JNI Signal Chaining and OWASP (Security)
Florian Weimer
fweimer at redhat.com
Tue Apr 16 12:22:17 UTC 2019
* David Holmes:
> On 15/04/2019 10:22 pm, Florian Weimer wrote:
>> * David Holmes:
>>
>>> On 12/04/2019 9:31 pm, Florian Weimer wrote:
>>>> * Hank Edwards:
>>>>
>>>>> I work on a product that provides a JNI wrapper around a native API,
>>>>> we currently use LD_PRELOAD to enable signal chaining.
>>>>
>>>> What is signal chaining? Why do you need it?
>>>
>>> https://docs.oracle.com/javase/8/docs/technotes/guides/vm/signal-chaining.html
>>
>> Yikes.
>>
>> Has there been an attempt to come up with an interface which does not
>> rely on symbol interposition?
>
> I'm not aware of any issue with signal chaining that would have
> warranted any such attempt. This was, as far as I understand it, a
> point-solution for a specific problem, and it solved that problem.
I'm just surprised it's advertised as a generic mechanism because
interposition interacts so poorly with symbol versioning. But maybe new
symbol versions for sigaction etc. are sufficiently unlikely.
> Anyway this isn't a topic of discussion for the discuss
> list. Technical discussion can happen on hotspot-dev - though I don't
> know who may have knowledge of OWASP. An interposition library is by
> definition code-injection.
It's possible to avoid LD_PRELOAD with a custom launcher that links
againstl libjsig.so, as explained in the web page referenced.
Whether the alleged OWASP requirement makes any sense is a different
matter, of course.
Thanks,
Florian
More information about the discuss
mailing list