240 likes | 338 Views
An Approach to Safe Object Sharing. Ciaran Bryce & Chrislain Razafimahefa University of Geneva, Switzerland. Goal. Need to isolate mistrusting programs from one another and protect host platforms
E N D
An Approach to Safe Object Sharing Ciaran Bryce & Chrislain Razafimahefa University of Geneva, Switzerland
Goal • Need to isolate mistrusting programs from one another and protect host platforms • We still want object pointer alias for performance reason (call-by-value is too costly for argument that contains large objects)
Some available solutions (1) • Java’s loader model • Mistrusting programs in distinct loader spaces can only communicate with each other through serialization. It’s slow! • Shared system classes are potentially dangerous
Some available solutions (2) • Guarded object • Guard object check permission before giving out reference of the guarded object • No way to protect against errors in the guard object’s code • Once the reference is given out, it can not be easily revoked
Some available solutions (3) • Class-based alias control techniques • Different instances of the class might have different security policy but are treated uniformly in this approach • Can only enforce static security constraints
Object Space Model • Each object belongs to a space • An access matrix determines whether a space has right to access another space • The access matrix could be updated by “grant” and “revoke” operations • Objects in different spaces might “name” each other , but access right is checked upon method invocation
Root S1 S2 S3 S4 The Space Hierachy • Tree structure with a “RootSpace”, and each space can create child spaces, every object is created in one particular space
Access Rights among spaces • Default: parent has access to its child spaces, and a space has access to itself • Granting rights: • a parent can grant any space the rights to its children • a parent can also grant right it has to its children spaces • Revoking rights • a parent can revoke rights to its children from any spaces • a parent can also revoke rights that its children had • revoke has chain effect to the descendants
Root client1 client2 server Examples – Program Isolation
Root Root Traditional guarded object Java guard object client client Guard Guard G-Obj G-Obj Examples – Guarded Objects
Root Root user1 user1 user2 server user2 server packet packet Examples–Server Containment Server’s right to packet is revoked by user1 after service
Implementation - API • IOSObject – contains a pointer to the space the object belongs to • Space – implements operations, such as createChildSpace, grant, revoke, newInstance and checkAccess • RemoteSpace – prevents leaking handle for a space to objects in different spaces
Implementation - Bridge • Surprise, surprise, if we can “name” objects from different space, how do we guarantee that every method invocation on an object will do proper security check? Answer is a level of indirection through bridge objects • Objects that are referred cross-space are actually bridge objects. The bridge objects are transparent to programmers.
When are the bridge objects used? • When parent space creates an object in its child space, it gets a bridge object handle (newInstance) • When a method call has argument objects from different spaces, they are transferred to bridge objects before passed into the method • When a method returns an object, the result needs to be transferred to a bridge object • Exceptions are caught and arguments are transferred to proper bridge object
Implementing Bridge Class • Every class C has a Bridge class Bc < C • Every object gets a bridge object for every outside space that refers to it. The bridge object contains pointers to the protected object and its space, as well as the space that is using the object • Bc insures the following for every method in C: • Perform security checks using the access matrix • Convert arguments and result to proper bridge objects • Catch exceptions and convert the argument to proper bridge objects
Space 2 Space 1 O1 O3 O2 O4 Space 3 O5 Bridge Objects
Problems: final and private clauses / system classes • Bridge class Bc is a subclass of C, so the object space program either has to reject classes that contain final or pirvate clauses, or has to remove the modifiers from class files before linking • Some system classes, i.e., Object, String, Integer etc., contain final methods. They need special treatment
Problems: field access • Field access to the object in a different space is actually field of the bridge object which does not contain anything • One solution is to convert field access to method calls
Problems : static methods and fields / native methods • Static methods and fields are security holes. There is no way to rewrite to provide a level of indirection • No guarantee on the behavior of native methods • Reject both
Problems : arrays • Element selection “[]” is not a method call • Make local copies when array object is referred across a space boundary • Each element in the array is modified to be the proper bridge object • To share an array, wrap it in a class that has entry selectors as methods
Problems : Synchronization • synchronized statement will mistakenly synchronize on bridge objects instead of the original objects • synchronized methods invocation will be directed to the original object through the bridge object
Performance evaluation • More efficient than copy-by-value model, especially when the size of object used across domain boundary is large • Some cost for creating bridge classes and loading them
Related work • Java’s loader mechanism • Capability object in J-Kernel • JavaSeal • Real-time Java • SecurityManager • Jflow • Alias control
Discussion • Is the tree-like space hierarchy natural to programmers? • Do you like the idea of everything being checked dynamically? “Your program compiles, but you have to run it to see if it works.” • How to describe the set of security policy that could be enforced in this model? • Loading bridge classes is insecure and inefficient