Abstract
Java provides security and robustness by building a high-level security model atop the foundation of memory protection. Unfortunately, any native code linked into a Java program -- including the million lines used to implement the standard library -- is able to bypass both the memory protection and the higher-level policies. We present a hardware-assisted implementation of the Java native code interface, which extends the guarantees required for Java's security model to native code.
Our design supports safe direct access to buffers owned by the JVM, including hardware-enforced read-only access where appropriate. We also present Java language syntax to declaratively describe isolated compartments for native code.
We show that it is possible to preserve the memory safety and isolation requirements of the Java security model in C code, allowing native code to run in the same process as Java code with the same impact on security as running equivalent Java code. Our approach has a negligible impact on performance, compared with the existing unsafe native code interface. We demonstrate a prototype implementation running on the CHERI microprocessor synthesized in FPGA.
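As an added illustration of the problem the abstract describes and of the property the CHERI JNI design enforces in hardware (this is example code, not the paper's implementation): a software model of a bounded, permission-carrying capability, with a buggy native fill routine run first through a raw pointer and then through the capability. The constructed heap layout, the `cap_t` type and every function name here are assumptions made for this example; on real CHERI the bounds and permission checks are performed by the processor on each load and store rather than in C.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical software model of a CHERI-style capability: a pointer that
 * carries bounds and permissions. On CHERI hardware the checks in cap_load
 * and cap_store happen on every memory access; here they are ordinary C so
 * the example runs anywhere. None of this is the paper's code. */
enum { PERM_LOAD = 1u, PERM_STORE = 2u };

typedef struct {
    uint8_t *base;
    size_t   length;
    unsigned perms;
} cap_t;

/* Constructed stand-in for a slice of JVM heap: an 8-byte byte[] followed
 * directly by a 4-byte word that belongs to some other object. */
enum { ARRAY_OFF = 0, ARRAY_LEN = 8, NEIGHBOUR_OFF = 8, HEAP_SIZE = 16 };

typedef struct {
    uint8_t bytes[HEAP_SIZE];
} jvm_heap_t;

static void heap_init(jvm_heap_t *h) {
    uint32_t neighbour = 0xDEADBEEFu;
    memset(h->bytes, 0, sizeof h->bytes);
    memcpy(h->bytes + NEIGHBOUR_OFF, &neighbour, sizeof neighbour);
}

static uint32_t heap_neighbour(const jvm_heap_t *h) {
    uint32_t v;
    memcpy(&v, h->bytes + NEIGHBOUR_OFF, sizeof v);
    return v;
}

/* What the JVM would hand to native code: a capability bounded to the array. */
static cap_t cap_for_array(jvm_heap_t *h, unsigned perms) {
    cap_t c = { h->bytes + ARRAY_OFF, ARRAY_LEN, perms };
    return c;
}

/* Store through a capability: 0 on success, -1 on a bounds or permission fault. */
static int cap_store(cap_t c, size_t off, uint8_t v) {
    if (!(c.perms & PERM_STORE) || off >= c.length) return -1;
    c.base[off] = v;
    return 0;
}

/* Load through a capability: 0 on success, -1 on a bounds or permission fault. */
static int cap_load(cap_t c, size_t off, uint8_t *out) {
    if (!(c.perms & PERM_LOAD) || off >= c.length) return -1;
    *out = c.base[off];
    return 0;
}

/* A buggy native fill: trusts its caller's length and writes n bytes through a raw pointer. */
static void raw_fill(uint8_t *p, size_t n, uint8_t v) {
    memset(p, v, n);
}

/* The same routine written against the capability model. */
static int cap_fill(cap_t c, size_t n, uint8_t v) {
    for (size_t i = 0; i < n; i++)
        if (cap_store(c, i, v) != 0) return -1;   /* faults at the first out-of-bounds byte */
    return 0;
}

/* Raw JNI-style access: filling 12 bytes into an 8-byte array silently clobbers the neighbour. */
uint32_t neighbour_after_raw_overfill(void) {
    jvm_heap_t h;
    heap_init(&h);
    raw_fill(h.bytes + ARRAY_OFF, 12, 0xFF);
    return heap_neighbour(&h);                    /* 0xFFFFFFFF: memory outside the array was overwritten */
}

/* Capability access: the over-long fill is refused (-1). */
int cap_overfill_status(void) {
    jvm_heap_t h;
    heap_init(&h);
    return cap_fill(cap_for_array(&h, PERM_LOAD | PERM_STORE), 12, 0xFF);
}

/* ...and the neighbouring object keeps its value (0xDEADBEEF). */
uint32_t neighbour_after_cap_overfill(void) {
    jvm_heap_t h;
    heap_init(&h);
    (void)cap_fill(cap_for_array(&h, PERM_LOAD | PERM_STORE), 12, 0xFF);
    return heap_neighbour(&h);
}

/* Read-only capability: an in-bounds load works, an in-bounds store is refused (-1). */
int readonly_store_status(void) {
    jvm_heap_t h;
    heap_init(&h);
    cap_t ro = cap_for_array(&h, PERM_LOAD);
    uint8_t v;
    if (cap_load(ro, 3, &v) != 0 || v != 0) return 1;   /* load must succeed */
    return cap_store(ro, 3, 0x41);                       /* no store permission */
}

int main(void) {
    printf("raw overfill: neighbour = 0x%08X\n", neighbour_after_raw_overfill());
    printf("cap overfill: rc = %d, neighbour = 0x%08X\n",
           cap_overfill_status(), neighbour_after_cap_overfill());
    printf("read-only store: rc = %d\n", readonly_store_status());
    return 0;
}
```

The point to take from the two fill calls is not the off-by-four bug itself but who catches it: with a raw pointer the JVM never learns that native code wrote past the array, whereas with a bounded capability the first out-of-bounds store faults before any neighbouring object is touched, and a capability issued without store permission turns a JVM buffer into genuinely read-only memory for the native side.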
CHERI JNI: Sinking the Java Security Model into the C
ASPLOS '17: Proceedings of the Twenty-Second International Conference on Architectural Support for Programming Languages and Operating Systems