460 likes | 576 Views
Language-Based Protection in the J-kernel. David Walker COS 598E: Foundations of Language-Based Security Princeton University (slides from Chris Hawblitzel, Dartmouth). Extensible applications. applet. applet. agent. agent. browser. host. servlet. servlet. code. code. server.
E N D
Language-Based Protectionin the J-kernel David Walker COS 598E: Foundations of Language-Based Security Princeton University (slides from Chris Hawblitzel, Dartmouth)
Extensible applications... applet applet agent agent browser host servlet servlet code code server gateway/router ...need protection
Protection virtual memory language-based • share pages • IPC, thread switch address space address space single address space class A { private B b; public C c; public void f() ... } class B {…} class C {…} threads pages IPC A B pages threads C • type safety • public/private
Safe language protection • Promises: • fast IPC • fine-grained sharing • ADT enforcement • capabilities • portability single address space class A { private B b; public C c; public void f() ... } class B {…} class C {…} A B C
Talk outline • Extensible applications, protection • Language-based protection • current state • problems • The J-Kernel • Luna
Java thread groups • Thread groups • Terminate group of threads applet 1 thread group applet 2 thread group browser thread group
Java communication • Communication • Applet-to-browser • Browser-to-applet applet 1 applet 2 method invocation thread switch browser
Problem 1: wrong code interrupted • Applet stops or suspends thread • browser left in inconsistent or deadlocked state applet 1 applet 2 method invocation interruption! browser
Problem 2: damaged objects • Applet stops or suspends thread • ADT left in inconsistent or deadlocked state applet 1 applet 2 damaged object browser
Damaged objects • Only stopping threads leaves damaged objects virtual machine task task
Damaged objects • Only stopping threads leaves damaged objects virtual machine task task
Damaged objects • Only stopping threads leaves damaged objects virtual machine task task
Problem 3: resource accounting • JVM does not know who to blame for denial of service attacks: class TrojanHog extends Vector { private byte[] mydata = new byte[10000000]; public Object elementAt(int i) { attackNetwork(); return super.elementAt(i); } ... } virtual machine trojan hog
Problem 4: weak termination • Garbage collector won’t deallocate reachable data and code • Resources not reclaimed • Malicious code not removed applet 1 applet 2 browser
Problem 4: weak termination • Only stopping threads leaves objects, code • resources not reclaimed • undesired code may get run class TrojanHog extends Vector { private byte[] mydata = new byte[10000000]; public Object elementAt(int i) { attackNetwork(); return super.elementAt(i); } ... } virtual machine task task trojan hog
Tasks task = objects + threads + code • task’s threads only run task’s code • explicit cross-task communication virtual machine task task int sum(int x, int y) {return x + y;} int mom(int x, int y) {return x + y;} task int foo(int x, int y) {return x + y;}
Advantages of tasks • strong termination • resource accounting • clear communication • access control at boundaries • “whole-task” optimization virtual machine task task int sum(int x, int y) {return x + y;} int mom(int x, int y) {return x + y;} task int foo(int x, int y) {return x + y;}
Talk outline • Extensible applications, protection • Language-based protection • The J-Kernel • Prototype implementation of the task model • written in Java • no changes to VM, language • Luna
Cross-task calls • Method invocation on capability • checks for revocation • (simulated) thread switch • passes arguments • capabilities passed by reference • ordinary objects passed by copy method invocation task task cap passed by copy
J-Kernel restricts sharing • Direct, arbitrary cross-task pointers violate task model • disallowed by J-Kernel task task task int foo(int x, int y) {return x + y;} int sum(int x, int y) {return x + y;} int mom(int x, int y) {return x + y;}
J-Kernel capabilities • Special capability objects shared • ordinary objects not shared • Capabilities mediate cross-task communication • method invocations on capabilities are cross-task calls task task task cap cap cap cap int foo(int x, int y) {return x + y;} int sum(int x, int y) {return x + y;} int mom(int x, int y) {return x + y;}
Where are the boundaries? programmer’s intention virtual machine run-time • Which method calls switch domains? • Who “owns” which object? (resource accounting...) • What guarantees does programmer have? applet 1 applet 2 int sum(int x, int y) {return x + y;} int foo(int x, int y) {return x + y;} switch domains switch domains int bar(int x, int y) {return x + y;} int mom(int x, int y) {return x + y;}
Cross-task calls • Method invocation on remote pointer switches tasks • calls another task’s code • switches threads • arguments either: • primitive types • remote pointers virtual machine task task int sum(int x, int y) {return x + y;} int mom(int x, int y) {return x + y;}
Cross-task calls: RMI • Semantics similar to Java Remote method invocation • J-Kernel uses RMI API • based on Java interfaces (“remote interfaces”) • Capability.create(…) generates capability • J-Kernel generates capability classes dynamically method invocation task task implements Servlet cap implements Servlet
Revocation • Task can revoke any of its capabilities at any time: • least privilege, changing trust, termination task task task revoked cap cap cap cap int foo(int x, int y) {return x + y;} int sum(int x, int y) {return x + y;} int mom(int x, int y) {return x + y;}
Termination • threads stopped • capabilities revoked • code, objects become eligible for GC • damaged objects inaccessible task task task cap cap cap cap int foo(int x, int y) {return x + y;} int sum(int x, int y) {return x + y;} int mom(int x, int y) {return x + y;}
The J-Kernel • Prototype implementation of the task model • written in Java • no changes to VM, language Sun javac MS jvc J-Kernel bytecode rewriter Sun VM MS VM
Sample Application • Extensible Web and Telephony Server PBX J-Kernel http tapi phone J-Server T-Server priv. domains servlet voicemail user domains user DB
Network packet example task 1 task 2 task 3 Network driver task accounting 1 3 2 2 3 task 1: 200K left task 2: 80K left incoming packets task 3: 300K left
Similar to RMI • J-Kernel: • Remote method invocation uses stubs to marshal, unmarshal arguments: method invocation task task cap passed by copy host host RMI stub stub passed by copy
Example • Based on Sun’s RMI API: • classes implement remote interfaces: public interface Servlet extends Remote { public void service(Request req); } public class MyServlet implements Servlet { public void service(Request req) {...} } Servlet ms = new MyServlet(); Capability msCap = Capability.create(ms); • capabilities implement remote interfaces: ((Servlet) msCap).service(req);
Performance • Pentium II @300Mhz • Microsoft VM (MS-VM) & Sun JDK w/Symantec JIT (Sun-VM) • Null method invocation • Operation MS-VM Sun-VM • Normal method invocation 0.024ms 0.021ms • J-Kernel “local RMI” 1.20ms 3.55ms • Bottlenecks: thread lookup + 2 locks • 60% of total time with MS-VM, 79% with Sun-VM • Comparison: • Windows NT LRPC: ~100s • L4 round-trip IPC on P5-133: 1.82ms J-Kernel on P5-133: 3.77ms • Exokernel round-trip protected control transfer on DEC-5000: 2.40ms
Talk outline • Extensible applications, protection • Language-based protection • The J-Kernel • Luna • Extends Java type system • Idea: generalize J-Kernel sharing to all types • Runs on customized virtual machine • based on Marmot optimizing VM
Remote pointers local pointer type (can only point to task-local objects) Type = PrimitiveType | ReferenceType | ReferenceType~ PrimitiveType = int | float | long | double | byte | char | short | boolean ReferenceType = ClassType | InterfaceType | Type[] List List~ remote pointer type (can point to objects in other tasks)
List List List i i i next next next Remote pointers List pointer List~ pointer Permit access control revocation flag ... Remote pointers are revocable: class List {int i; List next;} int foo(List~ list) { return list.i + list.next.i; } run-time revocation checks of p
Sharing data structures • Revocation of entire data structures class List {int i; List next;} int sum(List~ list) { int sum = 0; while(list != null) { sum += list.i; list = list.next; } return sum; } task 1 List~ pointer access control Permit List List List i i i next next next task 2
Creating remote pointers List copy into local object @ List~ List l = new List(1, new List(2, new List(3, null))); Permit p1 = new Permit(); Permit p2 = new Permit(); List~ l1 = l@p1; List~ l2 = l@p2; ... p1.revoke(); //selective revocation List copy(List~ l) { if(l == null) return null; else return new List( l.i, copy(l.next)); }
Remote pointer optimization • infer permit reuse • optimize/omit checks in loop • register thread with permit • permit revoked: roll-forward, raise exception // list has type List~ while(list != null) { list.i = 0; list = list.next; } loop: mov dword ptr [eax+8],0 /* list.i = 0 */ mov eax,dword ptr [eax+12] /* list = list.next */ cmp eax,0 /* if(list == 0) goto done */ je done jmp loop
Remote pointer optimization • Operation on remote pointer, worst case: • acquire lock, check flag, operation, release lock • two checks per loop iteration: for(List~ l = ...; l != null; l = l.next) sum += l.i; • Faster: cache revocation flag in a “TLB” • Suspend thread to invalidate cached value
Remote pointer optimization • infer permit reuse • embed inferred reuse in typed intermediate language • add code to cache/uncache permit void zero(List~ list) { while(list != null) { list.i = 0; list = list.next; } } .void zero(List{} list) { cache while(list != null) { list.i = 0; list = list.next; } uncache } result: very fast inner loop loop: mov dword ptr [eax+8],0 /* list.i = 0 */ mov eax,dword ptr [eax+12] /* list = list.next */ cmp eax,0 /* if(list == 0) goto done */ je done jmp loop
Servlet example interface Servlet { void service(Request~ req); } class Request {String url; byte[] content;} class ServletBox {Servlet~ servlet;} class DispatchServlet implements Servlet { Hashtable table; void service(Request~ req) { String url = String.copy(req.url); ServletBox forwardTo = (ServletBox) table.get(url); forwardTo.servlet.service(req); } } servlet servlet servlet dispatch servlet server
Whole-task optimization • Marmot performs whole-program optimizations • but no dynamic loading: would invalidate opts • Luna: whole-task optimization • dynamic loading of tasks servlet task Vector servlet task Vector extends ColorVector inline Vector.elementAt server task Vector inline Vector.elementAt
Performance: JK & Luna • Pentium II @300Mhz • Null method invocation • Operation JK(MS-VM) Luna • Normal method invocation 0.024ms 0.027ms • Cross-task call, uniprocessor 1.20ms 0.37ms • Cross-task call, multiprocessor 1.20ms 0.76ms • Comparison: • Windows NT LRPC: ~100s • L4 round-trip IPC on P5-133: 1.82ms • Exokernel round-trip protected control transfer on DEC-5000: 2.40ms
Related work • DrScheme • no peer-to-peer communication • task model not guaranteed • Alta • shared data • tradeoff between flexibility, resource tracking • KaffeOS • shared data buffers
Conclusions • Safe language tasks: • clear communication • access control • domain termination • resource usage • whole-task optimization • J-Kernel: Capabilities + RMI • Luna: Remote pointers virtual machine task task task local pointer capability/remote pointer