Efficient software-based fault isolation
SOSP '93 Proceedings of the fourteenth ACM symposium on Operating systems principles
Dynamic class loading in the Java virtual machine
Proceedings of the 13th ACM SIGPLAN conference on Object-oriented programming, systems, languages, and applications
Securing Java: getting down to business with mobile code
Securing Java: getting down to business with mobile code
Bandera: extracting finite-state models from Java source code
Proceedings of the 22nd international conference on Software engineering
Automatic predicate abstraction of C programs
Proceedings of the ACM SIGPLAN 2001 conference on Programming language design and implementation
CCured: type-safe retrofitting of legacy code
POPL '02 Proceedings of the 29th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Flow-sensitive type qualifiers
PLDI '02 Proceedings of the ACM SIGPLAN 2002 Conference on Programming language design and implementation
Extended static checking for Java
PLDI '02 Proceedings of the ACM SIGPLAN 2002 Conference on Programming language design and implementation
Java Native Interface: Programmer's Guide and Reference
Java Native Interface: Programmer's Guide and Reference
MOPS: an infrastructure for examining security properties of software
Proceedings of the 9th ACM conference on Computer and communications security
ATEC '02 Proceedings of the General Track of the annual conference on USENIX Annual Technical Conference
CIL: Intermediate Language and Tools for Analysis and Transformation of C Programs
CC '02 Proceedings of the 11th International Conference on Compiler Construction
ITS4: A static vulnerability scanner for C and C++ code
ACSAC '00 Proceedings of the 16th Annual Computer Security Applications Conference
A Type System for the Java Bytecode Language and Verifier
Journal of Automated Reasoning
Java Security: From HotJava to Netscape and Beyond
SP '96 Proceedings of the 1996 IEEE Symposium on Security and Privacy
CMC: a pragmatic approach to model checking real code
OSDI '02 Proceedings of the 5th symposium on Operating systems design and implementationCopyright restrictions prevent ACM from being able to make the PDFs for this conference available for downloading
Checking type safety of foreign function calls
Proceedings of the 2005 ACM SIGPLAN conference on Programming language design and implementation
Formal certification of a compiler back-end or: programming a compiler with a proof assistant
Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages
A machine-checked model for a Java-like language, virtual machine, and compiler
ACM Transactions on Programming Languages and Systems (TOPLAS)
Finding security vulnerabilities in java applications with static analysis
SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Evaluating SFI for a CISC architecture
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Jeannie: granting java native interface developers their wishes
Proceedings of the 22nd annual ACM SIGPLAN conference on Object-oriented programming systems and applications
Ilea: inter-language analysis across java and c
Proceedings of the 22nd annual ACM SIGPLAN conference on Object-oriented programming systems and applications
Type qualifier inference for java
Proceedings of the 22nd annual ACM SIGPLAN conference on Object-oriented programming systems and applications
XFI: software guards for system address spaces
OSDI '06 Proceedings of the 7th symposium on Operating systems design and implementation
Polymorphic type inference for the JNI
ESOP'06 Proceedings of the 15th European conference on Programming Languages and Systems
Debug all your code: portable mixed-environment debugging
Proceedings of the 24th ACM SIGPLAN conference on Object oriented programming systems languages and applications
Finding bugs in exceptional situations of JNI programs
Proceedings of the 16th ACM conference on Computer and communications security
Weak updates and separation logic
APLAS '09 Proceedings of the 7th Asian Symposium on Programming Languages and Systems
Jinn: synthesizing dynamic bug detectors for foreign language interfaces
PLDI '10 Proceedings of the 2010 ACM SIGPLAN conference on Programming language design and implementation
Robusta: taming the native beast of the JVM
Proceedings of the 17th ACM conference on Computer and communications security
Retaining sandbox containment despite bugs in privileged memory-safe code
Proceedings of the 17th ACM conference on Computer and communications security
Return-oriented programming without returns
Proceedings of the 17th ACM conference on Computer and communications security
JNI light: an operational model for the core JNI
APLAS'10 Proceedings of the 8th Asian conference on Programming languages and systems
Privilege escalation attacks on android
ISC'10 Proceedings of the 13th international conference on Information security
Quarantine: a framework to mitigate memory errors in JNI applications
Proceedings of the 9th International Conference on Principles and Practice of Programming in Java
DroidChecker: analyzing android applications for capability leak
Proceedings of the fifth ACM conference on Security and Privacy in Wireless and Mobile Networks
Privilege separation in HTML5 applications
Security'12 Proceedings of the 21st USENIX conference on Security symposium
An efficient native function interface for Java
Proceedings of the 2013 International Conference on Principles and Practices of Programming on the Java Platform: Virtual Machines, Languages, and Tools
JNICodejail: native code isolation for Java programs
Proceedings of the 2013 International Conference on Principles and Practices of Programming on the Java Platform: Virtual Machines, Languages, and Tools
Bringing java's wild native world under control
ACM Transactions on Information and System Security (TISSEC)
| Hi-index | 0.00 |
It is well known that the use of native methods in Java defeats Java's guarantees of safety and security, which is why the default policy of Java applets, for example, does not allow loading non-local native code. However, there is already a large amount of trusted native C/C++ code that comprises a significant portion of the Java Development Kit (JDK). We have carried out an empirical security study on a portion of the native code in Sun's JDK 1.6. By applying static analysis tools and manual inspection, we have identified in this security-critical code previously undiscovered bugs. Based on our study, we describe a taxonomy to classify bugs. Our taxonomy provides guidance to construction of automated and accurate bug-finding tools. We also suggest systematic remedies that can mediate the threats posed by the native code.