G. Tan, J. Croft, An empirical study of the native code in the JDK,
in USENIX Security Symposium, pp. 365-378, 2008

Abstract

It is well known that the use of native methods in Java
defeats Java's guarantees of safety and security, which is
why the default policy of Java applets, for example, does
not allow loading non-local native code. However, there
is already a large amount of trusted native C/C++ code
that comprises a significant portion of the Java Development
Kit (JDK). We have carried out an empirical security
study on a portion of the native code in Sun's JDK
1.6. By applying static analysis tools and manual inspection,
we have identified in this security-critical code previously
undiscovered bugs. Based on our study, we describe
a taxonomy to classify bugs. Our taxonomy provides
guidance to construction of automated and accurate
bug-finding tools. We also suggest systematic remedies
that can mediate the threats posed by the native code.

@inproceedings{DBLP:conf/uss/TanC08,
  author    = {Gang Tan and
               Jason Croft},
  title     = {An Empirical Security Study of the Native Code in the JDK},
  booktitle = {USENIX Security Symposium},
  year      = {2008},
  pages     = {365-378},
  ee        =
{http://www.usenix.org/events/sec08/tech/full_papers/tan_g/tan_g.pdf},
  crossref  = {DBLP:conf/uss/2008},
  bibsource = {DBLP, http://dblp.uni-trier.de}
}

@proceedings{DBLP:conf/uss/2008,
  editor    = {Paul C. van Oorschot},
  title     = {Proceedings of the 17th USENIX Security Symposium, July
               28-August 1, 2008, San Jose, CA, USA},
  booktitle = {USENIX Security Symposium},
  publisher = {USENIX Association},
  year      = {2008},
  isbn      = {978-1-931971-60-7},
  bibsource = {DBLP, http://dblp.uni-trier.de}
}