Typestate: A programming language concept for enhancing software reliability
IEEE Transactions on Software Engineering
Precise interprocedural dataflow analysis via graph reachability
POPL '95 Proceedings of the 22nd ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Interprocedural exception analysis for Java
Proceedings of the 2001 ACM symposium on Applied computing
ESP: path-sensitive program verification in polynomial time
PLDI '02 Proceedings of the ACM SIGPLAN 2002 Conference on Programming language design and implementation
Java Native Interface: Programmer's Guide and Reference
Java Native Interface: Programmer's Guide and Reference
Principles of Program Analysis
Principles of Program Analysis
MOPS: an infrastructure for examining security properties of software
Proceedings of the 9th ACM conference on Computer and communications security
CIL: Intermediate Language and Tools for Analysis and Transformation of C Programs
CC '02 Proceedings of the 11th International Conference on Compiler Construction
Using Programmer-Written Compiler Extensions to Catch Security Holes
SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
Static analysis to support the evolution of exception structure in object-oriented systems
ACM Transactions on Software Engineering and Methodology (TOSEM)
CCured: type-safe retrofitting of legacy software
ACM Transactions on Programming Languages and Systems (TOPLAS)
Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper)
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Detecting format string vulnerabilities with type qualifiers
SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Finding security vulnerabilities in java applications with static analysis
SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Taint-enhanced policy enforcement: a practical approach to defeat a wide range of attacks
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Static detection of security vulnerabilities in scripting languages
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Exceptional situations and program reliability
ACM Transactions on Programming Languages and Systems (TOPLAS)
Finding bugs in java native interface programs
ISSTA '08 Proceedings of the 2008 international symposium on Software testing and analysis
Efficient and extensible security enforcement using dynamic data flow analysis
Proceedings of the 15th ACM conference on Computer and communications security
STILL: Exploit Code Detection via Static Taint and Initialization Analyses
ACSAC '08 Proceedings of the 2008 Annual Computer Security Applications Conference
An empirical security study of the native code in the JDK
SS'08 Proceedings of the 17th conference on Security symposium
Practical exception specifications
Advanced Topics in Exception Handling Techniques
Polymorphic type inference for the JNI
ESOP'06 Proceedings of the 15th European conference on Programming Languages and Systems
Jinn: synthesizing dynamic bug detectors for foreign language interfaces
PLDI '10 Proceedings of the 2010 ACM SIGPLAN conference on Programming language design and implementation
Robusta: taming the native beast of the JVM
Proceedings of the 17th ACM conference on Computer and communications security
Retaining sandbox containment despite bugs in privileged memory-safe code
Proceedings of the 17th ACM conference on Computer and communications security
JNI light: an operational model for the core JNI
APLAS'10 Proceedings of the 8th Asian conference on Programming languages and systems
JET: exception checking in the Java native interface
Proceedings of the 2011 ACM international conference on Object oriented programming systems languages and applications
Quarantine: a framework to mitigate memory errors in JNI applications
Proceedings of the 9th International Conference on Principles and Practice of Programming in Java
Bringing java's wild native world under control
ACM Transactions on Information and System Security (TISSEC)
| Hi-index | 0.00 |
Software flaws in native methods may defeat Java's guarantees of safety and security. One common kind of flaws in native methods results from the discrepancy on how exceptions are handled in Java and in native methods. Unlike exceptions in Java, exceptions raised in the native code through the Java Native Interface (JNI) are not controlled by the Java Virtual Machine (JVM). Only after the native code finishes execution will the JVM's mechanism for exceptions take over. This discrepancy makes handling of JNI exceptions an error prone process and can cause serious security flaws in software written using the JNI. We propose a novel static analysis framework to examine exceptions and report errors in JNI programs. We have built a complete tool consisting of exception analysis, static taint analysis, and warning recovery. Experimental results demonstrated this tool allows finding of mishandling of exceptions with high accuracy (15.4% false-positive rate on over 260k lines of code). Our framework can be easily applied to analyzing software written in other foreign function interfaces, including the Python/C interface and the OCaml/C interface.