Strato: A Retargetable Framework for Low- Level Inlined Reference Monitors

Transcription

1 Strato: A Retargetable Framework for Low- Level Inlined Reference Monitors Bin Zeng, Gang Tan, Úlfar Erlingsson Lehigh University Google Inc. USENIX Security DC, USA

2 ASacks How asacks happen Arrive as user input through a communicavon channel Trigger pre- exisvng bugs Take over program execuvons ASack vector Mobile code, untrusted extensions Memory corrupvon asacks [StackSmash] Return Oriented Programming [ROP] 2

3 ExisVng Countermeasures Data ExecuVon ProtecVon [DEP] Address Space Layout RandomizaVon [PaX] Program Shepherding [Shepherding] Inlined Reference Monitors [IRM] Control Flow Integrity [CFI, XFI, HyperSafe] So]ware- based Fault IsolaVon [PiSsfield, NaVve Client] 3

4 Inlined Reference Monitors (IRMs) IRM: embed security checks in programs Well- established against various asacks E.g., buffer overflows, Return- Oriented Programming asacks 4

5 Inlined Reference Monitors (IRMs) CFI (Control- Flow Integrity): checks control flow SFI (So]ware- based Fault IsolaVon) also checks memory reads and writes Example: Google s NaVve Client Verifiable machine code plugins for browsers 5

6 However, Most IRM ImplementaVons are Low- Level Binary rewrivng, assembly instrumentavon, ImplementaVons Tightly coupled with architectures Hard to reuse For example, NaVve Client (NaCl) has mulvple implementavons x86-32; x

7 Our General Idea Perform IRM rewrivng at an Intermediate- RepresentaVon (IR) level Use an IR that is largely architecture- independent (in parvcular, LLVM IR) Benefits Reuse transformavons among architectures IR is amenable to opvmizavons Retain verifiability of low- level code 7

8 Challenges of IR- level RewriVng Compiler transformavons a]er the IR can invalidate security assumpvons Have to trust the compiler back- end from IR to low- level code TCB Bloat 8

9 Are Compilers Trustworthy? Source Code Compiler Binary Code 9

10 Compilers are Buggy Source Code Compiler Binary Code 10

11 Compilers are Buggy Compilers have a huge code base GCC 4.8 has more than 7.3 million lines of code Csmith found 300+ unknown bugs [PLDI 11] LLVM has a steady bug rate 11

12 Buggy Compiler OpVmizaVons Any sufficiently opvmizing compiler is indisvnguishable from magic. - - Paraphrasing Arthur C. Clarke 12

13 Compiler OpVmizaVons Compiler opvmizavons invalidate security assumpvons They only care about funcvonal semanvcs Security properves are o]en non- funcvonal 13

14 Research QuesVon How to do IRM rewrivng at the IR level, and preserve low- level security? Our paper s contribuvon: Strato: a IRM- implementavon framework that performs IR- level rewrivng and preserves low- level security 14

15 Key Challenge Challenge: a]er checks are inserted at the IR level, backend transformavons may invalidate security if all data memory is untrusted Before register allocavon A]er register allocavon ptr.safe = check(ptr) tmp = load *ptr.safe store v, *ptr.safe Register spilling ptr.safe = check(ptr) tmp = load *ptr.safe store ptr.safe, *stack_loc ptr.safe2 = load *stack_loc store v, *ptr.safe2 15

16 ASack Model Guard region is mprotected Anything from memory is untrusted 16

17 Our Idea for Addressing the Problem Insert more- than- enough checks at the IR level ASach constraints to checks to encode condivons that might be invalidated by the compiler A]er compiler transformavons, perform constraint checking at the low level Remove checks iff constraints are svll valid If a compiler transformavon invalidates a constraint, then the check is le] intact for security Let s go through an example next 17

18 Uninstrumented IR Code entry: tmp = 0 if(v > 47) goto then else: tmp = load *ptr goto end then: store v, *ptr end: ret tmp 18

19 Instrumented and OpVmized IR entry: ptr.safe = check(ptr) // check1 tmp = 0 if(v > 47) goto then else: ptr.safe1 = check(ptr.safe) // check2 # nospill(ptr.safe, check1, check2) tmp = load *ptr.safe1 goto end then: ptr.safe2 = call check(ptr.safe) // check3 # nospill(ptr.safe, check1, check3) store v, *ptr.safe2 end: ret tmp Security checks Constraints Original code Redundant Check EliminaVon 19

20 A]er Constraint Checking entry: ptr.safe = check(ptr) // check1 tmp = 0 if(v > 47) goto then else: ptr.safe1 = check(ptr.safe) // check2 # nospill(ptr.safe, check1, check2) tmp = load *ptr.safe goto end then: ptr.safe2 = call check(ptr.safe) // check3 # nospill(ptr.safe, check1, check3) store v, *ptr.safe2 end: ret tmp Assume ptr.safe not spilled between check1 and check2, but spilled between check2 and check3 20

21 Another Example: Uninstrumented IR Code x = gep p, 0, 0 tmp1 = load *x y = gep p, 0, 1 tmp2 = load *y sum = add tmp1, tmp2 ret sum 21

22 Instrumented and OpVmized IR p.safe = check(p) // check1 x = gep p.safe, 0, 0 x.safe = check(x) // check2 # nospill(p.safe, check1, check2) # sizeof(struct s)*0 + sizeof(long)*0 < GZSize tmp1 = load *x.safe y = gep p.safe, 0, 1 y.safe = check(y) // check3 # nospill(p.safe, check1, check3) # sizeof(struct s)*0 + sizeof(long)*1 < GZSize tmp2 = load *y.safe sum = add tmp1, tmp2 ret sum SequenVal Memory Access OpVmizaVon 22

23 A]er Constraint Checking p.safe = check(p) // check1 x = gep p.safe, 0, 0 x.safe = check(x) // check2 # nospill(p.safe, check1, check2) # sizeof(struct s)*0 + sizeof(long)*0 < GSize tmp1 = load *x.safe y = gep p.safe, 0, 1 y.safe = check(y) // check3 # nospill(p.safe, check1, check3) # sizeof(struct s)*0 + sizeof(long)*1 < GSize tmp2 = load *y.safe sum = add tmp1, tmp2 ret sum Assume (1) ptr.safe not spilled between check1 and check2, or check1 and check3 (2) offsets less than guard- zone size 23

24 Strato: Retargetable IRMs InstrumentaVon at intermediate representavon level, i.e. LLVM IR IR- level checks OpVmizaVons of security checks and asach constraints Constraint- checking before lowering If a constraint holds, remove the check Otherwise, lower the IR- level check to machine code VerificaVon at the low level Remove everything else outside the TCB (including constraint checking) 24

25 The Architecture of Strato Source IR IR Secured IR Secured IR Compiler Frontend Compiler Optimizations Check Instrumentation Check Optimizations Code Gen Constraint Checking x32 ASM x64 ASM ASM Check Lowering x32 ASM x64 ASM ASM Verification x32 ASM x64 ASM ASM 25

26 Benefits Retargetable Easy to port to other architectures Enable opvmizavons Structured informavon at the IR level StaVc Single Assignment form Code reuse InstrumentaVon and opvmizavons can be shared among various architectures 26

27 The ImplementaVon of Strato Two policies: CFI & SFI InstrumentaVon FuncVon passes into the end LLVM pipeline OpVmizaVons Redundant Check EliminaVon SequenVal Memory Access OpVmizaVon Loop- based Check OpVmizaVon OpVmizaVons asach constraints Constraint checking Range analysis (interval analysis) based verifier 27

28 VerificaVon Based on CCS paper [CCS 11] A]er all the opvmizavons, constraint checking, a verifier verifies the final result in assembly code Removes everything before out of TCB Based on range analysis Found a few bugs in our implementavon 28

29 Performance EvaluaVon LLVM 2.9 To demonstrate retargetability: x86-32 x86-64 (small changes on x86-32) 29

30 CFI Overhead on SPEC2k 30 % 25 % 20 % 15 % 10 % x86-32: ~6% x86-64: ~8% gzip vpr gcc mcf crafty parser eon perlbmk gap vortex bzip2 twolf avg 5 % 0 % x86-32 x

31 Overhead of CFI with Data Sandboxing for Both Reads and Writes on SPEC2K 70 % 60 % 50 % 40 % 30 % 20 % x86-32: ~20% x86-64: ~25% gzip vpr gcc mcf crafty parser eon perlbmk gap vortex bzip2 twolf avg 10 % 0 % x86-32 x

32 Compare with Previous work s performance Even though our framework is retargetable and trustworthy, the performance is compevvve 32

33 Summary A retargetable framework for IRMs OpVmizaVons on checks CompeVVve performance Constraint language Range analysis based verifier 33

34 References [CFI] Abadi et al. Control- Flow Integrity Principles, ImplementaVons, and ApplicaVons, ACM CCS 2005 [csmith] Yang et al. Finding and Understanding Bugs in C Compilers, PLDI 2011 [HyperSafe] Wang et al. HyperSafe: A Lightweight Approach to Provide LifeVme Hypervisor Control- Flow Integrity, IEEE S&P 2010 [IRM] Erlingsson et al. The Inlined Reference Monitor Approach to Security Policy Enforcement, doctoral dissertavon, 2004 [NaVve Client] Yee et al. NaVve Client: A Sandbox for Portable, Untrusted x86 NaVve Code, IEEE S&P 2009 [PiSsfield] McCamant et al. EvaluaVng SFI for a CISCI Architecture, USENIX Security 2006 [ROP] Roemer et al. Return- oriented Programming: Systems, Languages, and ApplicaVons, ACM TISSEC 2012 [Shepherding] Kiriansky et al. Secure ExecuVon Via Program Shepherding, USENIX Security 2002 [SmashStack] Aleph One. Smashing the stack for fun and profit, Phrack Magazine, 1996 [XFI] Erlingsson et al. XFI: So]ware Guards for System Address Spaces, OSDI

35 Strato: A Retargetable Framework for Low- Level Inlined- Reference Monitors Thank you! QuesVons? Bin Zeng zeb209@lehigh.edu Gang Tan gtan@cse.lehigh.edu Úlfar Erlingsson ulfar@google.com 35