| Wiki Markup |
|---|
Native methods are defined in Java and written in traditional languages such as C/ and C++ (see \[[JNI 06|AA. Java References#JNI 06]\]). The added extensibility comes at the cost of flexibility and portability as the code no longer conforms to the policies enforced by Java. In the past, native method were used for performing platform specific operations, interfacing with legacy library code and improving program performance \[[Bloch 08|AA. Java References#Bloch 08]\]. Although this is not completely true in present times (due to poor portability, safety and quite ironically, performance issues), they are still used to interface with legacy code. |
...
Security manager checks are not conducted in case of native method invocations. Additionally, as demonstrated in the noncompliant code example, it is easy to overlook proper input validation before the call. The doOperation method invokes the nativeOperation native method but fails on multiple validation angles. Also, the access specifier of the native method is public which raises risks associated with untrusted callers to provide adequate validation. (Note that native methods may even increase susceptibility to non-Java specific vulnerabilities, such as buffer overflows.)
| Code Block | ||
|---|---|---|
| ||
public final class NativeMethod {
// publicprivate native method
publicprivate native void nativeOperation(byte[] data, int offset, int len);
// wrapper method that does not perform any security checks or input validation
public void doOperation(byte[] data, int offset, int len) {
nativeOperation(data, offset, len);
}
static {
System.loadLibrary("NativeMethodLib"); //load native library in static initializer of class
}
}
|
...