Highly secure serialization

for the JVM and Android

MicroStream eliminates the biggest security flaw of Java.
It provides highly secure data transfer and makes your software applications immune to dangerous cyber attacks.
Build highly secure software applications with Java that protect your data and create valuable trust.

MicroStream is open source. Latest version 7.


Standard Java serialization is a serious security risk

Java serialization is used to transfer data between Java applications and services over the network. It is used by almost every library, framework, and business application written in Java. However, Java serialization has serious vulnerabilities that are regularly exploited to attack and harm Java users.

Security flaws

  • Not only data, but also class information is transferred

  • Any serializable class on the classpath can be instantiated, and its deserialization code executed, automatically during deserialization

  • Creating and injecting malicious code is scarily easy

  • Simplistic black- and white-list techniques are insufficient

  • Most dependencies use serialization
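To make the second and third points concrete, here is an added example in plain JDK code (it is not MicroStream code and not from the MicroStream project): a receiver that only ever expects a Customer still runs the readObject() hook of an unrelated Serializable class that merely sits on its classpath, because the byte stream, not the receiver, chooses the class. The JDK's ObjectInputFilter (JEP 290, Java 9 and later) is shown as the built-in allow-list check; it is the list-based kind of mitigation the page calls insufficient on its own, since every allowed class and its field types still execute. All class names, fields and values are made up for the demo.

```java
import java.io.*;
import java.util.concurrent.atomic.AtomicInteger;

public class DeserializationDemo {
    // counts how often UnrelatedHelper.readObject() ran; stands in for any side effect
    static final AtomicInteger HOOK_CALLS = new AtomicInteger();

    // the only type the receiving code expects to get back
    public static final class Customer implements Serializable {
        private static final long serialVersionUID = 1L;
        String email;
        Customer(String email) { this.email = email; }
    }

    // an unrelated Serializable type that merely exists on the classpath; the receiver
    // never references it, yet its readObject() runs because the byte stream picks the class
    public static final class UnrelatedHelper implements Serializable {
        private static final long serialVersionUID = 1L;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            HOOK_CALLS.incrementAndGet();   // code selected by the sender has now executed
        }
    }

    static byte[] toBytes(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // unfiltered: whatever class the bytes name is instantiated and its code executed
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // filtered (JEP 290): only Customer and JDK base-module types (String etc.) are accepted;
    // any other class is rejected with InvalidClassException before any of its code can run
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                    Customer.class.getName() + ";java.base/*;!*"));
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] untrusted = toBytes(new UnrelatedHelper());   // the sender, not the receiver, chose this class
        readUnfiltered(untrusted);
        System.out.println("hook ran " + HOOK_CALLS.get() + " time(s) without the receiver asking for it");
        try { readFiltered(untrusted); }
        catch (InvalidClassException e) { System.out.println("filter rejected it: " + e.getMessage()); }
        System.out.println("allowed: " + ((Customer) readFiltered(toBytes(new Customer("a@example.com")))).email);
    }
}
```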

Limitations

  • Classes to serialize must implement the interface java.io.Serializable

  • Objects from 3rd party APIs that haven't implemented Serializable can't be serialized

  • Serialization works through 'magic' rather than an explicit API contract

  • Depth of an object graph is limited

  • Schema evolution is not supported

  • Java serialization is slow

Serialization was a horrible mistake.
Half of all Java vulnerabilities are linked to serialization.

Mark Reinhold, Chief Architect of the Java Platform, Oracle

Learn from experts how scarily easily serialization can be abused to hack your applications...

Steve Poole, Sonatype - Oracle Code One 2018

Alexei Kojenov, Google – AppSec USA 2018

Brian Goetz & Stuart Marks, both Oracle – DEVOXX Belgium 2019

Robert Seacord, NCC Group - Oracle Code One 2019

Other encodings ...

Switching to another encoding doesn't solve the main problem of serialization, which is: how we can safely extract and reconstruct the state of objects to be serialized.

Brian Goetz, Architect of the Java Language, Oracle

Bytecode-based

  • Based on Java serialization and thus inherit its mistakes, security flaws, and limitations

  • Depth of an object graph is limited

  • Schema evolution is not covered

Human-readable

  • Circular references are not possible

  • Not suited for complex object graphs

  • Existing object integrity will be broken

  • Overhead grows exponentially with increasing complexity

  • Data must be parsed twice

Eliminate deserialization attacks and make your Java applications highly secure ...

Highly secure serialization platform

Highly secure

  • Strict separation of data and code

  • Neither code nor class information is transferred

  • No code is executed through deserialization

  • Objects are generated by the framework

  • Injecting malicious code has no consequences, because it can never be executed

  • The biggest security flaw of Java is eliminated

No Limitations

  • Implementing the interface java.io.Serializable is not required at all

  • Serialize any object

  • Any object from 3rd party APIs can be serialized

  • Built for complex object graphs; circular references are trouble-free

  • Depth of an object graph is not limited, no stack-based recursion

  • No requirements on your classes: no interfaces, superclasses or annotations needed

// create a serializer which handles byte arrays
Serializer<byte[]> serializer = Serializer.Bytes();

// serialize a company (no Serializable, superclass or annotation needed)
byte[] data = serializer.serialize(company);

// deserialize the data into a new, separate Company instance
Company restored = serializer.deserialize(data);

Serialize any object


MicroStream lets you serialize any object. There are no specific superclasses, interfaces or annotations at all. Even serializing objects from third-party APIs is trouble-free.

  • Implementing Serializable is not required

  • No superclasses, interfaces, annotations

  • Inheritance is trouble-free

  • Custom-tailored type handling

import java.time.LocalDate;
import java.util.Set;

// a plain class: no Serializable, no superclass, no annotations
public class Customer {

   private String firstname;
   private String lastname;
   private String email;
   private LocalDate dateOfBirth;
   private Boolean active;
   private Set<Order> orders;

   ...
}

Built for complex object graphs


The strength of MicroStream is that you can serialize any object graph of any size and complexity. The more complex your object graph is, the faster MicroStream is in comparison to other encodings.

  • Any circular reference

  • Depth of an object graph is not limited

  • No stack-based recursion
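The "Highly secure" and "No Limitations" claims above and the complex-graph claims in this section, as one added example (not MicroStream's own code): two plain classes without Serializable, superclasses or annotations form a circular Customer/Order graph, which is round-tripped through the serializer shown in the earlier snippet. Assumptions: MicroStream 7's serializer module is on the classpath, the class lives in the package one.microstream.persistence.binary.util, and Serializer.Bytes() returns a Serializer<byte[]>; check these against the project's documentation. The sample data is constructed.

```java
import java.util.ArrayList;
import java.util.List;
import one.microstream.persistence.binary.util.Serializer;   // assumed package name

public class GraphRoundTrip {
    // plain classes: no Serializable, no annotations, no no-arg constructor
    static final class Customer {
        final String email;
        final List<Order> orders = new ArrayList<>();
        Customer(String email) { this.email = email; }
    }

    static final class Order {
        final long id;
        final Customer customer;   // back-reference: this makes the graph circular
        Order(long id, Customer customer) {
            this.id = id;
            this.customer = customer;
            customer.orders.add(this);
        }
    }

    static Customer sampleGraph() {   // constructed sample data
        Customer c = new Customer("a@example.com");
        new Order(1L, c);
        new Order(2L, c);
        return c;
    }

    public static void main(String[] args) {
        Serializer<byte[]> serializer = Serializer.Bytes();   // same API as the page's snippet

        // only field values travel; no class files or bytecode are part of the payload
        byte[] data = serializer.serialize(sampleGraph());

        // instances are generated by the framework itself; there is no readObject-style hook
        Customer restored = serializer.deserialize(data);

        // the cycle survives: every order points back at the very Customer instance we got back
        boolean cycleIntact = restored.orders.stream().allMatch(o -> o.customer == restored);
        System.out.println("orders=" + restored.orders.size() + " cycleIntact=" + cycleIntact);
    }
}
```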

Optimized byte format


MicroStream uses a highly optimized byte format. This enables circular references, unlimited size, complexity, and depth of your object graphs, and minimizes overhead.

Converter
The MicroStream byte format can be converted into CSV and other encoding formats.

Long-term support warranty
The MicroStream byte format is supported for 10 years guaranteed.

Versioning


Classes evolve over time. Therefore, MicroStream provides a legacy type mapping that lets you manage different versions of your classes.

  • New, changed and removed fields

  • Primitive types

  • Any objects

  • Renamed and deleted classes

Native image compatible


MicroStream serialization runs trouble-free and without any adaptation effort on GraalVM native images.

Use any JVM Technology

MicroStream is a small Java library that can be used with all JVM languages.

Solutions that integrate MicroStream

Enterprise-grade open source

MicroStream serializer

Open Source

Secure your open-source code, provide high security and build valuable trust.

  • Driven by our fast-growing community

  • Transparent development of new features, concepts and innovations

  • Community support on GitHub & StackOverflow

MicroStream serializer

Enterprise

Recommended for enterprises using MicroStream for business-critical applications or products:

  • Timely adjustments to the latest Java versions

  • Converter
    Convert MicroStream format into another encoding format

  • Enterprise-grade security updates
    Timely security updates to eliminate vulnerabilities

  • Long-term warranty
    MicroStream format support for 10 years guaranteed

  • Enterprise-grade support

Get started with MicroStream today.