Bringing Java's wild native world under control

Published: 06 December 2013

Abstract

For performance and for incorporating legacy libraries, many Java applications contain native-code components written in unsafe languages such as C and C++. Native-code components interoperate with Java components through the Java Native Interface (JNI). As native code is not regulated by Java's security model, it poses serious security threats to the managed Java world. We introduce a security framework that extends Java's security model and brings native code under control. Leveraging software-based fault isolation, the framework puts native code in a separate sandbox and allows the interaction between the native world and the Java world only through a carefully designed pathway. Two different implementations were built. In one implementation, the security framework is integrated into a Java Virtual Machine (JVM). In the second implementation, the framework is built outside of the JVM and takes advantage of JVM-independent interfaces. The second implementation provides JVM portability, at the expense of some performance degradation. Evaluation of our framework demonstrates that it incurs modest runtime overhead while significantly enhancing the security of Java applications.


Published In

ACM Transactions on Information and System Security, Volume 16, Issue 3 (November 2013), 120 pages
ISSN: 1094-9224
EISSN: 1557-7406
DOI: 10.1145/2555946

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

Published: 06 December 2013
Accepted: 01 June 2013
Received: 01 February 2013
Published in TISSEC Volume 16, Issue 3


Author Tags

  1. Java native interface
  2. Java virtual machine
  3. software-based fault isolation

Qualifiers

  • Research-article
  • Research
  • Refereed

Cited By

  • SparkAC: Fine-Grained Access Control in Spark for Secure Data Sharing and Analytics. IEEE Transactions on Dependable and Secure Computing 20(2):1104-1123, 1 Mar 2023. DOI: 10.1109/TDSC.2022.3149544
  • Connection of Big Data Analytics & Artificial Intelligence. 2023 IEEE International Students' Conference on Electrical, Electronics and Computer Science (SCEECS), pp. 1-6, 18 Feb 2023. DOI: 10.1109/SCEECS57921.2023.10063008
  • A botnet detection method based on FARIMA and hill-climbing algorithm. International Journal of Modern Physics B, article no. 1850356, 11 Jan 2019. DOI: 10.1142/S0217979218503563
  • Securing Big Data in the Age of AI. 2019 First IEEE International Conference on Trust, Privacy and Security in Intelligent Systems and Applications (TPS-ISA), pp. 218-220, Dec 2019. DOI: 10.1109/TPS-ISA48467.2019.00035
  • Evaluating the Java Native Interface JNI. International Journal of Distributed Systems and Technologies 9(2):39-61, 1 Apr 2018. DOI: 10.4018/IJDST.2018040104
  • Evaluating the Java Native Interface JNI. International Journal of Distributed Systems and Technologies 9(2):27-38, 1 Apr 2018. DOI: 10.4018/IJDST.2018040103
  • Beyond the PDP-11. ACM SIGARCH Computer Architecture News 43(1):117-130, 14 Mar 2015. DOI: 10.1145/2786763.2694367
  • Beyond the PDP-11. ACM SIGPLAN Notices 50(4):117-130, 14 Mar 2015. DOI: 10.1145/2775054.2694367
  • Securing Android. ACM Computing Surveys 47(4):1-45, 11 May 2015. DOI: 10.1145/2733306
  • GuardMR. Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security, pp. 285-296, 14 Apr 2015. DOI: 10.1145/2714576.2714624
