link time enforcement of confined types for jvm bytecode
play

Link-Time Enforcement of Confined Types for JVM Bytecode Philip W. - PowerPoint PPT Presentation

Sep 25, 2023 •8 likes •348 views

Link-Time Enforcement of Confined Types for JVM Bytecode Philip W. L. Fong pwlfong@cs.uregina.ca Department of Computer Science University of Regina Regina, Saskatchewan, Canada Overview Motivation Confined Types A Bytecode-level

  1. Link-Time Enforcement of Confined Types for JVM Bytecode Philip W. L. Fong pwlfong@cs.uregina.ca Department of Computer Science University of Regina Regina, Saskatchewan, Canada

  2. Overview Motivation Confined Types A Bytecode-level Formulation of Confined Types Implementation Efforts Secure Cooperation Link-Time Enforcement of Confined Types for JVM Bytecode – p.1/33

  3. Motivation Link-Time Enforcement of Confined Types for JVM Bytecode – p.2/33

  4. Dynamically Extensible Software Systems Process P Process C R Code Producer Code Consumer Link-Time Enforcement of Confined Types for JVM Bytecode – p.3/33

  5. Dynamically Extensible Software Systems Process P Process C Program Fragment E R Code Producer Code Consumer Link-Time Enforcement of Confined Types for JVM Bytecode – p.4/33

  6. Dynamically Extensible Software Systems Process P Process C Program Fragment E R Code Producer Code Consumer Link-Time Enforcement of Confined Types for JVM Bytecode – p.5/33

  7. Dynamically Extensible Software Systems Process P Process C Program Fragment E R Code Producer Code Consumer Examples: mobile code, OS kernel extensions, application plug-ins, scriptable software Link-Time Enforcement of Confined Types for JVM Bytecode – p.6/33

  8. Language-Based Security Language-based Security: Use a safe language to encode untrusted software extensions Protection via programming language facilities e.g., type systems, program rewriting, interpreters Examples: JVM, CLR Link-Time Enforcement of Confined Types for JVM Bytecode – p.7/33

  9. Encapsulation and Security Data Encapsulation Protecting object states from undisciplined access Well-supported in mainstream OO languages Reference Encapsulation Preventing accidental reference leaking Not supported in mainstream OO languages Reference leaking has led to a security breach in JDK 1.1 Link-Time Enforcement of Confined Types for JVM Bytecode – p.8/33

  10. Confined Types Confined Types (Vitek et al 2001, 2003) a recently proposed lightweight annotation system for supporting reference encapsulation in Java-like languages existing formulations target Java-like source languages enforceable only by code producer at compile time not qualified as language-based protection mechanism for code consumers Link-Time Enforcement of Confined Types for JVM Bytecode – p.9/33

  11. Contributions 1. the first formulation of confined types for JVM bytecode 2. the first implementation to enforce confined types at link-time on behalf of the code consumer 3. employing the bytecode-level formulation of confined types to facilitate a form of secure cooperation Link-Time Enforcement of Confined Types for JVM Bytecode – p.10/33

  12. Confined Types Link-Time Enforcement of Confined Types for JVM Bytecode – p.11/33

  13. JDK 1.1 Security Breach public class Class { private Identity[] signers; public Identity[] getSigners() { return signers; } } Link-Time Enforcement of Confined Types for JVM Bytecode – p.12/33

  14. Manual Fix public class Class { private Identity[] signers; public Identity[] getSigners() { Identity[] dup = new Identity[signers.length]; for (int i = 0; i < signers.length; i++) dup[i] = signers[i]; return dup; } } Link-Time Enforcement of Confined Types for JVM Bytecode – p.13/33

  15. A New Type Qualifier A class can be qualified as being confined . References to confined class instances are not allowed to escape outside of the package in which the class is declared. Examples: confined class ConfinedIdentity { ... } Link-Time Enforcement of Confined Types for JVM Bytecode – p.14/33

  16. Solution (1) public class Identity { ConfinedIdentity rep; Identity(ConfinedIdentity si) { rep = si; } ... } Link-Time Enforcement of Confined Types for JVM Bytecode – p.15/33

  17. Solution (2) public class Class { private ConfinedIdentity[] signers; public Identity[] getSigners() { Identity[] dup = new Identity[signers.length]; for (int i = 0; i < signers.length; i++) dup[i] = new Identity(signers[i]); return dup; } } Link-Time Enforcement of Confined Types for JVM Bytecode – p.16/33

  18. A Bytecode-Level Formulation of Confined Types Link-Time Enforcement of Confined Types for JVM Bytecode – p.17/33

  19. Confined Types as Capabilities (1) Capability Types (Boyland et al 2001): A capability is an unforgeable pair: � object-reference , access-rights � In a strongly typed programming language, a type qualifier plays the role of the access-rights component of a capability: const char *p; Link-Time Enforcement of Confined Types for JVM Bytecode – p.18/33

  20. Confined Types as Capabilities (2) A Capability-based Formulation of Confined Types: In our bytecode-level type system, confined-ness is not just the property of a class, it is a capability type. Every object reference is associated with a capability type to indicate where it can be propagated . Subtype hierarchy: ⊥ < : confined < : anonymous Supertypes are more restrictive than subtypes. Greatly simplifies the formulation of type rules. Link-Time Enforcement of Confined Types for JVM Bytecode – p.19/33

  21. Confined Type Interface Code safety is a whole-program notion, but . . . Lazy, dynamic linking ⇒ not all application classes are loaded at all times. Every classfile carries a confined type interface to facilitate modular type checking . Designed to be backward compatible: Existing classfiles in the Java platform library does not need further annotation. Link-Time Enforcement of Confined Types for JVM Bytecode – p.20/33

  22. Type Rules for Bytecode Instructions invokevirtual � B.m � Operand Stack: . . . , o , a 1 , a 2 , . . . , a k − → . . . , v Operation: Invoke method � B.m � on object instance o , passing arguments a 1 , a 2 , . . . , a k . Any return value v is pushed into the operand stack. Type Constraints: Suppose � B.m � : T 0 ( T 1 , T 2 , . . . , T k ) T ∈ I A . Suppose further that o : T o , a i : T a i , and v : T v . Then T o < : T 0 , T a i < : T i , and T < : T v . Link-Time Enforcement of Confined Types for JVM Bytecode – p.21/33

  23. Intermodular Type Checking Lazy, dynamic linking ⇒ intermodular type checking must be performed incrementally. Intermodular type checking is carefully staged to dovetail with dynamic linking events. Special consideration to preserve laziness in dynamic linking. Link-Time Enforcement of Confined Types for JVM Bytecode – p.22/33

  24. Implementation Efforts Link-Time Enforcement of Confined Types for JVM Bytecode – p.23/33

  25. Set-Up JVM Annotated Java Annotated Link−Time Frontend javac Backend Java Source Type Checker Source Classfile Classfile Internet Type Annotations Implementation Experiences: Linux command-line tool for annotating classfiles Link-time type checker Link-Time Enforcement of Confined Types for JVM Bytecode – p.24/33

  26. Pluggable Verification Modules Aegis VM an open source research VM for Java bytecode verification is a pluggable service third-party verification services can be safely incorporated into the dynamic linking process as a Pluggable Verification Module (PVM) [OOPSLA’04] PVM-based Implementation of Confined Types for both intra- and inter-modular type checking enforces confined types at link time ≈ 3000 lines of moderately commented C code Link-Time Enforcement of Confined Types for JVM Bytecode – p.25/33

  27. Secure Cooperation Link-Time Enforcement of Confined Types for JVM Bytecode – p.26/33

  28. Secure Cooperation Enabling a form of secure cooperation among mutually suspicious code units. 1. Protection by access contracts 2. Trust inspiration 3. Secure software extensions Link-Time Enforcement of Confined Types for JVM Bytecode – p.27/33

  29. Protection via Import Type Annotations Problem: Alice wants to share a Recourse with Bob , but worries that the sharing leads to resource leaking . . . package domain; confined class Resource { ... } public class Alice { static Resource resource = new Resource(); public static void main(String[] args) throws Throwable { Class C = Class.forName(args[0]); Bob b = (Bob) C.newInstance(); b.share(resource); } } public interface Bob { void share(Resource r); } Link-Time Enforcement of Confined Types for JVM Bytecode – p.28/33

  30. Protection via Import Type Annotations Solution: Annotate the classfile of Bob with the following export type assertion: Bob.share : confined → ⊥ Subtypes of Bob must conform to this access contract. Link-Time Enforcement of Confined Types for JVM Bytecode – p.29/33

  31. Non-Compliant Extension package domain; public class Charlie implements Bob { public static Resource leak; public void share(Resource r) { leak = r; } } Link-Time Enforcement of Confined Types for JVM Bytecode – p.30/33

  32. Robustness of Trust Inspiration 1. What if Charlie falsely asserts a matching export type assertion? Consequence: PVM fails to confirm compliance of Charlie.sum to its promised export type. ⇒ Definition of class Charlie will fail. 2. What if Charlie does not supply a matching export type assertion? Consequence: Intermodular type checking will fail. ⇒ Preparation of class Charlie will fail. Link-Time Enforcement of Confined Types for JVM Bytecode – p.31/33

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Ventilation of Confined Spaces Confined Space Ventilation Confined spaces are not normally

Ventilation of Confined Spaces Confined Space Ventilation Confined spaces are not normally

Ventilation of Confined Spaces Confined Space Ventilation Confined spaces are not normally designed for convenient ventilation Must take steps to: ensure air is breathable before entering confined space maintain acceptable air

567 views • 31 slides
Supporting Objects in Run-Time Bytecode Specialization Reynald Affeldt, Hidehiko Masuhara, Eijiro

Supporting Objects in Run-Time Bytecode Specialization Reynald Affeldt, Hidehiko Masuhara, Eijiro

Supporting Objects in Run-Time Bytecode Specialization Reynald Affeldt, Hidehiko Masuhara, Eijiro Sumii, Akinori Yonezawa University of Tokyo 1 Run-Time Specialization (RTS) RTS optimizes program code at run-time More precisely: RTS static

425 views • 39 slides
Confined Space Rescue Thats Where We Come In! Working in confined spaces is risky business

Confined Space Rescue Thats Where We Come In! Working in confined spaces is risky business

Confined Space Rescue Thats Where We Come In! Working in confined spaces is risky business that requires organizations to have a rescue plan. START Group provides confined space standby and rescue services designed to keep personnel safe while

125 views • 10 slides
ADEC Environmental Enforcement ADEC Environmental Enforcement Types of Enforcement Alaska

ADEC Environmental Enforcement ADEC Environmental Enforcement Types of Enforcement Alaska

Alaska Department of Environmental Conservation Alaska Department of Environmental Conservation Division of Administrative Services Environmental Crimes Unit ADEC Environmental Enforcement ADEC Environmental Enforcement Types of Enforcement Alaska

345 views • 11 slides
A Block-Based Bytecode Format to Simplify and Improve Just-in-Time Compilation Christian Wimmer

A Block-Based Bytecode Format to Simplify and Improve Just-in-Time Compilation Christian Wimmer

A Block-Based Bytecode Format to Simplify and Improve Just-in-Time Compilation Christian Wimmer cwimmer@uci.edu www.christianwimmer.at June 2009 Department of Computer Science University of California, Irvine Method Granularity Software

384 views • 7 slides
RT-Link: A Time-Synchronized Link Protocol Anthony Rowe, Rahul Mangharam, Raj Rajkumar C

RT-Link: A Time-Synchronized Link Protocol Anthony Rowe, Rahul Mangharam, Raj Rajkumar C

RT-Link: A Time-Synchronized Link Protocol Anthony Rowe, Rahul Mangharam, Raj Rajkumar C Carnegie Mellon University i M ll U i it What is RT-Link? RT-Link is a scalable energy efficient multi-hop link protocol for: Industrial

536 views • 19 slides
Last time on Types ... picture from http://learnyouahaskell.com Last time on Types ...

Last time on Types ... picture from http://learnyouahaskell.com Last time on Types ...

Last time on Types ... picture from http://learnyouahaskell.com Last time on Types ... Simply-typed -calculus (recap) e : Parametric polymorphism let f = x ( x ) in ( f true ) :: ( f nil ) The beginnings of the Mini-ML

402 views • 14 slides
CMSC 430 Introduction to Compilers Spring 2015 Intermediate Representations and Bytecode

CMSC 430 Introduction to Compilers Spring 2015 Intermediate Representations and Bytecode

CMSC 430 Introduction to Compilers Spring 2015 Intermediate Representations and Bytecode Formats Introduction Front end Source AST/IR Lexer Parser Types code IR2 IRn IRn .s Middle end Back end Front end syntax recognition,

379 views • 24 slides
CMSC 430 Introduction to Compilers Spring 2016 Intermediate Representations and Bytecode

CMSC 430 Introduction to Compilers Spring 2016 Intermediate Representations and Bytecode

CMSC 430 Introduction to Compilers Spring 2016 Intermediate Representations and Bytecode Formats Introduction Front end Source AST/IR Lexer Parser Types code IR2 IRn IRn .s Middle end Back end Front end syntax recognition,

278 views • 24 slides
ACT AND QUI TAM ENFORCEMENT The Impact of FCA Enforcement on Federal Procurement Law and Other

ACT AND QUI TAM ENFORCEMENT The Impact of FCA Enforcement on Federal Procurement Law and Other

The Impact of FCA Enforcement on Federal Procurement Law and Other Nontraditional Areas Time for a Change? Marcia G. Madsen Michelle E. Litteken Mayer Brown LLP 1999 K Street, NW Washington, DC 20006 June 5, 2014 ABA 10th NATIONAL

357 views • 22 slides
in Hungary Enforcement procedure Procedure after Ordering enforcement enforcement order

in Hungary Enforcement procedure Procedure after Ordering enforcement enforcement order

Monitoring of enforcement in Hungary Enforcement procedure Procedure after Ordering enforcement enforcement order Ordering enforcement Authorities court notary public Enforcement order certificate of enforcement

540 views • 12 slides
Building openSUSE with link-time optimizations Jan Hubika and Martin Lika SUSElabs

Building openSUSE with link-time optimizations Jan Hubika and Martin Lika SUSElabs

Building openSUSE with link-time optimizations Jan Hubika and Martin Lika SUSElabs jh@suse.cz, mliska@suse.cz Outlilne What is link-time optimization? Link-time optimization and GCC Benchmarks Can we build openSUSE with

603 views • 49 slides
1 Switch link-layer device: smarter than hubs, take active role store, forward Ethernet

1 Switch link-layer device: smarter than hubs, take active role store, forward Ethernet

The Data Link Layer Last time Our goals: link layer services understand principles error detection, correction behind data link layer services: multiple access protocols and LANs error detection, correction link layer

302 views • 18 slides
Specification language and WP calculus for Java Bytecode. joint work in progress Mariela

Specification language and WP calculus for Java Bytecode. joint work in progress Mariela

Specification language and WP calculus for Java Bytecode. joint work in progress Mariela Pavlova, Lilian Burdy INRIA Sophia-Antipolis spopS p. 1 Motivation Proof Carrying ByteCode Proof obligations. What is the language in which

443 views • 31 slides
Decompiling Boolean Expressions from Java TM Bytecode Mangala Gowri Nanda (IBM-IRL) and S.

Decompiling Boolean Expressions from Java TM Bytecode Mangala Gowri Nanda (IBM-IRL) and S.

Decompiling Boolean Expressions from JavaTM Bytecode Decompiling Boolean Expressions from Java TM Bytecode Mangala Gowri Nanda (IBM-IRL) and S. Arun-Kumar (IIT Delhi) Decompiling Boolean Expressions from JavaTM Bytecode Introduction The

570 views • 37 slides
Gradual Ownership Types Ilya Sergey Dave Clarke ESOP 2012 Ownership Types (a gradual

Gradual Ownership Types Ilya Sergey Dave Clarke ESOP 2012 Ownership Types (a gradual

Gradual Ownership Types Ilya Sergey Dave Clarke ESOP 2012 Ownership Types (a gradual introduction) class List { Link head; void add(Data d) { Data Data head = new Link(head, d); } owner Iterator makeIterator() { return new

781 views • 38 slides
Numerical static analysis with Soot Gianluca Amato Universit` a G. dAnnunzio di

Numerical static analysis with Soot Gianluca Amato Universit` a G. dAnnunzio di

Numerical static analysis with Soot Gianluca Amato Universit` a G. dAnnunzio di ChietiPescara ACM SIGPLAN International Workshop on the State Of the Art in Java Program Analysis SOAP 2013 (joint work with Francesca Scozzari and

859 views • 62 slides
JVM Implementation Challenges JVM Implementation Challenges: JVM Unit of execution is a class

JVM Implementation Challenges JVM Implementation Challenges: JVM Unit of execution is a class

Smalltalk on the JVM By James Ladd object@redline.st http://redline.st @redline_st - ESUG 2011 JVM Implementation Challenges JVM Implementation Challenges: JVM Unit of execution is a class Sequence of bytes in class format Class is not an

632 views • 42 slides
An Experimental Evaluation of Garbage Collectors on Big Data Applications Lijie Xu 1 , Tian Guo 2 ,

An Experimental Evaluation of Garbage Collectors on Big Data Applications Lijie Xu 1 , Tian Guo 2 ,

The 45th International Conference on Very Large Data Bases (VLDB 2019) An Experimental Evaluation of Garbage Collectors on Big Data Applications Lijie Xu 1 , Tian Guo 2 , Wensheng Dou 1 , Wei Wang 1 , Jun Wei 1 1 Institute of Software, Chinese

456 views • 45 slides
IN-MEMORY COMPUTING AT SCALE? LOOK BEYOND PHYSICAL DRAM! Iacovos G. Kolokasis , Anastasios

IN-MEMORY COMPUTING AT SCALE? LOOK BEYOND PHYSICAL DRAM! Iacovos G. Kolokasis , Anastasios

IN-MEMORY COMPUTING AT SCALE? LOOK BEYOND PHYSICAL DRAM! Iacovos G. Kolokasis , Anastasios Papagiannis, Polyvios Pratikakis, and Angelos Bilas October 25, 2019 Institute of Computer Science (ICS) Foundation of Research and T echnology

445 views • 11 slides
JavaGuest - A Research Java Virtual Machine on Xen Mick Jordan, Sun Labs Grzegorz Milos,

JavaGuest - A Research Java Virtual Machine on Xen Mick Jordan, Sun Labs Grzegorz Milos,

JavaGuest - A Research Java Virtual Machine on Xen Mick Jordan, Sun Labs Grzegorz Milos, Cambridge University Computer Lab SUN LABS PROJECT: SUN LABS PROJECT: Context Java 6 provides a complete platform for server- side

457 views • 10 slides
Verification of a Java Compiler in Isabelle Martin Strecker 7.1.2002 Java: Types, values,

Verification of a Java Compiler in Isabelle Martin Strecker 7.1.2002 Java: Types, values,

Verification of a Java Compiler in Isabelle Martin Strecker 7.1.2002 Java: Types, values, terms, ... Typing and operational semantics JVM Compiler Definition Proof Techniques Compilation and Bytecode Verification

643 views • 18 slides
JOP: A Java Optimized Processor for Embedded Real-Time Systems Martin Schberl University of

JOP: A Java Optimized Processor for Embedded Real-Time Systems Martin Schberl University of

JOP: A Java Optimized Processor for Embedded Real-Time Systems Martin Schberl University of Technology Vienna, Austria Overview Motivation Related work JOP architecture WCET Analysis Results Conclusions, future work

476 views • 34 slides
Clo j ure A Dynamic Programming Language for the JVM (and CLR) Rich Hickey Agenda

Clo j ure A Dynamic Programming Language for the JVM (and CLR) Rich Hickey Agenda

Clo j ure A Dynamic Programming Language for the JVM (and CLR) Rich Hickey Agenda Fundamentals Rationale Feature Tour Integration with the JVM Q&amp;A Clojure Fundamentals Dynamic a new Lisp, not Common Lisp or

903 views • 41 slides

More recommend