Language-Based Protection in the J-kernel David Walker COS 598E: Foundations of Language-Based Security Princeton University (slides from Chris Hawblitzel,

Language-Based Language-Based ProtectionProtection

in the in the J-kernelJ-kernel

David Walker

COS 598E: Foundations of Language-Based Security

Princeton University

(slides from Chris Hawblitzel, Dartmouth)

Extensible Extensible applications...applications...

...need protection

applet applet

browser

servlet servlet

server

code code

gateway/router

agent agent

host

ProtectionProtection

– share pages– IPC, thread

switch

addressspace

pages

virtual memory language-based

threads

addressspace

pages

threads

IPC

class A { private B b; public C c; public void f() ...}class B {…}class C {…}

– type safety– public/private

single addressspace

A B

C

Safe language Safe language protectionprotection

• Promises:– fast IPC– fine-grained

sharing– ADT enforcement– capabilities– portability

class A { private B b; public C c; public void f() ...}class B {…}class C {…}

single addressspace

A B

C

Talk outlineTalk outline

• Extensible applications, protection• Language-based protection

– current state– problems

• The J-Kernel• Luna

applet 2thread group

Java thread groupsJava thread groups

• Thread groups– Terminate group

of threads

applet 1thread group

browser thread group

Java communicationJava communication

• Communication– Applet-to-

browser– Browser-to-

applet

threadswitch

methodinvocation

applet 2applet 1

browser

applet 2

Problem 1: wrong code Problem 1: wrong code interruptedinterrupted

• Applet stops or suspends thread– browser left in

inconsistent or deadlocked state

applet 1

browser

methodinvocation

interruption!

applet 2

Problem 2: damaged Problem 2: damaged objectsobjects

• Applet stops or suspends thread– ADT left in

inconsistent or deadlocked state

applet 1

browser

damagedobject

Damaged objectsDamaged objects

task

task

virtual machine

• Only stopping threads leaves damaged objects


task

task

virtual machine



task

task

virtual machine


Problem 3: Problem 3: resource accountingresource accounting

virtual machine

class TrojanHog extends Vector{ private byte[] mydata = new byte[10000000];

public Object elementAt(int i) { attackNetwork(); return super.elementAt(i); } ...}

trojanhog

• JVM does not know who to blame for denial of service attacks:

applet 2

Problem 4: weak Problem 4: weak terminationtermination

• Garbage collector won’t deallocate reachable data and code– Resources not

reclaimed– Malicious code

not removed

applet 1

browser

Problem 4: weak Problem 4: weak terminationtermination

task task

virtual machine

class TrojanHog extends Vector{ private byte[] mydata = new byte[10000000];

public Object elementAt(int i) { attackNetwork(); return super.elementAt(i); } ...}

trojanhog

• Only stopping threads leaves objects, code – resources not reclaimed– undesired code may get run

TasksTasks

task = objects + threads + code– task’s threads

only run task’s code

– explicit cross-task communication

virtual machine

task task

task

int mom(int x, int y){return x + y;}

int foo(int x, int y){return x + y;}

int sum(int x, int y){return x + y;}

Advantages of tasksAdvantages of tasks

• strong termination• resource

accounting• clear

communication• access control at

boundaries• “whole-task”

optimization

virtual machine

task task

task





• Extensible applications, protection• Language-based protection• The J-Kernel

– Prototype implementation of the task model• written in Java• no changes to VM, language

• Luna

Cross-task callsCross-task calls• Method invocation on capability

– checks for revocation– (simulated) thread switch– passes arguments

• capabilities passed by reference• ordinary objects passed by copy

tasktask

cap

methodinvocation

passed by copy

J-Kernel restricts J-Kernel restricts sharingsharing

• Direct, arbitrary cross-task pointers violate task model– disallowed by J-Kernel

task tasktask


int foo(int x, int y){return x + y;} int sum(int x, int y)

{return x + y;}

J-Kernel capabilitiesJ-Kernel capabilities

• Special capability objects shared– ordinary objects not shared

• Capabilities mediate cross-task communication– method invocations on capabilities are cross-task

calls

task tasktask



{return x + y;}

cap

cap

cap

cap

Where are the Where are the boundaries?boundaries?

– Which method calls switch domains?– Who “owns” which object? (resource

accounting...)– What guarantees does programmer have?

virtual machine run-time

int bar(int x, int y){return x + y;}




programmer’s intention

switchdomains

applet 2applet 1

switchdomains

Cross-task callsCross-task calls

• Method invocation on remote pointer switches tasks– calls another

task’s code– switches threads– arguments either:

• primitive types• remote pointers

virtual machine

task task



Cross-task calls: RMICross-task calls: RMI

• Semantics similar to Java Remote method invocation– J-Kernel uses RMI API

• based on Java interfaces (“remote interfaces”)– Capability.create(…) generates capability

• J-Kernel generates capability classes dynamically

tasktask

cap

methodinvocation implements

Servletimplements Servlet

RevocationRevocation

• Task can revoke any of its capabilities at any time:– least privilege, changing trust,

termination

task tasktask



{return x + y;}

cap

cap

cap

cap

revoked

TerminationTermination

• threads stopped• capabilities revoked

– code, objects become eligible for GC– damaged objects inaccessible

task tasktask



{return x + y;}

cap

cap

cap

cap

The J-KernelThe J-Kernel

• Prototype implementation of the task model– written in Java– no changes to VM, language

J-Kernelbytecode rewriter

Sun javac MS jvc

Sun VM MS VM

• Extensible Web and Telephony Server

PBX

J-K

erne

l

tapihttp

servlet voicemail

phone

J-Server T-Server

user DB

Sample ApplicationSample Application

priv. domains

user domains

Network packet Network packet exampleexample

Network driver task

incoming packets

task 1 task 2 task 3

1 3 322accounting

task 1: 200K lefttask 2: 80K lefttask 3: 300K left

Similar to RMISimilar to RMI

• J-Kernel:

• Remote method invocation uses stubs to marshal, unmarshal arguments:

tasktask

cap

methodinvocation

passed by copy

hosthost

stubRMI

passed by copy

stub

ExampleExample

• Based on Sun’s RMI API:– classes implement remote interfaces:

public interface Servlet extends Remote { public void service(Request req); } public class MyServlet implements Servlet { public void service(Request req) {...} } Servlet ms = new MyServlet(); Capability msCap = Capability.create(ms);

– capabilities implement remote interfaces:

((Servlet) msCap).service(req);

PerformancePerformance– Pentium II @300Mhz– Microsoft VM (MS-VM) & Sun JDK w/Symantec JIT (Sun-VM)

• Null method invocation– Operation MS-VM Sun-VM– Normal method invocation 0.024s 0.021s– J-Kernel “local RMI” 1.20s 3.55s – Bottlenecks: thread lookup + 2 locks

• 60% of total time with MS-VM, 79% with Sun-VM

• Comparison:– Windows NT LRPC: ~100s– L4 round-trip IPC on P5-133: 1.82s J-Kernel on P5-133: 3.77s– Exokernel round-trip protected control transfer on DEC-5000:

2.40s


• Extensible applications, protection• Language-based protection• The J-Kernel• Luna

– Extends Java type system• Idea: generalize J-Kernel sharing to all

types

– Runs on customized virtual machine• based on Marmot optimizing VM

Remote pointersRemote pointers

Type = PrimitiveType | ReferenceType | ReferenceType~ PrimitiveType = int | float | long | double | byte | char | short |

boolean ReferenceType = ClassType | InterfaceType | Type[]

List

List~

local pointer type(can only point to task-local objects)

remote pointer type(can point to objects in other tasks)

Remote pointersRemote pointers

List

List~

pointer

pointer

accesscontrol

i

next

List

i

next

List

i

next

List

revocationflag

...

Permit

Remote pointers are revocable:

class List {int i; List next;}int foo(List~ list) { return list.i + list.next.i;} run-time revocation checks of p

Sharing data structuresSharing data structures

task 2

task 1

i

next

List

i

next

List

i

next

ListPermit

pointeraccesscontrol

List~

• Revocation of entire data structures

class List {int i; List next;}

int sum(List~ list) {

int sum = 0;

while(list != null) {

sum += list.i;

list = list.next;

}

return sum;

}

Creating remote Creating remote pointerspointersList

List~@

copy intolocal object

List l = new List(1, new List(2, new List(3, null)));Permit p1 = new Permit();Permit p2 = new Permit();List~ l1 = l@p1;List~ l2 = l@p2;...p1.revoke(); // selective revocation

List copy(List~ l){ if(l == null) return null; else return new List( l.i, copy(l.next));}

Remote pointer Remote pointer optimizationoptimization

// list has type List~


list.i = 0;

list = list.next;

}

loop: mov dword ptr [eax+8],0 /* list.i = 0 */ mov eax,dword ptr [eax+12] /* list = list.next */ cmp eax,0 /* if(list == 0) goto done */ je done jmp loop

• infer permit reuse

• optimize/omit checks in loop

• register thread with permit

• permit revoked: roll-forward, raise exception


• Operation on remote pointer, worst case:– acquire lock, check flag, operation, release

lock– two checks per loop iteration:

for(List~ l = ...; l != null; l = l.next) sum += l.i;

• Faster: cache revocation flag in a “TLB”• Suspend thread to invalidate cached

value


void zero(List~ list) {


list.i = 0;

list = list.next;

}

}

.void zero(List{} list) { cache while(list != null) {

list.i = 0;

list = list.next;

}

uncache }

• infer permit reuse• embed inferred reuse in typed intermediate language• add code to cache/uncache permit

loop: mov dword ptr [eax+8],0 /* list.i = 0 */ mov eax,dword ptr [eax+12] /* list = list.next */ cmp eax,0 /* if(list == 0) goto done */ je done jmp loop

result: very fast inner loop

Servlet exampleServlet example

interface Servlet {

void service(Request~ req);

}

class Request {String url; byte[] content;}

class ServletBox {Servlet~ servlet;}

class DispatchServlet implements Servlet {

Hashtable table;

void service(Request~ req) {

String url = String.copy(req.url);

ServletBox forwardTo = (ServletBox) table.get(url);

forwardTo.servlet.service(req);

}

}

servlet servlet servlet

dispatchservlet

server

Whole-task Whole-task optimizationoptimization

• Marmot performs whole-program optimizations– but no dynamic loading: would invalidate

opts

• Luna: whole-task optimization– dynamic loading of tasks

servlet task Vector

inline Vector.elementAt

server task Vector

inline Vector.elementAt

servlet task Vector

ColorVector

extends

Performance: JK & LunaPerformance: JK & Luna

– Pentium II @300Mhz

• Null method invocation– Operation JK(MS-VM) Luna– Normal method invocation 0.024s 0.027s– Cross-task call, uniprocessor 1.20s 0.37s– Cross-task call, multiprocessor 1.20s 0.76s

• Comparison:– Windows NT LRPC: ~100s

– L4 round-trip IPC on P5-133: 1.82s– Exokernel round-trip protected control transfer on DEC-

5000: 2.40s

Related workRelated work• DrScheme

– no peer-to-peer communication– task model not guaranteed

• Alta– shared data– tradeoff between flexibility, resource

tracking• KaffeOS

– shared data buffers

ConclusionsConclusions

• Safe language tasks:– clear communication– access control– domain termination– resource usage– whole-task optimization

• J-Kernel: Capabilities + RMI

• Luna: Remote pointerslocal pointer

capability/remote pointer

task task

virtual machine

task

Documents

Language-Based Protection in the J-kernel David Walker COS 598E: Foundations of Language-Based Security Princeton University (slides from Chris Hawblitzel,