Presentation is loading. Please wait.

Presentation is loading. Please wait.

Tiara Procedure Invocation Crossing domains without Context Switch Enforcing the Call/Return Abstraction Privilege escalation.

Published byIngrid Linch Modified over 9 years ago

Similar presentations

Presentation on theme: "Tiara Procedure Invocation Crossing domains without Context Switch Enforcing the Call/Return Abstraction Privilege escalation."— Presentation transcript:

1 Tiara Procedure Invocation Crossing domains without Context Switch Enforcing the Call/Return Abstraction Privilege escalation

2 Motivation Domain switching is implemented in all current systems by changing address spaces. –User space –Kernel space –Kernel code runs with unlimited privilege Inter-process communication involves double context switch –The kernel stands between me and my friends Expensive and inconvenient because it’s implemented by a special mechanism Can all this be replaced by single, convenient and trusted mechanism

3 Procedure Call Procedure call is a universal mechanism for information flow –We want to avoid proliferation of mechanisms –System calls should be the same as any other call But violation of the call/return abstraction is the vehicle for many attacks –Overwriting return pointer through overflow –Long branches into middle of procedures –… We want to demonstrate that we can have interactions without violations

4 Constraints Complete object orientation –Everything is an object with base, bounds, meta-data including type and compartment All code lives in code-objects –A reference to a code-object is called a procedure-pointer All branches are relative to the base of the code-object and are bounds checked Calls can only be performed on procedure-references

5 Hardware provided support Every thread has an associated Principal –Principle references have meta-data that limit access to them Every word is tagged with meta-data –Type (~ 8 bits = 256 data-types) –Compartment (~ 16 bits = 65,000 compartments) Instructions also have meta-data All internal registers have meta-data –Including the PC On every operation the combination of operand meta-data, PC meta-data, the Principal, the instruction and instruction meta- data are checked. Every object reference is bounds checked

6 Basic Data Structures Procedure-Pointer ReferenceMeta-Data Code-object Size Branch Code-object Size Call All branches are to an offset from the base of the current code-object and are bounds checked as are all references

7 Implications: Well behaved branches A branch instruction is shorthand for – load instruction register –with the instruction –at the specified offset in the code object Like other loads this is bounds checked Therefore: –Can only jump within code block –Can’t jump into another code block at an arbitrary point

8 Implications: Immutable code Instructions have meta-data –Data type is “instruction” –Compartment is one of the “code compartments” All write instructions check the meta-data of the new and old data and the principal register –No principals are allowed to overwrite instructions (in normal policy framework). Therefore: –Code is immutable –In particular branch and call instructions cannot be changed

9 Implications: Can’t create code Creating an instruction requires setting the tag of a register to the specific value for instruction Creating a procedure-pointer requires setting the tag to the specific value for procedure pointer Set-tag is an instruction allowed only to a few principals: GC, Loader Therefore: –Normal code can’t create an instruction –Normal code can’t create a code-block –Normal code can’t create an arbitrary procedure pointer

10 Implications: Can only invoke permitted procedures at their entry point The “call” instruction checks the meta-data of the procedure pointer against the principal of the current thread. –Procedure-pointers can be tagged with compartments denied to specific sets of principals The only procedure invocation mechanism is the “call” and this enters at the first instruction –Multiple entry points can be supported by passing in an entry point number in a register with the first instruction doing a jump to the offset in that register If you’re in a procedure you had the privilege level to invoke it

11 An extra mechanism A processor state bit –Set by “call” instruction –Flipped by “entry” instruction –Traps if it’s on at the end of any instruction other than “call” instruction Call Started InstructionState Call1 Entry0 InstructionState Not a Call0 Entry1 InstructionState Call1 Not Entry0 Trap No Trap

12 Trap Handling A “forced procedure call” to a routine indexed by trap-vector “Processor-trap” state-bit Trap-handler-entry instruction Can only get to a trap-handler by trapping Call Started InstructionState Trap1 Trap-Entry0 InstructionState Not a Trap0 Trap-Entry1 InstructionState Trap1 Not Trap- Entry 0 Trap Started Trap No Trap

13 Elaborated Data Structures Procedure-PointerMeta-Data Code-object Size Entry # Entry Inst Preamble R1 Dispatch Table Entry Code 2 Constants Common Instructions Size Entry Inst Instructions Size Entry Inst Instructions Size Entry Inst Instructions Internal Procedures Entry Code 1 R0 Procedure-call R0, R1, R2 Entry Instruction: Flips procedure-call state bit Checks Entry # is less than number of entries Preamble Code: Does common setup Dispatches to entry point New Frame Pointer R2 Arg0 Continuation Frame Ptr

14 Procedure Return We adopt “continue passing style” at the instruction set level There are no “return” instructions, just continuation calls Uses all checks applied to call Size Entry Inst Instructions Call-1 Data Size Entry Inst Instructions Continuation-1 Size Entry Inst Instructions Call-1 Data Return Pointer

15 Stack Discipline Frame Pointer Previous Frame Continuation Arg0 Arg1 Local 1 Return Values Size Entry Inst Instructions Call-1 Data Size Entry Inst Instructions Continuation-1 PC Size Entry Inst Instructions Call Previous Frame Continuation Arg0 Arg1 Local 1 Garbage Collectable

16 Compiled Code for Calls/Returns Initiate Call (code in caller): –Allocate frame for passed in arguments + previous stack pointer + continuation + locals pointer –Load registers with procedure-pointer and entry # –Make call Complete Call (code in callee): –Allocate frame for locals including return values from called routines –Store local pointer in call frame –Entry instruction Return (code in callee) –Stores return values in locals frame –Calls continuation

17 Cross Domain Calls Simplest variety of system service –Call system service in your own thread System service may need to “run in another domain” –I.e. it may require different privileges than your code –The called routine switches the contents of the Principal register to reflect its needs –Stores old Principal register state first –Restores old Principal before return Can only make cross domain call if previous Principal has ability to invoke the routine Invoked routine has limited rights to caller data

18 Compartmented Stack Structure Frame Pointer Previous Frame Continuation Arg0 Arg1 Local Pointer Previous Frame Continuation Arg0 Arg1 Locals Pointer Return Values Local 1 Local 0 Return Values Local 1 Local 0 CallerCallee Caller R/W Caller R Callee W Caller R/W Caller W Callee R/W

19 Cross Domain Call Procedure-PointerMeta-Data Code-object Size Entry # Entry Inst Ld Principal Preamble R1 Dispatch Table Entry Code 2 Constants Common Instructions Size Entry Inst Instructions Size Entry Inst Instructions Size Entry Inst Instructions Internal Procedures Entry Code 1 R0 Procedure-call R0, R1, R2 New Frame Pointer R2 Arg0 Continuation Frame Ptr Old Principal Ld Principal Return

20 Other Communication Patterns Non Strict Calls Forks-Joins Streamed Communication

21 Non-Strict Calls Build new frame Call scheduler with a procedure pointer and frame –Domain crossing happens here –Scheduler creates a new thread running the procedure in the supplied frame and makes it schedulable –Scheduler returns to caller, caller continues New thread is run eventually –May switch domains Synchronization through “futures” –Initially a value that when referenced causes caller to block –Filled in by callee, with return value

22 Queued (Stream) Communication Service routine runs in its own thread under its own Principal Caller prepares frame –Frame data is Write once for caller –Frame data is R/W for callee Caller calls “Enqueue” routine in its own thread –Possible domain switch for this Callee eventually dequeues request and runs it

23 Other Types of Procedural Objects Closure: –Pair of Environment and Code-block –Typically the Environment is the frame for an enclosing procedure –When invoked code-block is called with the environment as an extra argument –We could make all procedures be closures, most closed around the “global environment” Generic Procedures –Basis for Class-based Object-Oriented Programming –Dispatches to a method based on types and/or identity of one or more arguments, internal data is dispatch table

24 The Loader We assume that only the loader can create a code-object –Input is “late intermediate” pass of compiler –Loader resolves final issues Loader checks that the static code obeys overall system design constraints –If there’s a “Load Principal Register” instruction then code and procedure-reference must be in an appropriate domain for the principal Allows for multi-platform targeting Makes the loader part of the TCB Removes the compiler from the TCB

25 Issues Can the loader be the target of an attack –Create code block that breaks the rules Can the “Load Principal Register” instruction be abused? –Maybe need another HashEx like box that looks at a full datum (e.g. the Principal register) and tags. Can we make more use of the meta-data tags of instructions?

26 Summary Eliminate many forms of unstructured code that lead to vulnerability –Arbitrary jumps –Calls to targets, other than procedure entry point –Ability to overwrite code –Ability to overwrite return/frame pointers Supports very cheap cross domain call –Just a normal procedure call that changes Principal –In some cases, streamed model used –Domains are symmetrically protected from each other. Code in system routine doesn’t get access to user data

27 Closures Actually code-objects are not what is called Closures are Traditionally: Closure = Code-objects + Env –Null Env means global environment? We add Principal to this –Switch to Principal if non-null Code Block Environment Principal Closure Size Entry Inst Preamble Dispatch Table Entry Code 2 Constants Common Instructions Entry Code 1 Environment Continuation Arg0 Arg1 Local 1 Return Values Previous Frame

28 Starting A Call Code-object Size Entry Inst Constants Instructions Current Frame Pointer Principal Env Code Block Arg0 Continuation Env Old Frame Current Principal Arg0 Continuation Env Old Frame Closure Current Frame Size Entry Inst Instructions Continuation Code-Object New Closure For Continuation Size Entry Inst Constants Instructions Principal Env Code Block Current Code-object New Frame New Frame Pointer New Principal

Download ppt "Tiara Procedure Invocation Crossing domains without Context Switch Enforcing the Call/Return Abstraction Privilege escalation."

Similar presentations

More on Processes Chapter 3. Process image _the physical representation of a process in the OS _an address space consisting of code, data and stack segments.

More on Processes Chapter 3. Process image _the physical representation of a process in the OS _an address space consisting of code, data and stack segments.
1 System Calls (TRAPS) and Subroutines Patt and Patel Ch. 9.

1 System Calls (TRAPS) and Subroutines Patt and Patel Ch. 9.
Chapter 9 TRAP Routines and Subroutines. Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 9-2 Subroutines.

Chapter 9 TRAP Routines and Subroutines. Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 9-2 Subroutines.
Procedure Calls Prof. Sirer CS 316 Cornell University.

Procedure Calls Prof. Sirer CS 316 Cornell University.
MODERN OPERATING SYSTEMS Third Edition ANDREW S. TANENBAUM Chapter 3 Memory Management Tanenbaum, Modern Operating Systems 3 e, (c) 2008 Prentice-Hall,

MODERN OPERATING SYSTEMS Third Edition ANDREW S. TANENBAUM Chapter 3 Memory Management Tanenbaum, Modern Operating Systems 3 e, (c) 2008 Prentice-Hall,
Chapter 12 CPU Structure and Function. CPU Sequence Fetch instructions Interpret instructions Fetch data Process data Write data.

Chapter 12 CPU Structure and Function. CPU Sequence Fetch instructions Interpret instructions Fetch data Process data Write data.
Chapter 6 Limited Direct Execution

Chapter 6 Limited Direct Execution
1 Storage Registers vs. memory Access to registers is much faster than access to memory Goal: store as much data as possible in registers Limitations/considerations:

1 Storage Registers vs. memory Access to registers is much faster than access to memory Goal: store as much data as possible in registers Limitations/considerations:
Architectural Support for OS March 29, 2000 Instructor: Gary Kimura Slides courtesy of Hank Levy.

Architectural Support for OS March 29, 2000 Instructor: Gary Kimura Slides courtesy of Hank Levy.
Honors Compilers Addressing of Local Variables Mar 19 th, 2002.

Honors Compilers Addressing of Local Variables Mar 19 th, 2002.
Scheduler Activations Effective Kernel Support for the User-Level Management of Parallelism.

Scheduler Activations Effective Kernel Support for the User-Level Management of Parallelism.
Processes 1 CS502 Spring 2006 Processes Week 2 – CS 502.

Processes 1 CS502 Spring 2006 Processes Week 2 – CS 502.
Run time vs. Compile time

Run time vs. Compile time
OS Spring’03 Introduction Operating Systems Spring 2003.

OS Spring’03 Introduction Operating Systems Spring 2003.
The environment of the computation Declarations introduce names that denote entities. At execution-time, entities are bound to values or to locations:

The environment of the computation Declarations introduce names that denote entities. At execution-time, entities are bound to values or to locations:
1 Run time vs. Compile time The compiler must generate code to handle issues that arise at run time Representation of various data types Procedure linkage.

1 Run time vs. Compile time The compiler must generate code to handle issues that arise at run time Representation of various data types Procedure linkage.
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
CSE 451: Operating Systems Autumn 2013 Module 6 Review of Processes, Kernel Threads, User-Level Threads Ed Lazowska 570 Allen.

CSE 451: Operating Systems Autumn 2013 Module 6 Review of Processes, Kernel Threads, User-Level Threads Ed Lazowska 570 Allen.
System Calls 1.

System Calls 1.
Protection and the Kernel: Mode, Space, and Context.

Protection and the Kernel: Mode, Space, and Context.

Similar presentations

Ads by Google