4th International Conference on Principles and Practices ... - MADOC
4th International Conference on Principles and Practices ... - MADOC
4th International Conference on Principles and Practices ... - MADOC
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
The processor then refers to the entry in the PGD for<br />
L. An entry in the PGD is called a directory entry.<br />
The processor gets the address of the directory entry<br />
for L by adding the highest ten bits of L as an offset<br />
to the PGD address.<br />
2. The processor looks at the bit in the directory entry<br />
that indicates to what the directory entry points.<br />
(a) If the value of the bit is 0, the directory entry<br />
points to a page table, which is an address translati<strong>on</strong><br />
table whose entry points to a 4-KByte page.<br />
In this case, the processor translates L into the<br />
physical address as illustrated in figure 1 (a). The<br />
processor assembles the physical address from the<br />
page table entry <strong>and</strong> the lowest 12 bits of L. The<br />
processor also looks at bits in the page table entry<br />
for access c<strong>on</strong>trol to the page.<br />
(b) If the value of the bit is 1, the directory entry<br />
points to a 4 MByte page (a large page). In this<br />
case, the processor translates L into the physical<br />
address, as illustrated in figure 1 (b). The<br />
processor assembles the physical address from the<br />
directory entry <strong>and</strong> the lowest 22 bits of L.<br />
3.2 Implementati<strong>on</strong> of heap protecti<strong>on</strong> domain<br />
using PGD<br />
The directory entry for a large page c<strong>on</strong>tains bits that<br />
indicate reading or writing permissi<strong>on</strong>, <strong>and</strong> the processor<br />
permits reference to the page based <strong>on</strong> these bits. We implemented<br />
the heap protecti<strong>on</strong> domain using these bits as<br />
follows.<br />
1. In the system call to create a heap protecti<strong>on</strong> domain,<br />
createpd(), the OS creates a PGD. For simplicity,<br />
our implementati<strong>on</strong> allocates <strong>on</strong>ly <strong>on</strong>e PGD <strong>and</strong> shares<br />
page tables am<strong>on</strong>g heap protecti<strong>on</strong> domains. Therefore,<br />
our heap protecti<strong>on</strong> domain can set permissi<strong>on</strong>s<br />
for large pages <strong>on</strong>ly 10 . To set permissi<strong>on</strong>s for 4-KByte<br />
pages, page tables should be created for each protecti<strong>on</strong><br />
domain.<br />
2. In the system call to set permissi<strong>on</strong>s for the large<br />
pages, mprotect(), the OS sets the bits in the directory<br />
entries that indicate reading or writing permissi<strong>on</strong>.<br />
3. In the system call to set the protecti<strong>on</strong> domain for the<br />
current thread, setpd(), the OS looks up the pointer<br />
to the PGD for the target heap protecti<strong>on</strong> domain, <strong>and</strong><br />
loads the pointer into the CR3 register.<br />
4. During task switching, the OS looks up the pointer<br />
to the PGD for the protecti<strong>on</strong> domain to which the<br />
next task bel<strong>on</strong>gs <strong>and</strong> loads the pointer into the CR3<br />
register.<br />
4. HEAP PROTECTION IN HOTSPOT VM<br />
In our implementati<strong>on</strong> of the heap protecti<strong>on</strong> for HotSpot<br />
VM, we protect two heaps that HotSpot VM uses.<br />
10 Linux maps large pages <strong>on</strong>ly to address space that programs<br />
committed specially for large pages.<br />
Heap for Java: HotSpot VM uses this heap to allocate the<br />
data structures Java applicati<strong>on</strong>s allocate, such as Java<br />
instances.<br />
Heap for dynamically compiled code: HotSpot VM’s<br />
dynamic compiler uses this heap for storing dynamically<br />
compiled code.<br />
We protect both heaps from being modified by threads<br />
executing native methods, <strong>and</strong> protect the heap for dynamically<br />
compiled code from being modified by threads executing<br />
Java methods (including the runtime routines HotSpot<br />
VM provides). We permit <strong>on</strong>ly the threads for dynamic<br />
compilati<strong>on</strong> to write to the heap for dynamically compiled<br />
code 11 . This HotSpot VM is thus secured because dynamically<br />
compiled code is protected against threads executing<br />
Java methods that have received malicious inputs that try<br />
to take c<strong>on</strong>trol of the HotSpot VM by using bugs in the<br />
HotSpot VM to overwrite the dynamically compiled code<br />
with malicious code.<br />
The heap protecti<strong>on</strong> feature we implemented works as follows.<br />
1. At start-up, HotSpot VM creates two heap protecti<strong>on</strong><br />
domains. It uses <strong>on</strong>e, PD java, for Java method executi<strong>on</strong>,<br />
<strong>and</strong> the other, PD compiler , for dynamic compilati<strong>on</strong>.<br />
HotSpot VM sets permissi<strong>on</strong>s for its heap<br />
as illustrated in figure 2 by using mprotect(). It permits<br />
both heap protecti<strong>on</strong> domains to write to the Java<br />
heap <strong>and</strong> PD compiler to write to the heap for dynamically<br />
compiled code.<br />
HotSpot VM does not allow PD default to write to both<br />
heaps. PD default is a heap protecti<strong>on</strong> domain created<br />
by default, <strong>and</strong> HotSpot VM uses it to execute C functi<strong>on</strong>s.<br />
HotSpot VM permits PD default to read from<br />
the Java heap, so that JNI calls from C functi<strong>on</strong>s that<br />
cannot modify the heap can be executed without invoking<br />
setpd().<br />
2. At JNI invocati<strong>on</strong>, HotSpot VM causes each thread to<br />
call setpd() to set its heap protecti<strong>on</strong> domain.<br />
When a thread executing a Java method calls a C<br />
functi<strong>on</strong> through JNI, HotSpot VM causes the thread<br />
to call setpd() to set its heap protecti<strong>on</strong> domain to<br />
PD default , <strong>and</strong> it causes the thread to call setpd()<br />
again at the end of the C functi<strong>on</strong> executi<strong>on</strong> to set<br />
its heap protecti<strong>on</strong> domain to PD java. HotSpot VM<br />
does the opposite when a thread executing a C functi<strong>on</strong><br />
calls a Java method through JNI.<br />
3. When an invalid memory access is detected, HotSpot<br />
VM aborts immediately <strong>and</strong> dumps the core file to<br />
show where the invalid memory access has been detected.<br />
5. IMPLEMENTATION OF SETPD()<br />
Because setpd() is called twice for every JNI invocati<strong>on</strong><br />
that may modify the Java heap, its efficiency is important.<br />
Figure 3 shows a can<strong>on</strong>ical implementati<strong>on</strong> of setpd().<br />
11 We temporarily permit threads running Java methods to<br />
write to the heap for dynamically compiled code when they<br />
patch the dynamically compiled code.<br />
106