
CHERI JNI: Sinking the Java Security Model into the C

Published: 04 April 2017

Abstract

Java provides security and robustness by building a high-level security model atop the foundation of memory protection. Unfortunately, any native code linked into a Java program -- including the million lines used to implement the standard library -- is able to bypass both the memory protection and the higher-level policies. We present a hardware-assisted implementation of the Java native code interface, which extends the guarantees required for Java's security model to native code.
Our design supports safe direct access to buffers owned by the JVM, including hardware-enforced read-only access where appropriate. We also present Java language syntax to declaratively describe isolated compartments for native code.
We show that it is possible to preserve the memory safety and isolation requirements of the Java security model in C code, allowing native code to run in the same process as Java code with the same impact on security as running equivalent Java code. Our approach has a negligible impact on performance, compared with the existing unsafe native code interface. We demonstrate a prototype implementation running on the CHERI microprocessor synthesized in FPGA.

Published In

ASPLOS '17: Proceedings of the Twenty-Second International Conference on Architectural Support for Programming Languages and Operating Systems
April 2017
856 pages
ISBN:9781450344654
DOI:10.1145/3037697

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. architecture
  2. capability systems
  3. cheri
  4. compartmentalization
  5. compilers
  6. hardware security
  7. java
  8. jni
  9. language security
  10. memory protection
  11. sandboxing

Qualifiers

  • Research-article

Conference

ASPLOS '17

Acceptance Rates

ASPLOS '17 Paper Acceptance Rate: 53 of 320 submissions, 17%
Overall Acceptance Rate: 535 of 2,713 submissions, 20%
