safeobjectsharing
Download
Report
Transcript safeobjectsharing
An Approach to Safe Object
Sharing
Ciaran Bryce & Chrislain Razafimahefa
University of Geneva, Switzerland
Goal
Need to isolate mistrusting programs from
one another and protect host platforms
We still want object pointer alias for
performance reason (call-by-value is too
costly for argument that contains large
objects)
Some available solutions (1)
Java’s loader model
Mistrusting programs in distinct loader spaces
can only communicate with each other through
serialization. It’s slow!
Shared system classes are potentially dangerous
Some available solutions (2)
Guarded object
Guard object check permission before giving out
reference of the guarded object
No way to protect against errors in the guard
object’s code
Once the reference is given out, it can not be
easily revoked
Some available solutions (3)
Class-based alias control techniques
Different instances of the class might have
different security policy but are treated
uniformly in this approach
Can only enforce static security constraints
Object Space Model
Each object belongs to a space
An access matrix determines whether a space has
right to access another space
The access matrix could be updated by “grant” and
“revoke” operations
Objects in different spaces might “name” each other
, but access right is checked upon method
invocation
The Space Hierachy
Tree structure with a “RootSpace”, and each
space can create child spaces, every object is
created in one particular space
Root
S1
S3
S2
S4
Access Rights among spaces
Default: parent has access to its child spaces, and a
space has access to itself
Granting rights:
a parent can grant any space the rights to its children
a parent can also grant right it has to its children spaces
Revoking rights
a parent can revoke rights to its children from any spaces
a parent can also revoke rights that its children had
revoke has chain effect to the descendants
Examples – Program Isolation
Root
client1
client2
server
Examples – Guarded Objects
Traditional guarded object
Java guard object
Root
Root
client
Guard
G-Obj
client
Guard
G-Obj
Examples–Server Containment
Root
Root
Server’s right to packet is
revoked by user1 after service
user1
user1
user2
packet
user2
server
packet
server
Implementation - API
IOSObject – contains a pointer to the space
the object belongs to
Space – implements operations, such as
createChildSpace, grant, revoke, newInstance
and checkAccess
RemoteSpace – prevents leaking handle for a
space to objects in different spaces
Implementation - Bridge
Surprise, surprise, if we can “name” objects
from different space, how do we guarantee
that every method invocation on an object
will do proper security check? Answer is a
level of indirection through bridge objects
Objects that are referred cross-space are
actually bridge objects. The bridge objects
are transparent to programmers.
When are the bridge objects
used?
When parent space creates an object in its child
space, it gets a bridge object handle (newInstance)
When a method call has argument objects from
different spaces, they are transferred to bridge
objects before passed into the method
When a method returns an object, the result needs
to be transferred to a bridge object
Exceptions are caught and arguments are
transferred to proper bridge object
Implementing Bridge Class
Every class C has a Bridge class Bc < C
Every object gets a bridge object for every outside
space that refers to it. The bridge object contains
pointers to the protected object and its space, as
well as the space that is using the object
Bc insures the following for every method in C:
Perform security checks using the access matrix
Convert arguments and result to proper bridge objects
Catch exceptions and convert the argument to proper
bridge objects
Bridge Objects
Space 2
Space 1
O1
O3
O2
O4
Space 3
O5
Problems: final and private
clauses / system classes
Bridge class Bc is a subclass of C, so the
object space program either has to reject
classes that contain final or pirvate clauses,
or has to remove the modifiers from class
files before linking
Some system classes, i.e., Object, String,
Integer etc., contain final methods. They
need special treatment
Problems: field access
Field access to the object in a different space
is actually field of the bridge object which
does not contain anything
One solution is to convert field access to
method calls
Problems : static methods and
fields / native methods
Static methods and fields are security holes.
There is no way to rewrite to provide a level
of indirection
No guarantee on the behavior of native
methods
Reject both
Problems : arrays
Element selection “[]” is not a method call
Make local copies when array object is
referred across a space boundary
Each element in the array is modified to be
the proper bridge object
To share an array, wrap it in a class that has
entry selectors as methods
Problems : Synchronization
synchronized statement will mistakenly
synchronize on bridge objects instead of the
original objects
synchronized methods invocation will be
directed to the original object through the
bridge object
Performance evaluation
More efficient than copy-by-value model,
especially when the size of object used
across domain boundary is large
Some cost for creating bridge classes and
loading them
Related work
Java’s loader mechanism
Capability object in J-Kernel
JavaSeal
Real-time Java
SecurityManager
Jflow
Alias control
Discussion
Is the tree-like space hierarchy natural to
programmers?
Do you like the idea of everything being checked
dynamically? “Your program compiles, but you
have to run it to see if it works.”
How to describe the set of security policy that could
be enforced in this model?
Loading bridge classes is insecure and inefficient