Quarantine: A Framework to Mitigate Memory Errors in JNI Applications Du Li Witawas Srisa-an University of Nebraska-Lincoln


Quarantine: A Framework to Mitigate Memory Errors in JNI Applications

Du Li , Witawas Srisa-an

University of Nebraska-Lincoln


JNI (Java Native Interface)

• Integrating legacy code, making use of existing libraries, components.
• Developing applications in multiple languages
  – Java UI + C backend

[Figure: an application made of Java code and native code, joined by JNI]


When Java meets C, C++ …

• Issues in JNI
  – Type mismatching
  – Access mechanism mismatching
  – Memory leaking
  – Memory safety
  – …


Example of JNI App

[Figure, built up over four slides: JNI Hashtable example. A Java side and a C side are connected through an interface table (Get(), Put(), …); the later slides add an "int addr" and the labels 32-bit, then 64-bit.]


And Even Worse …


Motivation

• JNI can cause nasty memory bugs

• Lack of mechanism to address or mitigate memory faults in JNI applications


Empirical Study on JNI Bugs

• 126 JNI related bugs are identified in OpenJDK 1.6

• 59 out of 126 bugs are security critical

• “A time bomb”

An Empirical Security Study of the Native Code in the JDK. G. Tan and J. Croft. In USENIX Security 2008


Bug Patterns

• C pointers as Java integers

• Memory Management Flaws

• Buffer Overflows

• Mishandling JNI exceptions

• Race conditions in file accesses

• Insufficient error checking


Related to memory faults
Caused by mismatching of heap management mechanism


C pointers as Java Integers

• As we showed in JNI hashtable example
  – Store C pointers as Java integers
  – Pass back to C and cast to pointers when needed
  – Native code will update the Java Integer
  – It can corrupt Java heap by writing arbitrary data
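What the 32-bit and 64-bit versions of the hashtable figure imply for a pointer kept in a Java int, as an added example (not code from the talk). `jint_t` and `jlong_t` are stand-ins for JNI's `jint` and `jlong` so it builds without `jni.h`, the addresses are constructed, and the handle table is an assumed mitigation that the slides do not propose.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-ins for JNI's jint (32-bit) and jlong (64-bit), so this builds without jni.h. */
typedef int32_t jint_t;
typedef int64_t jlong_t;

/* Pattern from the slides: a native address kept in a Java int field. */
jint_t addr_to_jint(uint64_t addr) { return (jint_t)(uint32_t)addr; }
uint64_t jint_to_addr(jint_t field) { return (uint64_t)(uint32_t)field; }

/* A long field keeps all 64 bits, but native code still trusts whatever Java hands back. */
jlong_t addr_to_jlong(uint64_t addr) { return (jlong_t)addr; }
uint64_t jlong_to_addr(jlong_t field) { return (uint64_t)field; }

/* Assumed mitigation: Java holds a small handle; native code validates it before use. */
#define MAX_HANDLES 16
static void *handle_table[MAX_HANDLES];   /* slot 0 is reserved as "invalid" */

jint_t handle_register(void *p) {
    for (jint_t h = 1; h < MAX_HANDLES; h++)
        if (handle_table[h] == NULL) { handle_table[h] = p; return h; }
    return 0;                              /* table full */
}

void *handle_resolve(jint_t h) {
    if (h <= 0 || h >= MAX_HANDLES) return NULL;   /* out of range: reject */
    return handle_table[h];                        /* NULL if never registered or released */
}

void handle_release(jint_t h) {
    if (h > 0 && h < MAX_HANDLES) handle_table[h] = NULL;
}

int main(void) {
    uint64_t a32 = 0x08049f00ULL;          /* constructed 32-bit address */
    uint64_t a64 = 0x00007f3a12345678ULL;  /* constructed 64-bit address */
    printf("32-bit round trip ok: %d\n", jint_to_addr(addr_to_jint(a32)) == a32);
    printf("64-bit via jint ok:   %d\n", jint_to_addr(addr_to_jint(a64)) == a64);
    printf("64-bit via jlong ok:  %d\n", jlong_to_addr(addr_to_jlong(a64)) == a64);
    return 0;
}
```

With the handle table, a value altered on the Java side resolves to NULL instead of being cast to a pointer and written through.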


Memory Management Flaws

• Automatic memory management in Java

• Manual memory management for Java heap in JNI
  – e.g. Get/ReleaseIntArrayElements, Get/ReleaseStringUTFChars …


Buffer Overflow

• No type safety in some native code
  – C is not a type-safe language
• No type checking in JNI read/write
  – e.g. native code can write a float value to a byte type variable in Java


Challenge

• Existing techniques (DieHard, LeakChaser) can detect and mitigate the above issues
  – But the overhead is too high to feasibly apply such techniques to the whole heap


Emery D. Berger and Benjamin G. Zorn. 2006. DieHard: probabilistic memory safety for unsafe languages (PLDI '06)

Xu, Bond, Qin, Rountev. LeakChaser: Helping Programmers Narrow Down Causes of Memory Leaks (PLDI '11)


Unsafe objects are few

Unsafe objects: objects accessible by native code

Less than 1% of objects are unsafe.


Benchmark      Allocated Objects   Unsafe Objects   % of Unsafe Objects
bloat                    4359250             9371                 0.215
fop                      1365166             5225                 0.383
hsqldb                   1439461               93                 0.006
jython                   7464199             2329                 0.031
luindex                  1238977             4251                 0.343
lusearch                 3631775              321                 0.009
pmd                       949971             1617                 0.170
xalan                    2194726              157                 0.007
SPECjbb2005           1579906124             1330                 0.000


Status

[Figure: diagram with six × marks; not recoverable]


Goal

[Figure: diagram with six × marks in two groups (four and two); not recoverable]


Approach

• Quarantine
  – Identify unsafe objects
  – Segment identified unsafe objects
  – Apply treatment to segmented objects


Identify Unsafe Objects

• Instrument “native” methods to find
  – Objects created by native code
  – Objects created by Java code and exposed to native code


Segmentation

All unsafe objects will be allocated in or copied to JNI space


Implementation

• Based on Jikes RVM 3.1.0
  – Build object migration mechanism
  – Change object header to record forwarding address
  – Leverage the read/write barriers


Runtime Overhead


Breaking Down Overhead


Experiment: Applying Padding

• Inspired by a mechanism in DieHard
  – Creating object x-times larger than the actual size
• Do this for every object
• Do this for only quarantined objects

[Figure: two layouts of objects a and b]
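How padding absorbs a bounded overrun, and why padding only the quarantined objects reserves far less heap than padding every object, as an added example (not code from the talk or from DieHard). The bump allocator, `neighbour_survives` and `reserved_bytes` are hypothetical helpers, and all sizes and counts are constructed.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#define HEAP_BYTES 256
#define OBJ_BYTES  16
typedef struct { unsigned char mem[HEAP_BYTES]; size_t top; } heap_t;

/* Bump allocator: reserve size * pad bytes, so (pad - 1) * size bytes of
   slack follow the object. pad == 1 means no padding. Returns an offset,
   or (size_t)-1 when the request does not fit. */
size_t heap_alloc(heap_t *h, size_t size, size_t pad) {
    if (pad == 0 || size > (HEAP_BYTES - h->top) / pad) return (size_t)-1;
    size_t off = h->top;
    h->top += size * pad;
    return off;
}

/* Simulated native write: bounded by the heap only, not by the object. */
int native_write(heap_t *h, size_t off, size_t len, unsigned char v) {
    if (off > HEAP_BYTES || len > HEAP_BYTES - off) return -1;
    memset(h->mem + off, v, len);
    return 0;
}

/* Allocate a (native-accessible) with `pad`, then b unpadded; overrun a by
   `extra` bytes. Returns 1 if b is untouched, 0 if corrupted, -1 on error. */
int neighbour_survives(size_t pad, size_t extra) {
    heap_t h = { {0}, 0 };
    size_t a = heap_alloc(&h, OBJ_BYTES, pad);
    size_t b = heap_alloc(&h, OBJ_BYTES, 1);
    if (a == (size_t)-1 || b == (size_t)-1) return -1;
    memset(h.mem + b, 0xBB, OBJ_BYTES);
    if (native_write(&h, a, OBJ_BYTES + extra, 0x41) != 0) return -1;
    for (size_t i = 0; i < OBJ_BYTES; i++)
        if (h.mem[b + i] != 0xBB) return 0;
    return 1;
}

/* Heap bytes reserved when n_padded of n_total equal-sized objects get 2x padding. */
size_t reserved_bytes(size_t n_total, size_t n_padded, size_t obj_size) {
    return (n_total - n_padded) * obj_size + n_padded * obj_size * 2;
}

int main(void) {
    printf("no padding, 8-byte overrun: %d\n", neighbour_survives(1, 8));
    printf("2x padding, 8-byte overrun: %d\n", neighbour_survives(2, 8));
    return 0;
}
```

With 2x padding an overrun is absorbed only up to the object's own size; one byte more reaches the neighbour again.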


Experiment: Applying Padding

Performance of RVM with Quarantine with 2x Padding


Benchmark         RVMpad   Quarantinepad   Speed-Up (%)
bloat                831             706          17.70
fop                  198             146          35.61
hsqldb               344             347          -0.87
jython               337             325           3.69
luindex              225             215           4.65
lusearch             751             562          33.63
pmd                   20              19           5.25
xalan                595             356          67.13
SPECjbb2005         3865            5249          35.80
Arithmetic mean                                   22.50


Experiment: Applying Padding

GC Performance of RVM with Quarantine with 2x Padding


GC Invocations

Benchmark      RVMpad   Quarantinepad
bloat              12               6
fop                 5               2
hsqldb              7               6
jython             16               9
luindex             4               2
lusearch           22              11
pmd                 3               2
xalan              12               6
SPECjbb2005      3865            2532


Conclusion

• Develop a framework
  – to identify JNI accessible objects
  – to segment JNI accessible objects
  – to facilitate applying protection technique to mitigate JNI related bugs


Acknowledgments

• Partial support for this work is provided by NSF (CNS-0720757) and AFOSR (FA9550-09-1-0129)

• We thank Laurence Hellyer for making the primitive barrier code available and spending time to answer our questions


Question & Answer & Discussion
