CHERI JNI: Sinking the Java Security Model into the C

Java provides security and robustness by building a high-level security model atop the foundation of memory protection. Unfortunately, any native code linked into a Java program -- including the million lines used to implement the standard library -- is able to bypass both the memory protection and the higher-level policies. We present a hardware-assisted implementation of the Java native code interface, which extends the guarantees required for Java's security model to native code. Our design supports safe direct access to buffers owned by the JVM, including hardware-enforced read-only access where appropriate. We also present Java language syntax to declaratively describe isolated compartments for native code. We show that it is possible to preserve the memory safety and isolation requirements of the Java security model in C code, allowing native code to run in the same process as Java code with the same impact on security as running equivalent Java code. Our approach has a negligible impact on performance, compared with the existing unsafe native code interface. We demonstrate a prototype implementation running on the CHERI microprocessor synthesized in FPGA.
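To make the abstract's central mechanism concrete, the following C program is an added example (not code from the CHERI JNI paper or the CHERI project) that models in software the two operations the paper relies on in hardware: narrowing a capability's bounds to exactly the JVM-owned buffer being shared, and stripping the store permission so native code gets a read-only view. On a real CHERI target these operations are compiler builtins and the CPU performs the checks; here `cap_t`, `cap_bounds_set`, `cap_perms_and` and `jvm_share_readonly` are constructed names with explicit checks, so the program runs on any machine and shows which accesses would fault.

```c
/* Added example: a software model of the capability checks that CHERI
 * enforces in hardware. Names such as cap_t and jvm_share_readonly are
 * constructed for this illustration, not taken from the paper. */
#include <stddef.h>
#include <stdint.h>

enum { PERM_LOAD = 1, PERM_STORE = 2 };

/* A capability: a pointer carrying bounds and permissions. On CHERI these
 * live in a tagged register checked by the CPU; here they are plain fields
 * checked by the functions below. */
typedef struct {
    uint8_t *base;
    size_t   length;
    unsigned perms;
    int      valid;   /* models the hardware tag bit */
} cap_t;

cap_t cap_from_buffer(uint8_t *buf, size_t len, unsigned perms) {
    cap_t c = { buf, len, perms, 1 };
    return c;
}

/* Narrow bounds. Monotonicity: a capability can never be widened, so a
 * request that exceeds the current bounds yields an invalid (untagged) cap. */
cap_t cap_bounds_set(cap_t c, size_t offset, size_t len) {
    cap_t out = c;
    if (!c.valid || offset > c.length || len > c.length - offset) {
        out.valid = 0;
        return out;
    }
    out.base = c.base + offset;
    out.length = len;
    return out;
}

/* Drop permissions (AND with a mask); permissions can only be removed. */
cap_t cap_perms_and(cap_t c, unsigned mask) {
    c.perms &= mask;
    return c;
}

/* Access checks: 0 on success, -1 where the CPU would raise a fault. */
int cap_load(cap_t c, size_t idx, uint8_t *out) {
    if (!c.valid || !(c.perms & PERM_LOAD) || idx >= c.length) return -1;
    *out = c.base[idx];
    return 0;
}

int cap_store(cap_t c, size_t idx, uint8_t v) {
    if (!c.valid || !(c.perms & PERM_STORE) || idx >= c.length) return -1;
    c.base[idx] = v;
    return 0;
}

/* Models the JVM handing native code a read-only view of one Java byte[]:
 * bounds cover only that array and the store permission is removed, so the
 * rest of the heap is unreachable and the array cannot be modified. */
cap_t jvm_share_readonly(uint8_t *heap, size_t heap_len,
                         size_t arr_off, size_t arr_len) {
    cap_t whole = cap_from_buffer(heap, heap_len, PERM_LOAD | PERM_STORE);
    cap_t arr = cap_bounds_set(whole, arr_off, arr_len);
    return cap_perms_and(arr, PERM_LOAD);
}

/* Constructed scenario: a 64-byte "JVM heap" with a 16-byte array at offset
 * 16. Returns 1 when every access behaves as the capability model predicts. */
int demo_native_access(void) {
    static uint8_t heap[64];
    uint8_t v = 0;
    for (size_t i = 0; i < sizeof heap; i++) heap[i] = (uint8_t)i;

    cap_t view = jvm_share_readonly(heap, sizeof heap, 16, 16);

    int in_bounds_load = cap_load(view, 3, &v);       /* 0, v == 19 */
    int oob_load       = cap_load(view, 16, &v);      /* -1: past the array */
    int store_attempt  = cap_store(view, 0, 0xFF);    /* -1: no store perm */
    cap_t widened      = cap_bounds_set(view, 0, 64); /* invalid: cannot widen */

    return in_bounds_load == 0 && v == 19 && oob_load == -1 &&
           store_attempt == -1 && widened.valid == 0 && heap[16] == 16;
}
```

The point of the model is the monotonicity in `cap_bounds_set` and `cap_perms_and`: once the JVM has derived the narrow read-only view, native code holding it has no operation that recovers the wider, writable original, which is what lets native code run in the same process without widening the attack surface beyond that of equivalent Java code.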
