Creation Review

Type
Creation
State
Successful
End Date of the Review Period

Reviews run for a minimum of one week. The outcome of the review is decided on this date. This is the last day to make comments or ask questions about this review.

Proposal

Eclipse Serializer

Monday, February 20, 2023 - 11:06 by Markus Kett
This proposal is in the Project Proposal Phase (as defined in the Eclipse Development Process) and is written to declare its intent and scope. We solicit additional participation and input from the community.
Proposal State
Created
Background

Ten years ago, we started developing a Java object graph persistence engine called MicroStream. It makes it possible to persist any Java object graph, of any size and complexity, in any data storage solution. Because existing serialization libraries for Java have various limitations as well as security flaws, we decided to develop a new serialization mechanism from scratch.

In 2021, a technical investigation was carried out by Robert Seacord for the NCC Group. Its conclusion: MicroStream is a serialization mechanism written from the ground up that works fundamentally differently from Java serialization and other encodings. MicroStream strictly separates data from code and transfers data only. During deserialization, no code is executed at all. Thus, injecting and executing malicious code is impossible. Due to this highly secure design, MicroStream protects against fatal deserialization attacks and eliminates the biggest security flaw of Java. This makes MicroStream the most secure serialization on the market.

Today, the serializer is a core feature of the MicroStream persistence engine, which is open source under the EPL and integrated with Helidon and Micronaut.

Now, we want to donate the code to the Eclipse Foundation and continue development as an Eclipse project to deliver value to the Java community and to make it even more attractive for contributors, framework vendors, and developers.

Scope

Eclipse Serializer can serialize and deserialize any Java object without requiring an annotation, a superclass or interface, or a data schema that generates code. Beyond the core serialization functionality, many aspects can be customized; it supports circular references and data model evolution (refactoring), since you can define mappings from the binary data to your current class model.

Description

Eclipse Serializer is a serialization mechanism written from the ground up that works fundamentally differently from Java serialization and other encodings. Eclipse Serializer strictly separates data from code and transfers data only. During deserialization, no code is executed at all. Thus, injecting and executing malicious code is impossible. Due to this highly secure design, Eclipse Serializer protects against fatal deserialization attacks and eliminates the biggest security flaw of Java. This makes Eclipse Serializer a highly secure alternative to other serialization mechanisms.

Why Here?

Eclipse Serializer delivers value to the Eclipse Ecosystem. It eliminates the biggest security issue of Java: deserialization attacks. By using Eclipse Serializer, end-user applications will become much more secure. At the same time, Eclipse Serializer is simple and convenient to use because it eliminates various limitations that other encodings have. For example, implementing the Serializable interface is no longer required. Users become more productive and save time and development effort. Our benefit should be better visibility, traction, and acceptance.

Future Work

Roadmap for the next 12 - 18 months: Eclipse Serializer is already proven in production and is very stable. In the next 12 - 18 months we will increase the security test case base and develop converters. We will talk and exhibit at various Java conferences, write blogs and articles for magazines, and produce videos to promote Eclipse Serializer, increasing downloads and the number of contributors.

Project Scheduling

As soon as the paperwork is done, we would like to transfer the code immediately. The first build could be released at the end of February 2023.

Interested Parties

Micronaut Foundation, project Helidon, Oracle, Open Liberty, IBM, Payara Ltd., Spring Boot, XDEV Software GmbH, Allianz SE, Fraport, Infineon, Azul

Initial Contribution

The project already exists and is called MicroStream Serializer. The code is already open source under the EPL. There are only 8 committers so far, all of whom are MicroStream employees. The copyright belongs to MicroStream Software GmbH. The library does not use any 3rd-party libraries and thus has no dependencies other than the JDK. MicroStream is integrated with Helidon and Micronaut. Currently, we have 5445 unique IP downloads since open-sourcing in 2021. More and more companies are using it in production.
