10

Jumping from https://stackoverflow.com/questions/7016391/difference-between-system-load-and-system-loadlibrary-in-java

What are the security implications of both approaches?

  • System.loadLibrary("_name_");
    • Automatically searches for a library named "lib_name_.so" in $LD_LIBRARY_PATH
  • System.load("/PATH/TO/_name_.so");
    • Loads "/PATH/TO/_name_.so"
Cerber

2 Answers

7

System.loadLibrary() refuses to load "libraries" with the path separator appearing in the name; see this excerpt from Java's source code (in java.lang.Runtime.java):

synchronized void loadLibrary0(Class fromClass, String libname) {
    SecurityManager security = System.getSecurityManager();
    if (security != null) {
        security.checkLink(libname);
    }
    if (libname.indexOf((int)File.separatorChar) != -1) {
        throw new UnsatisfiedLinkError(
            "Directory separator should not appear in library name: " + libname);
    }
    ClassLoader.loadLibrary(fromClass, libname, false);
}

As such, you could imagine allowing System.loadLibrary() but rejecting System.load(), giving access to only a specific set of loadable "safe" libraries... however, this seems indirect and fragile. The "normal" way of restricting native code loading is through SystemManager.checkLink(), which is called from both System.load() and System.loadLibrary(). In that case, there is no real difference in security between the two methods.

Tom Leek
6

Relying on the calling system to help locate things can certainly lead down odd paths. The biggest problem is that the system may provide a file that wasn't intended to be loaded by the application. If an attacker can place a file in a location that falls under the search, then the attacker can inject arbitrary code into the application and execute it. E.g. an arbitrary code execution vulnerability (http://en.wikipedia.org/wiki/Arbitrary_code_execution). https://cwe.mitre.org/data/definitions/114.html

If you specify the exact path, you have the ability to protect the loaded file through things like file permissions, etc.

Steve
  • Extra question: what if the library path has to be passed by command line? I have to replace a failing autodiscovery mechanism and, following the KISS principle, would tend to use `System.load(..)` with the full path provided by the command line at runtime – Cerber May 10 '13 at 18:33
  • Regarding "lead down odd paths", what if you'd already have `SystemManager.checkLink` properly implemented? – Pacerier Jun 18 '17 at 03:31
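
For the case raised in the comments (a full path supplied at runtime and passed to `System.load()`), the following is an added example, not code from the question or either answer. It vets the supplied path before loading; the class name, the trusted directory `/opt/myapp/native` and the digest constant are placeholders, and it assumes Java 17+ on a POSIX file system.

```java
import java.io.IOException;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermission;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;
import java.util.Set;

// Added example: hypothetical class; directory and digest are placeholders.
public final class PinnedNativeLoader {
    // Placeholder: replace with the SHA-256 (hex) of the library you ship.
    static final String EXPECTED_SHA256 = "00".repeat(32);

    // Resolve and vet a caller-supplied path; returns the real path to load.
    static Path vet(String supplied, Path trustedDir, String expectedSha256)
            throws IOException, NoSuchAlgorithmException {
        Path root = trustedDir.toRealPath();
        // toRealPath() resolves symlinks and "..", so the prefix check below
        // is made against the real target, not the string the caller typed.
        Path lib = Paths.get(supplied).toRealPath();
        if (!lib.startsWith(root) || !Files.isRegularFile(lib)) {
            throw new SecurityException("not a file under trusted dir: " + lib);
        }
        // Neither the file nor its directory may be writable by group/other,
        // otherwise the file could be swapped between this check and load().
        for (Path p : new Path[] { lib, lib.getParent() }) {
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
            if (perms.contains(PosixFilePermission.GROUP_WRITE)
                    || perms.contains(PosixFilePermission.OTHERS_WRITE)) {
                throw new SecurityException("writable by group/other: " + p);
            }
        }
        byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest(Files.readAllBytes(lib));
        if (!MessageDigest.isEqual(digest, HexFormat.of().parseHex(expectedSha256))) {
            throw new SecurityException("digest mismatch for " + lib);
        }
        return lib;
    }

    public static void main(String[] args) throws Exception {
        // args[0] is the library path given on the command line.
        Path lib = vet(args[0], Paths.get("/opt/myapp/native"), EXPECTED_SHA256);
        System.load(lib.toString()); // absolute path: no search path consulted
    }
}
```

The permission check covers only the file and its immediate directory; ownership and the permissions of parent directories up to the root matter as well and are left to deployment.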