JNI Signal Chaining and OWASP (Security)
fweimer at redhat.com
Tue Apr 16 12:22:17 UTC 2019
* David Holmes:
> On 15/04/2019 10:22 pm, Florian Weimer wrote:
>> * David Holmes:
>>> On 12/04/2019 9:31 pm, Florian Weimer wrote:
>>>> * Hank Edwards:
>>>>> I work on a product that provides a JNI wrapper around a native API,
>>>>> we currently use LD_PRELOAD to enable signal chaining.
>>>> What is signal chaining? Why do you need it?
>> Has there been an attempt to come up with an interface which does not
>> rely on symbol interposition?
> I'm not aware of any issue with signal chaining that would have
> warranted any such attempt. This was, as far as I understand it, a
> point-solution for a specific problem, and it solved that problem.
I'm just surprised it's advertised as a generic mechanism because
interposition interacts so poorly with symbol versioning. But maybe new
symbol versions for sigaction etc. are sufficiently unlikely.
> Anyway this isn't a topic of discussion for the discuss
> list. Technical discussion can happen on hotspot-dev - though I don't
> know who may have knowledge of OWASP. An interposition library is by
> definition code-injection.
It's possible to avoid LD_PRELOAD with a custom launcher that links
against libjsig.so, as explained in the web page referenced.
Whether the alleged OWASP requirement makes any sense is a different
matter, of course.