Serialisation, which encodes objects into streams of bytes, has been part of Java since 1997. Roughly a third to a half of Java vulnerabilities have involved serialisation, mostly because, although it is easy to use in simple cases, it is even easier to misuse.
Oracle has made its removal a goal of Project Amber, which is focused on productivity-oriented Java language features.
Mark Reinhold, chief architect of the Java platform group at Oracle, said the idea is to add a small serialisation framework to the platform once records, the Java version of data classes, are supported.
The framework could support a graph of records, and developers could plug in a serialisation engine of their choice, supporting formats such as JSON or XML, so that records could be serialised safely.
Reinhold said it was not clear which release of Java will have the records capability.
Java has also recently gained a deserialisation filtering capability (JEP 290, introduced in Java 9 and backported to earlier update releases): if serialisation is used over a network and untrusted serialised data streams must be accepted, the application can restrict which classes may appear in a stream and cap its depth and size, providing a defence mechanism against serialisation's security weaknesses.