ISBN: 9781450368575 (print)
It is well known that once a Java application uses native C/C++ methods through the Java Native Interface (JNI), any security guarantees provided by Java might be invalidated by the native methods. So any vulnerability in this trusted native code can compromise the security of the Java program. Fuzzing test is an approach to software testing whereby the system being tested is bombarded with inputs generated by another program. When using fuzzer to test JNI programs, how to accurately reach the JNI functions and run through them to find the sensitive system APIs is the pre-condition of the test. In this paper, we present a heuristic fuzz generator method on JNI vulnerability detection based on the branch predication information of program. The result in the experiment shows our method can use less fuzzing times to reach more sensitive Windows APIs in Java native code.
The use of the Java Native Interface (JNI) allows taking advantage of the existing libraries written in different programming languages for code reuse, performance, and security. Despite the importance of JNI in development, practices on its usages are not well studied yet. In this paper, we investigated the usage of JNI in 100 open source systems collected from OpenHub and GitHub, around 8k of source code files combined between Java and C/C++, including the Java class libraries part of the JDK v9. We identified the state of the practice in JNI systems by semi-automatically and manually analyzing the source *** qualitative analysis shows eleven JNI practices where they are mainly related to loading libraries, implementing native methods, exception management, return types, and local/global references management. Basing on our findings, we provided some suggestions and recommendations to developers to facilitate the debugging tasks of JNI in multi-language systems, which can also help them to deal with the Java and C memory.
This article describes how the Java Native Interface (JNI) is a powerful feature of the Java platform that started to draw attention in the latter years as an efficient programming framework for building and delivering innovative technological applications based on disruptive technologies such as mobile, Internet of Things and embedded systems. Developers use it to incorporate native code written in programming languages such as C, C++, Python etc., into Java. JNI is particularly useful when Java applications need to access existing native libraries or code blocks written in other languages to increase performance, avoid recoding and expand interoperability between programming languages for processes that reside in the same process. This article aims to explore JNI features and to discover fundamental operations of the Java programming language, such as arrays, objects, classes, threads and exception handling, and to illustrate these by using various algorithms and code samples.
This article aims to explore JNI features and to discover fundamental operations of the Java programming language, such as arrays, objects, classes, threads and exception handling, and to illustrate these by using various algorithms and code samples. The authors also investigate the JNI Invocation API that allows native applications to interact with the Java Virtual Machine (JVM). They focus on attaching native threads to a running JVM and on leveraging existing native code using one-to-one mapping and shared stubs.
A Foreign Function Interface (FFI) allows one host programming language to interoperate with another foreign language. It enables efficient software development by permitting developers to assemble components in different languages. One typical FFI is the Java Native Interface (JNI), through which Java programs can invoke native-code components developed in C, C++, or assembly code. Although FFIs bring convenience to software development, interface code developed in FFIs is often error prone because of the lack of safety and security enforcement. This paper introduces a static-analysis framework, Turbojet, which finds exception-related bugs in JNI applications. It finds bugs of inconsistent exception declarations and bugs of mishandling JNI exceptions. Turbojet is carefully engineered to achieve both high efficiency and accuracy. We have applied Turbojet on a set of benchmark programs and identified many errors. We have also implemented a practical Eclipse plug-in based on Turbojet that can be used by JNI programmers to find errors in their code. (C) 2014 Elsevier B.V. All rights reserved.
Java Native Interface (JNI) allows Java applications to access native libraries, but it is challenging to develop correct JNI programs. By leveraging native code, the JNI enables Java developers to implement efficient applications and reuse code written in other programming languages such as C and C++. The core Java libraries use the JNI to provide system features like graphical user interfaces, and mainstream Java Virtual Machines (JVMs) support the JNI. However, implementing correct JNI programs is not trivial due to the complex interoperation semantics between different programming languages. While JVMs do not validate JNI interoperations by default because of the performance overhead, they provide two methods. First, JVMs report the interoperation failures defined in the JNI specification at runtime. Second, they support a debug option, which validates JNI interoperations, degrading the runtime performance. To the best of our knowledge, literature has not thoroughly studied the quality of JVMs' methods, even though erroneous JNI interoperations may result in incorrect behaviors. In this paper, we empirically study the behaviors of JVMs on erroneous JNI interoperations. For a systematic study, we propose JUSTGen, a semi-automatic tool that generates JNI test programs incurring erroneous interoperations from the JNI specification. JUSTGen receives the JNI specification written in our domain-specific language (DSL) and automatically discovers cases that may lead to runtime errors on interoperations using an SMT solver. It then generates test programs that trigger the behaviors on the erroneous cases. Using the generated tests, we empirically evaluate JVM's failure handling mechanisms and the debug option capabilities on erroneous JNI interoperations. Our experiment results show that there exist erroneous cases in which JVMs do not handle failures or handle them differently from the specification. We also found that the JNI debug option does not validate thousands o
The existence of native code in Android apps plays an important role in triggering inconspicuous propagation of secrets and circumventing malware detection. However, the state-of-the-art information-flow analysis tools for Android apps all have limited capabilities of analyzing native code. Due to the complexity of binary-level static analysis, most static analyzers choose to build conservative models for a selected portion of native code. Though the recent inter-language analysis improves the capability of tracking information flow in native code, it is still far from attaining similar effectiveness of the state-of-the-art information-flow analyzers that focus on non-native Java methods. To overcome the above constraints, we propose a new analysis framework, μDep, to detect sensitive information flows of the Android apps containing native code. In this framework, we combine a control-flow based static binary analysis with a mutation-based dynamic analysis to model the tainting behaviors of native code in the apps. Based on the result of the analyses, μDep conducts a stub generation for the related native functions to facilitate the state-of-the-art analyzer DroidSafe with fine-grained tainting behavior summaries of native code. The experimental results show that our framework is competitive on the accuracy, and effective in analyzing the information flows in real-world apps and malware compared with the state-of-the-art inter-language static analysis.
JNI programs are widely used thanks to the combined benefits of C and Java programs. However, because understanding the interaction behaviors between two different programming languages is challenging, JNI program development is difficult to get right and vulnerable to security attacks. Thus, researchers have proposed static analysis of JNI program source code to detect bugs and security vulnerabilities in JNI programs. Unfortunately, such source code analysis is not applicable to compiled JNI programs that are not open-sourced or open-source JNI programs containing third-party binary libraries. While JN-SAF, the state-of-the-art analyzer for compiled JNI programs, can analyze binary code, it has several limitations due to its symbolic execution and summary-based bottom-up analysis. In this paper, we propose a novel approach to statically analyze compiled JNI programs without their source code using binary decompilation. Unlike JN-SAF that analyzes binaries directly, our approach decompiles binaries and analyzes JNI programs with the decompiled binaries using an existing JNI program analyzer for source code. To decompile binaries to compilable C source code with precise JNI-interoperation-related types, we improve an existing decompilation tool by leveraging the characteristics of JNI programs. Our evaluation shows that the approach is precise as almost the same as the state-of-the-art JNI program analyzer for source code, and more precise than JN-SAF.
ISBN: 9780738113197 (print)
Java Native Interface (JNI) provides a way for Java applications to access native libraries, but it is difficult to develop correct JNI programs. By leveraging native code, the JNI enables Java developers to implement efficient applications and to reuse code written in other programming languages such as C and C++. Besides, the core Java libraries already use the JNI to provide system features like a graphical user interface. As a result, many mainstream Java Virtual Machines (JVMs) support the JNI. However, due to the complex interoperation semantics between different programming languages, implementing correct JNI programs is not trivial. Moreover, because of the performance overhead, JVMs do not validate erroneous JNI interoperations by default, but they validate them only when the debug feature, the -Xcheck:jni option, is enabled. Therefore, the correctness of JNI programs highly relies on the checks by the -Xcheck:jni option of JVMs. Questions remain, however, on the quality of the checks provided by the feature. Are there any properties that the -Xcheck:jni option fails to validate? If so, what potential issues can arise due to the lack of such validation? To the best of our knowledge, no research has explored these questions in-depth. In this paper, we empirically study the validation quality and impacts of the -Xcheck:jni option on mainstream JVMs using unspecified corner cases in the JNI specification. Such unspecified cases may lead to unexpected run-time behaviors because their semantics is not defined in the specification. For a systematic study, we propose JUSTGEN, a semi-automated approach to identify unspecified cases from a specification and generate test programs. JUSTGEN receives the JNI specification written in our domain specific language (DSL), and automatically discovers unspecified cases using an SMT solver. It then generates test programs that trigger the behaviors of unspecified cases. Using the generated tests, we empirically study the vali
The R language is widely used for data analysis. However, it does not allow for complex object-oriented implementation and it tends to be slower than other languages such as Java, C and C++. Consequently, it can be more computationally efficient to run native Java code in R. To do this, there exist at least two approaches. One is based on the Java Native Interface (JNI) and it has been successfully implemented in the rJava package. An alternative approach consists of running a local server in Java and linking it to an R environment through a socket connection. This alternative approach has been implemented in an R package called J4R. This article shows how this approach makes it possible to simplify the calls to Java methods and to integrate the R vectorization. The downside is a loss of performance. However, if the vectorization is used in conjunction with multithreading, this loss of performance can be compensated for.