CapableVMs

Lead Research Organisation: King's College London
Department Name: Informatics

Abstract

Virtual machines (VMs, also known as managed language runtimes) are ubiquitous components in the modern software stack. They power the web, running in client-side browsers, server-side applications, and smartphone apps. In any ranking of popular programming languages, at least half of the top ten languages run on VMs (e.g. Python, Java, C#, JavaScript, PHP).

A key problem is that VM security has traditionally been a secondary concern relative to performance. Industrial strength VMs have large, complex code-bases, and large numbers of hand-crafted optimizations. Not only are they beyond any one person's ability to understand, but security has tended to be treated reactively: mature, widely used VMs such as HotSpot (the standard Java VM) regularly have 50-100 CVEs per year.

The CapableVMs project hypothesises that CHERI hardware-enforced capabilities are the first realistic technique to make VM security proactive. In order to address this hypothesis, we will have to answer two research questions: can VMs be divided into compartments that capabilities can then enforce, and what is the performance impact of compartmentalisation? These two factors are related: some ways of dividing VMs into compartments may cause worse performance than others. We propose a number of different ways of compartmentalising VMs, starting on small VMs to help us understand the problem, before scaling up to V8 (the industrial-strength JavaScript VM inside Chrome).

Planned Impact

CapableVMs will have medium and long term impacts on both VM developers and researchers, software developers in a wider sense, and the general public.

As the first project to tackle the challenge of making high-performance programming language VMs amenable to compartmentalisation using CHERI hardware-enforced capabilities, CapableVMs will be of initial interest to VM developers. This is a relatively small community (perhaps around 500-1000 people worldwide) but with an outsized influence: JavaScript VMs, for example, power nearly every webpage we visit; and Java VMs power many server applications from finance to health. Although traditionally this community has been focussed almost entirely on performance, the 2018 Spectre attacks have made the community reconsider security issues.

There is now a realisation that VM security has not received sufficient priority in the past: CapableVMs takes a radical approach to this problem which will be of significant interest to this community. We expect that the community will incorporate our ideas into their VMs and/or change future development plans; some may use the concrete changes we have made to systems like PyPy/RPython and V8 directly. We have excellent contacts within many VM teams, but Arm's open-source group has an even wider network of contacts: Arm's involvement as a project partner therefore amplifies our impact considerably. In addition, to ensure that we have an impact upon current and future VM researchers, we will run a summer school in 2023, to create a forum for dissemination of early project research results, to allow cross-fertilization between projects, and to drive increased research interest and adoption.

One of CapableVMs' goals is to enable sandboxing in V8, isolating different JavaScript programs from one another. Some JavaScript programs require non-local access and thus cannot be sandboxed in this fashion. However, it is likely that some programs use non-local access despite there being a better way of achieving their functionality. Our work will highlight such issues to software developers, and will encourage them to reconsider how their programs operate: those that choose to change their program to forsake non-local access will then help end users. All of the changes that we make to open-source VMs such as V8 will be open-source themselves, and we will interact informally with non-VM software developers as the project progresses to understand their needs.
