Sugar: Secure GPU Acceleration in Web Browsers

Size: px

Start display at page:

Download "Sugar: Secure GPU Acceleration in Web Browsers"

Domenic Palmer
5 years ago
Views:

1 Sugar: Secure GPU Acceleration in Web Browsers Zhihao Yao, Zongheng Ma, Yingtong Liu, Ardalan Amiri Sani, Aparna Chandramowlishwaran Trustworthy Systems Lab, UC Irvine 1

2 WebGL was released in Source:

3 WebGL is popular WebGL adoption rate by top 100 websites 47.0% 53.0% 3

4 WebGL is popular Browser support rate (48.8 million visitors) Does not support 4.0% 96.0% 4 Source: (2017)

6 WebGL recap 6

7 First, a quick recap on OpenGL Native app user space Kernel mode GPU driver hardware GPU hardware 7

8 First, a quick recap on OpenGL Native app Native functionapp call user space Kernel mode GPU driver hardware GPU hardware 8

9 First, a quick recap on OpenGL Native app Native app user space syscall Kernel mode GPU driver hardware GPU hardware 9

10 Use the same design for WebGL? Web app Buggy Malicious user space Compromised Kernel mode GPU driver hardware GPU hardware 10

11 Web apps are not trusted Web app Buggy Malicious user space Compromised Kernel mode GPU driver hardware GPU hardware 11

12 GPU driver is buggy Web app Buggy Malicious user space Compromised Kernel mode GPU driver hardware GPU hardware 12

13 Kernel driver is compromised Web app web app Buggy Malicious user space Compromised Kernel mode GPU driver hardware GPU hardware 13

14 Current WebGL design GPU Process Web app Web Webapp app Checks Browser user space Kernel mode GPU driver hardware GPU hardware 14

15 Current WebGL design GPU Process IPC Web app Web Webapp app Checks Browser user space Kernel mode GPU driver hardware GPU hardware 15

16 Security checks in GPU Process GPU Process Web app Web Webapp app Checks Browser user space Kernel mode GPU driver hardware GPU hardware 16

driver GPU hardware 17 158,000 LoC (GPU Process)

17 TCB of current WebGL Design GPU Process Web app Web Webapp app Checks Browser Kernel mode GPU driver GPU hardware ,000 LoC (GPU Process) 457,000 LoC (GL libraries) 123,000 LoC (GPU driver)

18 Vulnerabilities in GPU process GPU Process Web app Web Webapp app Checks Browser Kernel mode GPU driver GPU hardware 18 CVE CVE CVE CVE CVE

19 Kernel driver is compromised GPU Process Web app Web Webapp app Checks Browser Kernel mode GPU driver CVE * Chrome Chrome * CVE CVE GPU hardware 19 *Not yet fixed

20 Vulnerability examples CVE CVE CVE CVE CVE Chrome Issue Chrome Issue CVE * Chrome issue Chrome issue * CVE CVE CVE execute arbitrary code execute arbitrary code read browser UI read GPU process memory use of cross-origin contents browser hang leak system username system UI freeze kernel panic system UI freeze read of GPU memory read of GPU memory read of GPU memory 20 *Not yet fixed

21 Our WebGL vulnerability study 21

22 Current WebGL design High performance Known Zero day vulnerabilities vulnerabilities 22 System UI freeze

CVE-2014-3173, read of GPU graphics memory

23 CVE , read of GPU graphics memory We type some private notes in terminal: 23

24 CVE , read of GPU graphics memory 24

25 Overview of Sugar Key idea: Use GPU virtualization to give an untrusted web app a separate vgpu 25

26 Intel GPU virtualization We build a prototype on Intel GPU virtualization Intel GPU virtualization is available since the 4th generation Core processors [1] [1] Photo credit:

27 27

28 vgpu 2 vgpu 1 GPU GPU 28

29 Sugar s design Web app GPU Process vgpu driver Browser Kernel mode GPU driver user space hardware vgpu GPU hardware 29

30 Sugar s design Web app function call GPU Process vgpu driver Browser Kernel mode GPU driver user space hardware vgpu GPU hardware 30

31 Sugar s design Web app GPU Process function call vgpu driver Browser Kernel mode GPU driver user space hardware vgpu GPU hardware 31

32 Sugar s design Web app GPU Process vgpu driver Browser Kernel mode GPU driver user space hardware vgpu GPU hardware 32

33 Sugar s design Web app GPU Process virtual graphics plane vgpu driver Browser Kernel mode GPU driver vgpu GPU hardware 33 primary graphics plane

34 Why is Sugar secure? 34

35 Web app process is untrusted Web app GPU Process vgpu driver Browser Kernel mode GPU driver user space hardware vgpu GPU hardware 35

36 Web app process is sandboxed Web app GPU Process vgpu driver Browser Kernel mode GPU driver user space hardware vgpu GPU hardware 36

37 vgpu is isolated Web app GPU Process vgpu driver Browser Kernel mode GPU driver user space hardware vgpu GPU hardware 37

38 Sugar s TCB is small Web app GPU Process vgpu driver Browser 34,400 LoC (GPU virtualization) Kernel mode GPU driver user space hardware vgpu GPU hardware 38

39 Vulnerability examples CVE CVE CVE CVE CVE Chrome Issue Chrome Issue CVE * Chrome issue Chrome issue * CVE CVE CVE execute arbitrary code execute arbitrary code read browser UI read GPU process memory use of cross-origin contents browser hang leak system username system UI freeze kernel panic system UI freeze read of GPU memory read of GPU memory read of GPU memory 39 *Not yet fixed

40 Limitation of this Sugar design Intel vgpu hang will cause a real GPU hang 40

41 Dual-GPU Sugar Key idea: Use two GPUs to fully isolate the virtual graphics plane and the primary graphics plane. Solves system UI freeze Provides better performance isolation 41

driver hardware vgpu GPU 1 hardware GPU 2 hardware Photo

42 Dual-GPU Sugar s design Web app GPU process vgpu driver user space Browser Kernel mode GPU 1 driver Kernel mode GPU 2 driver hardware vgpu GPU 1 hardware GPU 2 hardware Photo credit:

43 Many computers have two GPUs dell.com/inspiron15 apple.com/macbook-pro store.hp.com/envy 43

44 Intel s 8th Generation Core Processors with Radeon RX Vega M Graphics Source:

45 Sugar s implementation 45

46 WebGL in web app process Reuse most of GPU process code WebKit / Blink Ported from GPU process WebGL frontend WebGL backend vgpu driver 46

47 vgpu driver as a library We modify to issue function calls instead of syscalls WebKit / Blink WebGL frontend WebGL backend function call vgpu driver 47

48 Register: trap and emulate Web app GPU Process vgpu driver Mapped registers Browser Kernel mode GPU driver user space hardware vgpu GPU hardware 48

49 Register: trap and emulate Web app GPU Process vgpu driver Mapped registers Browser Kernel mode GPU driver GPU virtualization layer will emulate user space hardware vgpu GPU hardware 49

50 Interrupt: deliver as signal Web app GPU Process vgpu driver Browser Kernel mode GPU driver Interrupt user space hardware vgpu GPU hardware 50

51 Interrupt: deliver as signal Web app GPU Process vgpu driver Browser The virtualization layer delivers as a signal Kernel mode GPU driver Interrupt user space hardware vgpu GPU hardware 51

52 Interrupt: deliver as signal Web app GPU Process vgpu driver Signal Browser Kernel mode GPU driver Interrupt user space hardware vgpu GPU hardware 52

53 DMA overview GPU DMA 53 Main memory

54 DMA overview vgpu Page table DMA 54 Main memory

55 Evaluations 55

56 Sugar s performance is good under the same WebGL benchmarks that Chrome uses 56

57 Sugar s performance is good under the same WebGL benchmarks that Chrome uses 60 FPS 57

58 Sugar s CPU overhead is low Sugar is better than CPU rendering by 375% on average 58

59 Summary Sugar leverages modern GPU virtualization solutions to isolate WebGL Sugar addresses this by repurposing Intel vgpu driver to a library Thank you! Sugar is open source: 59

Tolerating Malicious Drivers in Linux. Silas Boyd-Wickizer and Nickolai Zeldovich

XXX Tolerating Malicious Drivers in Linux Silas Boyd-Wickizer and Nickolai Zeldovich How could a device driver be malicious? Today's device drivers are highly privileged Write kernel memory, allocate memory,...