research-article

Public Access

CHERI JNI: Sinking the Java Security Model into the C

Authors:

David Chisnall,

Alexandre Joannou,

Jonathan Woodruff,

A. Theodore Markettos,

J. Edward Maste,

Simon W. Moore,

Peter G. Neumann,

Robert N.M. WatsonAuthors Info & Claims

ACM SIGARCH Computer Architecture News, Volume 45, Issue 1

Pages 569 - 583

https://doi.org/10.1145/3093337.3037725

Published: 04 April 2017 Publication History

Abstract

Java provides security and robustness by building a high-level security model atop the foundation of memory protection. Unfortunately, any native code linked into a Java program -- including the million lines used to implement the standard library -- is able to bypass both the memory protection and the higher-level policies. We present a hardware-assisted implementation of the Java native code interface, which extends the guarantees required for Java's security model to native code.

Our design supports safe direct access to buffers owned by the JVM, including hardware-enforced read-only access where appropriate. We also present Java language syntax to declaratively describe isolated compartments for native code.

We show that it is possible to preserve the memory safety and isolation requirements of the Java security model in C code, allowing native code to run in the same process as Java code with the same impact on security as running equivalent Java code. Our approach has a negligible impact on performance, compared with the existing unsafe native code interface. We demonstrate a prototype implementation running on the CHERI microprocessor synthesized in FPGA.

References

[1]

CHERI open data web site. https://www.cl.cam.ac.uk/research/security/ctsrd/data/. Accessed: 2017-01-27.

[2]

CHERI open-source web site. http://www.cheri-cpu.org/. Accessed: 2017-01-27.

[3]

Java native interface specification. https://docs.oracle.com/javase/7/docs/technotes/guides/jni/spec/jniTOC.html. Accessed: 2016-07-25.

[4]

Jsr 51: New i/o apis for the java platform. https://jcp.org/en/jsr/detail?id=51. Accessed: 2016-07-25.

[5]

Novosoft c2j. http://www.novosoft-us.com/solutions/product_c2j.shtml. Accessed: 2016-07--25.

[6]

Tangible software solutions' C++ to java converter. http://www.tangiblesoftwaresolutions.com/Product_Details/CPlusPlus_to_Java_Converter_Details.html. Accessed: 2016-07-25.

[7]

C++/CLI language specification. (ECMA-372), December 2005.

[8]

David Chisnall, Colin Rothwell, Brooks Davis, Robert N.M. Watson, Jonathan Woodruff, Munraj Vadera, Simon W. Moore, Peter G. Neumann, and Michael Roe. Beyond the PDP-11: Architectural support for a memory-safe c abstract machine. In Proceedings of the Twentieth International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS '15, pages 117--130, New York, NY, USA, 2015. ACM.

Digital Library

[9]

G. Czajkowski, L. Daynes, and M. Wolczko. Automated and portable native code isolation. In Software Reliability Engineering, 2001. ISSRE 2001. Proceedings. 12th International Symposium on, pages 298--307, Nov 2001.

[10]

Joe Devietti, Colin Blundell, Milo M. K. Martin, and Steve Zdancewic. Hardbound: Architectural support for spatial safety of the C programming language. SIGPLAN Not., 43(3):103--114, March 2008.

Digital Library

[11]

L. Gong, M. Mueller, H. Prafullchandra, and R. Schemers. Going beyond the sandbox: An overview of the new security architecture in the Java Development Kit 1.2. In Proceedings of the Symposium on Internet Technologies and Systems. USENIX, December 1997.

[12]

Li Gong. Java security architecture revisited. Commun. ACM, 54(11):48--52, November 2011.

Digital Library

[13]

Intel Plc. Introduction to Intel® memory protection extensions. http://software.intel.com/en-us/articles/introduction-to-intel-memory-protection-extensions, July 2013.

[14]

P.A. Karger. Limiting the damage potential of discretionary Trojan horses. In Proceedings of the 1987 Symposium on Security and Privacy. IEEE, April 1987.

[15]

Douglas Kilpatrick. Privman: A Library for Partitioning Applications. In Proceedings of 2003 USENIX Annual Technical Conference, 2003.

[16]

Johannes Martin. Ephedra - A C to Java Migration Environment: Approaches, Case Studies and Tools for Migrating Legacy Systems from C and C++ to Java. LAP Lambert Academic Publishing, Germany, 2009.

[17]

Johannes Martin and Hausi A. Muller. Strategies for migration from c to java. In Proceedings of the Fifth European Conference on Software Maintenance and Reengineering, CSMR '01, pages 200--, Washington, DC, USA, 2001. IEEE Computer Society.

[18]

Johannes Martin and Hausi A. Müller. C to java migration experiences. In Proceedings of the 6th European Conference on Software Maintenance and Reengineering, CSMR '02, pages 143--153, Washington, DC, USA, 2002. IEEE Computer Society.

[19]

Stephen Mccamant and Greg Morrisett. Efficient, verifiable binary sandboxing for a CISC architecture. Technical Report MIT-LCS-TR-988, May 2005.

[20]

Marshal Kirk McKusick, George V. Neville-Neil, and Robert N. M. Watson. The Design and Implementation of the FreeBSD Operating System. Pearson, 2014.

[21]

Adrian Mettler, David Wagner, and Tyler Close. Joe-E: A Security-Oriented Subset of Java. In NDSS 2010: Proceedings of the Network and Distributed System Security Symposium, 2010.

[22]

Mark S. Miller, Mike Samuel, Ben Laurie, Ihab Awad, and Mike Stay. Caja: Safe active content in sanitized javascript, May 2008. http://google-caja.googlecode.com/files/caja-spec-2008-06-07.pdf.

[23]

Mark Samuel Miller. Robust composition: towards a unified approach to access control and concurrency control. PhD thesis, Johns Hopkins University, Baltimore, MD, USA, 2006.

Digital Library

[24]

Santosh Nagarakatte, Jianzhou Zhao, Milo M.K. Martin, and Steve Zdancewic. Softbound: Highly compatible and complete spatial memory safety for C. In Proceedings of the 2009 ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI '09, pages 245--258, New York, NY, USA, 2009. ACM.

Digital Library

[25]

Neils Provos, Markus Friedl, and Peter Honeyman. Preventing Privilege Escalation. In Proceedings of the 12th USENIX Security Symposium. USENIX, 2003.

[26]

Charles Reis and Steven D. Gribble. Isolating web programs in modern browser architectures. In EuroSys '09: Proceedings of the 4th ACM European Conference on Computer Systems. ACM, 2009.

Digital Library

[27]

Konstantin Serebryany, Derek Bruening, Alexander Potapenko, and Dmitry Vyukov. Addresssanitizer: A fast address sanity checker. In USENIX ATC 2012, 2012.

[28]

Joseph Siefers, Gang Tan, and Greg Morrisett. Robusta: Taming the native beast of the jvm. In Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS '10, pages 201--211, New York, NY, USA, 2010. ACM.

Digital Library

[29]

Mengtao Sun and Gang Tan. JVM-Portable Sandboxing of Java's Native Libraries, pages 842--858. Springer Berlin Heidelberg, Berlin, Heidelberg, 2012.

[30]

Mengtao Sun and Gang Tan. Nativeguard: Protecting android applications from third-party native libraries. In Proceedings of the 2014 ACM Conference on Security and Privacy in Wireless & Mobile Networks, WiSec '14, pages 165--176, New York, NY, USA, 2014. ACM.

[31]

Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song. SoK: Eternal war in memory. In IEEE Symposium on Security and Privacy, pages 48--62, 2013.

Digital Library

[32]

Gang Tan and Jason Croft. An empirical security study of the native code in the jdk. In Proceedings of the 17th Conference on Security Symposium, SS'08, pages 365--377, Berkeley, CA, USA, 2008. USENIX Association.

Digital Library

[33]

Gil Tene, Balaji Iyengar, and Michael Wolf. C4: The continuously concurrent compacting collector. SIGPLAN Not., 46(11):79--88, June 2011.

Digital Library

[34]

Lluís Vilanova, Muli Ben-Yehuda, Nacho Navarro, Yoav Etsion, and Mateo Valero. CODOMs: Protecting software with code-centric memory domains. In Proceeding of the 41st Annual International Symposium on Computer Architecuture, ISCA '14, pages 469--480, Piscataway, NJ, USA, 2014. IEEE Press.

Digital Library

[35]

Robert Wahbe, Steven Lucco, Thomas E. Anderson, and Susan L. Graham. Efficient software-based fault isolation. In Proceedings of the 14th Symposium on Operating Systems Principles. ACM, 1993.

Digital Library

[36]

R. N. M. Watson, J. Woodruff, P. G. Neumann, S. W. Moore, J. Anderson, D. Chisnall, N. Dave, B. Davis, K. Gudka, B. Laurie, S. J. Murdoch, R. Norton, M. Roe, S. Son, and M. Vadera. Cheri: A hybrid capability-system architecture for scalable software compartmentalization. In 2015 IEEE Symposium on Security and Privacy, pages 20--37, May 2015.

Digital Library

[37]

R.N.M. Watson, J. Anderson, B. Laurie, and K. Kennaway. Capsicum: Practical capabilities for Unix. In Proceedings of the 19th USENIX Security Symposium. USENIX, August 2010.

[38]

Robert N. M. Watson. Exploiting concurrency vulnerabilities in system call wrappers. In WOOT '07: Proceedings of the first USENIX Workshop on Offensive Technologies, pages 1--8, Berkeley, CA, USA, 2007. USENIX Association.

Digital Library

[39]

Robert N. M. Watson. A decade of OS access-control extensibility. Commun. ACM, 56(2), February 2013.

Digital Library

[40]

Emmett Witchel, Junghwan Rhee, and Krste Asanović. Mondrix: Memory isolation for Linux using Mondriaan memory protection. In Proceedings of the 20th ACM Symposium on Operating Systems Principles, October 2005.

Digital Library

[41]

Jonathan Woodruff, Robert N.M. Watson, David Chisnall, Simon W. Moore, Jonathan Anderson, Brooks Davis, Ben Laurie, Peter G. Neumann, Robert Norton, and Michael Roe. The cheri capability model: revisiting risc in an age of risk. In ISCA '14: Proceeding of the 41st annual international symposium on Computer architecture, pages 457--468, Piscataway, NJ, USA, 2014. IEEE Press.

[42]

Bennet Yee, David Sehr, Gregory Dardyk, J. Bradley Chen, Robert Muth, Tavis Ormandy, Shiki Okasaka, Neha Narula, and Nicholas Fullagar. Native client: A sandbox for portable, untrusted x86 native code. In Proceedings of the 2009 30th IEEE Symposium on Security and Privacy, pages 79--93, Washington, DC, USA, 2009. IEEE Computer Society.

Digital Library

Cited By

Dinh Duy KCho KNoh TLee HMeng WJensen CCremers CKirda E(2023)Capacity: Cryptographically-Enforced In-Process Capabilities for Modern ARM ArchitecturesProceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security10.1145/3576915.3623079(874-888)Online publication date: 15-Nov-2023
https://dl.acm.org/doi/10.1145/3576915.3623079
Johnson ELaufer EZhao ZGohman DNarayan SSavage SStefan DBrown F(2023)WaVe: a verifiably secure WebAssembly sandboxing runtime2023 IEEE Symposium on Security and Privacy (SP)10.1109/SP46215.2023.10179357(2940-2955)Online publication date: May-2023
https://doi.org/10.1109/SP46215.2023.10179357
Sayar IBartel ABodden ELe Traon Y(2022)An In-depth Study of Java Deserialization Remote-Code Execution Exploits and VulnerabilitiesACM Transactions on Software Engineering and Methodology10.1145/355473232:1(1-45)Online publication date: 5-Aug-2022
https://dl.acm.org/doi/10.1145/3554732
Show More Cited By

Index Terms

CHERI JNI: Sinking the Java Security Model into the C
1. Hardware
  1. Emerging technologies
    1. Analysis and design of emerging devices and systems
      1. Emerging languages and compilers
2. Security and privacy
  1. Software and application security

Recommendations

CHERI JNI: Sinking the Java Security Model into the C
ASPLOS '17: Proceedings of the Twenty-Second International Conference on Architectural Support for Programming Languages and Operating Systems

Java provides security and robustness by building a high-level security model atop the foundation of memory protection. Unfortunately, any native code linked into a Java program -- including the million lines used to implement the standard library -- is ...
Robusta: taming the native beast of the JVM
CCS '10: Proceedings of the 17th ACM conference on Computer and communications security

Java applications often need to incorporate native-code components for efficiency and for reusing legacy code. However, it is well known that the use of native code defeats Java's security model. We describe the design and implementation of Robusta, a ...
CHERI JNI: Sinking the Java Security Model into the C
ASPLOS '17

Java provides security and robustness by building a high-level security model atop the foundation of memory protection. Unfortunately, any native code linked into a Java program -- including the million lines used to implement the standard library -- is ...

Comments

Information & Contributors

Information

Published In

cover image ACM SIGARCH Computer Architecture News

ACM SIGARCH Computer Architecture News Volume 45, Issue 1

Asplos'17

March 2017

812 pages

ISSN:0163-5964

DOI:10.1145/3093337

Editor:
Babak Falsafi
Interim

Issue’s Table of Contents

ASPLOS '17: Proceedings of the Twenty-Second International Conference on Architectural Support for Programming Languages and Operating Systems
April 2017
856 pages
ISBN:9781450344654
DOI:10.1145/3037697
General Chairs:
Yunji Chen
Institute of Computing Technology, CAS, China
,
Olivier Temam
Google, USA
,
Program Chair:
John Carter
IBM, USA

Copyright © 2017 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 04 April 2017

Published in SIGARCH Volume 45, Issue 1

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

Google, Inc.
Defense Advanced Research Projects Agency
UK Higher Education Innovation Fund
Isaac Newton Trust
Thales E-Security
Engineering and Physical Sciences Research Council

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

21
Total Citations
View Citations
1,559
Total Downloads

Downloads (Last 12 months)351
Downloads (Last 6 weeks)38

Reflects downloads up to 14 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Dinh Duy KCho KNoh TLee HMeng WJensen CCremers CKirda E(2023)Capacity: Cryptographically-Enforced In-Process Capabilities for Modern ARM ArchitecturesProceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security10.1145/3576915.3623079(874-888)Online publication date: 15-Nov-2023
https://dl.acm.org/doi/10.1145/3576915.3623079
Johnson ELaufer EZhao ZGohman DNarayan SSavage SStefan DBrown F(2023)WaVe: a verifiably secure WebAssembly sandboxing runtime2023 IEEE Symposium on Security and Privacy (SP)10.1109/SP46215.2023.10179357(2940-2955)Online publication date: May-2023
https://doi.org/10.1109/SP46215.2023.10179357
Sayar IBartel ABodden ELe Traon Y(2022)An In-depth Study of Java Deserialization Remote-Code Execution Exploits and VulnerabilitiesACM Transactions on Software Engineering and Methodology10.1145/355473232:1(1-45)Online publication date: 5-Aug-2022
https://dl.acm.org/doi/10.1145/3554732
Suchy BGhosh SKersnar DChai SHuang ZNelson ACuevas MBernat AChaudhary GHardavellas NCampanoni SDinda PFalsafi BFerdman MLu SWenisch T(2022)CARAT CAKE: replacing paging via compiler/kernel cooperationProceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems10.1145/3503222.3507771(98-114)Online publication date: 28-Feb-2022
https://dl.acm.org/doi/10.1145/3503222.3507771
Holzinger PBodden EMeng WLi L(2021)A Systematic Hardening of Java's Information HidingProceedings of the 2021 International Symposium on Advanced Security on Software and Systems10.1145/3457340.3458300(11-22)Online publication date: 7-Jun-2021
https://dl.acm.org/doi/10.1145/3457340.3458300
He YZhou YZhou YLi QSun KGu YJiang Y(2020)JNI Global References Are Still Vulnerable: Attacks and DefensesIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2020.2995542(1-1)Online publication date: 2020
https://doi.org/10.1109/TDSC.2020.2995542
Georges AGuéneau AVan Strydonck TTimany ATrieu ADevriese DBirkedal L(2024)Cerise: Program Verification on a Capability Machine in the Presence of Untrusted CodeJournal of the ACM10.1145/362351071:1(1-59)Online publication date: 11-Feb-2024
https://dl.acm.org/doi/10.1145/3623510
Kressel JLefeuvre HOlivier P(2023)Software Compartmentalization Trade-Offs with Hardware CapabilitiesProceedings of the 12th Workshop on Programming Languages and Operating Systems10.1145/3623759.3624550(49-57)Online publication date: 23-Oct-2023
https://dl.acm.org/doi/10.1145/3623759.3624550
Jero SBurow NWard BSkowyra RKhazan RShrobe HOkhravi H(2022)TAG: Tagged Architecture GuideACM Computing Surveys10.1145/353370455:6(1-34)Online publication date: 7-Dec-2022
https://dl.acm.org/doi/10.1145/3533704
Wanninger NBowden JShetty KGarg AHale KBromberg YKermarrec AKozyrakis C(2022)Isolating functions at the hardware limit with virtinesProceedings of the Seventeenth European Conference on Computer Systems10.1145/3492321.3519553(644-662)Online publication date: 28-Mar-2022
https://dl.acm.org/doi/10.1145/3492321.3519553
Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Media

Figures

Other

Tables

View Issue’s Table of Contents