Finding bugs in exceptional situations of JNI programs

Siliang Li, Gang Tan

Research output: Chapter in Book/Report/Conference proceedingConference contribution

27 Citations (Scopus)

Abstract

Software flaws in native methods may defeat Java's guarantees of safety and security. One common kind of flaws in native methods results from the discrepancy on how exceptions are handled in Java and in native methods. Unlike exceptions in Java, exceptions raised in the native code through the Java Native Interface (JNI) are not controlled by the Java Virtual Machine (JVM). Only after the native code finishes execution will the JVM's mechanism for exceptions take over. This discrepancy makes handling of JNI exceptions an error prone process and can cause serious security flaws in software written using the JNI. We propose a novel static analysis framework to examine exceptions and report errors in JNI programs. We have built a complete tool consisting of exception analysis, static taint analysis, and warning recovery. Experimental results demonstrated this tool allows finding of mishandling of exceptions with high accuracy (15.4% false-positive rate on over 260k lines of code). Our framework can be easily applied to analyzing software written in other foreign function interfaces, including the Python/C interface and the OCaml/C interface.

Original languageEnglish (US)
Title of host publicationCCS'09 - Proceedings of the 16th ACM Conference on Computer and Communications Security
Pages442-452
Number of pages11
DOIs
StatePublished - Dec 1 2009
Event16th ACM Conference on Computer and Communications Security, CCS'09 - Chicago, IL, United States
Duration: Nov 9 2009Nov 13 2009

Publication series

NameProceedings of the ACM Conference on Computer and Communications Security
ISSN (Print)1543-7221

Other

Other16th ACM Conference on Computer and Communications Security, CCS'09
CountryUnited States
CityChicago, IL
Period11/9/0911/13/09

Fingerprint

Static analysis
Defects
Recovery
Virtual machine

All Science Journal Classification (ASJC) codes

  • Software
  • Computer Networks and Communications

Cite this

Li, S., & Tan, G. (2009). Finding bugs in exceptional situations of JNI programs. In CCS'09 - Proceedings of the 16th ACM Conference on Computer and Communications Security (pp. 442-452). (Proceedings of the ACM Conference on Computer and Communications Security). https://doi.org/10.1145/1653662.1653716
Li, Siliang ; Tan, Gang. / Finding bugs in exceptional situations of JNI programs. CCS'09 - Proceedings of the 16th ACM Conference on Computer and Communications Security. 2009. pp. 442-452 (Proceedings of the ACM Conference on Computer and Communications Security).
@inproceedings{531bc538c9944aa8be49ea5da82e5a56,
title = "Finding bugs in exceptional situations of JNI programs",
abstract = "Software flaws in native methods may defeat Java's guarantees of safety and security. One common kind of flaws in native methods results from the discrepancy on how exceptions are handled in Java and in native methods. Unlike exceptions in Java, exceptions raised in the native code through the Java Native Interface (JNI) are not controlled by the Java Virtual Machine (JVM). Only after the native code finishes execution will the JVM's mechanism for exceptions take over. This discrepancy makes handling of JNI exceptions an error prone process and can cause serious security flaws in software written using the JNI. We propose a novel static analysis framework to examine exceptions and report errors in JNI programs. We have built a complete tool consisting of exception analysis, static taint analysis, and warning recovery. Experimental results demonstrated this tool allows finding of mishandling of exceptions with high accuracy (15.4{\%} false-positive rate on over 260k lines of code). Our framework can be easily applied to analyzing software written in other foreign function interfaces, including the Python/C interface and the OCaml/C interface.",
author = "Siliang Li and Gang Tan",
year = "2009",
month = "12",
day = "1",
doi = "10.1145/1653662.1653716",
language = "English (US)",
isbn = "9781605583525",
series = "Proceedings of the ACM Conference on Computer and Communications Security",
pages = "442--452",
booktitle = "CCS'09 - Proceedings of the 16th ACM Conference on Computer and Communications Security",

}

Li, S & Tan, G 2009, Finding bugs in exceptional situations of JNI programs. in CCS'09 - Proceedings of the 16th ACM Conference on Computer and Communications Security. Proceedings of the ACM Conference on Computer and Communications Security, pp. 442-452, 16th ACM Conference on Computer and Communications Security, CCS'09, Chicago, IL, United States, 11/9/09. https://doi.org/10.1145/1653662.1653716

Finding bugs in exceptional situations of JNI programs. / Li, Siliang; Tan, Gang.

CCS'09 - Proceedings of the 16th ACM Conference on Computer and Communications Security. 2009. p. 442-452 (Proceedings of the ACM Conference on Computer and Communications Security).

Research output: Chapter in Book/Report/Conference proceedingConference contribution

TY - GEN

T1 - Finding bugs in exceptional situations of JNI programs

AU - Li, Siliang

AU - Tan, Gang

PY - 2009/12/1

Y1 - 2009/12/1

N2 - Software flaws in native methods may defeat Java's guarantees of safety and security. One common kind of flaws in native methods results from the discrepancy on how exceptions are handled in Java and in native methods. Unlike exceptions in Java, exceptions raised in the native code through the Java Native Interface (JNI) are not controlled by the Java Virtual Machine (JVM). Only after the native code finishes execution will the JVM's mechanism for exceptions take over. This discrepancy makes handling of JNI exceptions an error prone process and can cause serious security flaws in software written using the JNI. We propose a novel static analysis framework to examine exceptions and report errors in JNI programs. We have built a complete tool consisting of exception analysis, static taint analysis, and warning recovery. Experimental results demonstrated this tool allows finding of mishandling of exceptions with high accuracy (15.4% false-positive rate on over 260k lines of code). Our framework can be easily applied to analyzing software written in other foreign function interfaces, including the Python/C interface and the OCaml/C interface.

AB - Software flaws in native methods may defeat Java's guarantees of safety and security. One common kind of flaws in native methods results from the discrepancy on how exceptions are handled in Java and in native methods. Unlike exceptions in Java, exceptions raised in the native code through the Java Native Interface (JNI) are not controlled by the Java Virtual Machine (JVM). Only after the native code finishes execution will the JVM's mechanism for exceptions take over. This discrepancy makes handling of JNI exceptions an error prone process and can cause serious security flaws in software written using the JNI. We propose a novel static analysis framework to examine exceptions and report errors in JNI programs. We have built a complete tool consisting of exception analysis, static taint analysis, and warning recovery. Experimental results demonstrated this tool allows finding of mishandling of exceptions with high accuracy (15.4% false-positive rate on over 260k lines of code). Our framework can be easily applied to analyzing software written in other foreign function interfaces, including the Python/C interface and the OCaml/C interface.

UR - http://www.scopus.com/inward/record.url?scp=74049147430&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=74049147430&partnerID=8YFLogxK

U2 - 10.1145/1653662.1653716

DO - 10.1145/1653662.1653716

M3 - Conference contribution

AN - SCOPUS:74049147430

SN - 9781605583525

T3 - Proceedings of the ACM Conference on Computer and Communications Security

SP - 442

EP - 452

BT - CCS'09 - Proceedings of the 16th ACM Conference on Computer and Communications Security

ER -

Li S, Tan G. Finding bugs in exceptional situations of JNI programs. In CCS'09 - Proceedings of the 16th ACM Conference on Computer and Communications Security. 2009. p. 442-452. (Proceedings of the ACM Conference on Computer and Communications Security). https://doi.org/10.1145/1653662.1653716