JNI Signal Chaining and OWASP (Security)

Florian Weimer fweimer at redhat.com
Tue Apr 16 12:22:17 UTC 2019

* David Holmes:

> On 15/04/2019 10:22 pm, Florian Weimer wrote:
>> * David Holmes:
>>> On 12/04/2019 9:31 pm, Florian Weimer wrote:
>>>> * Hank Edwards:
>>>>> I work on a product that provides a JNI wrapper around a native API,
>>>>> we currently use LD_PRELOAD to enable signal chaining.
>>>> What is signal chaining?  Why do you need it?
>>> https://docs.oracle.com/javase/8/docs/technotes/guides/vm/signal-chaining.html
>> Yikes.
>> Has there been an attempt to come up with an interface which does not
>> rely on symbol interposition?
> I'm not aware of any issue with signal chaining that would have
> warranted any such attempt. This was, as far as I understand it, a
> point-solution for a specific problem, and it solved that problem.

I'm just surprised it's advertised as a generic mechanism because
interposition interacts so poorly with symbol versioning.  But maybe new
symbol versions for sigaction etc. are sufficiently unlikely.

> Anyway this isn't a topic of discussion for the discuss
> list. Technical discussion can happen on hotspot-dev - though I don't
> know who may have knowledge of OWASP. An interposition library is by
> definition code-injection.

It's possible to avoid LD_PRELOAD with a custom launcher that links
againstl libjsig.so, as explained in the web page referenced.

Whether the alleged OWASP requirement makes any sense is a different
matter, of course.


More information about the discuss mailing list