Bringing Java's wild native world under control

Published: 06 December 2013

Abstract

For performance and for incorporating legacy libraries, many Java applications contain native-code components written in unsafe languages such as C and C++. Native-code components interoperate with Java components through the Java Native Interface (JNI). As native code is not regulated by Java's security model, it poses serious security threats to the managed Java world. We introduce a security framework that extends Java's security model and brings native code under control. Leveraging software-based fault isolation, the framework puts native code in a separate sandbox and allows the interaction between the native world and the Java world only through a carefully designed pathway. Two different implementations were built. In one implementation, the security framework is integrated into a Java Virtual Machine (JVM). In the second implementation, the framework is built outside of the JVM and takes advantage of JVM-independent interfaces. The second implementation provides JVM portability, at the expense of some performance degradation. Evaluation of our framework demonstrates that it incurs modest runtime overhead while significantly enhancing the security of Java applications.
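The abstract names two mechanisms: software-based fault isolation (SFI) to keep native code inside its own memory region, and a controlled pathway for everything that crosses between the native and Java worlds. The following C program, added here as an illustration and not code from the paper or either of its implementations, shows the core of both ideas in miniature. It assumes a 4 KiB sandbox aligned to its own size, a masking helper that a real SFI toolchain would instead insert before every store of the untrusted code, and a hypothetical integer handle table standing in for JNI object references; all of these names and sizes are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed example. The sandbox data region is 4 KiB and aligned to its
 * own size, so every address inside it shares the same high bits; an address
 * is confined by keeping its low bits and replacing the high bits with the
 * sandbox base. Sizes and names are assumptions for illustration. */
#define SANDBOX_BITS 12
#define SANDBOX_SIZE ((uintptr_t)1 << SANDBOX_BITS)
#define OFFSET_MASK  (SANDBOX_SIZE - 1)

typedef struct {
    unsigned char *raw;  /* backing allocation, over-allocated so it can be aligned */
    uintptr_t base;      /* aligned start of the sandbox data region */
} sandbox_t;

/* Allocates and aligns the sandbox region. Returns 0 on success. */
static int sandbox_init(sandbox_t *sb) {
    sb->raw = calloc(2, SANDBOX_SIZE);
    if (sb->raw == NULL) return -1;
    sb->base = ((uintptr_t)sb->raw + OFFSET_MASK) & ~OFFSET_MASK;
    return 0;
}

static void sandbox_free(sandbox_t *sb) {
    free(sb->raw);
    sb->raw = NULL;
}

/* The SFI masking step. A real SFI toolchain (compiler or binary rewriter)
 * inserts this before every store and indirect jump of the untrusted code;
 * here it is an explicit helper so the effect can be observed. */
static uintptr_t sfi_mask(const sandbox_t *sb, uintptr_t addr) {
    return sb->base | (addr & OFFSET_MASK);
}

static void sfi_store8(const sandbox_t *sb, uintptr_t addr, unsigned char v) {
    *(unsigned char *)sfi_mask(sb, addr) = v;
}

static unsigned char sfi_load8(const sandbox_t *sb, uintptr_t addr) {
    return *(const unsigned char *)sfi_mask(sb, addr);
}

/* Returns 1 if addr lies inside the sandbox region, 0 otherwise. */
static int sandbox_contains(const sandbox_t *sb, uintptr_t addr) {
    return addr >= sb->base && addr < sb->base + SANDBOX_SIZE;
}

/* Stand-in for state that belongs to the Java world (hypothetical). */
static unsigned char trusted_byte = 0x42;

/* Simulates untrusted native code writing through a stray pointer that
 * targets trusted memory. Returns 1 if the trusted byte survived and the
 * write was redirected into the sandbox, 0 otherwise. */
static int demo_stray_write(const sandbox_t *sb) {
    uintptr_t stray = (uintptr_t)&trusted_byte;   /* outside the sandbox */
    sfi_store8(sb, stray, 0xFF);                   /* lands inside it instead */
    return trusted_byte == 0x42 && sandbox_contains(sb, sfi_mask(sb, stray));
}

/* The controlled pathway: sandboxed code never holds a raw pointer to a Java
 * object, only a small integer handle that a trusted trampoline validates
 * before touching the object. (Hypothetical handle table, not the paper's.) */
#define MAX_HANDLES 8
typedef struct { int valid; int value; } jobject_slot;
static jobject_slot handle_table[MAX_HANDLES];

/* Returns 0 and stores the field in *out for a valid handle, -1 otherwise. */
static int java_get_field(int handle, int *out) {
    if (handle < 0 || handle >= MAX_HANDLES) return -1;   /* out of range */
    if (!handle_table[handle].valid) return -1;           /* stale or never issued */
    *out = handle_table[handle].value;
    return 0;
}

int main(void) {
    sandbox_t sb;
    int v;
    if (sandbox_init(&sb) != 0) return 1;
    printf("stray write contained: %s\n", demo_stray_write(&sb) ? "yes" : "no");
    handle_table[1].valid = 1;
    handle_table[1].value = 7;
    printf("valid handle 1 -> %d\n", java_get_field(1, &v) == 0 ? v : -1);
    printf("bogus handle 5 rejected: %s\n", java_get_field(5, &v) == -1 ? "yes" : "no");
    sandbox_free(&sb);
    return 0;
}
```

The masking is what makes the isolation cheap: no bounds comparison or branch is needed per access, only an AND and an OR, which is the property that lets the paper report modest overhead. The handle check is the other half; once memory is confined, the remaining attack surface is the set of calls the sandbox is allowed to make, so each one must validate its arguments rather than trust a pointer that native code produced.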


Published in

ACM Transactions on Information and System Security, Volume 16, Issue 3, November 2013, 120 pages
ISSN: 1094-9224
EISSN: 1557-7406
DOI: 10.1145/2555946

Copyright © 2013 ACM

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher: Association for Computing Machinery, New York, NY, United States

Publication History

• Received: 1 February 2013
• Accepted: 1 June 2013
• Published: 6 December 2013

Qualifiers: research-article, Research, Refereed