From: security-dev on behalf of
Christian Heinrich
Sent: Tuesday, April 16, 2019 2:55 AM
To: Hank Edwards
Cc: security-dev@openjdk.java.net
Subject: Re: JNI Signal Chaining and OWASP (Security)
Hank,
On Fri, 12 Apr 2019 at 09:41, Hank Edwards wrote:
>We've recently discovered that the use of C is considered a code injection
>risk by security analysis tools, such as ones that check for OWASP 2017.
I contribute to https://github.com/OWASP/Top10/pull/450
Can you please disclose the spec
After considering this I decided to attempt an alternate approach. I
coded the Java part of our API to perform a System.loadLibrary("jsig"); prior
to the call for our JNI library to be loaded. This gave the desired effect
when testing; the native code handled the signals and the Java pro
On Fri, Apr 12, 2019 at 08:24:06PM +, Hank Edwards wrote:
> Thanks for the suggestion, I was not aware the libjsig.so could be loaded
> like that. I'm assuming you mean a loadlibrary("jsig"); in the .init. It
> would also work I suppose to just add the .init to the original shared
> library g
-Original Message-
From: Nico Williams
Sent: Friday, April 12, 2019 3:53 PM
To: Hank Edwards
Cc: security-dev@openjdk.java.net
Subject: Re: JNI Signal Chaining and OWASP (Security)
You could simply move the original JNI DLL out of the way and replace it
with a wrapper that does the signal handler setup in a .init section and
otherwise has stubs for all entry points that simply call the real (now
renamed) DLL.
In Solaris/Illumos we'd call that wrapper a "filter", and Solaris/
On Thu, Apr 11, 2019 at 08:45:51PM +, Hank Edwards wrote:
> I work on a product that provides a JNI wrapper around a native API, we
> currently use LD_PRELOAD to enable signal chaining. We chose LD_PRELOAD as
> we do not force our customers to a specific Java vendor or version, nor do we
> wan
I work on a product that provides a JNI wrapper around a native API, we
currently use LD_PRELOAD to enable signal chaining. We chose LD_PRELOAD as we
do not force our customers to a specific Java vendor or version, nor do we want
to complicate our build process by creating a unique build for ea
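As an added illustration of the signal chaining this thread is about (example code written for this page, not code from the thread, from libjsig or from Hank's product): a minimal shim of the kind Nico's wrapper library would run from its .init section. It saves the handler already registered (the JVM's, in the real case) and calls it after its own work instead of replacing it. SIGUSR1 stands in for SIGSEGV so the demo can be exercised with raise(); the names `install_chained_handler`, `demo_chain` and `jvm_like_handler` are mine.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <string.h>

/* Handler that was installed before ours (e.g. the JVM's). */
static struct sigaction g_prev;
static int g_installed = 0;
static volatile sig_atomic_t g_ours_hits = 0;
static volatile sig_atomic_t g_prev_hits = 0;

/* Constructed stand-in for the handler the JVM would have installed. */
static void jvm_like_handler(int sig) { (void)sig; g_prev_hits++; }

/* Our handler: do our own work, then chain to the saved handler rather
 * than having silently replaced it. */
static void chaining_handler(int sig, siginfo_t *info, void *ctx) {
    g_ours_hits++;
    if (g_prev.sa_flags & SA_SIGINFO) {
        if (g_prev.sa_sigaction) g_prev.sa_sigaction(sig, info, ctx);
    } else if (g_prev.sa_handler != SIG_IGN && g_prev.sa_handler != SIG_DFL) {
        g_prev.sa_handler(sig);
    }
}

/* Install the chaining handler for `sig`, saving the previous one.
 * Returns 0 on success, -1 on sigaction failure, 1 if already installed:
 * installing twice would make g_prev point at chaining_handler itself and
 * every signal would then recurse until the stack overflows. */
int install_chained_handler(int sig) {
    if (g_installed) return 1;
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = chaining_handler;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(sig, &sa, &g_prev) != 0) return -1; /* &g_prev receives the old one */
    g_installed = 1;
    return 0;
}

/* In the wrapper library this call would live in the .init section:
 * __attribute__((constructor)) static void init(void) { install_chained_handler(SIGSEGV); } */

/* Demo: the "JVM" installs first, we chain onto it, one raise() must reach both.
 * Returns 1 when both handlers ran exactly once, 0 otherwise, -1 on install error. */
int demo_chain(void) {
    signal(SIGUSR1, jvm_like_handler);
    if (install_chained_handler(SIGUSR1) != 0) return -1;
    raise(SIGUSR1);
    return (g_ours_hits == 1 && g_prev_hits == 1) ? 1 : 0;
}
```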