goal that has been a long time coming.

"[Serialization] was a horrible mistake in 1997," he said. "Some of us tried to fight it, but it went in, and there it is. ...We like to call serialization 'the gift that keeps on giving,' and the type of gift it keeps on giving is security vulnerabilities.... Probably a third of all Java vulnerabilities have involved serialization; it could be over half. It is an astonishingly fecund source of vulnerabilities, not to mention instabilities."

The question clearly activated a long-held antipathy for Java object serialization, which is the process of converting an object into a stream of bytes for transport and storage. Deserialization reverses the process when the data is received. It can also be used to reconstruct an object graph from a stream.

Reinhold didn't offer a date for a change that many (including Reinhold) believe would plug a large security hole, or even a ballpark timeframe, but he said getting rid of serialization is definitely a long-term goal. Until then, Oracle has taken steps to mitigate the problem, he said. For example, the company recently added a filtering capability for those who must accept untrustable serialization data streams.

"It's shocking the number of reports we get of people running app servers on the network with unprotected ports that take serialization streams," he said. "...Serialization is brittle, it pokes into private field, violates constructor invariance, it's horrible in so many ways. The only thing appealing about it is that it's easy to use in simple use cases. That's what motivated getting it in there. But now, we do have to get it out."

Removing serialization is one of the goals of Project Amber, Reinhold noted, which is the OpenJDK project that aims to "explore and incubate smaller, productivity-oriented Java language features that have been accepted as candidate JEPs under the OpenJDK JEP process," the project page explains, including lambda leftovers, pattern matching, local-variable syntax for lambda parameters, switch expressions, and raw string literals. Announced last year, the project is being led by Oracle's rockstar Java architect Brian Goetz.

"Once we have records, the Java version of data classes, then it's part of the long term vision to have a new small clean serialization framework in the platform that can take a graph of records," Reinhold said. "You'll then be able to plug in a serialization engine of your choice, whether you want JSON, XML or YAML, you can plug in the engine to get the format you want, and serialize records in a very safe way because the records wouldn't allow serialization invariance."

Until Oracle get rid of serialization, Reinhold said, those who use it would be well advised to use it only when they know where the data streams are coming from. He said users would be better off using JSON or XML.