Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI)

Similar documents
Securing Untrusted Code

Confinement (Running Untrusted Programs)

Inline Reference Monitoring Techniques

0x1A Great Papers in Computer Security

Control Flow Integrity & Software Fault Isolation. David Brumley Carnegie Mellon University

Lecture Notes for 04/04/06: UNTRUSTED CODE Fatima Zarinni.

Lecture 4 September Required reading materials for this class

Sandboxing. CS-576 Systems Security Instructor: Georgios Portokalidis Spring 2018

SECURING SOFTWARE AGAINST LIBRARY ATTACKS

Anne Bracy CS 3410 Computer Science Cornell University

ISOLATION DEFENSES GRAD SEC OCT

4. Jump to *RA 4. StackGuard 5. Execute code 5. Instruction Set Randomization 6. Make system call 6. System call Randomization

Anne Bracy CS 3410 Computer Science Cornell University

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Syscalls, exceptions, and interrupts, oh my!

CS 5460/6460 Operating Systems

Inject malicious code Call any library functions Modify the original code

Hakim Weatherspoon CS 3410 Computer Science Cornell University

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

kguard++: Improving the Performance of kguard with Low-latency Code Inflation

Spectre and Meltdown. Clifford Wolf q/talk

Efficient Software Based Fault Isolation. Software Extensibility

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Hardware OS & OS- Application interface

CS 550 Operating Systems Spring System Call

0x1A Great Papers in Computer Security

Runtime Integrity Checking for Exploit Mitigation on Embedded Devices

Computer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018

CS 537 Lecture 2 Computer Architecture and Operating Systems. OS Tasks

Introduction to Security and User Authentication

Confinement (Running Untrusted Programs)

Portland State University ECE 587/687. Virtual Memory and Virtualization

Buffer overflow background

A Software Solution for Hardware Vulnerabilities

New York University CSCI-UA : Advanced Computer Systems: Spring 2016 Midterm Exam

Control Flow Integrity

SYSTEM CALL IMPLEMENTATION. CS124 Operating Systems Fall , Lecture 14

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

Practical and Efficient Exploit Mitigation for Embedded Devices

CSE 227 Computer Security Spring 2010 S f o t ftware D f e enses I Ste St f e an f Sa v Sa a v g a e g

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I Solutions

Software Vulnerabilities August 31, 2011 / CS261 Computer Security

Remote Procedure Call (RPC) and Transparency

The Geometry of Innocent Flesh on the Bone

in memory: an evolution of attacks Mathias Payer Purdue University

INFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD

Control Flow Integrity for COTS Binaries Report

BlackBox. Lightweight Security Monitoring for COTS Binaries. Byron Hawkins and Brian Demsky University of California, Irvine, USA

Network File System (NFS)

15 Sharing Main Memory Segmentation and Paging

Network File System (NFS)

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Fundamentals of Linux Platform Security

Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include

Outline. V Computer Systems Organization II (Honors) (Introductory Operating Systems) Language-based Protection: Solution

Secure Programming I. Steven M. Bellovin September 28,

The Kernel Abstraction. Chapter 2 OSPP Part I

Other array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned

The Kernel Abstraction

CS 6V Control-Flow Integrity Principles, Implementations, and Applications. Sureshbabu Murugesan

Lecture Embedded System Security A. R. Darmstadt, Runtime Attacks

Module: Advanced Program Vulnerabilities and Defenses. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Lec 22: Interrupts. Kavita Bala CS 3410, Fall 2008 Computer Science Cornell University. Announcements

Least-Privilege Isolation: The OKWS Web Server

20: Exploits and Containment

RISCV with Sanctum Enclaves. Victor Costan, Ilia Lebedev, Srini Devadas

CS 161 Computer Security

Security Architecture

Tolerating Malicious Drivers in Linux. Silas Boyd-Wickizer and Nickolai Zeldovich

CMPSC 497 Buffer Overflow Vulnerabilities

CS261 Scribe Notes: Secure Computation 1

16 Sharing Main Memory Segmentation and Paging

Hacking Blind BROP. Presented by: Brooke Stinnett. Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh

String Oriented Programming Exploring Format String Attacks. Mathias Payer

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

Bypassing Browser Memory Protections

CS 550 Operating Systems Spring Interrupt

Undermining Information Hiding (And What to do About it)

Secure Coding Techniques

Computer Science. ! Other approaches:! Special systems designed for extensibility

Thwarting unknown bugs: hardening features in the mainline Linux kernel

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2

Protection. Thierry Sans

6.828 Fall 2007 Quiz II Solutions

CSE 509: Computer Security

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

Background: Operating Systems

Advanced Systems Security: Ordinary Operating Systems

Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08

Language Security. Lecture 40

Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade Review

typedef void (*type_fp)(void); int a(char *s) { type_fp hf = (type_fp)(&happy_function); char buf[16]; strncpy(buf, s, 18); (*hf)(); return 0; }

Operating Systems. Operating System Structure. Lecture 2 Michael O Boyle

Prof. Kavita Bala and Prof. Hakim Weatherspoon CS 3410, Spring 2014 Computer Science Cornell University. P&H Chapter 4.9, pages , appendix A.

Recall: Address Space Map. 13: Memory Management. Let s be reasonable. Processes Address Space. Send it to disk. Freeing up System Memory

Buffer Overflow Attacks

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

143A: Principles of Operating Systems. Lecture 5: Address translation. Anton Burtsev October, 2018

Reversed Buffer Overflow Cross Stack Attacks. Kris Kaspersky Endeavor Security, Inc.

Transcription:

Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI) Brad Karp UCL Computer Science CS GZ03 / M030 9 th December 2011

Motivation: Vulnerabilities in C Seen dangers of vulnerabilities: injection of arbitrary code return-to-libc (no code injection; malicious invocation of existing code) Vulnerabilities are bugs application behavior not intended by programmer Bugs in C often because memory operations not safe many ways to overwrite stored pointer, cause it to point to arbitrary memory 31

Motivation: Vulnerabilities in C Seen dangers of vulnerabilities: injection of arbitrary code return-to-libc (no code injection; malicious Can we invocation constrain of existing behavior code) of application code to prevent bugs from corrupting memory, and thus allowing exploits? Vulnerabilities are bugs application behavior not intended by programmer Bugs in C often because memory operations not safe many ways to overwrite stored pointer, cause it to point to arbitrary memory 32

Motivation: Untrusted Extensions Users often wish to extend application with new functionality made available as a binary module, e.g., Flash player plugin for Firefox browser Binary kernel module for new filesystem for Linux Key risk: code from untrusted source (e.g., web site), but will run in your application s address space What if code overwrites your app s data? Or calls functions in your app s code with ill intent? (e.g., calls disable_certificate_check()) 33

Motivation: Untrusted Extensions Users often wish to extend application with new functionality made available as a binary module, e.g., Flash player plugin for Firefox browser N.B. Binary extension kernel code module may for new be malicious filesystem for Linux may merely be buggy Key risk: code from untrusted source (e.g., web site), but will run in your application s address space What if code overwrites your app s data? Or calls functions in your app s code with ill intent? (e.g., calls disable_certificate_check()) 34

Risks of Running Untrusted Code Overwrites trusted data or code Reads private data from trusted code s memory Executes privileged instruction Calls trusted functions with bad arguments Jumps to middle of trusted function Contains vulnerabilities allowing others to do above 35

Allowed Operations for Untrusted Code Reads/writes own memory Executes own code Calls explicitly allowed functions in trusted code at correct entry points 36

Straw Man Solution: Isolation with Processes Run original app code in one process, untrusted extension in another; communicate between them by RPC (Recall NFS over RPC, but between distinct hosts) Memory protection means extension cannot read/write memory of original app Not very transparent for programmer, if app and extension closely coupled Performance hit: context switches between processes trap to kernel, copy arguments, save and restore registers, flush processor s TLB 37

Straw Man Solution: Isolation with Processes Run original app code in one process, untrusted extension in another; communicate between them by RPC (Recall NFS over RPC, but between distinct hosts) Memory protection means extension cannot Can read/write we do better? memory of original app Not very transparent for programmer, if app and extension closely coupled Performance hit: context switches between processes trap to kernel, copy arguments, save and restore registers, flush processor s TLB 38

Today s Topic: Software-Based Fault Isolation Run untrusted binary extension in same process (address space) as trusted app code Place extension s code and data in sandbox: Prevent extension s code from writing to app s memory outside sandbox Prevent extension s code from transferring control to app s code outside sandbox Idea: add instructions before memory writes and jumps to inspect their targets and constrain their behavior 39

SFI Use Scenario Developer runs sandboxer on unsafe extension code, to produce safe, sandboxed version: adds instructions that sandbox unsafe instructions transformation done by compiler or by binary rewriter Before running untrusted binary code, user runs verifier on it: checks that safe instructions don t access memory outside extension code s data checks that sandboxing instructions in place before all unsafe instructions 40

SFI Use Scenario Developer runs sandboxer on unsafe extension code, to produce safe, sandboxed version: adds instructions that sandbox unsafe instructions transformation done by compiler or by binary User need not trust sandboxer; only verifier rewriter Before running untrusted binary code, user runs verifier on it: checks that safe instructions don t access memory outside extension code s data checks that sandboxing instructions in place before all unsafe instructions 41

SFI Unit of Isolation: Fault Domain SFI confines untrusted code within a fault domain, in same address space (process) as trusted code Fault domain consists of: Unique ID (used for access control on syscalls) Code segment: virtual address range with same unique high-order bits, used to hold code Data segment: virtual address range with same unique high-order bits, used to hold data Segment ID: unique high-order bits for a segment 42

Fault Domain Example virtual address 0x10000000 0x100fffff 0x10100000 stack, heap, static data Code Segment Data Segment fault domain Segment IDs are 12 bits long in example Separate segments for code and data allow distinguishing addresses as falling in one or other 0x101fffff 0x10200000 app memory 43

Sandboxing Memory Untrusted code should only be able to: jump within its fault domain s code segment write within its fault domain s data segment Sandboxer must ensure all jump, call, and memory store instructions comply with above Two types of memory addresses in instructions: direct: complete address is specified statically in instruction indirect: address is computed from register s value 44

Sandboxing Memory (2) For directly addressed memory instructions, sandboxer should only emit: directly addressed jumps and calls whose targets fall in fault domain s code segment e.g., JUMP 0x10030000 directly addressed stores whose targets fall in fault domain s data segment e.g., STORE 0x10120000, R1 Directly addressed jumps, calls, stores can be made safe statically 45

Sandboxing Indirectly Addressed Memory Indirectly addressed jumps, calls, stores harder to sandbox full address depends on register whose value not known statically e.g., STORE R0, R1 e.g., JR R3 These are unsafe instructions that must be made safe at runtime 46

Sandboxing Indirectly Addressed Memory (2) Suppose unsafe instruction is STORE R0, R1 ; write R1 to Mem[R0] Sandboxer rewrites code to: MOV Ra, R0 ; copy R0 into Ra SHR Rb, Ra, Rc ; Rb = Ra >> Rc, to get segment ID CMP Rb, Rd ; Rd holds correct data segment ID BNE fault STORE Ra, R1 ; wrong data segment ID ; Ra in data segment, so do write Ra, Rc, and Rd are dedicated may not be used by extension code 47

Sandboxing Indirectly Accessed Memory (3) Why does rewritten code use STORE Ra, R1 and not STORE R0, R1 After all, R0 has passed the check! Extension code may jump directly to STORE, bypassing check instructions! Because Ra, Rc, Rd are dedicated, Ra will always contain safe address inside data segment 48

Sandboxing Indirectly Accessed Memory (3) Why does rewritten code use STORE Ra, R1 and not Remember: STORE R0, R1 extension code may not set After all, R0 has passed the check! Extension code may jump directly to STORE, bypassing check instructions! Because Ra, Rc, Rd are dedicated, Ra will always contain safe address inside data segment dedicated registers! 49

Sandboxing Indirectly Accessed Memory (4) Costs of first sandboxing scheme for indirectly addressed memory: adds 4 instructions before each indirect store uses 6 registers, 5 of which must be dedicated (never available to extension) example used 3 dedicated registers, but need 2 more for sandboxing unsafe code addresses Can we do better, and get away with fewer added instructions? Yes, if we give up being able to identify which instruction accessed outside sandbox! 50

Faster Sandboxing of Indirect Addresses Idea: don t check if target address is in segment; force it to be in segment So we transform STORE R0, R1 into: AND Ra, R0, Re ; clear segment ID bits in Ra OR Ra, Ra, Rf ; set segment ID to correct value STORE Ra, R1 ; do write to safe target address Now segment ID bits in Ra will always be correct; can write anywhere in segment, but not outside it Cost: 2 added instructions, 5 dedicated registers 51

Faster Sandboxing of Indirect Jumps and Calls Very similar to data address sandboxing Transform JR R0 as follows: AND Rg, R0, Re ; clear segment ID bits in Rg OR Rg, Rg, Rh ; set segment ID to correct value JR Rg ; do jump to safe target address N.B. use of separate dedicated registers Rg for code target address, Rh for code segment ID Return from function similar, too (to sandbox return address) 52

Optimization: Guard Zones Some instructions use register+offset addressing: they use register as base, and supply offset for CPU to add to it To sandbox such an instruction, SFI would need to do additional ADD to compute base +offset Clever insight: offsets are of limited size, because of instruction encoding (+/- 64K on MIPS) So if base in correct segment, offset could stray no more than 64K outside that segment 53

Guard Zones (2) virtual address 0x0fff0000 0x10000000 0x100fffff 0x1010ffff 0x101f0000 0x10200000 0x102fffff 0x1030ffff guard zone Code Segment guard zone guard zone Data Segment guard zone 0x10310000 app memory Surround each segment with 64K guard zone of unmapped pages Ignore offsets when sandboxing! Accesses to guard zones cause traps Saves one ADD for reg+offset instrs 54

Optimization: Stack Pointer Insight: stack pointer is read far more often than it s written; used as base address for many reg+offset instructions SFI doesn t sandbox uses of stack pointer as base address; instead sandboxes setting of stack pointer, so stack pointer always contains safe value Reduces number of instructions that pay sandboxing overhead 55

Verifier Upon receiving (supposedly) sandboxed binary, verifier must ensure all instructions safe For instructions that use direct addressing, easy to check statically that segment IDs in addresses are correct For those that use indirect addressing, verifier must ensure instruction preceded by full set of sandboxing instructions 56

Verifier (2) Verifier must ensure no privileged instructions in code Verifier must ensure PC-relative branches fall in code segment If sandboxed code fails any of these checks, verifier rejects it Otherwise, code is correctly sandboxed 57

SFI Limitations on x86 MIPS instructions fixed-length; x86 instructions variable-length Result: can jump into middle of x86 instruction! e.g., binary for AND eax, 0x80CD is 25 CD 80 00 00 If adversary jumps to second byte, he executes the instruction CD 80, which traps to a system call on Linux! Jump to mid-instruction on x86 may even jump out of fault domain into app code! x86 has very few registers (4 generalpurpose ones), so cannot dedicate registers easily 58

SFI vs. Exploits Simple stack-smashing, injecting code in stack buffer? can t execute own injected code can t jump to data segment Return-to-libc? can overwrite return address with one within fault domain s code segment so can do return-to-libc within extension Format string vulnerabilities? same story as above 59

SFI vs. Exploits: Lessons SFI allows write (including buffer overrun, %n overwrite) to extension s data SFI allows jumps anywhere in extension s code segment so attacker can exploit extension s execution and on x86, can probably cause jump out of fault domain 60

SFI vs. Exploits: Lessons SFI allows write (including buffer overrun, %n overwrite) to extension s data SFI allows jumps anywhere in extension s code segment To be fair, SFI wasn t designed for x86, and wasn t designed to prevent exploits, but rather to isolate untrusted extension from main application. so attacker can exploit extension s execution and on x86, can probably cause jump out of fault domain 61

SFI Summary Confines writes and control transfers in extension s data and code segments, respectively Can support direct calls to allowed functions in trusted (app) code Prevents execution of privileged instructions Any write or control transfer within extension s memory is allowed Requires dedicated registers 62

CFI: Control-Flow Integrity Follow-on to SFI; works on x86 Idea: examine control flow graph (CFG) of program, which includes all functions and all transfers of control between them (e.g., calls of named functions, returns from them) Doesn t require dedicated registers like SFI Finds all instruction boundaries Adds instructions to enforce that all jumps, branches, calls, returns transfer control to valid target found in CFG 63

CFI (2) Prevents return to injected code by overwriting return address: transition to return address of injected code not in CFG Prevents return-to-libc attack: enforces that return instruction in function f() can only transfer control to next instruction in some function that calls f() Further reading (not examinable): Abadi et al., Control-Flow Integrity, CCS 2005 64

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback