...
Defining a wrapper method facilitates installing appropriate security manager checks, performing input validation before passing the arguments to the native code or when obtaining return values, defensively copying mutable inputs and sanitizing user input. Therefore every native method must be private
, and must be invoked only by a wrapper method.
Noncompliant Code Example
In this noncompliant code example, the nativeOperation
is both native and public; hence untrusted callers may invoke it. Native method invocations bypass security manager checks.
...
Code Block | ||
---|---|---|
| ||
public final class NativeMethod { // public native method public native void nativeOperation(byte[] data, int offset, int len); // wrapper method that lacks security checks and input validation public void doOperation(byte[] data, int offset, int len) { nativeOperation(data, offset, len); } static { // load native library in static initializer of class System.loadLibrary("NativeMethodLib"); } } |
Compliant Solution
This compliant solution declares the native method private
. Furthermore, the doOperation()
wrapper method performs routine permission checking to determine whether the succeeding operations are permitted to continue. This is followed by the creation of a defensive copy of the mutable input array data
as well as by range checking of the parameters. The nativeOperation()
method is thus called with safe inputs. Note that the validation checks must produce outputs that conform to the input requirements of the native implementations/libraries.
Code Block | ||
---|---|---|
| ||
public final class NativeMethodWrapper { // private native method private native void nativeOperation(byte[] data, int offset, int len); // wrapper method performs SecurityManager and input validation checks public void doOperation(byte[] data, int offset, int len) { // permission needed to invoke native method securityManagerCheck(); if (data == null) { throw new NullPointerException(); } // copy mutable input data = data.clone(); // validate input if ((offset < 0) || (len < 0) || (offset > (data.length - len))) { throw new IllegalArgumentException(); } nativeOperation(data, offset, len); } static { // load native library in static initializer of class System.loadLibrary("NativeMethodLib"); } } |
Risk Assessment
Failure to define wrappers around native methods can allow unprivileged callers to invoke them and thus exploit inherent vulnerabilities such as those resulting from invalid inputs.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
SEC18-J | medium | probable | high | P4 | L3 |
Automated Detection
Wiki Markup |
---|
Automated detection is not feasible in the fully general case. However, an approach similar to Design Fragments \[[Fairbanks 07|AA. Bibliography#Fairbanks 07]\] could assist both programmers and static analysis tools. |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="7c063aaef036f585-f3e04e0f-436e4d9a-8068b507-249a752164df8d38e5112ead"><ac:plain-text-body><![CDATA[ | [[MITRE 2009 | AA. Bibliography#MITRE 09]] | [CWE ID 111 | http://cwe.mitre.org/data/definitions/111.html] "Direct Use of Unsafe JNI" | ]]></ac:plain-text-body></ac:structured-macro> |
Bibliography
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="d22c7c0028b75986-9aa75b3e-472a45d7-98838bbd-5588ebf65e4a066ffa532277"><ac:plain-text-body><![CDATA[ | [[Fairbanks 2007 | AA. Bibliography#Fairbanks 07]] |
| ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="e36a6f65cc18d35f-6fc1a9f7-41bd4540-8621923e-32bb886bb51024236cdc9136"><ac:plain-text-body><![CDATA[ | [[JNI 2006 | AA. Bibliography#JNI 06]] |
| ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="01aa64fb4e54bccf-2c714c43-4b934d7e-8946bc9b-949f533ea78be07d54af51e0"><ac:plain-text-body><![CDATA[ | [[Liang 1997 | AA. Bibliography#Liang 97]] |
| ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="e4ff5ab7b565aa60-1154a307-42944a3d-a1c983a4-86f96ad6ac8dc2ad24e61606"><ac:plain-text-body><![CDATA[ | [[Macgregor 1998 | AA. Bibliography#Macgregor 98]] | Section 2.2.3, Interfaces and Architectures | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="c3671970128711c9-031290e0-481542ae-b5539dbc-e910bb0d9e5b8bbc585ffbda"><ac:plain-text-body><![CDATA[ | [[SCG 2007 | AA. Bibliography#SCG 07]] | Guideline 3-3 Define wrappers around native methods | ]]></ac:plain-text-body></ac:structured-macro> |
...