
CHERI JNI: Sinking the Java Security Model into the C

Published: 04 April 2017

Abstract

Java provides security and robustness by building a high-level security model atop the foundation of memory protection. Unfortunately, any native code linked into a Java program -- including the million lines used to implement the standard library -- is able to bypass both the memory protection and the higher-level policies. We present a hardware-assisted implementation of the Java native code interface, which extends the guarantees required for Java's security model to native code.

Our design supports safe direct access to buffers owned by the JVM, including hardware-enforced read-only access where appropriate. We also present Java language syntax to declaratively describe isolated compartments for native code.

We show that it is possible to preserve the memory safety and isolation requirements of the Java security model in C code, allowing native code to run in the same process as Java code with the same impact on security as running equivalent Java code. Our approach has a negligible impact on performance, compared with the existing unsafe native code interface. We demonstrate a prototype implementation running on the CHERI microprocessor synthesized in FPGA.
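Added illustration, not code from the paper and not the CHERI or JNI API: a plain-C software model of the property the abstract describes. The `cap_t` struct is a stand-in for a CHERI capability (a pointer that carries bounds and permissions), `jvm_heap` and `jvm_export_array` are hypothetical stand-ins for the JVM heap and a capability-aware array export, and the two adjacent objects are constructed so that the overflow target is deterministic. The same off-by-one bug in native code runs once through a raw pointer, as legacy JNI hands out, and once through the bounded capability; the last function shows the read-only view the abstract mentions. On real CHERI hardware the checks written here in `cap_store8` and `cap_load8` are performed by the CPU on every load and store.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Software stand-in for a CHERI capability (hypothetical, for illustration):
 * a pointer carrying bounds and permissions. On real CHERI these fields are
 * part of the pointer itself and the CPU checks every load/store; here the
 * checks live in cap_load8/cap_store8. */
enum { PERM_LOAD = 1u << 0, PERM_STORE = 1u << 1 };

typedef struct {
    uint8_t *base;    /* lowest address the capability may touch */
    size_t length;    /* bytes reachable from base */
    unsigned perms;   /* PERM_LOAD / PERM_STORE */
} cap_t;

/* Constructed model of a JVM heap: two adjacent 16-byte byte[] payloads,
 * object A at mem[0..16) and object B at mem[16..32). */
#define OBJ_SIZE 16
#define HEAP_SIZE (2 * OBJ_SIZE)
typedef struct { uint8_t mem[HEAP_SIZE]; } jvm_heap;

/* Hypothetical capability-aware counterpart of a JNI array export: the JVM
 * hands native code a pointer bounded to one object's payload and decides
 * whether that pointer may be used for writes. */
cap_t jvm_export_array(jvm_heap *h, size_t offset, size_t len, bool writable) {
    cap_t c = { h->mem + offset, len, PERM_LOAD | (writable ? PERM_STORE : 0) };
    return c;
}

/* Checked accesses: refuse (return false) on a missing permission or an
 * out-of-bounds offset instead of touching memory. */
bool cap_store8(cap_t c, size_t offset, uint8_t value) {
    if (!(c.perms & PERM_STORE) || offset >= c.length) return false;
    c.base[offset] = value;
    return true;
}

bool cap_load8(cap_t c, size_t offset, uint8_t *out) {
    if (!(c.perms & PERM_LOAD) || offset >= c.length) return false;
    *out = c.base[offset];
    return true;
}

/* The same off-by-one native bug (fills len + 1 bytes) written two ways. */

/* Legacy JNI style: a raw pointer plus a length the callee is trusted to
 * honour. Returns the number of bytes written. */
size_t legacy_native_fill(uint8_t *p, size_t len, uint8_t value) {
    size_t i;
    for (i = 0; i <= len; i++) p[i] = value;   /* "<=" is the bug */
    return i;
}

/* Capability style: every store goes through the bounds/permission check.
 * Returns the number of stores that were actually permitted. */
size_t checked_native_fill(cap_t buf, uint8_t value) {
    size_t ok = 0;
    for (size_t i = 0; i <= buf.length; i++)     /* same bug */
        ok += cap_store8(buf, i, value) ? 1 : 0;
    return ok;
}

/* With a raw pointer the 17th store lands in object B's first byte. */
bool demo_legacy_corrupts_neighbour(void) {
    jvm_heap h;
    memset(&h, 0, sizeof h);
    size_t written = legacy_native_fill(h.mem, OBJ_SIZE, 0xAA);
    return written == OBJ_SIZE + 1 && h.mem[OBJ_SIZE] == 0xAA;
}

/* With a bounded capability the 16 in-bounds stores succeed, the
 * overflowing store is refused and object B is untouched. */
bool demo_capability_contains_bug(void) {
    jvm_heap h;
    memset(&h, 0, sizeof h);
    cap_t a = jvm_export_array(&h, 0, OBJ_SIZE, true);
    size_t stored = checked_native_fill(a, 0xAA);
    return stored == OBJ_SIZE && h.mem[OBJ_SIZE - 1] == 0xAA && h.mem[OBJ_SIZE] == 0;
}

/* A read-only export lets native code read the buffer but not modify it. */
bool demo_readonly_view_rejects_store(void) {
    jvm_heap h;
    memset(&h, 0x11, sizeof h);
    cap_t ro = jvm_export_array(&h, OBJ_SIZE, OBJ_SIZE, false);
    uint8_t v = 0;
    bool loaded = cap_load8(ro, 3, &v);
    bool stored = cap_store8(ro, 3, 0x22);
    return loaded && v == 0x11 && !stored && h.mem[OBJ_SIZE + 3] == 0x11;
}

int main(void) {
    printf("raw pointer corrupts neighbour:  %s\n", demo_legacy_corrupts_neighbour() ? "yes" : "no");
    printf("capability contains the bug:     %s\n", demo_capability_contains_bug() ? "yes" : "no");
    printf("read-only view rejects store:    %s\n", demo_readonly_view_rejects_store() ? "yes" : "no");
    return 0;
}
```

The model deliberately keeps the native code's bug in both versions: the point of the paper's approach is that the JVM chooses the bounds and permissions when it exports a buffer, so a defect in the native library is confined to that buffer rather than reaching the rest of the heap.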
