1 / 46

Language-Based Protection in the J-kernel

Language-Based Protection in the J-kernel. David Walker COS 598E: Foundations of Language-Based Security Princeton University (slides from Chris Hawblitzel, Dartmouth). Extensible applications. applet. applet. agent. agent. browser. host. servlet. servlet. code. code. server.

ganya
Download Presentation

Language-Based Protection in the J-kernel

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Language-Based Protectionin the J-kernel David Walker COS 598E: Foundations of Language-Based Security Princeton University (slides from Chris Hawblitzel, Dartmouth)

  2. Extensible applications... applet applet agent agent browser host servlet servlet code code server gateway/router ...need protection

  3. Protection virtual memory language-based • share pages • IPC, thread switch address space address space single address space class A { private B b; public C c; public void f() ... } class B {…} class C {…} threads pages IPC A B pages threads C • type safety • public/private

  4. Safe language protection • Promises: • fast IPC • fine-grained sharing • ADT enforcement • capabilities • portability single address space class A { private B b; public C c; public void f() ... } class B {…} class C {…} A B C

  5. Talk outline • Extensible applications, protection • Language-based protection • current state • problems • The J-Kernel • Luna

  6. Java thread groups • Thread groups • Terminate group of threads applet 1 thread group applet 2 thread group browser thread group

  7. Java communication • Communication • Applet-to-browser • Browser-to-applet applet 1 applet 2 method invocation thread switch browser

  8. Problem 1: wrong code interrupted • Applet stops or suspends thread • browser left in inconsistent or deadlocked state applet 1 applet 2 method invocation interruption! browser

  9. Problem 2: damaged objects • Applet stops or suspends thread • ADT left in inconsistent or deadlocked state applet 1 applet 2 damaged object browser

  10. Damaged objects • Only stopping threads leaves damaged objects virtual machine task task

  11. Damaged objects • Only stopping threads leaves damaged objects virtual machine task task

  12. Damaged objects • Only stopping threads leaves damaged objects virtual machine task task

  13. Problem 3: resource accounting • JVM does not know who to blame for denial of service attacks: class TrojanHog extends Vector { private byte[] mydata = new byte[10000000]; public Object elementAt(int i) { attackNetwork(); return super.elementAt(i); } ... } virtual machine trojan hog

  14. Problem 4: weak termination • Garbage collector won’t deallocate reachable data and code • Resources not reclaimed • Malicious code not removed applet 1 applet 2 browser

  15. Problem 4: weak termination • Only stopping threads leaves objects, code • resources not reclaimed • undesired code may get run class TrojanHog extends Vector { private byte[] mydata = new byte[10000000]; public Object elementAt(int i) { attackNetwork(); return super.elementAt(i); } ... } virtual machine task task trojan hog

  16. Tasks task = objects + threads + code • task’s threads only run task’s code • explicit cross-task communication virtual machine task task int sum(int x, int y) {return x + y;} int mom(int x, int y) {return x + y;} task int foo(int x, int y) {return x + y;}

  17. Advantages of tasks • strong termination • resource accounting • clear communication • access control at boundaries • “whole-task” optimization virtual machine task task int sum(int x, int y) {return x + y;} int mom(int x, int y) {return x + y;} task int foo(int x, int y) {return x + y;}

  18. Talk outline • Extensible applications, protection • Language-based protection • The J-Kernel • Prototype implementation of the task model • written in Java • no changes to VM, language • Luna

  19. Cross-task calls • Method invocation on capability • checks for revocation • (simulated) thread switch • passes arguments • capabilities passed by reference • ordinary objects passed by copy method invocation task task cap passed by copy

  20. J-Kernel restricts sharing • Direct, arbitrary cross-task pointers violate task model • disallowed by J-Kernel task task task int foo(int x, int y) {return x + y;} int sum(int x, int y) {return x + y;} int mom(int x, int y) {return x + y;}

  21. J-Kernel capabilities • Special capability objects shared • ordinary objects not shared • Capabilities mediate cross-task communication • method invocations on capabilities are cross-task calls task task task cap cap cap cap int foo(int x, int y) {return x + y;} int sum(int x, int y) {return x + y;} int mom(int x, int y) {return x + y;}

  22. Where are the boundaries? programmer’s intention virtual machine run-time • Which method calls switch domains? • Who “owns” which object? (resource accounting...) • What guarantees does programmer have? applet 1 applet 2 int sum(int x, int y) {return x + y;} int foo(int x, int y) {return x + y;} switch domains switch domains int bar(int x, int y) {return x + y;} int mom(int x, int y) {return x + y;}

  23. Cross-task calls • Method invocation on remote pointer switches tasks • calls another task’s code • switches threads • arguments either: • primitive types • remote pointers virtual machine task task int sum(int x, int y) {return x + y;} int mom(int x, int y) {return x + y;}

  24. Cross-task calls: RMI • Semantics similar to Java Remote method invocation • J-Kernel uses RMI API • based on Java interfaces (“remote interfaces”) • Capability.create(…) generates capability • J-Kernel generates capability classes dynamically method invocation task task implements Servlet cap implements Servlet

  25. Revocation • Task can revoke any of its capabilities at any time: • least privilege, changing trust, termination task task task revoked cap cap cap cap int foo(int x, int y) {return x + y;} int sum(int x, int y) {return x + y;} int mom(int x, int y) {return x + y;}

  26. Termination • threads stopped • capabilities revoked • code, objects become eligible for GC • damaged objects inaccessible task task task cap cap cap cap int foo(int x, int y) {return x + y;} int sum(int x, int y) {return x + y;} int mom(int x, int y) {return x + y;}

  27. The J-Kernel • Prototype implementation of the task model • written in Java • no changes to VM, language Sun javac MS jvc J-Kernel bytecode rewriter Sun VM MS VM

  28. Sample Application • Extensible Web and Telephony Server PBX J-Kernel http tapi phone J-Server T-Server priv. domains servlet voicemail user domains user DB

  29. Network packet example task 1 task 2 task 3 Network driver task accounting 1 3 2 2 3 task 1: 200K left task 2: 80K left incoming packets task 3: 300K left

  30. Similar to RMI • J-Kernel: • Remote method invocation uses stubs to marshal, unmarshal arguments: method invocation task task cap passed by copy host host RMI stub stub passed by copy

  31. Example • Based on Sun’s RMI API: • classes implement remote interfaces: public interface Servlet extends Remote { public void service(Request req); } public class MyServlet implements Servlet { public void service(Request req) {...} } Servlet ms = new MyServlet(); Capability msCap = Capability.create(ms); • capabilities implement remote interfaces: ((Servlet) msCap).service(req);

  32. Performance • Pentium II @300Mhz • Microsoft VM (MS-VM) & Sun JDK w/Symantec JIT (Sun-VM) • Null method invocation • Operation MS-VM Sun-VM • Normal method invocation 0.024ms 0.021ms • J-Kernel “local RMI” 1.20ms 3.55ms • Bottlenecks: thread lookup + 2 locks • 60% of total time with MS-VM, 79% with Sun-VM • Comparison: • Windows NT LRPC: ~100s • L4 round-trip IPC on P5-133: 1.82ms J-Kernel on P5-133: 3.77ms • Exokernel round-trip protected control transfer on DEC-5000: 2.40ms

  33. Talk outline • Extensible applications, protection • Language-based protection • The J-Kernel • Luna • Extends Java type system • Idea: generalize J-Kernel sharing to all types • Runs on customized virtual machine • based on Marmot optimizing VM

  34. Remote pointers local pointer type (can only point to task-local objects) Type = PrimitiveType | ReferenceType | ReferenceType~ PrimitiveType = int | float | long | double | byte | char | short | boolean ReferenceType = ClassType | InterfaceType | Type[] List List~ remote pointer type (can point to objects in other tasks)

  35. List List List i i i next next next Remote pointers List pointer List~ pointer Permit access control revocation flag ... Remote pointers are revocable: class List {int i; List next;} int foo(List~ list) { return list.i + list.next.i; } run-time revocation checks of p

  36. Sharing data structures • Revocation of entire data structures class List {int i; List next;} int sum(List~ list) { int sum = 0; while(list != null) { sum += list.i; list = list.next; } return sum; } task 1 List~ pointer access control Permit List List List i i i next next next task 2

  37. Creating remote pointers List copy into local object @ List~ List l = new List(1, new List(2, new List(3, null))); Permit p1 = new Permit(); Permit p2 = new Permit(); List~ l1 = l@p1; List~ l2 = l@p2; ... p1.revoke(); //selective revocation List copy(List~ l) { if(l == null) return null; else return new List( l.i, copy(l.next)); }

  38. Remote pointer optimization • infer permit reuse • optimize/omit checks in loop • register thread with permit • permit revoked: roll-forward, raise exception // list has type List~ while(list != null) { list.i = 0; list = list.next; } loop: mov dword ptr [eax+8],0 /* list.i = 0 */ mov eax,dword ptr [eax+12] /* list = list.next */ cmp eax,0 /* if(list == 0) goto done */ je done jmp loop

  39. Remote pointer optimization • Operation on remote pointer, worst case: • acquire lock, check flag, operation, release lock • two checks per loop iteration: for(List~ l = ...; l != null; l = l.next) sum += l.i; • Faster: cache revocation flag in a “TLB” • Suspend thread to invalidate cached value

  40. Remote pointer optimization • infer permit reuse • embed inferred reuse in typed intermediate language • add code to cache/uncache permit void zero(List~ list) { while(list != null) { list.i = 0; list = list.next; } } .void zero(List{} list) { cache  while(list != null) { list.i = 0; list = list.next; } uncache  } result: very fast inner loop loop: mov dword ptr [eax+8],0 /* list.i = 0 */ mov eax,dword ptr [eax+12] /* list = list.next */ cmp eax,0 /* if(list == 0) goto done */ je done jmp loop

  41. Servlet example interface Servlet { void service(Request~ req); } class Request {String url; byte[] content;} class ServletBox {Servlet~ servlet;} class DispatchServlet implements Servlet { Hashtable table; void service(Request~ req) { String url = String.copy(req.url); ServletBox forwardTo = (ServletBox) table.get(url); forwardTo.servlet.service(req); } } servlet servlet servlet dispatch servlet server

  42. Whole-task optimization • Marmot performs whole-program optimizations • but no dynamic loading: would invalidate opts • Luna: whole-task optimization • dynamic loading of tasks servlet task Vector servlet task Vector extends ColorVector inline Vector.elementAt server task Vector inline Vector.elementAt

  43. Performance: JK & Luna • Pentium II @300Mhz • Null method invocation • Operation JK(MS-VM) Luna • Normal method invocation 0.024ms 0.027ms • Cross-task call, uniprocessor 1.20ms 0.37ms • Cross-task call, multiprocessor 1.20ms 0.76ms • Comparison: • Windows NT LRPC: ~100s • L4 round-trip IPC on P5-133: 1.82ms • Exokernel round-trip protected control transfer on DEC-5000: 2.40ms

  44. Related work • DrScheme • no peer-to-peer communication • task model not guaranteed • Alta • shared data • tradeoff between flexibility, resource tracking • KaffeOS • shared data buffers

  45. Conclusions • Safe language tasks: • clear communication • access control • domain termination • resource usage • whole-task optimization • J-Kernel: Capabilities + RMI • Luna: Remote pointers virtual machine task task task local pointer capability/remote pointer

More Related