JNI Signal Chaining and OWASP (Security)

Hank Edwards hedwards at crawfordtech.com
Thu Apr 11 19:52:15 UTC 2019

I work on a product that provides a JNI wrapper around a native API, we currently use LD_PRELOAD to enable signal chaining.  We chose LD_PRELOAD as we do not force our customers to a specific Java vendor or version, nor do we want to complicate our build process by creating a unique build for each of the various Java vendor/versions our customers may be using.  We've recently discovered that the use of LD_PRELOAD is considered a code injection risk by security analysis tools, such as ones that check for OWASP 2017.  Is there anything we may not be considering to allow our JNI dependent product to be OWASP compliant? Or does anyone know if there are plans to address this in a new or alternate way in the future to allow a JNI application to be OWASP compliant?  Builds linking against each supported JVM would work, but going from 1 to 9 builds (roughly 3 JDK vendors x 3 active JDK version levels) on 5 platforms will certainly add to our maintenance and testing cycles.

More information about the discuss mailing list