Re: JNI Signal Chaining and OWASP (Security)

2019-04-15 Thread Bernd Eckenfels
: security-dev im Auftrag von Christian Heinrich Gesendet: Dienstag, April 16, 2019 2:55 AM An: Hank Edwards Cc: security-dev@openjdk.java.net Betreff: Re: JNI Signal Chaining and OWASP (Security) Hank, On Fri, 12 Apr 2019 at 09:41, Hank Edwards wrote: >We've recently discovered that the

Re: JNI Signal Chaining and OWASP (Security)

2019-04-15 Thread Christian Heinrich
Hank, On Fri, 12 Apr 2019 at 09:41, Hank Edwards wrote: >We've recently discovered that the use of C is considered a code injection >risk by security analysis tools, such as ones that check for OWASP 2017. I contribute to https://github.com/OWASP/Top10/pull/450 Can you please disclose the spec

RE: JNI Signal Chaining and OWASP (Security)

2019-04-15 Thread Hank Edwards
After considering this I decided on an attempting an alternate approach. I coded the Java part of our API to perform a System.loadlibrary("jsig"); prior to the call for our JNI library to be loaded. This gave the desired effect when testing; the native code handled the signals and the Java pro

Re: JNI Signal Chaining and OWASP (Security)

2019-04-12 Thread Nico Williams
On Fri, Apr 12, 2019 at 08:24:06PM +, Hank Edwards wrote: > Thanks for the suggestion, I was not aware the libjsig.so could be loaded > like that. I'm assuming you mean a loadlibrary("jsig"); in the .init. It > would also work I suppose to just add the .init to the original shared > library g

RE: JNI Signal Chaining and OWASP (Security)

2019-04-12 Thread Hank Edwards
l? Pensons environnement. -Original Message- From: Nico Williams Sent: Friday, April 12, 2019 3:53 PM To: Hank Edwards Cc: security-dev@openjdk.java.net Subject: Re: JNI Signal Chaining and OWASP (Security) You could simply move the original JNI DLL out of the way and replace it with

Re: JNI Signal Chaining and OWASP (Security)

2019-04-12 Thread Nico Williams
You could simply move the original JNI DLL out of the way and replace it with a wrapper that does the signal handler setup in a .init section and otherwise has stubs for all entry points that simply call the real (now renamed) DLL. In Solaris/Illumos we'd call that wrapper a "filter", and Solaris/

Re: JNI Signal Chaining and OWASP (Security)

2019-04-12 Thread Nico Williams
On Thu, Apr 11, 2019 at 08:45:51PM +, Hank Edwards wrote: > I work on a product that provides a JNI wrapper around a native API, we > currently use LD_PRELOAD to enable signal chaining. We chose LD_PRELOAD as > we do not force our customers to a specific Java vendor or version, nor do we > wan

JNI Signal Chaining and OWASP (Security)

2019-04-11 Thread Hank Edwards
I work on a product that provides a JNI wrapper around a native API, we currently use LD_PRELOAD to enable signal chaining. We chose LD_PRELOAD as we do not force our customers to a specific Java vendor or version, nor do we want to complicate our build process by creating a unique build for ea