Lightweight Modeling of Java Virtual Machine Security Constraints using Alloy Mark Reynolds BU CS511 Final Report May 7, 2008.


Outline
Brief Recap of Model Status at Midterm
New Constraints
New Results
Summary

JVM Bytecode Verifier
Operates on binary class files
– “JVM assembly language”
Performs a superset of the set of checks performed by the Java compiler
Uses a constraint based approach
– Local variable constraint
– Stack depth invariance constraint
– Stack guard constraint
– Opcode constraint
– Method argument constraint
– Many others
Ideal for an Alloy model

Midterm Status
Model template created
– “Instruction” sig models instruction properties
– “State” sig models instruction execution within a method
– Complete Alloy model except for initialization
Class2Alloy converter written and tested
– Takes class files, converts them to Alloy relation initializers
– Class2Alloy output + model template = complete Alloy model
Local Variable Constraint checked successfully
– “All local variables must be written before being read”
– Normal bytecodes pass
– Deliberately erroneous bytecodes fail

New Constraints
Stack depth invariance constraint
– The stack depth at any program point is the same for any path leading to that point
Stack guard constraint
– The depth of the stack is never negative
– Unlike the Intel architecture, the JVM passes and returns method arguments in local variables, not on the stack

Stack Depth Invariance
No matter how you get there, the stack depth must be the same

Stack Guard Constraint
[Figure: stack depth plotted against time]
Stack depth on method entry = 0
Stack depth on method exit = 0
Stack depth >= 0 always

Stack Constraint Checking
Added “smod” relation to “Instruction” sig in order to capture stack modifications carried out by individual instructions
Added “Depth” as a relation within “State” sig as a way of modeling stack depth as a function of execution state
Modified “nextState” predicate to update stack depth from smod relation value

    pred nextState[s, s': State] {
        nextInstruction[s.prog, s'.prog] &&
        nextReader[s.prog, s.readers, s'.readers] &&
        nextWriter[s.prog, s.writers, s'.writers] &&
        (s'.depth = add[s.depth, s.prog.smod])
    }

Instruction Relations - Example
[Table of per-instruction relation values (columns include map, len, r, w, term and smod) for a method whose bytecodes are startup, iload_1, bipush, icmpge, iload_1, iconst_5, imul, istore_2, goto, iload_, istore_2, iload_, ireturn; the cell values did not survive extraction.]

Stack Constraint Assertions

    assert checkit1 {
        all s, s' : State | (s.prog.map = s'.prog.map) => (s.depth = s'.depth)
    }

    assert checkit2 {
        all s : State | gte[s.depth, 0]
    }
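The checks the two preceding slides express in Alloy (the smod-driven depth update in nextState, and the checkit1/checkit2 assertions), plus the midterm's local variable constraint, as an added Python example that is not part of the presentation or of Reynolds' Alloy model; the opcode subset, branch targets, local-slot numbering and the constructed programs are assumptions.

```python
# Added example, not from the slides: a worklist checker for a toy JVM bytecode
# subset mirroring the model's smod/readers/writers relations and constraints.
SMOD = {"iload": +1, "bipush": +1, "iconst": +1, "imul": -1, "istore": -1,
        "if_icmpge": -2, "goto": 0, "ireturn": -1}      # JVM stack effects

def check_method(prog, nargs):
    """prog: list of (opcode, branch target or None, local slot or None). Walks
    every path from entry (depth 0; slot 0 = this plus nargs argument slots
    written) and returns (ok, reason), enforcing the slides' constraints: stack
    guard (depth >= 0, 0 at ireturn), depth invariance, locals written before read."""
    seen = {}                          # pc -> (depth, slots written on all paths)
    work = [(0, 0, frozenset(range(nargs + 1)))]
    while work:
        pc, d, written = work.pop()
        if pc in seen:
            d0, w0 = seen[pc]
            if d != d0:
                return False, f"depth {d} vs {d0} at pc {pc}"
            if written >= w0:
                continue               # nothing new on this path; already checked
            written &= w0              # join point: keep slots written on all paths
        seen[pc] = (d, written)
        op, target, slot = prog[pc]
        if op == "iload" and slot not in written:
            return False, f"local {slot} read before write at pc {pc}"
        if op == "istore":
            written |= {slot}
        d += SMOD[op]                  # s'.depth = add[s.depth, s.prog.smod]
        if d < 0:
            return False, f"stack underflow at pc {pc}"
        if op == "ireturn":
            if d != 0:
                return False, f"exit depth {d} at pc {pc}"
            continue
        if target is not None:
            work.append((target, d, written))
        if op != "goto":
            work.append((pc + 1, d, written))
    return True, "ok"

# Constructed from the opcode sequence on the "Instruction Relations" slide
# (branch targets and the truncated iload operands are assumptions), roughly
# int m(int a) { int x; if (a < N) x = a * 5; else x = a; return x; }
GOOD = [("iload", None, 1), ("bipush", None, None), ("if_icmpge", 8, None),
        ("iload", None, 1), ("iconst", None, None), ("imul", None, None),
        ("istore", None, 2), ("goto", 10, None), ("iload", None, 1),
        ("istore", None, 2), ("iload", None, 2), ("ireturn", None, None)]
# Aberrant variants (constructed): else-path skips istore x; else-path pushes a twice.
UNWRITTEN = GOOD[:7] + [("goto", 8, None)] + GOOD[10:]
EXTRA_PUSH = GOOD[:7] + [("goto", 11, None), ("iload", None, 1)] + GOOD[8:]
```

Each failing program trips exactly the constraint its comment names, which is the behaviour the Results slide reports for deliberately aberrant bytecodes.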

Results
Normal bytecodes pass both new constraints as well as the original LV constraint!
Deliberately aberrant bytecodes fail at least one of the constraints

Summary
Alloy is very well suited to modeling JVM execution
Three security constraints modeled so far
– Many more left to be done
Exception handling proved to be difficult
– More than one exception handler in a single method was especially tricky
– Same for the JVM itself