Abstract
For performance and for incorporating legacy libraries, many Java applications contain native-code components written in unsafe languages such as C and C++. Native-code components interoperate with Java components through the Java Native Interface (JNI). As native code is not regulated by Java's security model, it poses serious security threats to the managed Java world. We introduce a security framework that extends Java's security model and brings native code under control. Leveraging software-based fault isolation, the framework puts native code in a separate sandbox and allows the interaction between the native world and the Java world only through a carefully designed pathway. Two different implementations were built. In one implementation, the security framework is integrated into a Java Virtual Machine (JVM). In the second implementation, the framework is built outside of the JVM and takes advantage of JVM-independent interfaces. The second implementation provides JVM portability, at the expense of some performance degradation. Evaluation of our framework demonstrates that it incurs modest runtime overhead while significantly enhancing the security of Java applications.
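As an added illustration (not code from the paper or from either of its implementations), the following C sketch models the two mechanisms the abstract names: SFI address masking that confines every native store to a sandbox region aligned to its own size, and a trusted pathway that validates bounds before any data crosses from the native side to the Java side. The 64 KiB region size, the function names and the `java_buf` destination standing in for a Java array are constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define SANDBOX_BITS 16u                    /* 64 KiB sandbox (constructed size) */
#define SANDBOX_SIZE (1u << SANDBOX_BITS)

/* Stand-in for a Java byte[] on the managed side (constructed for the demo). */
uint8_t java_buf[8];

/* The sandbox is aligned to its own size so that every address inside it
 * shares the same high bits; confining a pointer then needs only a mask,
 * no compare-and-branch. Allocated lazily and kept for the process lifetime. */
static uint8_t *sandbox_base(void) {
    static uint8_t *base;
    if (!base) {
        /* Over-allocate and round up to obtain the required alignment portably. */
        uint8_t *raw = calloc(2u * SANDBOX_SIZE, 1);
        if (!raw) abort();
        base = (uint8_t *)(((uintptr_t)raw + SANDBOX_SIZE - 1u) &
                           ~(uintptr_t)(SANDBOX_SIZE - 1u));
    }
    return base;
}

/* SFI address confinement: keep the sandbox's high bits, take the offset bits
 * from the (possibly corrupted) native pointer. A rewriting tool would emit
 * this masking before every store in the native library. */
uint8_t *sfi_confine(uintptr_t p) {
    return (uint8_t *)((uintptr_t)sandbox_base() | (p & (SANDBOX_SIZE - 1u)));
}

/* A sandboxed byte store: whatever p holds, the write lands inside the region. */
void sfi_store8(uintptr_t p, uint8_t v) { *sfi_confine(p) = v; }

/* Trusted pathway from native to Java: copies len bytes from native address p
 * into dst, but only if the whole source range lies inside the sandbox.
 * Returns 0 on success and -1 if the request is refused. */
int pathway_copy_out(uintptr_t p, size_t len, uint8_t *dst) {
    uintptr_t lo = (uintptr_t)sandbox_base(), hi = lo + SANDBOX_SIZE;
    if (len > SANDBOX_SIZE || p < lo || p > hi - len) return -1;
    memcpy(dst, (const void *)p, len);
    return 0;
}

/* Demo: a native component writes through a wild pointer three regions past
 * the sandbox; masking redirects the write to offset 0x1234 inside it instead
 * of corrupting memory the JVM owns. Returns 1 if the byte arrived there. */
int demo_wild_store_is_confined(void) {
    uintptr_t wild = (uintptr_t)sandbox_base() + 3u * SANDBOX_SIZE + 0x1234u;
    sfi_store8(wild, 0xAB);
    return sandbox_base()[0x1234] == 0xAB;
}
```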
Index Terms
- Bringing Java's wild native world under control