Vulnerability Development mailing list archives
RE: Java and buffer overflows
From: "Zacharias Pigadas" <z.pigadas () encode-sec com>
Date: Fri, 28 Jun 2002 10:20:37 +0300
Hello,

Basically JNI is an interface developed by SUN as a way to keep using legacy applications through the advancements in technology and business processes or if someone wants to access O/S or hardware specific info. All you need to do is compile the C/C++ application in a loadable object and call it from Java. The steps you need to take are:

1. Write Java code that calls a native method through JNI.
2. Compile this Java code.
3. Create an .h file using javah.
4. You have (modify slightly) / create a C function that does the work.
5. Compile the C code into a loadable object (say DLL for the windows oriented).

You can then try the Java program. I must say I do not prefer this way of doing things (although this is the only way sometimes, depending on the legacy application) as with this way you don't solve existing bugs/problems, you just move them forward.

You can also call scripting languages such as jpython from within Java programs, provided someone (SUN) has written a scripting interface for the two languages to communicate.

A good reference if you have access to the book is: Java Cookbook Solutions and Examples for Java Developers by O'Reilly - Chapter 26

Hope it sheds some light...

Best Regards,
Zach

-----------------------
Zacharias Pigadas
Information Security Consultant
ENCODE S.A.
3, R.Melodou Str
151 25 Marousi
Athens, Greece
Tel: +3010-6178410
Fax: +3010-6109579
web: www.encode-sec.com
------------------------

-----Original Message-----
From: KF [mailto:dotslash () snosoft com]
Sent: Thursday, June 27, 2002 6:17 AM
To: Dave Aitel
Cc: Nelson Sampaio Araujo Junior; Rafael Anschau; anschau.ez () terrra com br; vuln-dev () securityfocus com
Subject: Re: Java and buffer overflows

So what you are saying is that you found a buffer overflow in some code that uses JNI? As in there was some C based code that the Java invoked? I am curious to see how this works.
-KF

Dave Aitel wrote:
Although, as another poster said, native code invocation is going to continue to be a problem for managed languages such as Java and C# in the years to come. I've found a buffer overflow in native code invoked by a major application server that happened to be written in Java. It's fixed now, btw. :> -dave
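
The point made in the thread, that wrapping legacy C behind JNI carries its bugs forward unless the boundary checks the input, shown as an added example that is not part of any poster's message. The routine legacy_greet, the 64-byte limit, the Java class Legacy and the WITH_JNI build flag are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_CAP 64 /* buffer size inside the hypothetical legacy routine */

/* Hypothetical legacy routine, wrapped unchanged: no length check before the
 * copy, so a name of NAME_CAP bytes or more overruns buf on the stack. */
int legacy_greet(const char *name, char *out, size_t out_cap) {
    char buf[NAME_CAP];
    strcpy(buf, name);
    return snprintf(out, out_cap, "hello, %s", buf);
}

/* Boundary check: the legacy code only runs when a terminator is found
 * within NAME_CAP bytes. Returns -1 on rejection, else snprintf's result. */
int checked_greet(const char *name, char *out, size_t out_cap) {
    size_t n = 0;
    if (name == NULL || out == NULL || out_cap == 0)
        return -1;
    while (n < NAME_CAP && name[n] != '\0')
        n++;
    if (n == NAME_CAP)
        return -1;
    return legacy_greet(name, out, out_cap);
}

#ifdef WITH_JNI /* needs the JDK include directories on the include path */
#include <jni.h>

/* Assumed Java side: class Legacy { native String greet(String name); }
 * The function name follows what javah generates for that declaration. */
JNIEXPORT jstring JNICALL
Java_Legacy_greet(JNIEnv *env, jobject self, jstring jname) {
    char out[NAME_CAP + 16];
    const char *name;
    int rc;

    (void)self;
    /* Reject on the modified UTF-8 byte length before touching the bytes. */
    if (jname == NULL || (*env)->GetStringUTFLength(env, jname) >= NAME_CAP)
        return NULL;
    name = (*env)->GetStringUTFChars(env, jname, NULL);
    if (name == NULL)
        return NULL; /* OutOfMemoryError is already pending */
    rc = checked_greet(name, out, sizeof out);
    (*env)->ReleaseStringUTFChars(env, jname, name);
    return rc < 0 ? NULL : (*env)->NewStringUTF(env, out);
}
#endif
```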