Finding bugs in exceptional situations of JNI programs

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2009, Pages 442-452

  Li, Siliang ^a   Tan, Gang ^a  

^a Lehigh University   (United States)

Author keywords

Java native interface; Static analysis; Taint analysis

Indexed keywords

ERROR-PRONE PROCESS; EXCEPTION ANALYSIS; FOREIGN FUNCTION INTERFACE; JAVA NATIVE INTERFACE; JAVA NATIVE INTERFACES; JAVA VIRTUAL MACHINES; LINES OF CODE; NATIVE CODE; SECURITY FLAWS;

JAVA PROGRAMMING LANGUAGE; NETWORK SECURITY; PROGRAM DEBUGGING; STATIC ANALYSIS;

COMPUTER SOFTWARE;

EID: 74049147430     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1653662.1653716     Document Type: Conference Paper

References (34)

1. K. Ashcraft and D. Engler. Using programmer-written compiler extensions to catch security holes. In IEEE Symposium on Security and Privacy (S&P), pages 143-159, Washington, DC, USA, 2002. IEEE Computer Society.
2. B.-M. Chang, J.-W. Jo, K. Yi, and K.-M. Choe. Interprocedural exception analysis for Java. In SAC '01: Proceedings of the 2001 ACM symposium on Applied computing, pages 620-625, New York, NY, USA, 2001. ACM.
3. W. Chang, B. Streiff, and C. Lin. Efficient and extensible security enforcement using dynamic data flow analysis. In CCS '08: Proceedings of the 15th ACM conference on Computer and communications security, pages 39-50, 2008.
4. H. Chen and D. Wagner. Mops: an infrastructure for examining security properties of software. In CCS '02: Proceedings of the 9th ACM conference on Computer and communications security, pages 235-244, 2002.
5. M. Das, S. Lerner, and M. Seigle. ESP: path-sensitive program verification in polynomial time. In ACM Conference on Programming Language Design and Implementation (PLDI), pages 57-68, 2002.
6. M. Furr and J. S. Foster. Polymorphic type inference for the JNI. In 15th European Symposium on Programming (ESOP), pages 309-324, 2006.
7. S. D. Gathman. java-posix. http://www.bmsi.com/java/posix/package.html. Fetched on August 7, 2009.
8. The java-gnome user interface library. http://java-gnome.sourceforge.net/ . Fetched on August 7, 2009.
9. JOGL API project. https://jogl.dev.java.net/. Fetched on August 7, 2009.
10. N. Jovanovic, C. Kruegel, and E. Kirda. Pixy: A static analysis tool for detecting web application vulnerabilities (short paper). In IEEE Symposium on Security and Privacy (S&P), pages 258-263, 2006.
11. G. Kondoh and T. Onodera. Finding bugs in Java Native Interface programs. In International Symposium on Software Testing and Analysis (ISSTA), pages 109-118, New York, NY, USA, 2008. ACM.
12. X. Leroy. The Objective Caml system, 2008. http://caml.inria.fr/ pub/docs/manual-ocaml/index.html.
13. S. Liang. Java Native Interface: Programmer's Guide and Reference. Addison-Wesley Longman Publishing Co., Inc., 1999.
14. B. Livshits and M. Lam. Finding security vulnerabilities in Java applications with static analysis. In 14th Usenix Security Symposium, pages 271-286, 2005.
15. D. Malayeri and J. Aldrich. Practical exception speci.cations. In Advanced Topics in Exception Handling Techniques, volume 4119 of Lecture Notes in Computer Science, pages 200-220. Springer, 2006.
16. G. C. Necula, J. Condit, M. Harren, S. McPeak, and W. Weimer. Ccured: type-safe retrofitting of legacy software. ACM Transactions on Programming Languages and Systems, 27(3):477-526, 2005.
17. G. C. Necula, S. McPeak, S. P. Rahul, and W. Weimer. CIL: Intermediate language and tools for analysis and transformation of C programs. In International Conference on Compiler Construction (CC), pages 213-228, 2002.
18. J. Newsome and D. Song. Dynamic taint analysis for automatic dedection, analysis, and signature generation of exploits on commodity software. In Network and Distributed System Security Symposium(NDSS), 2005.
19. A. Nguyen-tuong, S. Guarnieri, D. Greene, and D. Evans. Automatically hardening web applications using precise tainting. In In 20th IFIP International Information Security Conference, pages 372-382, 2005.
20. F. Nielson, H. R. Nielson, and C. Hankin. Principles of Program Analysis. Springer-Verlag Berlin, 1999.
21. Python/C API reference manual. http://docs.python.org/c-api/index.html, Apr. 2009.
22. T. Reps, S. Horwitz, and M. Sagiv. Precise interprocedural data.ow analysis via graph reachability. In 22nd ACM Symposium on Principles of Programming Languages (POPL), pages 49-61, 1995.
23. M. P. Robillard and G. C. Murphy. Static analysis to support the evolution of exception structure in object-oriented systems. ACM Transactions on Programming Languages and Systems, 12(2):191-221, 2003.
24. M. Schoenefeld. Denial-of-service holes in JDK 1.3.1 and 1.4.1 01. Retrieved Apr 26th, 2008, from http://www.illegalaccess.org/java/ZipBugs.php, 2003.
25. U. Shankar, K. Talwar, J. S. Foster, and D. Wagner. Detecting format string vulnerabilities with type quali.ers. In In Proceedings of the 10th USENIX Security Symposium, pages 201-220, 2001.
26. R. E. Strom and S. Yemini. Typestate: A programming language concept for enhancing software reliability. IEEE Transactions on Software Engineering, 12(1):157-171, 1986.
27. G. Tan, A. W. Appel, S. Chakradhar, A. Raghunathan, S. Ravi, and D. Wang. Safe Java Native Interface. In Proceedings of IEEE International Symposium on Secure Software Engineering, pages 97-106, 2006.
28. G. Tan and J. Croft. An empirical security study of the native code in the JDK. In 17th Usenix Security Symposium, pages 365-377, 2008.
29. US-CERT. Vulnerability note VU#138545: Java Runtime Environment image parsing code buffer overflow vulnerability, June 2007. Credit goes to Chris Evans.
30. US-CERT. Vulnerability note VU#939609: Sun Java JRE vulnerable to arbitrary code execution via an unspecified error, Jan. 2007. Credit goes to Chris Evans.
31. W. Weimer and G. Necula. Exceptional situations and program reliability. ACM Transactions on Programming Languages and Systems, 30(2):1-51, 2008.
32. Y. Xie and A. Aiken. Static detection of security vulnerabilities in scripting languages. In 15th Usenix Security Symposium, pages 179-192, Berkeley, CA, USA, 2006. USENIX Association.
33. W. Xinran, J. Yoon-Chan, Z. Sencun, and L. Peng. Still: Exploit code detection via static taint and initialization analyses. In ACSAC '08: Proceedings of the 2008 Annual Computer Security Applications Conference, pages 289-298, Washington, DC, USA, 2008. IEEE Computer Society.
34. W. Xu, S. Bhatkar, and R. Sekar. Taint-enhanced policy enforcement: a practical approach to defeat a wide range of attacks. In 15th Usenix Security Symposium, Berkeley, CA, USA, 2006. USENIX Association.