language-based protection in the j-kernel david walker cos 598e: foundations of language-based...
Post on 20-Dec-2015
215 Views
Preview:
TRANSCRIPT
Language-Based Language-Based ProtectionProtection
in the in the J-kernelJ-kernel
David Walker
COS 598E: Foundations of Language-Based Security
Princeton University
(slides from Chris Hawblitzel, Dartmouth)
Extensible Extensible applications...applications...
...need protection
applet applet
browser
servlet servlet
server
code code
gateway/router
agent agent
host
ProtectionProtection
– share pages– IPC, thread
switch
addressspace
pages
virtual memory language-based
threads
addressspace
pages
threads
IPC
class A { private B b; public C c; public void f() ...}class B {…}class C {…}
– type safety– public/private
single addressspace
A B
C
Safe language Safe language protectionprotection
• Promises:– fast IPC– fine-grained
sharing– ADT enforcement– capabilities– portability
class A { private B b; public C c; public void f() ...}class B {…}class C {…}
single addressspace
A B
C
Talk outlineTalk outline
• Extensible applications, protection• Language-based protection
– current state– problems
• The J-Kernel• Luna
applet 2thread group
Java thread groupsJava thread groups
• Thread groups– Terminate group
of threads
applet 1thread group
browser thread group
Java communicationJava communication
• Communication– Applet-to-
browser– Browser-to-
applet
threadswitch
methodinvocation
applet 2applet 1
browser
applet 2
Problem 1: wrong code Problem 1: wrong code interruptedinterrupted
• Applet stops or suspends thread– browser left in
inconsistent or deadlocked state
applet 1
browser
methodinvocation
interruption!
applet 2
Problem 2: damaged Problem 2: damaged objectsobjects
• Applet stops or suspends thread– ADT left in
inconsistent or deadlocked state
applet 1
browser
damagedobject
Damaged objectsDamaged objects
task
task
virtual machine
• Only stopping threads leaves damaged objects
Damaged objectsDamaged objects
task
task
virtual machine
• Only stopping threads leaves damaged objects
Damaged objectsDamaged objects
task
task
virtual machine
• Only stopping threads leaves damaged objects
Problem 3: Problem 3: resource accountingresource accounting
virtual machine
class TrojanHog extends Vector{ private byte[] mydata = new byte[10000000];
public Object elementAt(int i) { attackNetwork(); return super.elementAt(i); } ...}
trojanhog
• JVM does not know who to blame for denial of service attacks:
applet 2
Problem 4: weak Problem 4: weak terminationtermination
• Garbage collector won’t deallocate reachable data and code– Resources not
reclaimed– Malicious code
not removed
applet 1
browser
Problem 4: weak Problem 4: weak terminationtermination
task task
virtual machine
class TrojanHog extends Vector{ private byte[] mydata = new byte[10000000];
public Object elementAt(int i) { attackNetwork(); return super.elementAt(i); } ...}
trojanhog
• Only stopping threads leaves objects, code – resources not reclaimed– undesired code may get run
TasksTasks
task = objects + threads + code– task’s threads
only run task’s code
– explicit cross-task communication
virtual machine
task task
task
int mom(int x, int y){return x + y;}
int foo(int x, int y){return x + y;}
int sum(int x, int y){return x + y;}
Advantages of tasksAdvantages of tasks
• strong termination• resource
accounting• clear
communication• access control at
boundaries• “whole-task”
optimization
virtual machine
task task
task
int mom(int x, int y){return x + y;}
int foo(int x, int y){return x + y;}
int sum(int x, int y){return x + y;}
Talk outlineTalk outline
• Extensible applications, protection• Language-based protection• The J-Kernel
– Prototype implementation of the task model• written in Java• no changes to VM, language
• Luna
Cross-task callsCross-task calls• Method invocation on capability
– checks for revocation– (simulated) thread switch– passes arguments
• capabilities passed by reference• ordinary objects passed by copy
tasktask
cap
methodinvocation
passed by copy
J-Kernel restricts J-Kernel restricts sharingsharing
• Direct, arbitrary cross-task pointers violate task model– disallowed by J-Kernel
task tasktask
int mom(int x, int y){return x + y;}
int foo(int x, int y){return x + y;} int sum(int x, int y)
{return x + y;}
J-Kernel capabilitiesJ-Kernel capabilities
• Special capability objects shared– ordinary objects not shared
• Capabilities mediate cross-task communication– method invocations on capabilities are cross-task
calls
task tasktask
int mom(int x, int y){return x + y;}
int foo(int x, int y){return x + y;} int sum(int x, int y)
{return x + y;}
cap
cap
cap
cap
Where are the Where are the boundaries?boundaries?
– Which method calls switch domains?– Who “owns” which object? (resource
accounting...)– What guarantees does programmer have?
virtual machine run-time
int bar(int x, int y){return x + y;}
int mom(int x, int y){return x + y;}
int foo(int x, int y){return x + y;}
int sum(int x, int y){return x + y;}
programmer’s intention
switchdomains
applet 2applet 1
switchdomains
Cross-task callsCross-task calls
• Method invocation on remote pointer switches tasks– calls another
task’s code– switches threads– arguments either:
• primitive types• remote pointers
virtual machine
task task
int mom(int x, int y){return x + y;}
int sum(int x, int y){return x + y;}
Cross-task calls: RMICross-task calls: RMI
• Semantics similar to Java Remote method invocation– J-Kernel uses RMI API
• based on Java interfaces (“remote interfaces”)– Capability.create(…) generates capability
• J-Kernel generates capability classes dynamically
tasktask
cap
methodinvocation implements
Servletimplements Servlet
RevocationRevocation
• Task can revoke any of its capabilities at any time:– least privilege, changing trust,
termination
task tasktask
int mom(int x, int y){return x + y;}
int foo(int x, int y){return x + y;} int sum(int x, int y)
{return x + y;}
cap
cap
cap
cap
revoked
TerminationTermination
• threads stopped• capabilities revoked
– code, objects become eligible for GC– damaged objects inaccessible
task tasktask
int mom(int x, int y){return x + y;}
int foo(int x, int y){return x + y;} int sum(int x, int y)
{return x + y;}
cap
cap
cap
cap
The J-KernelThe J-Kernel
• Prototype implementation of the task model– written in Java– no changes to VM, language
J-Kernelbytecode rewriter
Sun javac MS jvc
Sun VM MS VM
• Extensible Web and Telephony Server
PBX
J-K
erne
l
tapihttp
servlet voicemail
phone
J-Server T-Server
user DB
Sample ApplicationSample Application
priv. domains
user domains
Network packet Network packet exampleexample
Network driver task
incoming packets
task 1 task 2 task 3
1 3 322accounting
task 1: 200K lefttask 2: 80K lefttask 3: 300K left
Similar to RMISimilar to RMI
• J-Kernel:
• Remote method invocation uses stubs to marshal, unmarshal arguments:
tasktask
cap
methodinvocation
passed by copy
hosthost
stubRMI
passed by copy
stub
ExampleExample
• Based on Sun’s RMI API:– classes implement remote interfaces:
public interface Servlet extends Remote { public void service(Request req); } public class MyServlet implements Servlet { public void service(Request req) {...} } Servlet ms = new MyServlet(); Capability msCap = Capability.create(ms);
– capabilities implement remote interfaces:
((Servlet) msCap).service(req);
PerformancePerformance– Pentium II @300Mhz– Microsoft VM (MS-VM) & Sun JDK w/Symantec JIT (Sun-VM)
• Null method invocation– Operation MS-VM Sun-VM– Normal method invocation 0.024s 0.021s– J-Kernel “local RMI” 1.20s 3.55s – Bottlenecks: thread lookup + 2 locks
• 60% of total time with MS-VM, 79% with Sun-VM
• Comparison:– Windows NT LRPC: ~100s– L4 round-trip IPC on P5-133: 1.82s J-Kernel on P5-133: 3.77s– Exokernel round-trip protected control transfer on DEC-5000:
2.40s
Talk outlineTalk outline
• Extensible applications, protection• Language-based protection• The J-Kernel• Luna
– Extends Java type system• Idea: generalize J-Kernel sharing to all
types
– Runs on customized virtual machine• based on Marmot optimizing VM
Remote pointersRemote pointers
Type = PrimitiveType | ReferenceType | ReferenceType~ PrimitiveType = int | float | long | double | byte | char | short |
boolean ReferenceType = ClassType | InterfaceType | Type[]
List
List~
local pointer type(can only point to task-local objects)
remote pointer type(can point to objects in other tasks)
Remote pointersRemote pointers
List
List~
pointer
pointer
accesscontrol
i
next
List
i
next
List
i
next
List
revocationflag
...
Permit
Remote pointers are revocable:
class List {int i; List next;}int foo(List~ list) { return list.i + list.next.i;} run-time revocation checks of p
Sharing data structuresSharing data structures
task 2
task 1
i
next
List
i
next
List
i
next
ListPermit
pointeraccesscontrol
List~
• Revocation of entire data structures
class List {int i; List next;}
int sum(List~ list) {
int sum = 0;
while(list != null) {
sum += list.i;
list = list.next;
}
return sum;
}
Creating remote Creating remote pointerspointersList
List~@
copy intolocal object
List l = new List(1, new List(2, new List(3, null)));Permit p1 = new Permit();Permit p2 = new Permit();List~ l1 = l@p1;List~ l2 = l@p2;...p1.revoke(); // selective revocation
List copy(List~ l){ if(l == null) return null; else return new List( l.i, copy(l.next));}
Remote pointer Remote pointer optimizationoptimization
// list has type List~
while(list != null) {
list.i = 0;
list = list.next;
}
loop: mov dword ptr [eax+8],0 /* list.i = 0 */ mov eax,dword ptr [eax+12] /* list = list.next */ cmp eax,0 /* if(list == 0) goto done */ je done jmp loop
• infer permit reuse
• optimize/omit checks in loop
• register thread with permit
• permit revoked: roll-forward, raise exception
Remote pointer Remote pointer optimizationoptimization
• Operation on remote pointer, worst case:– acquire lock, check flag, operation, release
lock– two checks per loop iteration:
for(List~ l = ...; l != null; l = l.next) sum += l.i;
• Faster: cache revocation flag in a “TLB”• Suspend thread to invalidate cached
value
Remote pointer Remote pointer optimizationoptimization
void zero(List~ list) {
while(list != null) {
list.i = 0;
list = list.next;
}
}
.void zero(List{} list) { cache while(list != null) {
list.i = 0;
list = list.next;
}
uncache }
• infer permit reuse• embed inferred reuse in typed intermediate language• add code to cache/uncache permit
loop: mov dword ptr [eax+8],0 /* list.i = 0 */ mov eax,dword ptr [eax+12] /* list = list.next */ cmp eax,0 /* if(list == 0) goto done */ je done jmp loop
result: very fast inner loop
Servlet exampleServlet example
interface Servlet {
void service(Request~ req);
}
class Request {String url; byte[] content;}
class ServletBox {Servlet~ servlet;}
class DispatchServlet implements Servlet {
Hashtable table;
void service(Request~ req) {
String url = String.copy(req.url);
ServletBox forwardTo = (ServletBox) table.get(url);
forwardTo.servlet.service(req);
}
}
servlet servlet servlet
dispatchservlet
server
Whole-task Whole-task optimizationoptimization
• Marmot performs whole-program optimizations– but no dynamic loading: would invalidate
opts
• Luna: whole-task optimization– dynamic loading of tasks
servlet task Vector
inline Vector.elementAt
server task Vector
inline Vector.elementAt
servlet task Vector
ColorVector
extends
Performance: JK & LunaPerformance: JK & Luna
– Pentium II @300Mhz
• Null method invocation– Operation JK(MS-VM) Luna– Normal method invocation 0.024s 0.027s– Cross-task call, uniprocessor 1.20s 0.37s– Cross-task call, multiprocessor 1.20s 0.76s
• Comparison:– Windows NT LRPC: ~100s
– L4 round-trip IPC on P5-133: 1.82s– Exokernel round-trip protected control transfer on DEC-
5000: 2.40s
Related workRelated work• DrScheme
– no peer-to-peer communication– task model not guaranteed
• Alta– shared data– tradeoff between flexibility, resource
tracking• KaffeOS
– shared data buffers
ConclusionsConclusions
• Safe language tasks:– clear communication– access control– domain termination– resource usage– whole-task optimization
• J-Kernel: Capabilities + RMI
• Luna: Remote pointerslocal pointer
capability/remote pointer
task task
virtual machine
task
top related