research-article

A heuristic fuzz test generator for Java native interface

Authors:

Yan Wen,

Dongxia WangAuthors Info & Claims

SQUADE 2019: Proceedings of the 2nd ACM SIGSOFT International Workshop on Software Qualities and Their Dependencies

Pages 1 - 7

https://doi.org/10.1145/3340495.3342749

Published: 26 August 2019 Publication History

Get Access

Abstract

It is well known that once a Java application uses native C/C++ methods through the Java Native Interface (JNI), any security guarantees provided by Java might be invalidated by the native methods. So any vulnerability in this trusted native code can compromise the security of the Java program. Fuzzing test is an approach to software testing whereby the system being tested is bombarded with inputs generated by another program. When using fuzzer to test JNI programs, how to accurately reach the JNI functions and run through them to find the sensitive system APIs is the pre-condition of the test. In this paper, we present a heuristic fuzz generator method on JNI vulnerability detection based on the branch predication information of program. The result in the experiment shows our method can use less fuzzing times to reach more sensitive windows APIs in Java native code.

References

[1]

Richard McNally, Ken Yiu, Duncan Grove and Damien Gerhardy, Fuzzing: The State of the Art, Technical Note. http://www.dsto.defence.gov.au/publications/scientific.php

Google Scholar

[2]

Fuzzing. From Wikipedia, the free encyclopedia. https://en.wikipedia.org/wiki/Fuzzing

Google Scholar

[3]

John Neystadt (February 2008). "Automated Penetration Testing with White-Box Fuzzing". Microsoft. Retrieved 2009-05-14.

Google Scholar

[4]

Barton Miller (2008). "Preface". In Ari Takanen, Jared DeMott and Charlie Miller, Fuzzing for Software Security Testing and Quality Assurance, ISBN 978-1-59693-214-2

Google Scholar

[5]

Van-Thuan Pham; Marcel Böhme; Abhik Roychoudhury (2016-09-07). "Model-based whitebox fuzzing for program binaries". Proceedings of Automated Software Engineering (ASE'16).

Digital Library

Google Scholar

[6]

Patrice Godefroid; Michael Y. Levin; David Molnar (2008-02-08). "Automated Whitebox Fuzz Testing" (PDF). Proceedings of Network and Distributed Systems Symposium (NDSS'08).

Google Scholar

[7]

Marcel Böhme; Soumya Paul (2015-10-05). "A Probabilistic Analysis of the Efficiency of Automated Software Testing". IEEE Transactions on Software Engineering (TSE).

Google Scholar

[8]

Nick Stephens; John Grosen; Christopher Salls; Andrew Dutcher; Ruoyu Wang; Jacopo Corbetta; Yan Shoshitaishvili; Christopher Kruegel; Giovanni Vigna (2016-02-24). Driller: Augmenting. Fuzzing Through Selective Symbolic Execution (PDF). Proceedings of Network and Distributed Systems Symposium (NDSS'16).

Google Scholar

[9]

Marcel Böhme; Van-Thuan Pham; Abhik Roychoudhury (2016-10-28). "Coverage-based Greybox Fuzzing as a Markov Chain". Proceedings of the ACM Conference on Computer and Communications Security (CCS'16).

Digital Library

Google Scholar

[10]

SCHOENEFELD, M. Denial-of-service holes in JDK 1.3.1 and 1.4.1 01. Retrieved Apr 26th, 2008, from http://www. illegalaccess.org/java/ZipBugs.php, 2003.

Google Scholar

[11]

Gang Tan, Andrew W. Appel, Srimat Chakradhar, etc. Safe Java Native Interface. IEEE International Symposium on Secure Software Engineering, March 2006.

Google Scholar

Cited By

View all

Jia HWen MXie ZGuo XWu RSun MChen KJin HGrundy JPollock LPenta M(2023)Detecting JVM JIT Compiler Bugs via Exploring Two-Dimensional Input SpacesProceedings of the 45th International Conference on Software Engineering10.1109/ICSE48619.2023.00016(43-55)Online publication date: 14-May-2023
https://dl.acm.org/doi/10.1109/ICSE48619.2023.00016

Index Terms

A heuristic fuzz test generator for Java native interface
1. Software and its engineering
  1. Software creation and management
    1. Software verification and validation
      1. Software defect analysis
        Software testing and debugging

Recommendations

Evaluating the Java Native Interface JNI: Leveraging Existing Native Code, Libraries and Threads to a Running Java Virtual Machine

This article aims to explore JNI features and to discover fundamental operations of the Java programming language, such as arrays, objects, classes, threads and exception handling, and to illustrate these by using various algorithms and code samples. ...
Evaluating the Java Native Interface JNI: Data Types and Strings

This article describes how the java native interface JNI is a powerful feature of the java platform that started to draw attention in the latter years as an efficient programming framework for building and delivering innovative technological ...
Bringing java's wild native world under control

For performance and for incorporating legacy libraries, many Java applications contain native-code components written in unsafe languages such as C and C++. Native-code components interoperate with Java components through the Java Native Interface (JNI)...

Comments

Information & Contributors

Information

Published In

SQUADE 2019: Proceedings of the 2nd ACM SIGSOFT International Workshop on Software Qualities and Their Dependencies

August 2019

38 pages

ISBN:9781450368575

DOI:10.1145/3340495

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 26 August 2019

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

ESEC/FSE '19

Sponsor:

SIGSOFT

ESEC/FSE '19: 27th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering

August 26, 2019

Tallinn, Estonia

Upcoming Conference

ICSE 2025

2025 IEEE/ACM 46th International Conference on Software Engineering

April 26 - May 3, 2025

Ottawa , ON , Canada

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

1
Total Citations
View Citations
227
Total Downloads

Downloads (Last 12 months)15
Downloads (Last 6 weeks)0

Reflects downloads up to 28 Jul 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Jia HWen MXie ZGuo XWu RSun MChen KJin HGrundy JPollock LPenta M(2023)Detecting JVM JIT Compiler Bugs via Exploring Two-Dimensional Input SpacesProceedings of the 45th International Conference on Software Engineering10.1109/ICSE48619.2023.00016(43-55)Online publication date: 14-May-2023
https://dl.acm.org/doi/10.1109/ICSE48619.2023.00016

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

Evaluating the Java Native Interface JNI: Leveraging Existing Native Code, Libraries and Threads to a Running Java Virtual Machine

Evaluating the Java Native Interface JNI: Data Types and Strings

Bringing java's wild native world under control