JNI Signal Chaining and OWASP (Security)

Martijn Verburg martijnverburg at gmail.com
Thu Apr 11 20:22:26 UTC 2019

Hi Hank,

I'd this to the security-dev mailing list


On Thu, 11 Apr 2019 at 20:52, Hank Edwards <hedwards at crawfordtech.com>

> I work on a product that provides a JNI wrapper around a native API, we
> currently use LD_PRELOAD to enable signal chaining.  We chose LD_PRELOAD as
> we do not force our customers to a specific Java vendor or version, nor do
> we want to complicate our build process by creating a unique build for each
> of the various Java vendor/versions our customers may be using.  We've
> recently discovered that the use of LD_PRELOAD is considered a code
> injection risk by security analysis tools, such as ones that check for
> OWASP 2017.  Is there anything we may not be considering to allow our JNI
> dependent product to be OWASP compliant? Or does anyone know if there are
> plans to address this in a new or alternate way in the future to allow a
> JNI application to be OWASP compliant?  Builds linking against each
> supported JVM would work, but going from 1 to 9 builds (roughly 3 JDK
> vendors x 3 active JDK version levels) on 5 platforms will certainly add to
> our maintenance and testing cycles.

More information about the discuss mailing list