DOI: 10.1145/1866307.1866331
Research article

Robusta: taming the native beast of the JVM

Published: 04 October 2010

Abstract

Java applications often need to incorporate native-code components for efficiency and for reusing legacy code. However, it is well known that the use of native code defeats Java's security model. We describe the design and implementation of Robusta, a complete framework that provides safety and security to native code in Java applications. Starting from software-based fault isolation (SFI), Robusta isolates native code into a sandbox where dynamic linking/loading of libraries is supported and unsafe system modification and confidentiality violations are prevented. It also mediates native system calls according to a security policy by connecting to Java's security manager. Our prototype implementation of Robusta is based on Native Client and OpenJDK. Experiments with this prototype demonstrate that Robusta is effective and efficient, with modest runtime overhead on a set of JNI benchmark programs. Robusta can be used to sandbox native libraries used in Java's system classes to prevent attackers from exploiting bugs in the libraries. It can also enable trustworthy execution of mobile Java programs with native libraries. The design of Robusta should also be applicable when other type-safe languages (e.g., C#, Python) want to ensure safe interoperation with native libraries.



    Published In

    CCS '10: Proceedings of the 17th ACM conference on Computer and communications security
    October 2010
    782 pages
    ISBN:9781450302456
    DOI:10.1145/1866307
    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. JNI
    2. JVM
    3. SFI
    4. sandboxing

    Qualifiers

    • Research-article

    Conference

    CCS '10

    Acceptance Rates

    CCS '10 Paper Acceptance Rate 55 of 325 submissions, 17%;
    Overall Acceptance Rate 1,261 of 6,999 submissions, 18%


    Cited By

    • (2023) WaVe: a verifiably secure WebAssembly sandboxing runtime. 2023 IEEE Symposium on Security and Privacy (SP), pages 2940-2955. DOI: 10.1109/SP46215.2023.10179357. Online publication date: May 2023.
    • (2022) Isolation without taxation: near-zero-cost transitions for WebAssembly and SFI. Proceedings of the ACM on Programming Languages 6(POPL), pages 1-30. DOI: 10.1145/3498688. Online publication date: 12 Jan 2022.
    • (2020) Securing unsafe Rust programs with XRust. Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering, pages 234-245. DOI: 10.1145/3377811.3380325. Online publication date: 27 Jun 2020.
    • (2019) SplitSecond: Flexible Privilege Separation of Android Apps. 2019 17th International Conference on Privacy, Security and Trust (PST), pages 1-10. DOI: 10.1109/PST47121.2019.8949067. Online publication date: Aug 2019.
    • (2019) A security feature framework for programming languages to minimize application layer vulnerabilities. Security and Privacy 3(1). DOI: 10.1002/spy2.95. Online publication date: 7 Nov 2019.
    • (2018) Evaluating the Java Native Interface JNI. International Journal of Distributed Systems and Technologies 9(2), pages 39-61. DOI: 10.4018/IJDST.2018040104. Online publication date: 1 Apr 2018.
    • (2018) Evaluating the Java Native Interface JNI. International Journal of Distributed Systems and Technologies 9(2), pages 27-38. DOI: 10.4018/IJDST.2018040103. Online publication date: 1 Apr 2018.
    • (2018) Protecting chatbots from toxic content. Proceedings of the 2018 ACM SIGPLAN International Symposium on New Ideas, New Paradigms, and Reflections on Programming and Software, pages 99-110. DOI: 10.1145/3276954.3276958. Online publication date: 24 Oct 2018.
    • (2017) CamForensics. Proceedings of the 15th ACM Conference on Embedded Network Sensor Systems, pages 1-13. DOI: 10.1145/3131672.3131683. Online publication date: 6 Nov 2017.
    • (2017) CHERI JNI. ACM SIGARCH Computer Architecture News 45(1), pages 569-583. DOI: 10.1145/3093337.3037725. Online publication date: 4 Apr 2017.
