...
Many static methods in standard Java APIs vary their behavior according to the immediate caller's class. Such methods are considered to be caller-sensitive. For example, the java.lang.System.loadLibrary(library) method uses the immediate caller's class loader to find and dynamically load the specified library containing native method definitions. Because native code bypasses all of the security checks enforced by the Java Runtime Environment and other built-in protections provided by the Java virtual machine, only trusted code should be allowed to load native libraries. None of the loadLibrary methods in the standard APIs should be invoked on behalf of untrusted code since untrusted code may not have the necessary permissions to load the same libraries using its own class loader instance [Oracle 2014].
Noncompliant Code Example
...
```java
// Trusted.java

import java.security.*;

public class Trusted {

    // load native libraries
    static {
        System.loadLibrary("NativeMethodLib1");
        System.loadLibrary("NativeMethodLib2");
        ...
    }

    // private native methods
    private native void nativeOperation1(byte[] data, int offset, int len);
    private native void nativeOperation2(...)
    ...

    // wrapper methods perform SecurityManager and input validation checks
    public void doOperation1(byte[] data, int offset, int len) {
        // permission needed to invoke native method
        securityManagerCheck();

        if (data == null) {
            throw new NullPointerException();
        }

        // copy mutable input
        data = data.clone();

        // validate input
        if ((offset < 0) || (len < 0) || (offset > (data.length - len))) {
            throw new IllegalArgumentException();
        }

        nativeOperation1(data, offset, len);
    }

    public void doOperation2(...) {
        ...
    }
}
```
Exceptions
Risk Assessment
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
JNI01-J | high | likely | low | P27 | L1 |
Automated Detection
Calls, such as java.lang.System.loadLibrary(), that perform tasks using the immediate caller's class loader can be detected automatically. Determining whether the use of these calls is safe cannot be done automatically.
Tool | Version | Checker | Description |
---|---|---|---|
Parasoft Jtest | 9.5 | CERT.JNI01.TDLIB | Protect against Library injection |
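To illustrate the detection point above, here is an added example (not part of the guideline or of any listed tool) that locates caller-sensitive loader calls in Java source and records whether the library name is a string literal. The literal flag is a triage hint assumed for this example, not a safety verdict; SAMPLE is constructed input and the function names are hypothetical.

```python
import re

# Caller-sensitive native-library loaders in System and Runtime.
CALL_RE = re.compile(
    r'\b(?:System|Runtime\s*\.\s*getRuntime\s*\(\s*\))\s*\.\s*(loadLibrary|load)\s*\(')
LITERAL_RE = re.compile(r'"(?:[^"\\\n]|\\.)*"')
TOKEN_RE = re.compile(LITERAL_RE.pattern + r'|//[^\n]*|/\*.*?\*/', re.S)

# Constructed sample input (not from the page or any real project).
SAMPLE = '''\
public class Trusted {
    static {
        System.loadLibrary("NativeMethodLib1");   // fixed name
    }
    // System.loadLibrary("commented out");
    public static void loadFor(String name) {
        System.loadLibrary(name);                 // caller-supplied name
    }
}
'''

def strip_comments(src):
    """Blank out comments but keep string literals and line numbering."""
    def blank(m):
        text = m.group(0)
        return text if text.startswith('"') else re.sub(r'[^\n]', ' ', text)
    return TOKEN_RE.sub(blank, src)

def argument_text(src, start):
    """Return the text from `start` (just past '(') to the matching ')'."""
    depth, i = 1, start
    while i < len(src) and depth:
        m = LITERAL_RE.match(src, i)
        if m:                                # skip a whole string literal
            i = m.end()
            continue
        depth += {'(': 1, ')': -1}.get(src[i], 0)
        i += 1
    return src[start:i - 1].strip() if depth == 0 else src[start:].strip()

def find_loader_calls(src):
    """Return (line, method, argument, is_literal) for every loader call."""
    clean = strip_comments(src)
    return [(clean.count('\n', 0, m.start()) + 1, m.group(1), arg,
             LITERAL_RE.fullmatch(arg) is not None)
            for m in CALL_RE.finditer(clean)
            for arg in [argument_text(clean, m.end())]]
if __name__ == '__main__':
    for finding in find_loader_calls(SAMPLE):
        print(finding)
```

Every reported call still needs manual review of who can reach it; calls whose argument is not a literal are the ones to inspect first.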
Related Guidelines
CWE-111. Direct use of unsafe JNI
Guideline 9-9. Safely invoke standard APIs that perform tasks using the immediate caller's class loader instance
Bibliography
...
...