CHERI JNI: Sinking the Java security model into the C David Chisnall - - PowerPoint PPT Presentation

cheri jni
SMART_READER_LITE
LIVE PREVIEW

CHERI JNI: Sinking the Java security model into the C David Chisnall - - PowerPoint PPT Presentation

Oct 11, 2023 149 likes •322 views

CHERI JNI: Sinking the Java security model into the C David Chisnall , Brooks Davis, Khilan Gudka, David Brazdil, Alexandre Joannou, Jonathan Woodruff, A. Theodore Markettos, J. Edward Maste, Robert Norton, Stacey Son, Michael Roe, Simon W.

slide-1
SLIDE 1

Approved for public release; distribution is unlimited. This research is sponsored by the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL), under contract FA8750-10-C-0237. The views, opinions, and/or findings contained in this article/presentation are those of the author(s)/presenter(s) and should not be interpreted as representing the official views or policies of the Department of Defense or the U.S. Government.

CHERI JNI:

Sinking the Java security model into the C

David Chisnall, Brooks Davis, Khilan Gudka, David Brazdil, Alexandre Joannou, Jonathan Woodruff, A. Theodore Markettos,

  • J. Edward Maste, Robert Norton, Stacey Son, Michael Roe,

Simon W. Moore, Peter G. Neumann, Ben Laurie, Robert N. M. Watson

slide-2
SLIDE 2

The Java abstract machine

2

Java VM Native Code JNI Type safe Garbage collected Data hiding Security policy enforcement Fast Full control over memory Basically full of evil

slide-3
SLIDE 3

Native Code Fast Full control over memory Basically full of evil

The Java concrete machine

3

Java VM Type safe Garbage collected Data hiding Security policy enforcement JNI

slide-4
SLIDE 4

JNI is insecure by design

The JNI does not check for programming errors such as passing in NULL pointers or illegal argument types. Most C library functions do not guard against programming errors…The programmer must not pass illegal pointers

  • r arguments of the wrong type to JNI functions. Doing

so could result in arbitrary consequences, including a corrupted system state or VM crash.

4

slide-5
SLIDE 5

BRIEF CHERI PRIMER

5

slide-6
SLIDE 6

Hardware memory safety

6

s pointer (64 bits)

256-bit capability

Virtual address space

v

1-bit tag

permissions (31 bits)

  • bjtype (24bits)

length (64 bits)

  • ffset (64 bits)

base (64 bits)

Compressed representation provides the same abstract model in 128 bits.

slide-7
SLIDE 7

Sealing gives opaque pointers

7

Sealing Capability Data Capability Sealed Capability Seal Unseal Data Capability Trusted code Trusted code Untrusted code Unseal Other data Trap!

slide-8
SLIDE 8

CHERI AND THE JNI

8

slide-9
SLIDE 9

CHERI JNI

9

Java VM Native Code JNI Type safe Garbage collected Data hiding Security policy enforcement Declarative policy for sandboxed native code.

Fast Full control over local memory Memory-safe access to Java buffers Controlled access to Java objects Evil stays in the box

Native Code JNI Native Code JNI

slide-10
SLIDE 10

Sandbox scopes

10

Fast Secure Easy Global Method Object

slide-11
SLIDE 11

Direct buffer access

11

class Foo { @Sandbox(...) native long process(ByteBuffer buf) } JNIEXPORT void JNICALL Java_Foo_process (JNIEnv *env, jobject this, jobject buf) { char *b = (*env)->GetDirectBufferAddress(env, buf); someNativeLibraryThing(buf); } Java NIO class intended to provide C code with direct access to JVM-owned memory

slide-12
SLIDE 12

Direct buffer access

12

class Foo { @Sandbox(...) native long process(ByteBuffer buf) } JNIEXPORT void JNICALL Java_Foo_process (JNIEnv *env, jobject this, jobject buf) { char *b = (*env)->GetDirectBufferAddress(env, buf); someNativeLibraryThing(buf); } Bounds-checked access to JVM-owned buffer and nothing else. No store permission if the ByteBuffer is read only.

slide-13
SLIDE 13

Avoiding type confusion

Exploitable vulnerability in existing state of the art SFI-based technique.

13

// Get the field ID for integer field x jfieldID f = (*env)->GetFieldID(env, cls, "x", "I"); // Set that field to 42 (*env)->SetIntField(env, r, f, 42); JVM does: *(r + (f->offset)) = 42; No type checking of f. CHERI JNI checks f and r are sealed with the correct type, errors if not.

slide-14
SLIDE 14

CHERI vs prior sandboxing work

Mechanism JITs Stack Unwinders Many Sandboxes Direct buffers CHERI ✔ ✔ ✔ ✔ SFI-based X X X X Process-based ✔ ✔ X X

14

slide-15
SLIDE 15

Garbage collection extends to C

  • All Java references in C code are sealed

capabilities

  • All pointers to Java arrays or direct buffers are

unsealed (but bounded) capabilities

  • All capabilities are protected by a tag bit
  • The garbage collector can find them in memory

15

slide-16
SLIDE 16

Conclusion

  • CHERI allows the Java security model to be

extended all of the way through native code

  • Native code cannot violate the invariants of the

JVM

  • Performance is comparable with conventional JNI

implementations

16