Tiara Procedure Invocation Crossing domains without Context Switch Enforcing the Call/Return Abstraction Privilege escalation.

Slides:



Advertisements
Similar presentations
More on Processes Chapter 3. Process image _the physical representation of a process in the OS _an address space consisting of code, data and stack segments.
Advertisements

1 System Calls (TRAPS) and Subroutines Patt and Patel Ch. 9.
Chapter 9 TRAP Routines and Subroutines. Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 9-2 Subroutines.
Procedure Calls Prof. Sirer CS 316 Cornell University.
MODERN OPERATING SYSTEMS Third Edition ANDREW S. TANENBAUM Chapter 3 Memory Management Tanenbaum, Modern Operating Systems 3 e, (c) 2008 Prentice-Hall,
Chapter 12 CPU Structure and Function. CPU Sequence Fetch instructions Interpret instructions Fetch data Process data Write data.
Chapter 6 Limited Direct Execution
1 Storage Registers vs. memory Access to registers is much faster than access to memory Goal: store as much data as possible in registers Limitations/considerations:
Architectural Support for OS March 29, 2000 Instructor: Gary Kimura Slides courtesy of Hank Levy.
Honors Compilers Addressing of Local Variables Mar 19 th, 2002.
Scheduler Activations Effective Kernel Support for the User-Level Management of Parallelism.
Processes 1 CS502 Spring 2006 Processes Week 2 – CS 502.
Run time vs. Compile time
OS Spring’03 Introduction Operating Systems Spring 2003.
The environment of the computation Declarations introduce names that denote entities. At execution-time, entities are bound to values or to locations:
1 Run time vs. Compile time The compiler must generate code to handle issues that arise at run time Representation of various data types Procedure linkage.
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
CSE 451: Operating Systems Autumn 2013 Module 6 Review of Processes, Kernel Threads, User-Level Threads Ed Lazowska 570 Allen.
System Calls 1.
Protection and the Kernel: Mode, Space, and Context.
Programmer's view on Computer Architecture by Istvan Haller.
Recall: Three I/O Methods Synchronous: Wait for I/O operation to complete. Asynchronous: Post I/O request and switch to other work. DMA (Direct Memory.
CS533 Concepts of Operating Systems Jonathan Walpole.
Memory Management 3 Tanenbaum Ch. 3 Silberschatz Ch. 8,9.
Copyright © 2005 Elsevier Chapter 8 :: Subroutines and Control Abstraction Programming Language Pragmatics Michael L. Scott.
Hardware process When the computer is powered up, it begins to execute fetch-execute cycle for the program that is stored in memory at the boot strap entry.
COP4020 Programming Languages Subroutines and Parameter Passing Prof. Xin Yuan.
Lecture 11 Page 1 CS 111 Online Memory Management: Paging and Virtual Memory CS 111 On-Line MS Program Operating Systems Peter Reiher.
© Janice Regan, CMPT 300, May CMPT 300 Introduction to Operating Systems Memory: Relocation.
RUN-Time Organization Compiler phase— Before writing a code generator, we must decide how to marshal the resources of the target machine (instructions,
Microprocessors The ia32 User Instruction Set Jan 31st, 2002.
Operating Systems Lecture 14 Segments Adapted from Operating Systems Lecture Notes, Copyright 1997 Martin C. Rinard. Zhiqing Liu School of Software Engineering.
Processes CS 6560: Operating Systems Design. 2 Von Neuman Model Both text (program) and data reside in memory Execution cycle Fetch instruction Decode.
6-1 Infineon 167 Interrupts The C167CS provides 56 separate interrupt sources that may be assigned to 16 priority levels. The C167CS uses a vectored interrupt.
Processes and Virtual Memory
Efficient Software-based Fault Isolation Robert Wahbe, Steven Lucco, Thomas E. Anderson & Susan L. Graham Presented By Tony Bock.
CS412/413 Introduction to Compilers and Translators Spring ’99 Lecture 11: Functions and stack frames.
Hardware process When the computer is powered up, it begins to execute fetch-execute cycle for the program that is stored in memory at the boot strap entry.
Efficient Software-Based Fault Isolation Authors: Robert Wahbe Steven Lucco Thomas E. Anderson Susan L. Graham Presenter: Gregory Netland.
Interrupts and Exception Handling. Execution We are quite aware of the Fetch, Execute process of the control unit of the CPU –Fetch and instruction as.
Lecture 4 Page 1 CS 111 Online Modularity and Memory Clearly, programs must have access to memory We need abstractions that give them the required access.
LECTURE 19 Subroutines and Parameter Passing. ABSTRACTION Recall: Abstraction is the process by which we can hide larger or more complex code fragments.
7-Nov Fall 2001: copyright ©T. Pearce, D. Hutchinson, L. Marshall Oct lecture23-24-hll-interrupts 1 High Level Language vs. Assembly.
Scheduler activations Landon Cox March 23, What is a process? Informal A program in execution Running code + things it can read/write Process ≠
TIARA Trust-management, Intrusion-tolerance, Accountability and Reconstitution Architecture Howie Shrobe, Andre de Hon, Tom Knight.
Chapter 14 Functions.
Processes and threads.
CS 6560: Operating Systems Design
Outline Paging Swapping and demand paging Virtual memory.
Anton Burtsev February, 2017
Scheduler activations
Modularity and Memory Clearly, programs must have access to memory
The Procedure Abstraction Part IV: Allocating Storage & Establishing Addressability Copyright 2003, Keith D. Cooper, Ken Kennedy & Linda Torczon, all rights.
Arithmetic using a stack
Chapter 9 :: Subroutines and Control Abstraction
Chap. 8 :: Subroutines and Control Abstraction
Chap. 8 :: Subroutines and Control Abstraction
More examples How many processes does this piece of code create?
MIPS Instructions.
CSE 451: Operating Systems Spring 2012 Module 6 Review of Processes, Kernel Threads, User-Level Threads Ed Lazowska 570 Allen.
TIARA Thread Management
Process Description and Control
Lecture Topics: 11/1 General Operating System Concepts Processes
Architectural Support for OS
TRAP Routines Privileged Instructions Subroutines
Procedures and Calling Conventions
CS510 Operating System Foundations
Architectural Support for OS
Return-to-libc Attacks
Presentation transcript:

Tiara Procedure Invocation Crossing domains without Context Switch Enforcing the Call/Return Abstraction Privilege escalation

Motivation Domain switching is implemented in all current systems by changing address spaces. –User space –Kernel space –Kernel code runs with unlimited privilege Inter-process communication involves double context switch –The kernel stands between me and my friends Expensive and inconvenient because it’s implemented by a special mechanism Can all this be replaced by single, convenient and trusted mechanism

Procedure Call Procedure call is a universal mechanism for information flow –We want to avoid proliferation of mechanisms –System calls should be the same as any other call But violation of the call/return abstraction is the vehicle for many attacks –Overwriting return pointer through overflow –Long branches into middle of procedures –… We want to demonstrate that we can have interactions without violations

Constraints Complete object orientation –Everything is an object with base, bounds, meta-data including type and compartment All code lives in code-objects –A reference to a code-object is called a procedure-pointer All branches are relative to the base of the code-object and are bounds checked Calls can only be performed on procedure-references

Hardware provided support Every thread has an associated Principal –Principle references have meta-data that limit access to them Every word is tagged with meta-data –Type (~ 8 bits = 256 data-types) –Compartment (~ 16 bits = 65,000 compartments) Instructions also have meta-data All internal registers have meta-data –Including the PC On every operation the combination of operand meta-data, PC meta-data, the Principal, the instruction and instruction meta- data are checked. Every object reference is bounds checked

Basic Data Structures Procedure-Pointer ReferenceMeta-Data Code-object Size Branch Code-object Size Call All branches are to an offset from the base of the current code-object and are bounds checked as are all references

Implications: Well behaved branches A branch instruction is shorthand for – load instruction register –with the instruction –at the specified offset in the code object Like other loads this is bounds checked Therefore: –Can only jump within code block –Can’t jump into another code block at an arbitrary point

Implications: Immutable code Instructions have meta-data –Data type is “instruction” –Compartment is one of the “code compartments” All write instructions check the meta-data of the new and old data and the principal register –No principals are allowed to overwrite instructions (in normal policy framework). Therefore: –Code is immutable –In particular branch and call instructions cannot be changed

Implications: Can’t create code Creating an instruction requires setting the tag of a register to the specific value for instruction Creating a procedure-pointer requires setting the tag to the specific value for procedure pointer Set-tag is an instruction allowed only to a few principals: GC, Loader Therefore: –Normal code can’t create an instruction –Normal code can’t create a code-block –Normal code can’t create an arbitrary procedure pointer

Implications: Can only invoke permitted procedures at their entry point The “call” instruction checks the meta-data of the procedure pointer against the principal of the current thread. –Procedure-pointers can be tagged with compartments denied to specific sets of principals The only procedure invocation mechanism is the “call” and this enters at the first instruction –Multiple entry points can be supported by passing in an entry point number in a register with the first instruction doing a jump to the offset in that register If you’re in a procedure you had the privilege level to invoke it

An extra mechanism A processor state bit –Set by “call” instruction –Flipped by “entry” instruction –Traps if it’s on at the end of any instruction other than “call” instruction Call Started InstructionState Call1 Entry0 InstructionState Not a Call0 Entry1 InstructionState Call1 Not Entry0 Trap No Trap

Trap Handling A “forced procedure call” to a routine indexed by trap-vector “Processor-trap” state-bit Trap-handler-entry instruction Can only get to a trap-handler by trapping Call Started InstructionState Trap1 Trap-Entry0 InstructionState Not a Trap0 Trap-Entry1 InstructionState Trap1 Not Trap- Entry 0 Trap Started Trap No Trap

Elaborated Data Structures Procedure-PointerMeta-Data Code-object Size Entry # Entry Inst Preamble R1 Dispatch Table Entry Code 2 Constants Common Instructions Size Entry Inst Instructions Size Entry Inst Instructions Size Entry Inst Instructions Internal Procedures Entry Code 1 R0 Procedure-call R0, R1, R2 Entry Instruction: Flips procedure-call state bit Checks Entry # is less than number of entries Preamble Code: Does common setup Dispatches to entry point New Frame Pointer R2 Arg0 Continuation Frame Ptr

Procedure Return We adopt “continue passing style” at the instruction set level There are no “return” instructions, just continuation calls Uses all checks applied to call Size Entry Inst Instructions Call-1 Data Size Entry Inst Instructions Continuation-1 Size Entry Inst Instructions Call-1 Data Return Pointer

Stack Discipline Frame Pointer Previous Frame Continuation Arg0 Arg1 Local 1 Return Values Size Entry Inst Instructions Call-1 Data Size Entry Inst Instructions Continuation-1 PC Size Entry Inst Instructions Call Previous Frame Continuation Arg0 Arg1 Local 1 Garbage Collectable

Compiled Code for Calls/Returns Initiate Call (code in caller): –Allocate frame for passed in arguments + previous stack pointer + continuation + locals pointer –Load registers with procedure-pointer and entry # –Make call Complete Call (code in callee): –Allocate frame for locals including return values from called routines –Store local pointer in call frame –Entry instruction Return (code in callee) –Stores return values in locals frame –Calls continuation

Cross Domain Calls Simplest variety of system service –Call system service in your own thread System service may need to “run in another domain” –I.e. it may require different privileges than your code –The called routine switches the contents of the Principal register to reflect its needs –Stores old Principal register state first –Restores old Principal before return Can only make cross domain call if previous Principal has ability to invoke the routine Invoked routine has limited rights to caller data

Compartmented Stack Structure Frame Pointer Previous Frame Continuation Arg0 Arg1 Local Pointer Previous Frame Continuation Arg0 Arg1 Locals Pointer Return Values Local 1 Local 0 Return Values Local 1 Local 0 CallerCallee Caller R/W Caller R Callee W Caller R/W Caller W Callee R/W

Cross Domain Call Procedure-PointerMeta-Data Code-object Size Entry # Entry Inst Ld Principal Preamble R1 Dispatch Table Entry Code 2 Constants Common Instructions Size Entry Inst Instructions Size Entry Inst Instructions Size Entry Inst Instructions Internal Procedures Entry Code 1 R0 Procedure-call R0, R1, R2 New Frame Pointer R2 Arg0 Continuation Frame Ptr Old Principal Ld Principal Return

Other Communication Patterns Non Strict Calls Forks-Joins Streamed Communication

Non-Strict Calls Build new frame Call scheduler with a procedure pointer and frame –Domain crossing happens here –Scheduler creates a new thread running the procedure in the supplied frame and makes it schedulable –Scheduler returns to caller, caller continues New thread is run eventually –May switch domains Synchronization through “futures” –Initially a value that when referenced causes caller to block –Filled in by callee, with return value

Queued (Stream) Communication Service routine runs in its own thread under its own Principal Caller prepares frame –Frame data is Write once for caller –Frame data is R/W for callee Caller calls “Enqueue” routine in its own thread –Possible domain switch for this Callee eventually dequeues request and runs it

Other Types of Procedural Objects Closure: –Pair of Environment and Code-block –Typically the Environment is the frame for an enclosing procedure –When invoked code-block is called with the environment as an extra argument –We could make all procedures be closures, most closed around the “global environment” Generic Procedures –Basis for Class-based Object-Oriented Programming –Dispatches to a method based on types and/or identity of one or more arguments, internal data is dispatch table

The Loader We assume that only the loader can create a code-object –Input is “late intermediate” pass of compiler –Loader resolves final issues Loader checks that the static code obeys overall system design constraints –If there’s a “Load Principal Register” instruction then code and procedure-reference must be in an appropriate domain for the principal Allows for multi-platform targeting Makes the loader part of the TCB Removes the compiler from the TCB

Issues Can the loader be the target of an attack –Create code block that breaks the rules Can the “Load Principal Register” instruction be abused? –Maybe need another HashEx like box that looks at a full datum (e.g. the Principal register) and tags. Can we make more use of the meta-data tags of instructions?

Summary Eliminate many forms of unstructured code that lead to vulnerability –Arbitrary jumps –Calls to targets, other than procedure entry point –Ability to overwrite code –Ability to overwrite return/frame pointers Supports very cheap cross domain call –Just a normal procedure call that changes Principal –In some cases, streamed model used –Domains are symmetrically protected from each other. Code in system routine doesn’t get access to user data

Closures Actually code-objects are not what is called Closures are Traditionally: Closure = Code-objects + Env –Null Env means global environment? We add Principal to this –Switch to Principal if non-null Code Block Environment Principal Closure Size Entry Inst Preamble Dispatch Table Entry Code 2 Constants Common Instructions Entry Code 1 Environment Continuation Arg0 Arg1 Local 1 Return Values Previous Frame

Starting A Call Code-object Size Entry Inst Constants Instructions Current Frame Pointer Principal Env Code Block Arg0 Continuation Env Old Frame Current Principal Arg0 Continuation Env Old Frame Closure Current Frame Size Entry Inst Instructions Continuation Code-Object New Closure For Continuation Size Entry Inst Constants Instructions Principal Env Code Block Current Code-object New Frame New Frame Pointer New Principal

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.