包阅导读总结
1.
关键词:JEP 472、JNI、FFM API、安全、限制使用
2.
总结:JEP 472 提议限制 JNI 的使用,为确保 Java 平台完整性做准备。它将先对 JNI 和 FFM API 的使用发出警告,未来会统一限制,开发者可在启动时设置访问权限,且有不同限制模式和新工具辅助。
3.
主要内容:
– JEP 472 已提升为提议目标,旨在限制 JNI 使用
– 准备为未来统一限制 JNI 和 FFM API 确保完整性,基于增强 Java 平台安全和性能的长期努力
– 举例说明 JNI 与本地代码交互可能带来的风险,如内存损坏、未定义行为、违反 Java 代码完整性
– 提出限制 JNI 使用的分阶段方法
– 初始阶段为加载和链接本地库操作统一发出警告
– 开发者可在启动时为特定 Java 代码启用本地访问避免警告,通过命令行选项设置
– 介绍本地访问限制的影响控制选项
– 包括 allow、warn、deny 模式
– 长期目标是默认转为 deny 模式
– 引入新工具 jnativescan 辅助识别使用 JNI 的库
– 总结强调这是迈向更安全 Java 平台的重要一步,开发者需为变化做准备
思维导图:
文章来源:infoq.com
作者:A N M Bazlur Rahman
发布时间:2024/7/15 0:00
语言:英文
总字数:734字
预计阅读时间:3分钟
评分:88分
标签:Java,JNI,安全,JDK 24,FFM API
以下为原文内容
本内容来源于用户推荐转载,旨在分享知识与观点,如有侵权请联系删除 联系邮箱 media@ilingban.com
JEP 472, Prepare to Restrict the Use of JNI, has been promoted to Proposed to Target. This JEP proposes issuing warnings for the use of the Java Native Interface (JNI) and adjusting the Foreign Function & Memory (FFM) API to issue consistent warnings. Thisprepares developers for a future release that ensures integrity by default by uniformly restricting JNI and the FFM API. This proposal builds on the long-term efforts to enhance the security and performance of the Java Platform, following the examples of JEP 454, Foreign Function & Memory API; JEP 471, Deprecate the Memory-Access Methods of sun.misc.Unsafe; and JEP 451, Prepare to Restrict the Dynamic Loading of Agents. The main goal is to ensure that any use of JNI and the FFM API in future releases will require explicit approval from the application’s developer at startup.
The JNI, introduced in JDK 1.1, has been a standard way for Java code to interoperate with native code. However, any interaction between Java code and native code can compromise the integrity of applications and the Java Platform itself. For example, calling native code can lead to unpredictable issues, including JVM crashes, that cannot be handled by the Java runtime or caught with exceptions. These issues can disrupt the normal operation of the Java Platform and the applications running on it.
For example, consider the following C function that takes a long value passed from Java code and treats it as an address in memory, storing a value at that address:
void Java_pkg_C_setPointerToThree__J(jlong ptr) { *(int*)ptr = 3; // Potential memory corruption}Additionally, exchanging data through direct byte buffers, which are not managed by the JVM’s garbage collector, can expose Java code to invalid memory regions, leading to undefined behavior. Furthermore, native code can bypass JVM access checks and modify fields or call methods, potentially violating the integrity of Java code, such as by mutating String objects.
JEP 472 proposes a staged approach to restrict JNI usage to mitigate these risks. Initially, warnings will be issued for operations that load and link native libraries uniformly in both JNI and the FFM API.
Developers can avoid warnings by enabling native access for specific Java code at startup. The command-line option --enable-native-access=ALL-UNNAMED enables native access to all codes on the classpath. For specific modules, developers can pass a comma-separated list of module names, such as java --enable-native-access=M1,M2,....
Code that calls native methods declared in another module does not need to have native access enabled. However, code that calls System::loadLibrary, System::load, Runtime::loadLibrary, or Runtime::load, or declares a native method is affected by native access restrictions. When a restricted method is called from a module for which native access is not enabled, the JVM runs the method but, by default, issues a warning that identifies the caller:
WARNING: A restricted method in java.lang.System has been calledWARNING: System::load has been called by com.foo.Server in module com.foo (file:/path/to/com.foo.jar)WARNING: Use --enable-native-access=com.foo to avoid a warning for callers in this moduleWARNING: Restricted methods will be blocked in a future release unless native access is enabledDevelopers can avoid these warnings and future restrictions by explicitly enabling native access for specific code at startup using the --enable-native-access command-line option. This option can be applied globally or selectively to specific modules on the module path.
The impact of native access restrictions can be controlled using the --illegal-native-access option. Its modes include:
allow: Allows the restricted operation without warnings.warn: Issues a warning for the first occurrence of illegal native access in a module (default in the upcoming release).deny: Throws anIllegalCallerExceptionfor every illegal native access operation (planned default for a future release).
The long-term goal is to transition the default behavior to deny, enforcing stricter security measures by default. This change aligns with broader efforts to achieve integrity across the Java Platform by default, enhancing security and performance.
Developers are encouraged to use the deny mode to proactively identify code that requires native access and make necessary adjustments. Additionally, a new tool, jnativescan, will be introduced to help identify libraries using JNI.
In conclusion, JEP 472 marks a significant step towards a more secure Java Platform. While the transition to stricter JNI restrictions may require some adjustments, the resulting benefits in terms of security and integrity are expected to be substantial. Developers can ensure a smooth transition and contribute to a more robust Java ecosystem by preparing for these changes.
