Safe Java Native Interface

msra

Citations: 75 | Views: 32
Abstract
Type safety is a promising approach to enhancing software security. Programs written in type-safe programming languages such as Java are type-safe by construction. However, in practice, many complex applications are heterogeneous, i.e., they contain components written in different languages. The Java Native Interface (JNI) allows type-safe Java code to interact with unsafe C code. When a type-safe language interacts with an unsafe language in the same address space, in general, the overall application becomes unsafe. In this work, we propose a framework called Safe Java Native Interface (SafeJNI) that ensures type safety of heterogeneous programs that contain Java and C components. We identify the loopholes of using JNI that would permit C code to bypass the type safety of Java. The proposed SafeJNI system fixes these loopholes and guarantees type safety when native C methods are called. The overall approach consists of (i) retro-fitting the native C methods to make them safe, and (ii) developing an enhanced system that captures additional invariants that must be satisfied to guarantee safe interoperation. The SafeJNI framework is implemented through a combination of static and dynamic checks on the C code.

We have measured our system's effectiveness and performance on a set of benchmarks. During our experiments on the Zlib open source compression library, our system identified one vulnerability in the glue code between Zlib and Java. This vulnerability could be exploited to crash a large number of commercially deployed Java Virtual Machines (JVMs). The performance impact of SafeJNI on Zlib, while considerable, is less than reimplementing the C code