InkTag: Secure Applications on an Untrusted Operating System. Owen Hofmann, Sangman Kim, Alan Dunn, Mike Lee, Emmett Witchel UT Austin

Size: px

Start display at page:

Download "InkTag: Secure Applications on an Untrusted Operating System. Owen Hofmann, Sangman Kim, Alan Dunn, Mike Lee, Emmett Witchel UT Austin"

Posy Randall
5 years ago
Views:

1 InkTag: Secure lications on an Untrusted Operating System Owen Hofmann, Sangman Kim, Alan Dunn, Mike Lee, Emmett Witchel UT Austin

2 You trust your... should you? The is the software root of trust on most systems The is a shared vulnerability compromise infects all The is a vulnerable vulnerability Syscall interface a complex attack surface ioctl() Root often has -level privilege 2

3 You trust your... should you? The is the software root of trust on most systems The is a shared vulnerability compromise infects all The is a vulnerable vulnerability Syscall interface a complex attack surface ioctl() Root often has -level privilege 2

4 You trust your... should you? The is the software root of trust on most systems The is a shared vulnerability compromise infects all The is a vulnerable vulnerability Syscall interface a complex attack surface ioctl() Root often has -level privilege 2

5 You trust your... should you? The is the software root of trust on most systems The is a shared vulnerability compromise infects all The is a vulnerable vulnerability Syscall interface a complex attack surface ioctl() Root often has -level privilege 2

6 You should trust the hypervisor s have become a common part of the software stack Provide a layer of indirection under the s can be more trustworthy Fewer lines of code Thinner interface Fewer vulnerabilities 3

7 But the is still a problem Users want trustworthy applications lications still must trust the 4

8 But the is still a problem Users want trustworthy applications lications still must trust the 4

9 But the is still a problem Users want trustworthy applications lications still must trust the 4

10 Removing trust Why can the kernel compromise applications? No isolation still provides all essential services File I/O Memory mapping 5

11 Isolate and verify Can the hypervisor improve this situation? Previous systems have examined this problem Overshadow [ASPL 08] Trusted hypervisor isolates an application from an untrusted kernel Ensure that the follows its contract with the application 6

12 Verifying behavior 1. lication asks to update high-level state V = mmap(null,..., F, offset); lication expects pages from file F at address V 2. updates low-level state Immediately On-demand (e.g. paging) 3. Do updates match application requests? Did the map a frame containing data from F at the correct offset? page table 7

13 Verifying behavior 1. lication asks to update high-level state V = mmap(null,..., F, offset); lication expects pages from file F at address V 2. updates low-level state Immediately On-demand (e.g. paging) 3. Do updates match application requests? Did the map a frame containing data from F at the correct offset? mmap() 0x7FFCB... page table 7

14 Verifying behavior 1. lication asks to update high-level state V = mmap(file=f, offset=o); lication expects pages from file F at address V 2. updates low-level state Immediately On-demand (e.g. paging) 3. Do updates match application requests? Did the map a frame containing data from F at the correct offset? mmap() 0x7FFCB... page table 8

15 Verifying behavior 1. lication asks to update high-level state V = mmap(file=f, offset=o); lication expects pages from file F at address V 2. updates low-level state Immediately On-demand (e.g. paging) 3. Do updates match application requests? Did the map a frame containing data from F at the correct offset? page table 9

16 Verifying behavior 1. lication asks to update high-level state V = mmap(file=f, offset=o); lication expects pages from file F at address V 2. updates low-level state Immediately On-demand (e.g. paging) 3. Do updates match application requests? Did the map a frame containing data from F at the correct offset? page fault page table 9

17 Verifying behavior 1. lication asks to update high-level state V = mmap(file=f, offset=o); lication expects pages from file F at address V 2. updates low-level state Immediately On-demand (e.g. paging) 3. Do updates match application requests? Did the map a frame containing data from F at the correct offset? page fault page table set_pte() 9

18 Verifying behavior 1. lication asks to update high-level state V = mmap(file=f, offset=o); lication expects pages from file F at address V 2. updates low-level state Immediately On-demand (e.g. paging) 3. Do updates match application requests? Did the map a frame containing data from F at the correct offset? page fault page table 9

19 Verifying behavior 1. lication asks to update high-level state V = mmap(file=f, offset=o); lication expects pages from file F at address V 2. updates low-level state Immediately On-demand (e.g. paging) 3. Do updates match application requests? Did the map a frame containing data from F at the correct offset? page fault page table 10

20 Verifying behavior lication and hypervisor communicate Synchronize on high-level application state interposes on low-level updates Validate updates against expected state requires deep visibility into, application (semantic gap) page table 11

21 Verifying behavior lication and hypervisor communicate Synchronize on high-level application state interposes on low-level updates Validate updates against expected state requires deep visibility into, application (semantic gap) page table set_pte() 11

22 InkTag: secure applications on an untrusted Paraverification: require active participation from the untrusted for simpler, more efficient hypervisor design 12

23 InkTag security guarantees Control flow integrity cannot change program counter, registers Address space integrity cannot read or modify application data File I/O lications access the desired files Privacy and integrity for file data Built on address space integrity Process control lications can fork(), exec() Access control and naming lications can define access control policies, use string filenames Consistency -managed data and hypervisor-managed metadata remain in sync 13

24 InkTag security guarantees Control flow integrity cannot change program counter, registers Address space integrity cannot read or modify application data File I/O lications access the desired files Privacy and integrity for file data Built on address space integrity Process control lications can fork(), exec() Access control and naming lications can define access control policies, use string filenames Consistency -managed data and hypervisor-managed metadata remain in sync 14

25 InkTag security guarantees Control flow integrity cannot change program counter, registers Address space integrity cannot read or modify application data File I/O lications access the desired files Privacy and integrity for file data Built on address space integrity Process control lications can fork(), exec() Access control and naming lications can define access control policies, use string filenames Consistency -managed data and hypervisor-managed metadata remain in sync 15

26 InkTag security guarantees Control flow integrity cannot change program counter, registers Address space integrity cannot read or modify application data File I/O lications access the desired files Privacy and integrity for file data Basic Built memory on address isolation space integrity mechanisms Process Challenges: control why is this difficult? lications can fork(), exec() Paraverification: how can the untrusted help? Access control and naming lications can define access control policies, use string filenames Consistency -managed data and hypervisor-managed metadata remain in sync 16

27 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? Common mechanism used by Overshadow, InkTag, others expects to manage memory Show cleartext to application Show ciphertext to Hash for integrity H 17

28 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? Common mechanism used by Overshadow, InkTag, others expects to manage memory Show cleartext to application Show ciphertext to Hash for integrity H 17

29 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? Common mechanism used by Overshadow, InkTag, others expects to manage memory Show cleartext to application Show ciphertext to Hash for integrity H 17

30 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? Common mechanism used by Overshadow, InkTag, others expects to manage memory Show cleartext to application Show ciphertext to Hash for integrity H 17

31 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? Common mechanism used by Overshadow, InkTag, others expects to manage memory Show cleartext to application Show ciphertext to Hash for integrity H 17

32 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? Common mechanism used by Overshadow, InkTag, others expects to manage memory Show cleartext to application Show ciphertext to Hash for integrity H 17

33 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? Common mechanism used by Overshadow, InkTag, others expects to manage memory Show cleartext to application Show ciphertext to Hash for integrity H 18

34 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? Common mechanism used by Overshadow, InkTag, others expects to manage memory Show cleartext to application Show ciphertext to Hash for integrity H 18

35 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? Common mechanism used by Overshadow, InkTag, others expects to manage memory Show cleartext to application Show ciphertext to Hash for integrity H 18

36 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? Common mechanism used by Overshadow, InkTag, others expects to manage memory Show cleartext to application Show ciphertext to Hash for integrity 18

37 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? Position of data in address space must match application requests [mmap()] Ensure constructs the correct address space

38 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? Position of data in address space must match application requests [mmap()] Ensure constructs the correct address space

39 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? Position of data in address space must match application requests [mmap()] Ensure constructs the correct address space

40 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? Position of data in address space must match application requests [mmap()] Ensure constructs the correct address space

41 Ensure constructs the correct address space lication maps file F at addr V Are page faults to V handled correctly? Decrypted physical frame has same hash as F Interpose on page table updates Disallow arbitrary mapping Determine high-level update implied by low-level PTE change Match page table updates to application requests Virtual address V = file F, offset O Result of previous mmap() call page table 20

42 Ensure constructs the correct address space lication maps file F at addr V Are page faults to V handled correctly? Decrypted physical frame has same hash as F Interpose on page table updates Disallow arbitrary mapping Determine high-level update implied by low-level PTE change Match page table updates to application requests Virtual address V = file F, offset O Result of previous mmap() call mmap() 0x7FFCB... page table 20

43 Ensure constructs the correct address space lication maps file F at addr V Are page faults to V handled correctly? Decrypted physical frame has same hash as F Interpose on page table updates Disallow arbitrary mapping Determine high-level update implied by low-level PTE change Match page table updates to application requests Virtual address V = file F, offset O Result of previous mmap() call page fault page table 20

44 Ensure constructs the correct address space lication maps file F at addr V Are page faults to V handled correctly? Decrypted physical frame has same hash as F Interpose on page table updates Disallow arbitrary mapping Determine high-level update implied by low-level PTE change Match page table updates to application requests Virtual address V = file F, offset O Result of previous mmap() call page fault page table set_pte() 20

45 Ensure constructs the correct address space lication maps file F at addr V Are page faults to V handled correctly? Decrypted physical frame has same hash as F Interpose on page table updates Disallow arbitrary mapping Determine high-level update implied by low-level PTE change Match page table updates to application requests Virtual address V = file F, offset O Result of previous mmap() call page fault page table 20

46 Ensure constructs the correct address space lication maps file F at addr V Are page faults to V handled correctly? Decrypted physical frame has same hash as F Interpose on page table updates Disallow arbitrary mapping Determine high-level update implied by low-level PTE change Match page table updates to application requests Virtual address V = file F, offset O Result of previous mmap() call page fault page table 21

47 Ensure constructs the correct address space lication maps file F at addr V Are page faults to V handled correctly? Decrypted physical frame has same hash as F Interpose on page table updates Disallow arbitrary mapping Determine high-level update implied by low-level PTE change Match page table updates to application requests Virtual address V = file F, offset O Result of previous mmap() call page fault page table 22

48 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? Interpreting low-level page table updates can construct valid, but confusing page tables Order in which updates are seen matters Matching page table updates to application requests lication and hypervisor must communicate complete memory map PT PT(2) 23

49 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? Interpreting low-level page table updates can construct valid, but confusing page tables Order in which updates are seen matters Matching page table updates to application requests lication and hypervisor must communicate complete memory map PT (1) PT (2) 23

50 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? Interpreting low-level page table updates can construct valid, but confusing page tables Order in which updates are seen matters Matching page table updates to application requests lication and hypervisor must communicate complete memory map PT (1) PT (2) 24

51 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? Interpreting low-level page table updates can construct valid, but confusing page tables Order in which updates are seen matters Matching page table updates to application requests lication and hypervisor must communicate complete memory map PT (1) PT (2) 24

52 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? Interpreting low-level page table updates can construct valid, but confusing page tables Order in which updates are seen matters Matching page table updates to application requests lication and hypervisor must communicate complete memory map PT (1) PT (2) 24

53 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? Interpreting low-level page table updates can construct valid, but confusing page tables Order in which updates are seen matters Matching page table updates to application requests lication and hypervisor must communicate complete memory map PT (1) PT (2) 25

54 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? Interpreting low-level page table updates can construct valid, but confusing page tables Order in which updates are seen matters Matching page table updates to application requests lication and hypervisor must communicate complete memory map PT (1) PT (2) 25

55 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? Interpreting low-level page table updates can construct valid, but confusing page tables Order in which updates are seen matters Matching page table updates to application requests lication and hypervisor must communicate complete memory map PT (1) PT (2) 25

56 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? Stack lication must validate pointer results returned from kernel Iago attacks [ASPL 13] New region 26

57 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? Stack New region lication must validate pointer results returned from kernel Iago attacks [ASPL 13] mmap() 0x7FFCB... 26

58 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? The updates page tables Can guarantee sanity and ordering The maintains memory maps Can expose that information to hypervisor and application 27

59 Basic memory isolation mechanisms Challenges: why is this difficult? Paraverification: how can the untrusted help? Paraverification: an untrusted helping to verify its own behavior Take inspiration from paravirtualization Extensive use of existing paravirtual interface must participate, but information cannot be trusted 28

60 Paraverification: validating PTE updates Untrusted notifies hypervisor on page table updates Regular structure In update order 29

61 Paraverification: validating PTE updates Untrusted notifies hypervisor on page table updates Regular structure In update order pte_update( addr=0x7fcb... 29

62 Paraverification: validating PTE updates.file=....addr=....offset=... lication maintains memory mappings in an array of descriptors Interpose on mmap() in libc Generate a token for each mapping Unforgeable identifier describing requested mapping e.g. HMAC(addr, file, offset) In implementation, integer index 30

63 Paraverification: validating PTE updates.file=....addr=....offset=... mmap(file=..., token=5 0x7FCB... lication maintains memory mappings in an array of descriptors Interpose on mmap() in libc Generate a token for each mapping Unforgeable identifier describing requested mapping e.g. HMAC(addr, file, offset) In implementation, integer index 30

64 Paraverification: validating PTE updates.file=....addr=....offset=... lication maintains memory mappings in an array of descriptors Interpose on mmap() in libc Generate a token for each mapping Unforgeable identifier describing requested mapping e.g. HMAC(addr, file, offset) In implementation, integer index 30

65 Paraverification: validating PTE updates.file=....addr=....offset=... lication maintains memory mappings in an array of descriptors Interpose on mmap() in libc Generate a token for each mapping Unforgeable identifier describing requested mapping e.g. HMAC(addr, file, offset) In implementation, integer index 30 pte_update( addr=0x7fcb... token=5

66 Paraverification: validating PTE updates.file=....addr=....offset=... lication maintains memory mappings in an array of descriptors Interpose on mmap() in libc Generate a token for each mapping Unforgeable identifier describing requested mapping e.g. HMAC(addr, file, offset) In implementation, integer index 30 pte_update( addr=0x7fcb... token=5

67 Paraverification: validating PTE updates.file=....addr=....offset=... lication memory listing protected from Entries always allocated in defined virtual address range Invalid entries marked 31

68 Paraverification: validating PTE updates.file=....addr=....offset=... pte_update( addr=0x7fcb... token=eleventy lication memory listing protected from Entries always allocated in defined virtual address range Invalid entries marked 31

69 Paraverification: validating PTE updates.file=....addr=....offset=... pte_update( addr=0x7fcb... token=eleventy lication memory listing protected from Entries always allocated in defined virtual address range Invalid entries marked 31

70 Paraverification: validating PTE updates.file=....addr=....offset=... pte_update( addr=0x7fcb... token=eleventy lication memory listing protected from Entries always allocated in defined virtual address range Invalid entries marked 31

71 Paraverification: validating syscall results.file=....addr=....offset=... returns tokens to application to assist validation lication maintains linked list of mappings specifies previous entry lication checks for overlap, updates list 32

72 Paraverification: validating syscall results.file=....addr=....offset=... mmap(file=..., token=5 0x7FCB... returns tokens to application to assist validation lication maintains linked list of mappings specifies previous entry lication checks for overlap, updates list 32

73 Paraverification: validating syscall results.file=....addr=....offset=... mmap(file=..., token=5 0x7FCB..., prev=2 returns tokens to application to assist validation lication maintains linked list of mappings specifies previous entry lication checks for overlap, updates list 32

74 Paraverification: validating syscall results.file=....addr=....offset=... mmap(file=..., token=5 0x7FCB..., prev=2 Basic memory isolation mechanisms Challenges: why is this difficult? returns tokens to application to assist validation lication maintains linked list of mappings and application specifies previous entry lication checks for overlap, updates list Paraverification: how can the untrusted help? Guarantee sane address space updates Expose internal information to hypervisor 33

75 Implementation & Evaluation Prototype built with KVM, qemu, uclibc ~3500 hypervisor LOC Modify libc to validate syscall results microbenchmarks LMBench lications SPEC Apache DokuWiki 34

76 DokuWiki PHP CGI binary with InkTag extensions InkTag authentication module Use InkTag access control on wiki pages Result: hypervisor-enforced security for a PHP application Integrity for all script files Privacy and integrity for application data 35

77 InkTag overheads LMBench Low-level microbenchmarks 5x - 55x slowdown (for µs operations) High context switch latency SPEC CPU-bound applications Most applications <= 1.03x gcc x; perlbench, h264href x Apache Long-lived processes, infrequent MM activity 1.02x throughput slowdown, 1.13x latency DokuWiki Many short-lived processes, frequent memory mapping 1.54x throughput slowdown 36

78 Related work Untrusted operating systems XOM [Lie et al. SP 03] Overshadow [Chen et al. ASPL 08] SP 3 [Yang & Shin VEE 08] Cloudvisor [Zhang et al. SP 11] 37

79 Conclusion We can enforce trustworthy services from an untrustworthy Paraverification simplifies crucial isolation mechanisms 38

0x1A Great Papers in Computer Security

CS 380S 0x1A Great Papers in Computer Security Vitaly Shmatikov http://www.cs.utexas.edu/~shmat/courses/cs380s/ slide 1 X. Chen, T, Garfinkel, E. Lewis, P. Subrahmanyam, C. Waldspurger, D. Boneh, J. Dwoskin,