Lightweight Modeling of Java Virtual Machine Security Constraints using Alloy Mark Reynolds BU CS511 Midterm Report March 26, 2008.

Slides:



Advertisements
Similar presentations
Chapter 16 Java Virtual Machine. To compile a java program in Simple.java, enter javac Simple.java javac outputs Simple.class, a file that contains bytecode.
Advertisements

Virtual Machines Matthew Dwyer 324E Nichols Hall
Goal: Write Programs in Assembly
1 Lecture 10 Intermediate Representations. 2 front end »produces an intermediate representation (IR) for the program. optimizer »transforms the code in.
Code Generation Introduction. Compiler (scalac, gcc) Compiler (scalac, gcc) machine code (e.g. x86, arm, JVM) efficient to execute i=0 while (i < 10)
Compilation 2007 Code Generation Michael I. Schwartzbach BRICS, University of Aarhus.
Java security (in a nutshell)
1 1 Lecture 14 Java Virtual Machine Instructors: Fu-Chiung Cheng ( 鄭福炯 ) Associate Professor Computer Science & Engineering Tatung Institute of Technology.
JAVA Processors and JIT Scheduling. Overview & Literature n Formulation of the problem n JAVA introduction n Description of Caffeine * Literature: “Java.
Introduction to Java Programming
Towards eliminating runtime array bound checks in the Java Virtual Machine Hongwei Songtao
Lightweight Modeling of Java Virtual Machine Security Constraints using Alloy Mark Reynolds BU CS511 Final Report May 7, 2008.
Consider With x = 10 we may proceed as (10-1) = 9 (10-7) = 3 (9*3) = 27 (10-11) = -1 27/(-1) = -27 Writing intermediates on paper.
Chapter 16 Java Virtual Machine. To compile a java program in Simple.java, enter javac Simple.java javac outputs Simple.class, a file that contains bytecode.
5/6/99 Ashish Sabharwal1 JVM Architecture n Local storage area –Randomly accessible –Just like standard RAM –Stores variables (eg. an array) –Have to specify.
Compiler design Computer Science Rensselaer Polytechnic Lecture 1.
1 Further OO Concepts II – Java Program at run-time Overview l Steps in Executing a Java Program. l Loading l Linking l Initialization l Creation of Objects.
Chapter 7Louden, Programming Languages1 Chapter 7 - Control I: Expressions and Statements "Control" is the general study of the semantics of execution.
Code Generation Introduction. Compiler (scalac, gcc) Compiler (scalac, gcc) machine code (e.g. x86, arm, JVM) efficient to execute i=0 while (i < 10)
Java Security Updated May Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security.
Intro to Java The Java Virtual Machine. What is the JVM  a software emulation of a hypothetical computing machine that runs Java bytecodes (Java compiler.
David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 18: 0xCAFEBABE (Java Byte Codes)
Principles of Computer Programming (using Java) Review Haidong Xue Summer 2011, at GSU.
Java Security. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security Manager.
Compiler Construction Lecture 17 Mapping Variables to Memory.
M1G Introduction to Programming 2 4. Enhancing a class:Room.
Application Security Tom Chothia Computer Security, Lecture 14.
JVM And CLR Dan Agar April 16, Outline Java and.NET Design Philosophies Overview of Virtual Machines Technical Look at JVM and CLR Comparison of.
1 Intro to Computer Science I Chapter 1 Introduction to Computation Algorithms, Processors, and Programs.
Krakatoa: Decompilation in Java “Does Bytecode Reveal Source?” Todd A. Proebsting Scott A. Watterson The University of Arizona Presented by Karl von Randow.
Implement High-level Program Language on JVM CSCE 531 ZHONGHAO LIU ZHONGHAO LIU XIAO LIN.
Java Bytecode What is a.class file anyway? Dan Fleck George Mason University Fall 2007.
ITEC 352 Lecture 20 JVM Intro. Functions + Assembly Review Questions? Project due today Activation record –How is it used?
Java Programming Introduction & Concepts. Introduction to Java Developed at Sun Microsystems by James Gosling in 1991 Object Oriented Free Compiled and.
1 Module Objective & Outline Module Objective: After completing this Module, you will be able to, appreciate java as a programming language, write java.
Research supported by IBM CAS, NSERC, CITO Context Threading: A flexible and efficient dispatch technique for virtual machine interpreters Marc Berndl.
1 Introduction to JVM Based on material produced by Bill Venners.
Roopa.T PESIT, Bangalore. Source and Credits Dalvik VM, Dan Bornstein Google IO 2008 The Dalvik virtual machine Architecture by David Ehringer.
An Efficient Stack Machine Martin Schöberl. JOP Stack Architecture2 Overview JVM stack machine Parameter passing Stack access patterns Common stack caches.
Java Virtual Machine Case Study on the Design of JikesRVM.
Java 2 security model Valentina Casola. Components of Java the development environment –development lifecycle –Java language features –class files and.
4-1 Chapter 4 - The Instruction Set Architecture Principles of Computer Architecture by M. Murdocca and V. Heuring © 1999 M. Murdocca and V. Heuring Principles.
Code Optimization 1 Course Overview PART I: overview material 1Introduction 2Language processors (tombstone diagrams, bootstrapping) 3Architecture of a.
Virtual Machines, Interpretation Techniques, and Just-In-Time Compilers Kostis Sagonas
Programming Languages
More on MIPS programs n SPIM does not support everything supported by a general MIPS assembler. For example, –.end doesn’t work Use j $ra –.macro doesn’t.
Code generation exercises. Function body Transform the following code into java bytecode: def middle(small: Int, big: Int): Int = { val mid = small +
Tanenbaum, Structured Computer Organization, Fifth Edition, (c) 2006 Pearson Education, Inc. All rights reserved The Microarchitecture Level.
CS216: Program and Data Representation University of Virginia Computer Science Spring 2006 David Evans Lecture 18: Code Safety and Virtual Machines
Code generation exercises. Function body Transform the following code into java bytecode: def middle(small: Int, big: Int): Int = { val mid = small +
Review on Program Challenge CSc3210 Yuan Long.
Recap: Printing Trees into Bytecodes To evaluate e 1 *e 2 interpreter –evaluates e 1 –evaluates e 2 –combines the result using * Compiler for e 1 *e 2.
RealTimeSystems Lab Jong-Koo, Lim
CS 536 © CS 536 Spring Introduction to Programming Languages and Compilers Charles N. Fischer Lecture 15.
Before You Begin Nahla Abuel-ola /WIT.
Computer Architecture Instruction Set Architecture
CS216: Program and Data Representation
Overview of Compilation The Compiler BACK End
Java security (in a nutshell)
Computer Architecture and Organization Miles Murdocca and Vincent Heuring Chapter 4 – The Instruction Set Architecture.
Topic: Java Security Models
Compiling, Assembling and Executing Java using Java
Java Byte Codes (0xCAFEBABE) cs205: engineering software
Overview of Compilation The Compiler BACK End
Byte Code Verification
Computer Organization and Design Assembly & Compilation
M S COLLEGE ART’S, COMM., SCI. & BMS
CSc 453 Interpreters & Interpretation
SPL – PS1 Introduction to C++.
Presentation transcript:

Lightweight Modeling of Java Virtual Machine Security Constraints using Alloy Mark Reynolds BU CS511 Midterm Report March 26, 2008

Outline Motivation The Model Results Future Work

Motivation Java enforces its security restrictions in three ways: –Compile time –Load time (the Bytecode Verifier) –Runtime Runtime type checks Array bounds checks SecurityManager checks How good are these checks?

A Long History of Java Exploits Edward Felten’s applet attacks (1997) –“Securing Java” McGraw & Felten “Last Stage of Delirium” (Polish hacker group) (2002) –Extensive collection of exploit techniques Defects continue to be found –Search for “jre” or “jdk” on Almost all defects are in the Bytecode Verifier

The Bytecode Verifier Operates on binary class files –“JVM assembly language” Performs a superset of the set of checks performed by the Java compiler Uses a constraint based approach –Local variable constraint –Stack depth invariance constraint –Opcode constraint –Method argument constraint –Many others

Local Variable Constraint Every JVM local variable is written before it is read In the JVM implementation local variables are completely separate from the stack, unlike most other architectures (e.g. x86) Goal: write an Alloy model that can operate on a representation of method bytecode and check the local variable constraint

An Example in Java public int fred(int input) { int tmp; if ( input < 10 ) tmp = input*5; else tmp = input; return tmp; }

An Incorrect Variant public int fred(int input) { int tmp; if ( input < 10 ) /* tmp = input*5; */ {} else tmp = input; return tmp; }

Bytecodes for Correct Variant // 0 0:iload_1 // 1 1:bipush 10 // 2 3:icmpge 13 // 3 6:iload_1 // 4 7:iconst_5 // 5 8:imul // 6 9:istore_2 // 7 10:goto 15 // 8 13:iload_1 // 9 14:istore_2 // 10 15:iload_2 // 11 16:ireturn

Bytecodes for Incorrect Variant // 0 0:iload_1 // 1 1:bipush 10 // 2 3:icmpge 13 // 3 6:iload_1 // 4 7:iconst_5 // 5 8:imul // 6 9:nop // removed the “unnecessary” write to LV2 // 7 10:goto 15 // 8 13:iload_1 // 9 14:istore_2 // 10 15:iload_2 // 11 16:ireturn

The Model Define the relations on a sig Instruction: –map: Int –len: Int –r: set Int –w: set Int –ubt: lone Int –cbt: lone Int –term: lone Int

Relations in the Model map – byte offset of this instruction from start of method len – byte length of instruction r, w – sets of local variables read/written by the instruction ubt – unconditional branch targets for this instruction (e.g. goto) cbt – conditional branch targets for this instruction (e.g. icmpge 13) term – does this instruction terminate the method (e.g. ireturn)

Model Construction Declarations Initialization Body Facts Predicates Assertions Alloy Class2Alloy Translator Class File Method name Java

Example Initialization one sig startup, iload_1a, bipush, icmpge, iload_1b, iconst, imul, istore_2a, goto, iload_1c, istore_2b, iload_2, ireturn extends Instruction {} fact maps { map = startup->(-1) + iload_1a->0 + bipush->1 + icmpge->3 + iload_1b->6 + iconst->7 + imul->8 + istore_2a->9 + goto->10 + iload_1c->13 + istore_2b->14 + iload_2->15 + ireturn->16 } fact terms { term = ireturn->1 } fact lens { len = startup->1 + iload_1a->1 + bipush->2 + icmpge->3 + iload_1b->1 + iconst->1 + imul->1 + istore_2a->1 + goto->3 + iload_1c->1 + istore_2b->1 + iload_2->1 + ireturn->1 } fact rs { r = iload_1a->1 + iload_1b->1 + iload_1c->1 + iload_2->2 } fact ws { w = startup->0 + startup->1 + istore_2a->2 + istore_2b->2 } fact ubts { ubt = goto->15 } fact cbts { cbt = icmpge->13 }

Relations as a table

Model Execution Must simulation operation of the JVM “startup” instruction simulates method entry –Stores “this” and method arguments into local variables 0, 1, … Use ordering module on State sig to keep track of readers and writers “nextInstruction” predicate uses the following algorithm: –If there is an unconditional branch take it –Otherwise, form the set {conditional branches} U next-instruction and choose a member of that set “solve” predicate checks that execution terminated (reached an instruction with non-null value of “term”) “checkit” assertion checks that the set of readers is a subset of the set of writers for all states

Key Components sig State { prog: Instruction, readers: set Int, writers: set Int } pred nextInstruction[from, to: Instruction] { some from.ubt => ( to.map = from.ubt ) else ( ( to.map = add[from.map, from.len] ) || some bt: from.cbt { to.map = bt } ) } pred solve { some finalState : State | finalState.prog.term = 1 } assert checkit { all s: State | s.readers in s.writers }

Results Local variable constraint satisfied => no counterexample to “checkit”, instance of “solve” found (jvm.als) Local variable constraint violated => counterexample of “checkit” found (badjvm.als) Website:

Future Work Use cbt relation for try.. catch blocks Add stack depth invariance constraint Add opcode constraint

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.