An empirical security study of the native code in the JDK

Gang Tan, Jason Croft

Research output: Contribution to conferencePaper

46 Scopus citations

Abstract

It is well known that the use of native methods in Java defeats Java’s guarantees of safety and security, which is why the default policy of Java applets, for example, does not allow loading non-local native code. However, there is already a large amount of trusted native C/C++ code that comprises a significant portion of the Java Development Kit (JDK). We have carried out an empirical security study on a portion of the native code in Sun’s JDK 1.6. By applying static analysis tools and manual inspection, we have identified in this security-critical code previously undiscovered bugs. Based on our study, we describe a taxonomy to classify bugs. Our taxonomy provides guidance to construction of automated and accurate bug-finding tools. We also suggest systematic remedies that can mediate the threats posed by the native code.

Original languageEnglish (US)
Pages365-377
Number of pages13
StatePublished - Jan 1 2008
Event17th USENIX Security Symposium - San Jose, United States
Duration: Jul 28 2008Aug 1 2008

Conference

Conference17th USENIX Security Symposium
CountryUnited States
CitySan Jose
Period7/28/088/1/08

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications
  • Information Systems
  • Safety, Risk, Reliability and Quality

Fingerprint Dive into the research topics of 'An empirical security study of the native code in the JDK'. Together they form a unique fingerprint.

  • Cite this

    Tan, G., & Croft, J. (2008). An empirical security study of the native code in the JDK. 365-377. Paper presented at 17th USENIX Security Symposium, San Jose, United States.