Protecting the JVM from segfaults

Thu Apr 8 00:56:15 UTC 2021

Yes, there's still a lot of issues to iron out, but it's interesting 
still. What I'm more worried about is that, when you have some other 
large complicated framework like PyTorch or TensorFlow running in the 
same process, and one of those (that doesn't really care about these 
kinds of issues) crash, we'll probably need to restart the whole process 
to get anything going again anyway, so I don't know how useful all this 
can be for that purpose. We'd need to somehow integrate that into a 
language like C, which is what Rust is for I suppose, but it still 
basically allows you to do anything.

Samuel

On 4/7/21 8:58 PM, Maurizio Cimadamore wrote:
> Interesting article.
> 
> I've been reading about ARM's Memory Tagging Extension:
> 
> https://developer.arm.com/tools-and-software/open-source-software/linux-kernel/memory-tagging
> 
> Which is, I believe, very similar to Intel's MPK (at least in spirit).
> 
> I found the whole idea potentially interesting, except for the 
> scalability issues also mentioned in the paper: since there's only a low 
> number of "bits" available for tagging, only a statistical approach to 
> reduce use-after-free as much as possible could be realized.
> 
> The paper main contribution seems to be that of building a "virtual" tag 
> space, so that we're freed from hardware limitations. That said, this 
> virtualization technique is not without issues - as the paper says:
> 
>> For this reason, libmpk does not ensure that a calling thread always 
>> obtains the access due to hardware limitations. That is, if all 
>> hardware keys are actively used, libmpk is no longer able to provide any key
> 
> That is, I suspect that if N threads all ask for a virtual key at the 
> same time, and N exceeds the amount of physical keys that can be handed 
> out by the processor, well, it just bails out.
> 
> While this approach might work in cases where sources of memory 
> allocations are known and monitored - I don't see something like this 
> flying as a general purpose mechanism to achieve pointer safety.
> 
> That said, this is an interesting space to be monitoring (and we've been 
> doing so in the past) - it just doesn't seem to me that the silver 
> bullet exists - yet, but I don't exclude that further refinements of the 
> memory tagging support might bring us closer to that HW-enforced, 
> pointer safety nirvana.
> 
> Maurizio
> 
> On 07/04/2021 12:15, Samuel Audet wrote:
>> I was curious about that myself recently, and I've found interesting 
>> new features in today's CPU known as "memory protection keys" that 
>> could allow us to introduce that kind of protection from segfaults, 
>> essentially isolating the JVM from other code in the same process, 
>> with very low overhead:
>>
>> ERIM: Secure, Efficient In-process Isolation with Protection Keys (MPK)
>> https://www.usenix.org/system/files/sec19-vahldiek-oberwagner_0.pdf