EP3158489A1 - Sécurité améliorée pour des machines virtuelles java - Google Patents

Sécurité améliorée pour des machines virtuelles java

Info

Publication number
EP3158489A1
EP3158489A1 EP15809533.1A EP15809533A EP3158489A1 EP 3158489 A1 EP3158489 A1 EP 3158489A1 EP 15809533 A EP15809533 A EP 15809533A EP 3158489 A1 EP3158489 A1 EP 3158489A1
Authority
EP
European Patent Office
Prior art keywords
java
untrusted
java api
library
ava
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP15809533.1A
Other languages
German (de)
English (en)
Other versions
EP3158489A4 (fr
Inventor
John Matthew Holt
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Waratek Ltd
Original Assignee
Waratek Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from AU2014902381A external-priority patent/AU2014902381A0/en
Application filed by Waratek Ltd filed Critical Waratek Ltd
Publication of EP3158489A1 publication Critical patent/EP3158489A1/fr
Publication of EP3158489A4 publication Critical patent/EP3158489A4/fr
Withdrawn legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • G06F2009/45566Nested virtual machines
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • G06F2009/45587Isolation or security of virtual machine instances

Definitions

  • the present invention relates to computer programs written in the JAVA language. Background Art
  • Java Platform When the Java Platform was original designed it was conceived to be a secure operating environment for untrusted applications, allowing a user to operate applications from untrusted third parties in a quarantined sandbox environment.
  • the Java Platform today is very different from the time of its inception.
  • the Java Platform is today in its 9th major release (Java SE 8), and can comprise up to 5 million lines of source-code.
  • the volume of source-code in the Java Platform - far more than other similar platforms - has at least in part contributed to the poor security profile and frequent vulnerability discoveries of recent years.
  • Such a large source- code-base is beyond the ability of any one programmer to reason about secure and insecure operations, and this has in turn led to new vulnerabilities and exploitable weaknesses which arise from the unintended consequences of "code-bloat".
  • the original security model provided by the Java Platform is known as the sandbox model, which existed in order to provide a very restricted environment in which to run untrusted code obtained from the open network.
  • the essence of the sandbox model is that local code is trusted to have full access to vital system resources (such as the file and memory systems) while downloaded remote code (an applet) is not trusted and can access only the limited resources provided inside the sandbox.
  • This sandbox model is schematically illustrated in Fig. 1.
  • the JAVA API class library includes for example an "access function" F which is for accessing valuable resources of the host computer.
  • the access function is responsible for determining whether access to a valuable resource is guarded by some security policy, and if so, to consult the java.lang.SecurityManager class to vet such calls and either allow or disallow them.
  • the SecurityManager class which is where the security control policy is implemented and applied, is only used in an "advising" capacity by access function F.
  • access function F queries the SecurityManager class whether access function F is permitted to operate, and the SecurityManager class returns an indication of whether access is allowed or not.
  • the SecurityManager serves a purely advisory role to access function F, and is not capable of directly controlling the operation of access function F, and therefore is not able to directly control operations performed upon valuable resources.
  • a bug or discrepancy in the code or behaviour of access function F - or contextual manipulation by an Application class - can cause access function F to omit to consult the SecurityManager class, and so proceed to allow unsafe access to a valuable resource.
  • an Application Class such as a "ClassLoader” class defines a local name space, which can be used to ensure that an untrusted applet cannot interfere with the running of other programs. Access to crucial system resources was intended to be mediated by a "SecurityManager” class, in combination with
  • ClassLoader classes, to restrict the actions of a piece of untrusted code to the bare minimum.
  • the Java Security Architecture - relying on the SecurityManager class facility - is not able to reliably ensure that an application, and/or the Java API class library on which the application operates, do not undertake undesirable actions that an administrator might want to control or restrict, such as for example denying the application and Java API class library from reading a file of a specified directory. Due to the design flaws of the Java Security Architecture, it is possible to bypass or circumvent the SecurityManager controls and thereby break out of the security controls sought to be enforced by the application administrator.
  • Fig. 2 illustrates a typical prior art security ring arrangement.
  • a "ring” is a layer of privilege within the software architecture. Rings R0, Rl, R2, ... etc. are arranged in a hierarchy from most privileged (most trusted, usually numbered zero), to least privileged (least trusted, usually with the highest ring number). On most operating systems “ring 0" is the level with the most privileges and interacts most directly with the physical hardware such as the CPU and memory.
  • a strict and formally defined interface such as GO, and Gl between rings is provided to allow an outer-ring to access an inner ring's resources in a predefined manner, as opposed to allowing arbitrary usage.
  • an outer (less privileged) ring can only access valuable resources by requesting an inner ring to perform the sought action on the outer ring's behalf.
  • inner rings act as mediating proxies for value resources on behalf of outer rings, and that outer rings do not have direct access to valuable resources or the operations that can be applied directly to outer resources.
  • Correctly gating access between rings improves security by preventing programs from one ring or privilege level from misusing resources intended for programs in another.
  • hypervisors like VMware and Xen
  • hypervisors like VMware and Xen
  • hypervisor exports The hypervisor thus serves as a proxy for the valuable physical computer resources, and therefore can reliably mediate safe and secure access to these valuable resources which cannot be accessed directly by untrusted "guest” software.
  • hypervisor developers used the protection rings and the formal "gated" interface that they defined, to implement emulation facilities for functions which were either too insecure or untrusted to occur on the real physical server. Examples of this are interacting with network interfaces and storage controllers.
  • Java Platform and its components specifically the Java API class libraries, and the Java Virtual Machine, or JVM
  • Java application classes can directly call privileged "native" methods inside the JVM or OS libraries that access valuable resources directly and in an uncontrolled manner, and the only opportunity to enforce security controls is in the advisory check of the SecurityManager class by the Java API class libraries.
  • the genesis of the present invention is a desire to improve the security of operation of computer programs written in the Java language while still maintaining compatibility with third-party Java applications.
  • the present invention is further directed to operating unsafe or "known-vulnerable" Java API class libraries in a secure and quarantined manner.
  • a method of operating one or more untrusted application programs on a JAVA virtual machine (JVM) in an enhanced security mode said JAVA virtual machine comprising a host computer having a memory and functional assets onto which is installed a JVM layer and a single, first, lower, trusted JAVA Application Programming Interface (API) library, said method comprising the steps of running a hypervisor software layer on said first, lower, trusted JAVA API library and running at least one second, upper, untrusted JAVA API library on said hypervisor software layer, at or before runtime, modifying the code of each said second, upper, untrusted JAVA API library to call said hypervisor software layer instead of said JVM to thereby create a silo
  • JVM JAVA virtual machine
  • hypervisor software layer operating said hypervisor software layer to only permit communication between each of said second, upper, untrusted JAVA API libraries and a corresponding portion of the memory and functional assets of said host computer,
  • a computer architecture to be hosted by a host computer having memory and functional assets to form a JAVA Virtual Machine having enhanced security said computer architecture comprising a single, first, trusted JAVA Application Program Interface (API) library above a JVM, a hypervisor software layer above said first trusted JAVA API library, and at least one second, untrusted JAVA API library on said hypervisor layer, the code of each said second, upper, untrusted JAVA API library being modified at or before runtime to call said hypervisor software layer instead of said JVM to thereby create a silo corresponding to each of said second, upper, untrusted JAVA API libraries, each said silo extending between said host computer and the corresponding second, upper, untrusted JAVA API library; wherein said hypervisor software layer only permits communication between each of said second, upper, untrusted JAVA API libraries and a corresponding portion of said memory and functional assets of said host computer, and wherein each of said second, upper,
  • API Application Program Interface
  • a physical computer program product comprising a computer program which, when loaded and run on a host computer, produces a JAVA Virtual Machine having the computer architecture as described above or providing enhanced security in accordance with the method as described above.
  • Fig. 1 is a schematic representation of a prior art sandbox arrangement
  • Fig. 2 is a schematic representation of a prior art security ring arrangement
  • Fig. 3 is a schematic representation of the fundamental security arrangement of the preferred embodiment
  • Fig. 4 is a schematic representation of the preferred embodiment operating multiple application programs on a JVM with enhanced security.
  • the preferred embodiment of the present invention describes a method to address the above described limitation of the Java Platform, and so allow "protection rings" to be applied to the Java Platform in a way that is binary compatible with third party Java applications.
  • Binary compatibility means that such third-party Java applications are operable without any change being required to their source code.
  • This method is achieved by running an upper Java API class library, on top of a hypervisor-like software layer running on top of a lower Java class library, on top of one single JVM.
  • the Java Platform is made up of two major software components: the Java API class- libraries, and the Java Virtual Machine. In a normal Java environment these two software components are tightly integrated together, and decoupling them is not possible.
  • Java API class libraries comprise a set of files, divided into "official packages" which for the Java SE 6 version are the following: java. applet
  • javax.xml. bind. annotation javax.xml.bind. annotation.
  • adapters javax.xml.bind. attachment javax xml .bind.helpers javax xml .bind.util
  • the preferred embodiment of the present invention introduces a "protection ring framework" for quarantining vulnerable or untrusted Java API class libraries, which allows one or more "untrusted" Java API class libraries to operate on top of a
  • the trusted JAVA API class library with its access function F, the JVM and the host computer are as before and as illustrated in Fig. 1.
  • the application class is also as illustrated in Fig. 1 but is now directed to the untrusted access function F of the "upper" untrusted JAVA API class library which in turn invokes the proxy function for F of the hypervisor software, which then invokes the trusted access function F (the "real" access function F) on behalf of the untrusted Application Class caller.
  • This arrangement unlike Fig 1, cannot bypass the security controls, because the access function F called by the Application Class is no longer able to access the "real" access function F and so access the valuable resource directly, and must instead request the hypervisor software to access the valuable resource on its behalf via the Proxy Function for F. Because of this architecture, it is not possible for the security control functions of the hypervisor to be bypassed or otherwise circumvented, because only the hypervisor can invoke the "real" access function F, not the application as in Fig. 1.
  • a small “hypervisor-like” software layer is written, so as to run on top of the "trusted” Java API class library.
  • the "hypervisor-like” layer preferably runs as the single/only application of the "trusted” Java API class library, and where the “hypervisor-like” layer implements a protection-ring interface (or “gate”) between the trusted Java API class library on which it operates, and one or more other Java API class libraries that it will load and run on top of it.
  • the inventor has coined the term "nested or sequential Java Runtime Environments (JREs)" for this arrangement of an upper Java API class library operating on top of a lower Java API class library, regardless of whether the two Java API class libraries are the same versions of the Java API specification(s) or not.
  • JREs Java Runtime Environments
  • the hypervisor-like software has to modify the operation of the small set of "unofficial gate interface" classes of the untrusted Java API class libraries to, instead of calling the JVM or OS libraries directly, to call the hypervisor-like software layer instead.
  • modification is hidden from, or invisible to,
  • the hypervisor-like software layer provides an emulation facility for the unofficial "gate" interface between the untrusted Java API class libraries and the JVM.
  • the untrusted Java API class libraries can be hosted on top of a trusted Java API class library set, with the hypervisor-layer acting as "privilege ring" boundary that mediates the actions of the untrusted Java API class libraries in a way which is not able to be circumvented, and thereby ensure the proper and robust security controls can be enforced and not bypassed.
  • Fig. 4 schematically represents an arrangement in which enhanced security is provided for multiple applications which are simultaneously run on a Java Virtual Machine.
  • the host machine has valuable resources in the form of memory M and functional assets A.
  • the Java Virtual Machine JVM
  • the single trusted JAVA API class library Above this layer again is the Hypervisor described above.
  • Application #1 is able to communicate via its untrusted JAVA API class library #1, the Hypervisor, and the trusted JAVA API class library with the JVM and the host computer.
  • Application #1 is only able to access the memory Ml and functional assets Al allocated to it by the trusted JAVA API class library with the constraints defined by the hypervisor software.
  • Application #1 operates within a corresponding silo having a vertical extent and a tubular characteristic. The walls of each silo are indicated by broken lines in Fig. 4.
  • the untrusted Java API class library operates in a restricted way, where 'untrusted' Java API classes that previously could call directly to the JVM and/or OS libraries, now can only call to the hypervisor 'redirection' layer operating on the trusted Java API class library, and so can examine all requested actions made by the untrusted Java API classes independently of the untrusted Java API class library - something that the prior art Security Manager class of the Java Security Architecture of Fig.l is incapable of.
  • One embodiment of the present invention is described below for constructing a 'hypervisor'-like layer which is able to operate an untrusted Java API classlibrary on top of a trusted Java API class library, and so ensure safe and controlled operation of untrusted and/or vulnerable Java API class library(ies) in a secure manner.
  • the preferred embodiment utilizes a preliminary step followed by a subsequent step. Each of these steps is capable of being realised in various alternative fashions.
  • a hypervisor-like layer for the Java SE 6 Java API class libraries the behaviour of one or more "native" methods of one or more Java API classes, must be modified so as to not invoke Java Native Interface (JNI) functions of the JVM or of OS libraries, and instead to invoke a replacement Java function of one or more Java classes provided in the hypervisor software package for the purpose of emulating or replacing the corresponding/equivalent JAVA Native Interface function(s).
  • JNI Java Native Interface
  • the untrusted Java API classes are modified so as to no longer have the capability to access valuable resource (for example, JNI functions written in non-Java language(s) like C/C++) directly.
  • Java methods can invoke functions that are written in non-Java languages (called “native methods” or “JNI functions”), such as C or C++.
  • JNI functions Java-to-non-Java invocation action
  • a Java class defines a method with a "native” modifier which corresponds to a second function written in a non-Java language and linked to the JVM as an operating- system-dependent library in accordance with the JNI framework.
  • Such methods are called “native” methods or "JNI functions” in Java terminology, and typically represent privileged or important or “valuable” or “unsafe” operations that either cannot be performed in Java or which require special operating system support in order to undertake (examples are writing to a file, sending a network packet, etc).
  • it is necessary to intercept and mediate access to these privileged JNI functions.
  • the Java API class library incorporates many "native" methods, the exact composition of which differs version to version, and which are used for performing a large range of privileged and special operations that, if misused, can represent a significant security risk.
  • the exact list of native methods that may be desirable to emulate or replace with the hypervisor software package may differ from one Java SE version to the next, and from one implementation to the next of the hypervisor software package developed in accordance with embodiments of this invention, but the technique described below will apply mutatis mutandis.
  • JNI functions An incomplete example list of JNI functions that may be desirable to emulate in the hypervisor layer is as follows:
  • JNI functions are implemented by OS libraries provided with the JVM and/or Java API class libraries, and include some of these files on Linux (or their equivalents on other operating systems like Windows, Solaris, or AIX):
  • Redirecting can be achieved by statically modifying the source-code or byte code of the effected Java API classes, prior to their loading and/or execution within a JVM to: (i) change the method modifiers to remove the "native" modifier, (ii) insert a small method body to the now-not-native method, which marshals the parameters and invokes the hypervisor-like replacement function with the same or substantially the same parameters, and
  • BEFORE An example of a before and after replacement in byte code is shown below:
  • Method 1.1 the described static modification may be performed upon individual Java class-files (such as compiled bytecode files saved with the suffix ".class” and optionally stored in JAR file format or similar) or upon individual Java source-files (such as saved with the suffix "java"), where the post- modified result of Method 1.1 is saved to a persistent or transient storage means (such as hard disk drive) as a new or replaced class-file or source-file (optionally overwriting the original input class-file or source-file).
  • a persistent or transient storage means such as hard disk drive
  • the same replacement can be achieved by dynamically modifying the byte-code of the effected Java API classes as or when they are loaded within a JVM, or defined within a JVM, or after they are loaded or defined within a JVM, or executed within a JVM, to:
  • Dynamic modification such as described in Method 1.2 can be accomplished with any of various bytecode or classfile instrumentation libraries such as ASM, BCEL, and AOP libraries.
  • An implementation of Method 1.2 may take the form of a "javaagent” (such as loaded with the "-javaagent:” command line option) or a JVMTI agent (such as loaded with the "-agentlib:” or “-agentpath:” command line option), and may make use of the Java Instrumentation APIs of the package java.lang.instrument or the corresponding JVMTI API functions.
  • the same replacement effect can be achieved with replacement classes for the effected Java API classes.
  • one or more of the Java API classes may be replaced entirely with alternative versions written for the hypervisor layer and that cooperate closely with the hypervisor-like control layer. This may be desirable when the effected class either has a lot of native methods, and so would require a significant number of the methods of a effected Java API class to be modified (as per methods 1.1 - 1.3 above), or the class is considered important to the hypervisor-like control layer's security
  • a non-exhaustive list of replaced classes of the Java API class libraries includes the following: j a a . nio . HeapShortBuffer
  • Any replacement class(es) must be implemented with the same public and protected fields, methods, and constructors as the Java API classes they replace.
  • the same replacement effect can be achieved by modifying non- native method(s) of the untrusted Java API class libraries which, directly or indirectly, invokes one or more native method(s) that are sought to be redirected to a
  • the source-code or bytecode of the chosen non-native method(s) is modified at any time before loading, during loading, or after loading to:
  • anyLocalBouncLAddr Ljava/net/InetAddress ;
  • SocketException protected synchronized native void bind0(int, j ava . net . InetAddress ) throws j ava . net . SocketException;
  • SocketException protected synchronized native void bind0(int, j ava . net . InetAddress ) throws j ava . net . SocketException;
  • the same replacement effect can be achieved by modifying non- native method(s) of the untrusted Java API class libraries which directly or indirectly invoke one or more target method(s) that are sought to be redirected to a replacement hypervisor-layer function.
  • redirection in this manner is to be performed, the source-code or bytecode of the chosen non-native method(s) is modified at any time before loading, during loading, or after loading by:
  • invokeinterface, invokespecial, invokedynamic to the target native or non- native method that is sought to be redirected to a replacement hypervisor- layer function
  • anyLocalBouncLAddr Ljava/net/InetAddress ;
  • SocketException protected synchronized native void bind0(int, j ava . net . InetAddress ) throws j ava . net . SocketException;
  • anyLocalBouncLAddr Ljava/net/InetAddress ;
  • SocketException protected synchronized native void bind0(int, j ava . net . InetAddress ) throws j ava . net . SocketException;
  • Method 1.6 it can be desirable to apply, mutatis mutandis, the modification steps of Method 1.6 to replacing the invocation of one or more target native or non-native methods made by an Application Class.
  • Method 1.6 can achieve an equivalent replacement effect such that if an Application Class attempts to invoke a target native or non-native method of the untrusted Java API class libraries, that that invocation will be equivalently redirected to the replacement hypervisor-layer proxy function as described above.
  • Any single or combined use of the above methods 1.1-1.6 may be desirable in various embodiments of this invention.
  • Method 1.2 might be selected for some of the methods within the untrusted Java API class library, while Method 1.6 might be selected for some other methods within the same untrusted Java API class library.
  • the hypervisor emulation function(s) can undertake a subsequent operation, or step, of quarantine and security-enforcement controls on the untrusted Java API classes.
  • OpenProxyMethod(String)' of class com.hypervisor.FilelnputStreamProxy), with the hypervisor implementing change behaviour to enforce a "less privileged ring" for the second Java API class library is shown below: public static void openProxyMethod ( String name)
  • the small set of classes shared comprises at least the java.lang. Object class.
  • a list of these classes in another implementation includes: j ava . . lang . . Obj ect
  • the method j ava . lang . Class . forName ( String, boolean, ClassLoader ) may be one of the methods that is desirable to be redirected to the hypervisor layer for security control and/or special handling purposes described above.
  • Redirection of unsafe members can be achieved by examining the bytecode of every untrusted Java API class file before it is loaded, or sought to be loaded into the JVM, or as it is loaded into the JVM, or as it is about to be executed by the JVM, to do the following:
  • java.sql.DriverManager in its 'getCallerClass' function, invokes the unsafe member method java.lang. Class. forName(String,boolean,ClassLoader) of the shared class java.lang.Class.
  • java.lang. Class. forName(String,boolean,ClassLoader) is replaced with an invocation of a proxy method provided in the hypervisor class(es) for the purpose of security enforcement or special handling as described above.
  • next steps implement the security enforcement and quarantine controls that are desirable to be applied to an untrusted or vulnerable Java API class library in order to address the security vulnerabilities and weaknesses of that (or those) Java API class library(ies).
  • Method 2.2 modifications of Method 2.2, mutatis mutandis, to the loaded or executed Application Class(es). Applying Method 2.2 to Application Class(es) in this way can then ensure that if an Application Class attempts to access an unsafe member of a Trusted Classes, that that access will be equivalently trapped, intercepted, or redirected to the replacement hypervisor-layer proxy function.
  • hypervisor proxy methods and the hypervisor proxy classes can enforce security constraints to deny a range of actions and operations which are not desirable for the untrusted Java API class library to be allowed to perform.
  • the security constraints to be enforced by the hypervisor software are specified by means of a human-readable "rules file" stored on a hard disk or equivalent storage means, which specifies actions or operations which are undesirable for the "untrusted" Java API class library and/or application class(es) to execute, and for which the hyerpvisor-layer is to deny or block.
  • procfork level : none : deny : warn
  • Unsafe method : theUnsafe ( ) Lsun/misc/Unsafe ; : den y : warn
  • the proxy methods/classes of the hypervisor software can, in addition to enforcing security constraints, or as an alternative to it, perform logging to a security log file maintained by the hypervisor software for that purpose, of actions or operations undertaken by the untrusted Java API class library or application class(es) operating on top of the untrusted Java API class library that may be of interest to an administrator as an indicator of security vulnerabilities or exploit attempts.
  • alert notices of suspicious or malicious operations attempted to be performed by the untrusted Java API class library can be logged and examined at a later time by the administrator to determine whether the actions performed are indeed suspicious or malicious, or not.
  • This log file can then be used to audit untrusted applications and untrusted Java API class library versions, to thereby gain valuable intelligence on vulnerabilities, exploits, and attack stratagems of the executing untrusted application(s) and library(ies).
  • the suspicious or potentially malicious actions or operations desirable to be logged to the security log file are specified by means of a human-readable "rules file" stored on a hard disk or equivalent storage means, which specifies actions or operations for which the hypervisor is allow but to also log an alert or other notice of such action/operation occurring to the security log file provided for that purpose.
  • a human-readable "rules file” stored on a hard disk or equivalent storage means, which specifies actions or operations for which the hypervisor is allow but to also log an alert or other notice of such action/operation occurring to the security log file provided for that purpose.
  • OS libraries is to be understood to include the operating-system dependent libraries provided by, or with, a JVM or the Java API class libraries, and which are written in one or more non-Java languages and which interact with the underlying operating system and computer memory directly.
  • Example 1 trusted being a version of Java SE 6, and untrusted being a version of Java SE 5.
  • Example 2 trusted being Java SE 1.6.0_43 and untrusted being Java SE 1.6.0_24.
  • the hypervisor software can provide the significant benefit of increasing the security of old or legacy application classes (and the old Java API class library upon which they are written to depend) without requiring those application classes to be re-written or modified in order to use a new and less vulnerable Java API class library version.
  • This is a significant operational benefit for administrators who are operating old or legacy application programs, as it allows them to make their old applications more secure and less vulnerable without having to change the source- code or upgrade the Java API class library version that the old application relies on.
  • the trusted Java API class library, and the untrusted Java API class library operate from different JRE and/or JDK directories with different "rt.jar”, “jsse.jar”, “jce.jar” classfile archives.
  • the untrusted Java API class library does not load any native libraries, or load any class with one or more native methods which loads a native library.
  • hypervisor-layer "enforces security constraints" on certain operations attempted to be performed by the untrusted Java API class library.
  • enforced security constraints include logging to a security log file maintained by the hypervisor layer for that purpose, generating alert notices relating to suspicious or malicious operations which have been attempted to be performed by the untrusted Java API class library.

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Stored Programmes (AREA)

Abstract

L'invention concerne une architecture informatique offrant une sécurité JVM améliorée, et un procédé offrant une sécurité améliorée pour une JVM. L'ordinateur hôte fait tourner une seule et première bibliothèque d'API JAVA de confiance au-dessus de laquelle se situe une couche logicielle d'hyperviseur, puis au moins une bibliothèque d'API JAVA non sécurisée. Le code de chaque seconde bibliothèque d'API JAVA supérieure non sécurisée est modifié lors du ou avant le temps d'exécution pour appeler la couche logicielle d'hyperviseur au lieu de la JVM de manière à créer ainsi un silo correspondant à chacune des secondes bibliothèques d'API JAVA supérieures non sécurisées. Chaque silo s'étend entre l'ordinateur hôte et la seconde bibliothèque d'API JAVA supérieure non sécurisée correspondante. La couche logicielle d'hyperviseur est actionnée pour permettre uniquement la communication entre chacune des secondes bibliothèques d'API JAVA supérieures non sécurisées et une partie correspondante de la mémoire et des actifs fonctionnels de l'ordinateur hôte. Par conséquent, chacune des secondes bibliothèques d'API JAVA supérieures non sécurisées ne peut pas communiquer avec toute la mémoire de l'ordinateur hôte et/ou tous les actifs fonctionnels de l'ordinateur hôte. L'invention concerne également un produit de type programme informatique.
EP15809533.1A 2014-06-20 2015-06-17 Sécurité améliorée pour des machines virtuelles java Withdrawn EP3158489A4 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
AU2014902381A AU2014902381A0 (en) 2014-06-20 Enhanced Security for JAVA Virtual Machines
PCT/AU2015/050334 WO2015192182A1 (fr) 2014-06-20 2015-06-17 Sécurité améliorée pour des machines virtuelles java

Publications (2)

Publication Number Publication Date
EP3158489A1 true EP3158489A1 (fr) 2017-04-26
EP3158489A4 EP3158489A4 (fr) 2018-03-14

Family

ID=54934575

Family Applications (1)

Application Number Title Priority Date Filing Date
EP15809533.1A Withdrawn EP3158489A4 (fr) 2014-06-20 2015-06-17 Sécurité améliorée pour des machines virtuelles java

Country Status (2)

Country Link
EP (1) EP3158489A4 (fr)
WO (1) WO2015192182A1 (fr)

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6275938B1 (en) * 1997-08-28 2001-08-14 Microsoft Corporation Security enhancement for untrusted executable code
US6834391B2 (en) * 2000-11-28 2004-12-21 Sun Microsystems, Inc. Method and apparatus for automated native code isolation
US7979891B2 (en) * 2006-05-09 2011-07-12 Oracle International Corporation Method and system for securing execution of untrusted applications
US8156298B1 (en) * 2007-10-24 2012-04-10 Adam Stubblefield Virtualization-based security apparatuses, methods, and systems
US20090300599A1 (en) * 2008-05-30 2009-12-03 Matthew Thomas Piotrowski Systems and methods of utilizing virtual machines to protect computer systems
US20150113545A1 (en) * 2012-04-30 2015-04-23 Waratek Limited Modified jvm with multi-tenant application domains and class differentiation
JP2015519646A (ja) * 2012-04-30 2015-07-09 ワラテック リミテッド マルチテナント型アプリケーション・ドメイン及びメモリの管理を伴う修正されたjvm

Also Published As

Publication number Publication date
EP3158489A4 (fr) 2018-03-14
WO2015192182A1 (fr) 2015-12-23

Similar Documents

Publication Publication Date Title
US9830448B2 (en) Enhanced security for java virtual machines
Backes et al. Boxify: Full-fledged app sandboxing for stock android
KR102255767B1 (ko) 가상 머신 감사를 위한 시스템 및 방법들
US9680862B2 (en) Trusted threat-aware microvisor
Smalley et al. Security enhanced (se) android: bringing flexible mac to android.
Ta-Min et al. Splitting interfaces: Making trust between applications and operating systems configurable
US20160004869A1 (en) Verification of trusted threat-aware microvisor
CN110612512A (zh) 保护虚拟执行环境
KR101665894B1 (ko) 가상 머신 내의 강제적 보호 제어
US20170091444A1 (en) Hardware-enforced code paths
Mi et al. (Mostly) exitless {VM} protection from untrusted hypervisor through disaggregated nested virtualization
Sun et al. Jvm-portable sandboxing of java’s native libraries
Payne et al. A layered approach to simplified access control in virtualized systems
Sun et al. Bringing java's wild native world under control
Im et al. The endokernel: Fast, secure, and programmable subprocess virtualization
Findlay et al. Bpfcontain: Fixing the soft underbelly of container security
Yu Os-level virtualization and its applications
Chfouka et al. Trustworthy prevention of code injection in linux on embedded devices
US20220147376A1 (en) Selective substitution of legacy load module programs with classes for execution in a java virtual machine
Potter et al. Secure Isolation of Untrusted Legacy Applications.
Haq et al. Design and implementation of sandbox technique for isolated applications
WO2015192182A1 (fr) Sécurité améliorée pour des machines virtuelles java
Hong et al. NativeProtector: protecting android applications by isolating and intercepting third-party native libraries
Fernandes et al. Decomposable trust for Android applications
Klinkoff et al. Extending. NET security to unmanaged code

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20170112

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

AX Request for extension of the european patent

Extension state: BA ME

DAV Request for validation of the european patent (deleted)
DAX Request for extension of the european patent (deleted)
A4 Supplementary search report drawn up and despatched

Effective date: 20180213

RIC1 Information provided on ipc code assigned before grant

Ipc: G06F 21/53 20130101AFI20180208BHEP

Ipc: G06F 9/455 20180101ALI20180208BHEP

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: EXAMINATION IS IN PROGRESS

17Q First examination report despatched

Effective date: 20200221

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: EXAMINATION IS IN PROGRESS

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: EXAMINATION IS IN PROGRESS

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION HAS BEEN WITHDRAWN

18W Application withdrawn

Effective date: 20221116