Memory Safety for Low- Level Software/Hardware Interactions

Similar documents
Secure Virtual Architecture: Using LLVM to Provide Memory Safety to the Entire Software Stack

Secure Virtual Architecture. John Criswell University of Illinois at Urbana- Champaign

SPIN Operating System

A Software Solution for Hardware Vulnerabilities

Separating Access Control Policy, Enforcement, and Functionality in Extensible Systems. Robert Grimm University of Washington

SPECTRES, VIRTUAL GHOSTS, AND HARDWARE SUPPORT

CS-527 Software Security

Memory Safety for Embedded Devices with nescheck

SecVisor: A Tiny Hypervisor for Lifetime Kernel Code Integrity

Buffer overflow background

Secure Virtual Architecture: A Safe Execution Environment for Commodity Operating Systems

Extensibility, Safety, and Performance in the Spin Operating System

Enhanced Operating System Security Through Efficient and Fine-grained Address Space Randomization

SAFECODE: A PLATFORM FOR DEVELOPING RELIABLE SOFTWARE IN UNSAFE LANGUAGES DINAKAR DHURJATI

Recap: Memory Management

Computer Science. ! Other approaches:! Special systems designed for extensibility

A Hardware-Assisted Virtualization Based Approach on How to Protect the Kernel Space from Malicious Actions

Software Speculative Multithreading for Java

6.033 Spring Lecture #6. Monolithic kernels vs. Microkernels Virtual Machines spring 2018 Katrina LaCurts

Semantic Analysis. Outline. The role of semantic analysis in a compiler. Scope. Types. Where we are. The Compiler Front-End

OS Virtualization. Why Virtualize? Introduction. Virtualization Basics 12/10/2012. Motivation. Types of Virtualization.

CCured. One-Slide Summary. Lecture Outline. Type-Safe Retrofitting of C Programs

Kruiser: Semi-synchronized Nonblocking Concurrent Kernel Heap Buffer Overflow Monitoring

SoK: Eternal War in Memory

The role of semantic analysis in a compiler

Operating System Security

Difference Engine: Harnessing Memory Redundancy in Virtual Machines (D. Gupta et all) Presented by: Konrad Go uchowski

Programming Languages Third Edition. Chapter 7 Basic Semantics

Return-Oriented Rootkits

Portland State University ECE 587/687. Virtual Memory and Virtualization

2 nd Half. Memory management Disk management Network and Security Virtual machine

Arsenal. Shadow-Box: Lightweight Hypervisor-Based Kernel Protector. Seunghun Han, Jungwhan Kang (hanseunghun

DieHard: Probabilistic Memory Safety for Unsafe Programming Languages

Oracle Developer Studio Code Analyzer

Lecture 3: O/S Organization. plan: O/S organization processes isolation

Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms

Blink: 3D Display Multiplexing for Virtualized Applications

Xen and the Art of Virtualization. Nikola Gvozdiev Georgian Mihaila

Administrivia. Lab 1 due Friday 12pm. We give will give short extensions to groups that run into trouble. But us:

CSE 120 Principles of Operating Systems

Myths and Realities: The Performance Impact of Garbage Collection

Transparent Pointer Compression for Linked Data Structures

SentinelOne Technical Brief

CIS Operating Systems Memory Management Cache. Professor Qiang Zeng Fall 2017

Thwarting unknown bugs: hardening features in the mainline Linux kernel

Nooks. Robert Grimm New York University

Security Research at Harvard SEAS. Stephen Chong Asst. Prof. of Computer Science Harvard SEAS Cybersecurity Awareness Day Oct

The Challenges of X86 Hardware Virtualization. GCC- Virtualization: Rajeev Wankar 36

Paging. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University

Towards High Assurance Networks of Virtual Machines

Beyond the PDP-11: Architectural support for a memory-safe C abstract machine

Segmentation (Apr 5 and 7, 2005)

Introduction to Operating. Chapter Chapter

in memory: an evolution of attacks Mathias Payer Purdue University

COS 318: Operating Systems. Virtual Memory and Address Translation

6.828: OS/Language Co-design. Adam Belay

Short-term Memory for Self-collecting Mutators. Martin Aigner, Andreas Haas, Christoph Kirsch, Ana Sokolova Universität Salzburg

CIS Operating Systems Memory Management Cache and Demand Paging. Professor Qiang Zeng Spring 2018

Part 1: Introduction to device drivers Part 2: Overview of research on device driver reliability Part 3: Device drivers research at ERTOS

Causes of Software Failures

Introduction to Operating Systems. Chapter Chapter

Clotho: Transparent Data Versioning at the Block I/O Level

Distributed Systems Operation System Support

Paging. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Real-World Buffer Overflow Protection in User & Kernel Space

Supporting Operating System Kernel Data Disambiguation using Points-to Analysis

Introduction to Operating Systems. Chapter Chapter

Nested Virtualization and Server Consolidation

Lecture 13: Address Translation

CS 161 Computer Security

Runtime Integrity Checking for Exploit Mitigation on Embedded Devices

The Simple Firmware Interface

G Xen and Nooks. Robert Grimm New York University

Typed Assembly Language for Implementing OS Kernels in SMP/Multi-Core Environments with Interrupts

Xen and the Art of Virtualization

Virtual Memory Oct. 29, 2002

Kernel Support for Paravirtualized Guest OS

CSE 307: Principles of Programming Languages

Semantic Analysis. Outline. The role of semantic analysis in a compiler. Scope. Types. Where we are. The Compiler so far

CS527 Software Security

Memory Management. Disclaimer: some slides are adopted from book authors slides with permission 1

Fast Byte-Granularity Software Fault Isolation

CS3210: Crash consistency

Cling: A Memory Allocator to Mitigate Dangling Pointers. Periklis Akritidis

Modeling Page Replacement: Stack Algorithms. Design Issues for Paging Systems

Advanced Operating Systems (CS 202) Virtualization

Lecture Notes for 04/04/06: UNTRUSTED CODE Fatima Zarinni.

Virtual Machines Measure Up

Outline. Exploiting Program Parallelism. The Hydra Approach. Data Speculation Support for a Chip Multiprocessor (Hydra CMP) HYDRA

Managing Array of SSDs When the Storage Device is No Longer the Performance Bottleneck

User-Level Sandboxing: a Safe and Efficient Mechanism for Extensibility

CSCE Introduction to Computer Systems Spring 2019

Operating Systems 4/27/2015

Lecture 4 September Required reading materials for this class

HA2lloc: Hardware-Assisted Secure Allocator

Intel Virtualization Technology Roadmap and VT-d Support in Xen

PostgreSQL as a benchmarking tool

Virtual memory Paging

CFIXX: Object Type Integrity. Nathan Burow, Derrick McKee, Scott A. Carr, Mathias Payer

4. Jump to *RA 4. StackGuard 5. Execute code 5. Instruction Set Randomization 6. Make system call 6. System call Randomization

Transcription:

Safety for Low- Level Software/Hardware Interactions John Criswell Nicolas Geoffray Montreal or Bust! Vikram Adve

Safety Future is Bright User-space memory safety is improving Safe languages SAFECode, CCured, Baggy bounds checking, Softbound, etc safety for operating systems exists! Singularity (C#), SPIN (Modula-3) Linux on Secure Virtual Architecture (C)

A New Enemy Arises: Software/Hardware Interactions What is a low-level software-hardware interaction? Instruction that manipulates hardware resources Below semantics of the programming language Perfectly type-safe code! But: Can corrupt control-flow or data-flow Examples: Processor State I/O Objects MMU mappings

Safety: Processor State Operating systems explicitly manage Processor State Processor states saved in memory buffers Type-safe stores can modify a saved processor state Can subvert control/data-flow integrity P Pointer in OS R1 R2 R3 PC SP

Safety: Processor State Operating systems explicitly manage Processor State Processor states saved in memory buffers Type-safe stores can modify a saved processor state Can subvert control/data-flow integrity P Pointer in OS R1 R2 R3 PC SP

Safety: Processor State Operating systems explicitly manage Processor State Processor states saved in memory buffers Type-safe stores can modify a saved processor state Can subvert control/data-flow integrity P Pointer in OS R1 R2 R3 PC SP Context Switch R1 R2 R3 PC SP CPU

Safety: I/O I/O device memory and RAM in same address space However, I/O memory is different I/O memory incompatible with standard compiler analysis I/O memory has side effects on hardware Intel E1000E Bug on Linux 2.6 Invalid write on I/O memory Damaged Intel E1000E Network Cards Potential DoS Attack

Safety: MMU MMU can violate type safety T1* P1 Pointers T2* P2 Virtual Physical

Safety: MMU MMU can violate type safety T1* P1 Pointers T2* P2 Virtual Physical

Safety: MMU T1* P1 MMU can violate type safety Pointers T2* P2 Virtual Physical MMU can make kernel pages accessible to user-space BID9356, BID9686, BID18177 (www.securityfocus.com) User Kernel Virtual Physical

Safety: MMU T1* P1 MMU can violate type safety Pointers T2* P2 Virtual Physical MMU can make kernel pages accessible to user-space BID9356, BID9686, BID18177 (www.securityfocus.com) User Kernel Virtual Physical

It s Already Here! Intel E1000E Bug MMU exploits in Linux Need solutions before these attacks become more sophisticated and commonplace!

SVA-OS: Safety for Low- Level Software-Hardware Interactions First system to provide comprehensive memory safety for low-level software/hardware interactions Linux 2.4.22 on Secure Virtual Architecture (SVA) Compiler analysis and runtime checks Little overhead above and beyond traditional memory safety Effective at preventing software/hardware exploits

Outline Motivation High-level Solutions Design of SVA-OS Experimental Results Future Work and Conclusions

Foundations: What Do We Need? System that provides traditional memory safety SVA-OS will preserve memory safety Examples Type-safe languages, e.g. Singularity Compiler techniques for commodity operating systems, e.g. Secure Virtual Architecture (SVA)

Solution: Processor State New instruction to save old state and restore new state State saved in internal SVA-OS memory State referenced by ID returned from VM Policy left to OS Scheduling, context switching, signal delivery ID1 ID2 ID3 Process 1: ID 1 Process 3: ID 2 Process 8: ID 3 R1 R2 PC SP R1 R2 PC SP R1 R2 PC SP OS Task Structures SVA-OS CPU

Solution: Mapped I/O New instruction to map I/O memory into address space New instructions to load/store I/O objects Add run-time checks to ensure that: Regular load/stores access memory I/O accesses access I/O memory P1 Pointer P2 I/O Pointer iostore (v, *p1); store (v, *p2);

Solution: Mapped I/O New instruction to map I/O memory into address space New instructions to load/store I/O objects Add run-time checks to ensure that: Regular load/stores access memory I/O accesses access I/O memory P1 Pointer P2 I/O Pointer iostore (v, *p1); store (v, *p2);

Solution: Mapped I/O New instruction to map I/O memory into address space New instructions to load/store I/O objects Add run-time checks to ensure that: Regular load/stores access memory I/O accesses access I/O memory P1 Pointer P2 I/O Pointer iostore (v, *p1); store (v, *p2);

Solution: MMU Add run-time checks on MMU updates Mapping kernel memory into user-space Mapping data inconsistent with types Same mechanism as VMMs Finer-grain checks User Kernel T1* P1 T2* P2 Virtual Physical Virtual Physical

Solution: MMU Add run-time checks on MMU updates Mapping kernel memory into user-space Mapping data inconsistent with types Same mechanism as VMMs Finer-grain checks User Kernel T1* P1 T2* P2 Virtual Physical Virtual Physical

Solution: MMU Add run-time checks on MMU updates Mapping kernel memory into user-space Mapping data inconsistent with types Same mechanism as VMMs Finer-grain checks User Kernel T1* P1 T2* P2 Virtual Physical Virtual Physical

Solution: MMU Add run-time checks on MMU updates Mapping kernel memory into user-space Mapping data inconsistent with types Same mechanism as VMMs Finer-grain checks User Kernel T1* P1 T2* P2 Virtual Physical Virtual Physical

Solution: MMU Add run-time checks on MMU updates Mapping kernel memory into user-space Mapping data inconsistent with types Same mechanism as VMMs Finer-grain checks User Kernel T1* P1 T2* P2 Virtual Physical Virtual Physical

Outline Motivation High-level Solutions Design of SVA-OS Experimental Results Future Work and Conclusions

Secure Virtual Architecture 1 Compiler-based virtual machine Hosts a commodity OS (e.g., Linux) Provides traditional memory safety guarantees (control-flow and data-flow integrity) OS Kernel SVA Run-time Library Safety Compiler Native Code Generator Hardware OS Allocator Safety Run-time Library SVA ISA SVA Virtual Machine Native ISA Hardware 1 Criswell et al. [SOSP 2007]

From SVA to SVA-OS Extend the SVA software/hardware interface New instructions control software/hardware interactions Enforce memory safety for low-level operations Use static analysis when possible Add run-time checks when necessary

Solution: Processor State Save old state and place new state in a single instruction sva_swap_integer Return opaque handle Buffer saved in SVA-OS memory Buffer released on sva_swap_integer call ID1 ID2 ID3 Process 1: ID 1 Process 3: ID 2 Process 8: ID 3 R1 R2 PC SP R1 R2 PC SP R1 R2 PC SP OS Task Structures SVA-OS CPU

Solution: Processor State Save old state and place new state in a single instruction sva_swap_integer Return opaque handle Buffer saved in SVA-OS memory Buffer released on sva_swap_integer call ID1 ID2 Process 1: ID 1 Process 3: ID 2 Process 8: ID 3 R1 R2 PC SP R1 R2 PC SP R1 R2 PC SP OS Task Structures SVA-OS CPU

Solution: Mapped I/O Operating system uses a pseudo-allocator Map I/O objects into virtual address space New instructions for I/O reads and writes sva_io_readb, sva_io_writeb Compiler marks I/O memory as type-unknown Load/store check on each access Load/store checks on memory objects that alias

Solution: MMU VMM-like interface to declare and update MMU mappings sva_declare_l1_page, sva_declare_l2_page sva_update_l1_mapping, sva_update_l2_mapping Runtime checks for typed memory Pointer analysis in SVA segregates data by types SVA-OS ensures this stays consistent Run-time checks for dividing memory SVA-OS memory and kernel memory Kernel memory and user-space memory I/O memory and regular kernel memory

Linux 2.4 Port on SVA-OS Less than 100 lines changes from original SVA Linux port switch_to sva_swap_integer readb sva_io_readb set_pte sva_update_l1_mapping pte_alloc_one sva_declare_l1_page Compiler changes: Allocation of I/O objects: ioremap

Outline Motivation High-level Solutions Design of SVA-OS Experimental Results Future Work and Conclusions

Does It Work? Tested two real world MMU exploits BID9356, BID9686 on Linux 2.4 BID18177 exploit code not available Injected errors into our Linux 2.4 port New system calls Studied the E1000E Intel Network bug Paper study because only on Linux 2.6

MMU Exploits on Linux 2.4 BID9356 Map count = 1 fork, mmap User Kernel Virtual Physical

MMU Exploits on Linux 2.4 BID9356 Map count = 2 fork, mmap User Kernel Virtual Physical

MMU Exploits on Linux 2.4 BID9356 Map count = 3 fork, mmap User Kernel Virtual Physical

MMU Exploits on Linux 2.4 BID9356 Map count = 4 fork, mmap User Kernel Virtual Physical

MMU Exploits on Linux 2.4 BID9356 Map count = 0 fork, mmap User Kernel Virtual Physical

MMU Exploits on Linux 2.4 BID9356 Map count = 0 fork, mmap User Kernel Virtual Physical

MMU Exploits on Linux 2.4 BID9356 Map count = 0 fork, mmap User Kernel Virtual Physical

MMU Exploits on Linux 2.4 BID9356 fork, mmap User Kernel Map count = 0 Virtual Physical BID9686 Missing error check on mremap MMU mappings not cleared

MMU Exploits on Linux 2.4 BID9356 fork, mmap User Kernel Map count = 0 Virtual Physical BID9686 Missing error check on mremap MMU mappings not cleared Both bugs were detected by SVA-OS, not SVA

Error Injection Modification of Processor State Double mapping of a type-safe memory object Modify metadata of SVA with incorrect bounds

Error Injection Modification of Processor State SVA: control flow changed SVA-OS: Caught as an invalid integer to pointer cast Double mapping of a type-safe memory object Modify metadata of SVA with incorrect bounds

Error Injection Modification of Processor State SVA: control flow changed SVA-OS: Caught as an invalid integer to pointer cast Double mapping of a type-safe memory object SVA: Subsequent store succeeds SVA-OS: Second mapping caught by MMU checks Modify metadata of SVA with incorrect bounds

Error Injection Modification of Processor State SVA: control flow changed SVA-OS: Caught as an invalid integer to pointer cast Double mapping of a type-safe memory object SVA: Subsequent store succeeds SVA-OS: Second mapping caught by MMU checks Modify metadata of SVA with incorrect bounds SVA: safety guarantees disabled SVA-OS:Access to SVA memory caught by MMU checks

E1000E Bug on Linux 2.6 cmpxchg on dangling pointer Instruction thought it was code memory Unpredictable behavior on I/O memory Network card damaged With SVA-OS No I/O memory mapped on code page Load/Store checks on I/O memory

Web Server Bandwidth: thttpd Athlon 2100+, 1GB of RAM, 1Gb/s network Higher is better Micro-benchmark overheads in paper SVA SVA-OS 1.0000 Web Server Bandwidth Normalized to Native 0.7500 0.5000 0.2500 0 1 2 4 8 16 32 64 128 256 512 1024 File Size (KB)

User-Application Benchmarks Negligible overhead on user-space applications Benchmark i386 (s) SVA (s) SVA-OS (s) % Increase (i386 to SVA-OS) bzip2 18.7 18.3 18.0 0.0% lame 133.3 132.0 126.0-0.1% perl 22.3 22.3 22.3 0.0%

Outline Motivation High-level Solutions Design of SVA-OS Experimental Results Future Work and Conclusions

Future Work Improve Static Analysis Reduce run-time checks Additional Security Properties Information flow control Apply to other systems Type-safe language OS, e.g. Singularity JVMs, hypervisors

Contributions Identified memory-safety violations from lowlevel software/hardware operations First system to provide comprehensive safety guarantees for such operations Leaves control under OS Incurs little run-time overhead above SVA Questions? See what we do at http://sva.cs.uiuc.edu

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback