On 4/15/22 10:46 PM, Peter Firmstone wrote:
> To securely instrument access controls onto public Java API, we need to have the ability to disable finalizers, to prevent finalizer attacks from circumventing access controls. Since finalizers are planned for removal, as soon as finalizers are officially deprecated, I propose a command line flag be provided to disable JVM calls to finalizer methods.

This is already supported. JEP 421 added a "--finalization=disabled" option to JDK 18:
https://openjdk.java.net/jeps/421#Command-line-option-to-disable-finalization

--Sean
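
A deployment that relies on the option mentioned in the reply can check at startup that it is actually in effect. The following is an added example, not part of the original thread or of the JDK; the class name `FinalizationGuard` and the timeout are assumptions, and the probe is a smoke test, since a garbage collector is never obliged to collect the canary.

```java
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;

// Hypothetical startup guard: refuses to continue if the JVM still runs finalizers.
public final class FinalizationGuard {
    // Released by the canary's finalizer if the JVM invokes it.
    private static final CountDownLatch RAN = new CountDownLatch(1);

    private static final class Canary {
        @Override
        @SuppressWarnings({"deprecation", "removal"})
        protected void finalize() {
            RAN.countDown();
        }
    }

    // Returns true if a finalizer was observed running within the probe window.
    // A false result means "none observed", not a proof that none can run.
    @SuppressWarnings({"deprecation", "removal"})
    static boolean finalizersRun(long timeoutMillis) throws InterruptedException {
        long deadline = System.nanoTime() + TimeUnit.MILLISECONDS.toNanos(timeoutMillis);
        while (System.nanoTime() < deadline) {
            new Canary();               // unreachable as soon as it is created
            System.gc();                // request a collection
            System.runFinalization();   // request that pending finalizers run
            if (RAN.await(50, TimeUnit.MILLISECONDS)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws InterruptedException {
        if (finalizersRun(2000)) {
            System.err.println("Finalizers are running; start the JVM with --finalization=disabled");
            System.exit(1);
        }
        System.out.println("No finalizer ran during the probe window");
    }
}
```

On JDK 18 or later, `java --finalization=disabled FinalizationGuard.java` should report that no finalizer ran, while the same command without the option should normally exit with status 1.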