From dalibor.topic at oracle.com Thu Apr 11 12:44:24 2019 From: dalibor.topic at oracle.com (Dalibor Topic) Date: Thu, 11 Apr 2019 14:44:24 +0200 Subject: Code Conventions In-Reply-To: References: <87va0cqzzh.fsf@mid.deneb.enyo.de> Message-ID: <5fd33840-4b95-cdb9-bbee-1eb9d2340376@oracle.com> On 22.03.2019 17:13, Jean-Claude Arbaut wrote: > https://www.oracle.com/technetwork/java/codeconvtoc-136057.html Merci Jean-Claude, I updated the link accordingly. cheers, dalibor topic > Le jeu. 21 mars 2019 ? 11:33, Florian Weimer a ?crit : > >> This page >> >> >> >> contains only a dead link to: >> >> >> >> Is this page archived somewhere? >> >> Right now, I'm particularly interested in formatting guidelines for >> exception messages. Should they begin with a capitable letter? Are >> there rules for producing certain clipped sentences? (Such a rule >> appears to exist for the first sentence in a method documentation.) >> -- Oracle Dalibor Topic | Principal Product Manager Phone: +494089091214 | Mobile: +491737185961 ORACLE Deutschland B.V. & Co. KG | K?hneh?fe 5 | D-22761 Hamburg ORACLE Deutschland B.V. & Co. KG Hauptverwaltung: Riesstr. 25, D-80992 M?nchen Registergericht: Amtsgericht M?nchen, HRA 95603 Komplement?rin: ORACLE Deutschland Verwaltung B.V. Hertogswetering 163/167, 3543 AS Utrecht, Niederlande Handelsregister der Handelskammer Midden-Nederland, Nr. 30143697 Gesch?ftsf?hrer: Alexander van der Ven, Jan Schultheiss, Val Maher Green Oracle Oracle is committed to developing practices and products that help protect the environment From andreas.lundblad at gmail.com Thu Apr 11 13:47:10 2019 From: andreas.lundblad at gmail.com (Andreas Lundblad) Date: Thu, 11 Apr 2019 06:47:10 -0700 Subject: Code Conventions In-Reply-To: <5fd33840-4b95-cdb9-bbee-1eb9d2340376@oracle.com> References: <87va0cqzzh.fsf@mid.deneb.enyo.de> <5fd33840-4b95-cdb9-bbee-1eb9d2340376@oracle.com> Message-ID: That page has said "This section will contain a major revision of our antiquated code conventions" like forever. We came far with that major revision a couple of years ago. Latest draft available here: http://cr.openjdk.java.net/~alundblad/styleguide/index-v6.html I even have a version adapted to openjdk.java.net formatting. I suggest we take this over the finish line and get it published properly. I happen to have time to spare the coming weeks and am happy to contribute. -- Andreas On Thu, Apr 11, 2019 at 5:47 AM Dalibor Topic wrote: > On 22.03.2019 17:13, Jean-Claude Arbaut wrote: > > https://www.oracle.com/technetwork/java/codeconvtoc-136057.html > > Merci Jean-Claude, > > I updated the link accordingly. > > cheers, > dalibor topic > > > Le jeu. 21 mars 2019 ? 11:33, Florian Weimer a ?crit > : > > > >> This page > >> > >> > >> > >> contains only a dead link to: > >> > >> > >> > >> Is this page archived somewhere? > >> > >> Right now, I'm particularly interested in formatting guidelines for > >> exception messages. Should they begin with a capitable letter? Are > >> there rules for producing certain clipped sentences? (Such a rule > >> appears to exist for the first sentence in a method documentation.) > >> > > -- > Oracle > Dalibor Topic | Principal Product Manager > Phone: +494089091214 | Mobile: +491737185961 > > > ORACLE Deutschland B.V. & Co. KG | K?hneh?fe 5 | D-22761 Hamburg > > ORACLE Deutschland B.V. & Co. KG > Hauptverwaltung: Riesstr. 25, D-80992 M?nchen > Registergericht: Amtsgericht M?nchen, HRA 95603 > > Komplement?rin: ORACLE Deutschland Verwaltung B.V. > Hertogswetering 163/167, 3543 AS Utrecht, Niederlande > Handelsregister der Handelskammer Midden-Nederland, Nr. 30143697 > Gesch?ftsf?hrer: Alexander van der Ven, Jan Schultheiss, Val Maher > > Green Oracle Oracle is committed to > developing practices and products that help protect the environment > From hedwards at crawfordtech.com Thu Apr 11 19:52:15 2019 From: hedwards at crawfordtech.com (Hank Edwards) Date: Thu, 11 Apr 2019 19:52:15 +0000 Subject: JNI Signal Chaining and OWASP (Security) Message-ID: I work on a product that provides a JNI wrapper around a native API, we currently use LD_PRELOAD to enable signal chaining. We chose LD_PRELOAD as we do not force our customers to a specific Java vendor or version, nor do we want to complicate our build process by creating a unique build for each of the various Java vendor/versions our customers may be using. We've recently discovered that the use of LD_PRELOAD is considered a code injection risk by security analysis tools, such as ones that check for OWASP 2017. Is there anything we may not be considering to allow our JNI dependent product to be OWASP compliant? Or does anyone know if there are plans to address this in a new or alternate way in the future to allow a JNI application to be OWASP compliant? Builds linking against each supported JVM would work, but going from 1 to 9 builds (roughly 3 JDK vendors x 3 active JDK version levels) on 5 platforms will certainly add to our maintenance and testing cycles. From martijnverburg at gmail.com Thu Apr 11 20:22:26 2019 From: martijnverburg at gmail.com (Martijn Verburg) Date: Thu, 11 Apr 2019 21:22:26 +0100 Subject: JNI Signal Chaining and OWASP (Security) In-Reply-To: References: Message-ID: Hi Hank, I'd this to the security-dev mailing list Cheers, Martijn On Thu, 11 Apr 2019 at 20:52, Hank Edwards wrote: > I work on a product that provides a JNI wrapper around a native API, we > currently use LD_PRELOAD to enable signal chaining. We chose LD_PRELOAD as > we do not force our customers to a specific Java vendor or version, nor do > we want to complicate our build process by creating a unique build for each > of the various Java vendor/versions our customers may be using. We've > recently discovered that the use of LD_PRELOAD is considered a code > injection risk by security analysis tools, such as ones that check for > OWASP 2017. Is there anything we may not be considering to allow our JNI > dependent product to be OWASP compliant? Or does anyone know if there are > plans to address this in a new or alternate way in the future to allow a > JNI application to be OWASP compliant? Builds linking against each > supported JVM would work, but going from 1 to 9 builds (roughly 3 JDK > vendors x 3 active JDK version levels) on 5 platforms will certainly add to > our maintenance and testing cycles. > > From fweimer at redhat.com Fri Apr 12 11:31:47 2019 From: fweimer at redhat.com (Florian Weimer) Date: Fri, 12 Apr 2019 13:31:47 +0200 Subject: JNI Signal Chaining and OWASP (Security) In-Reply-To: (Hank Edwards's message of "Thu, 11 Apr 2019 19:52:15 +0000") References: Message-ID: <87mukva28s.fsf@oldenburg2.str.redhat.com> * Hank Edwards: > I work on a product that provides a JNI wrapper around a native API, > we currently use LD_PRELOAD to enable signal chaining. What is signal chaining? Why do you need it? Thanks, Florian From david.holmes at oracle.com Fri Apr 12 13:03:03 2019 From: david.holmes at oracle.com (David Holmes) Date: Fri, 12 Apr 2019 23:03:03 +1000 Subject: JNI Signal Chaining and OWASP (Security) In-Reply-To: <87mukva28s.fsf@oldenburg2.str.redhat.com> References: <87mukva28s.fsf@oldenburg2.str.redhat.com> Message-ID: <463b0c60-ef1a-8aa9-defd-448cde2dc929@oracle.com> On 12/04/2019 9:31 pm, Florian Weimer wrote: > * Hank Edwards: > >> I work on a product that provides a JNI wrapper around a native API, >> we currently use LD_PRELOAD to enable signal chaining. > > What is signal chaining? Why do you need it? https://docs.oracle.com/javase/8/docs/technotes/guides/vm/signal-chaining.html David > Thanks, > Florian > From fweimer at redhat.com Mon Apr 15 12:22:34 2019 From: fweimer at redhat.com (Florian Weimer) Date: Mon, 15 Apr 2019 14:22:34 +0200 Subject: JNI Signal Chaining and OWASP (Security) In-Reply-To: <463b0c60-ef1a-8aa9-defd-448cde2dc929@oracle.com> (David Holmes's message of "Fri, 12 Apr 2019 23:03:03 +1000") References: <87mukva28s.fsf@oldenburg2.str.redhat.com> <463b0c60-ef1a-8aa9-defd-448cde2dc929@oracle.com> Message-ID: <87sguj31bp.fsf@oldenburg2.str.redhat.com> * David Holmes: > On 12/04/2019 9:31 pm, Florian Weimer wrote: >> * Hank Edwards: >> >>> I work on a product that provides a JNI wrapper around a native API, >>> we currently use LD_PRELOAD to enable signal chaining. >> >> What is signal chaining? Why do you need it? > > https://docs.oracle.com/javase/8/docs/technotes/guides/vm/signal-chaining.html Yikes. Has there been an attempt to come up with an interface which does not rely on symbol interposition? Thanks, Florian From david.holmes at oracle.com Mon Apr 15 13:04:13 2019 From: david.holmes at oracle.com (David Holmes) Date: Mon, 15 Apr 2019 23:04:13 +1000 Subject: JNI Signal Chaining and OWASP (Security) In-Reply-To: <87sguj31bp.fsf@oldenburg2.str.redhat.com> References: <87mukva28s.fsf@oldenburg2.str.redhat.com> <463b0c60-ef1a-8aa9-defd-448cde2dc929@oracle.com> <87sguj31bp.fsf@oldenburg2.str.redhat.com> Message-ID: <59e8bdeb-3277-9e6c-9ece-3a5906a623f8@oracle.com> On 15/04/2019 10:22 pm, Florian Weimer wrote: > * David Holmes: > >> On 12/04/2019 9:31 pm, Florian Weimer wrote: >>> * Hank Edwards: >>> >>>> I work on a product that provides a JNI wrapper around a native API, >>>> we currently use LD_PRELOAD to enable signal chaining. >>> >>> What is signal chaining? Why do you need it? >> >> https://docs.oracle.com/javase/8/docs/technotes/guides/vm/signal-chaining.html > > Yikes. > > Has there been an attempt to come up with an interface which does not > rely on symbol interposition? I'm not aware of any issue with signal chaining that would have warranted any such attempt. This was, as far as I understand it, a point-solution for a specific problem, and it solved that problem. Anyway this isn't a topic of discussion for the discuss list. Technical discussion can happen on hotspot-dev - though I don't know who may have knowledge of OWASP. An interposition library is by definition code-injection. David > Thanks, > Florian > From fweimer at redhat.com Tue Apr 16 12:22:17 2019 From: fweimer at redhat.com (Florian Weimer) Date: Tue, 16 Apr 2019 14:22:17 +0200 Subject: JNI Signal Chaining and OWASP (Security) References: <87mukva28s.fsf@oldenburg2.str.redhat.com> <463b0c60-ef1a-8aa9-defd-448cde2dc929@oracle.com> <87sguj31bp.fsf@oldenburg2.str.redhat.com> <59e8bdeb-3277-9e6c-9ece-3a5906a623f8@oracle.com> Message-ID: <87mukqxhqe.fsf@oldenburg2.str.redhat.com> * David Holmes: > On 15/04/2019 10:22 pm, Florian Weimer wrote: >> * David Holmes: >> >>> On 12/04/2019 9:31 pm, Florian Weimer wrote: >>>> * Hank Edwards: >>>> >>>>> I work on a product that provides a JNI wrapper around a native API, >>>>> we currently use LD_PRELOAD to enable signal chaining. >>>> >>>> What is signal chaining? Why do you need it? >>> >>> https://docs.oracle.com/javase/8/docs/technotes/guides/vm/signal-chaining.html >> >> Yikes. >> >> Has there been an attempt to come up with an interface which does not >> rely on symbol interposition? > > I'm not aware of any issue with signal chaining that would have > warranted any such attempt. This was, as far as I understand it, a > point-solution for a specific problem, and it solved that problem. I'm just surprised it's advertised as a generic mechanism because interposition interacts so poorly with symbol versioning. But maybe new symbol versions for sigaction etc. are sufficiently unlikely. > Anyway this isn't a topic of discussion for the discuss > list. Technical discussion can happen on hotspot-dev - though I don't > know who may have knowledge of OWASP. An interposition library is by > definition code-injection. It's possible to avoid LD_PRELOAD with a custom launcher that links againstl libjsig.so, as explained in the web page referenced. Whether the alleged OWASP requirement makes any sense is a different matter, of course. Thanks, Florian From aph at redhat.com Wed Apr 17 08:21:51 2019 From: aph at redhat.com (Andrew Haley) Date: Wed, 17 Apr 2019 09:21:51 +0100 Subject: JNI Signal Chaining and OWASP (Security) In-Reply-To: <87mukqxhqe.fsf@oldenburg2.str.redhat.com> References: <87mukva28s.fsf@oldenburg2.str.redhat.com> <463b0c60-ef1a-8aa9-defd-448cde2dc929@oracle.com> <87sguj31bp.fsf@oldenburg2.str.redhat.com> <59e8bdeb-3277-9e6c-9ece-3a5906a623f8@oracle.com> <87mukqxhqe.fsf@oldenburg2.str.redhat.com> Message-ID: On 4/16/19 1:22 PM, Florian Weimer wrote: > Whether the alleged OWASP requirement makes any sense is a different > matter, of course. Well, yes, exactly. I'd like to know what the requirement is. I'm concerned that legitimate techniques which people have been using for years are declared insecure. Of course terribly risky practices should be phased out, but some tools (e.g. libffi) have to jump through extraordinary hoops to get around security restrictions. At its most extreme, I wouldn't be surprised if some security expert declared JIT compilation and interpreters insecure. -- Andrew Haley Java Platform Lead Engineer Red Hat UK Ltd. EAC8 43EB D3EF DB98 CC77 2FAD A5CD 6035 332F A671