...
Noncompliant Code Example
In this noncompliant code example, the nativeOperation() method is both native and public; therefore, untrusted callers may invoke it. Native method invocations bypass security manager checks.
(THIS CODING RULE OR GUIDELINE IS UNDER CONSTRUCTION)
Many static methods in standard Java APIs vary their behavior according to the immediate caller's class. Such methods are considered to be caller-sensitive. For example, the java.lang.System.loadLibrary(library) method uses the immediate caller's class loader to find and dynamically load the specified library containing native method definitions. Because native code bypasses all of the security checks enforced by the Java Runtime Environment and other built-in protections provided by the Java virtual machine, only trusted code should be allowed to load native libraries. None of the loadLibrary methods in the standard APIs should be invoked on behalf of untrusted code since untrusted code may not have the necessary permissions to load the same libraries using its own class loader instance [Oracle 2014].
Noncompliant Code Example
In this noncompliant example, the Trusted class has permission to load libraries while the Untrusted class does not. However, the Trusted class provides a library loading service through a public method thus allowing the Untrusted class to load any libraries it desiresThis example includes the doOperation() wrapper method, which invokes the nativeOperation() native method but fails to provide input validation or security checks.
| Code Block | ||
|---|---|---|
| ||
// Trusted.java import java.security.*; public final class NativeMethodTrusted { // public native method public native void nativeOperation(byte[] data, int offset, int len); // wrapper method that lacks security checks and input validation public void doOperation(byte[] data, int offset, int len) { nativeOperation(data, offset, len); } static { // load native library in static initializer of class System.loadLibrary("NativeMethodLib"); } } |
Compliant Solution
This compliant solution declares the native method private. The doOperation() wrapper method checks permissions, creates a defensive copy of the mutable input array data, and checks the ranges of the arguments. The nativeOperation() method is consequently called with secure inputs. Note that the validation checks must produce outputs that conform to the input requirements of the native methods.
static void loadLibrary(final String library){
AccessController.doPrivileged(new PrivilegedAction<Void>() {
public Void run() {
System.loadLibrary(library);
return null;
}
});
}
}
---------------------------------------------------------------------------------
// Untrusted.java
public class Untrusted {
private native void nativeOperation();
public static void main(String[] args) {
String library = new String("NativeMethodLib");
Trusted.loadLibrary(library);
new Untrusted.nativeOperation(); // invoke the native method
}
} |
Compliant Solution
In this compliant example, the Trusted class loads any necessary native libraries during initialization and then provides access through public native method wrappers. These wrappers perform the necessary security checks and data validation to ensure that untrusted code cannot exploit the native methods (see JNI00-J. Define wrappers around native methods) .
| Code Block | ||
|---|---|---|
| ||
// Trusted.java
import java.security.*;
public class Trusted {
// load native libraries
static{
System.loadLibrary("NativeMethodLib1");
System.loadLibrary("NativeMethodLib2");
...
}
// private native methods
private native void nativeOperation1 | ||
| Code Block | ||
| ||
public final class NativeMethodWrapper { // private native method private native void nativeOperation(byte[] data, int offset, int len); private native void nativeOperation2(...) ... // wrapper methodmethods performsperform SecurityManager and input validation checks public void doOperationdoOperation1(byte[] data, int offset, int len) { // permission needed to invoke native method securityManagerCheck(); if (data == null) { throw new NullPointerException(); } // copy mutable input data = data.clone(); // validate input if ((offset < 0) || (len < 0) || (offset > (data.length - len))) { throw new IllegalArgumentException(); } nativeOperation nativeOperation1(data, offset, len); } static { public // load native library in static initializer of class System.loadLibrary("NativeMethodLib"); void doOperation2(...){ ... } } |
Exceptions
SEC08-EX0: Native methods that do not require security manager checks, validation of arguments or return values, or defensive copying of mutable inputs (for example, the standard C function int rand(void)) do not need to be wrapped.
Risk Assessment
Failure to define wrappers around native methods can allow unprivileged callers to invoke them and exploit inherent vulnerabilities such as buffer overflows in native libraries.
|
Exceptions
Risk Assessment
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|
JNI01-J |
| high |
| likely |
| low |
P27 |
L1 |
Automated Detection
...
Detecting calls, such as java.lang.System.loadLibrary(), that perform tasks using the immediate caller's class loader can be detected automatically. Determining whether the use of these calls is safe cannot be done automatically.
| Tool | Version | Checker | Description |
|---|---|---|---|
| Parasoft Jtest | 9.5 | CERT.JNI01.TDLIB | Protect against Library injection |
Related Guidelines
CWE-111. Direct use of unsafe JNI | |
Guideline |
9- |
9. Safely invoke standard APIs that perform tasks using the immediate caller's class loader instance |
Bibliography
...
...