JNI Signal Chaining and OWASP (Security)
Martijn Verburg
martijnverburg at gmail.com
Thu Apr 11 20:22:26 UTC 2019
Hi Hank,
I'd this to the security-dev mailing list
Cheers,
Martijn
On Thu, 11 Apr 2019 at 20:52, Hank Edwards <hedwards at crawfordtech.com>
wrote:
> I work on a product that provides a JNI wrapper around a native API, we
> currently use LD_PRELOAD to enable signal chaining. We chose LD_PRELOAD as
> we do not force our customers to a specific Java vendor or version, nor do
> we want to complicate our build process by creating a unique build for each
> of the various Java vendor/versions our customers may be using. We've
> recently discovered that the use of LD_PRELOAD is considered a code
> injection risk by security analysis tools, such as ones that check for
> OWASP 2017. Is there anything we may not be considering to allow our JNI
> dependent product to be OWASP compliant? Or does anyone know if there are
> plans to address this in a new or alternate way in the future to allow a
> JNI application to be OWASP compliant? Builds linking against each
> supported JVM would work, but going from 1 to 9 builds (roughly 3 JDK
> vendors x 3 active JDK version levels) on 5 platforms will certainly add to
> our maintenance and testing cycles.
>
>
More information about the discuss
mailing list