Hi Nico;
Thanks for the suggestion, I was not aware the libjsig.so could be loaded like
that. I'm assuming you mean a loadlibrary("jsig"); in the .init. It would
also work I suppose to just add the .init to the original shared library going
forwards too, instead of putting a wrapper library in-between? I'll give that
a try.
Regards;
Hank
Hank Edwards
Manager, Software Development
+1.416.923.0080
[email protected]
CRAWFORD TECHNOLOGIES INC.
60 St. Clair Avenue East, Suite 1002
Toronto, ON, Canada, M4T 1N5
http://www.crawfordtech.com
This e-mail may be privileged and/or confidential, and the sender does not
waive any related rights and obligations. Any distribution, use or copying of
this e-mail or the information it contains by other than an intended recipient
is unauthorized. If you received this e-mail in error, please advise me (by
return e-mail or otherwise) immediately.
Please consider our environment before printing this email.
-----Original Message-----
From: Nico Williams <[email protected]>
Sent: Friday, April 12, 2019 3:53 PM
To: Hank Edwards <[email protected]>
Cc: [email protected]
Subject: Re: JNI Signal Chaining and OWASP (Security)
You could simply move the original JNI DLL out of the way and replace it with a
wrapper that does the signal handler setup in a .init section and otherwise has
stubs for all entry points that simply call the real (now
renamed) DLL.
In Solaris/Illumos we'd call that wrapper a "filter", and Solaris/Illumos has
tools to make building a filter easier, but the concept is general enough and
you can build the same sort of thing on Linux and Windows just as well.
Again, this is still code injection. It's still likely to cause false alerts.
Again, I recommend taking this up with the vendors of the relevant security
analysis tools.
Nico
--
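The chaining Nico describes, as an added C example that is not code from either message or from Crawford Technologies: a hypothetical wrapper ("filter") library whose constructor, the .init Nico mentions and Hank asks about, installs a signal handler that does the library's own work and then forwards the signal to whatever disposition was already in place. This is the manual form of what libjsig.so automates. The fake_jvm_handler, the SIGUSR1 demo and the hit counters are constructed stand-ins for the JVM's real handler; the dlopen() of the renamed original library and the forwarding stubs for its Java_* entry points are assumed and not shown.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wrapper library placed in front of a renamed JNI library.
 * Handler setup lives in the constructor (.init) so it runs at load time,
 * after the JVM has installed its own handlers and before any JNI code runs. */

#define MAX_SIG 65                                /* 1..64 covers Linux real-time signals */

static struct sigaction g_prev[MAX_SIG];          /* disposition found before ours was installed */
static volatile sig_atomic_t g_chained_hits[MAX_SIG];

/* Our handler: do the wrapper's own work, then hand the signal on to the
 * previous handler (the JVM's, in a real deployment) instead of swallowing it. */
static void chained_handler(int sig, siginfo_t *info, void *ctx)
{
    struct sigaction *prev = &g_prev[sig];

    g_chained_hits[sig]++;                        /* the library's own handling goes here */

    if (prev->sa_flags & SA_SIGINFO) {
        prev->sa_sigaction(sig, info, ctx);       /* previous handler wants siginfo */
    } else if (prev->sa_handler == SIG_DFL) {
        sigaction(sig, prev, NULL);               /* nobody else handled it: restore default */
        raise(sig);                               /* and let the default action happen */
    } else if (prev->sa_handler != SIG_IGN) {
        prev->sa_handler(sig);                    /* classic one-argument handler */
    }
}

/* Install chained_handler for sig, remembering the previous disposition.
 * Returns 0 on success, -1 on a bad signal number or sigaction() failure. */
int install_chained_handler(int sig)
{
    struct sigaction sa;

    if (sig <= 0 || sig >= MAX_SIG) return -1;
    if (sigaction(sig, NULL, &g_prev[sig]) != 0) return -1;   /* query what is there */

    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = chained_handler;
    /* keep SA_ONSTACK if the previous handler ran on an alternate stack (the JVM does) */
    sa.sa_flags = SA_SIGINFO | SA_RESTART | (g_prev[sig].sa_flags & SA_ONSTACK);
    sigemptyset(&sa.sa_mask);
    return sigaction(sig, &sa, NULL);
}

/* How many times our handler ran for sig (demo bookkeeping), -1 for a bad sig. */
int chained_hits(int sig)
{
    return (sig > 0 && sig < MAX_SIG) ? (int)g_chained_hits[sig] : -1;
}

/* The wrapper's .init: where Nico suggests doing the setup. A real wrapper
 * would also dlopen() the renamed original library here and forward each
 * Java_* entry point to it; that part is assumed and omitted. */
__attribute__((constructor))
static void wrapper_init(void)
{
    install_chained_handler(SIGSEGV);             /* chains to the JVM's SIGSEGV handler */
}

/* ---- constructed stand-in for the JVM, used only by the demo below ---- */
static volatile sig_atomic_t g_jvm_hits;
static volatile sig_atomic_t g_jvm_saw_wrapper_first;

static void fake_jvm_handler(int sig)
{
    g_jvm_hits++;
    /* by the time the "JVM" handler runs, the wrapper's handler must already have run */
    if (g_chained_hits[sig] == 1) g_jvm_saw_wrapper_first = 1;
}

/* Returns 1 if the signal reached both handlers, wrapper first, else 0.
 * SIGUSR1 is used so the demo never touches a crash signal. */
int demo_chain(void)
{
    struct sigaction jvm;

    memset(&jvm, 0, sizeof jvm);
    jvm.sa_handler = fake_jvm_handler;
    sigemptyset(&jvm.sa_mask);
    if (sigaction(SIGUSR1, &jvm, NULL) != 0) return 0;    /* "JVM" installs first */
    if (install_chained_handler(SIGUSR1) != 0) return 0;   /* then the wrapper's setup */

    raise(SIGUSR1);                                        /* delivered before raise() returns */
    return g_chained_hits[SIGUSR1] == 1 && g_jvm_hits == 1 && g_jvm_saw_wrapper_first;
}

int main(void)
{
    printf("chained delivery %s\n", demo_chain() ? "ok" : "FAILED");
    return 0;
}
```

Build it with `-shared -fPIC` to get the actual wrapper; the constructor runs whenever the JVM loads it via System.loadLibrary. Note the SIG_DFL branch: restoring the default action and re-raising keeps a genuine crash fatal instead of silently returning into faulting code, which is the usual mistake in hand-rolled handlers.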