Efficient Software Based Fault Isolation Author: Robert Wahobe,Steven Lucco,Thomas E Anderson, Susan L Graham Presenter: Maitree kanungo Date:02/17/2010

Overview  Background  Software Fault Isolation  Efficient software encapsulation  Fast communication across fault domains  Performance Result Analysis

Why Software fault isolation:   Hardware-based Fault Isolation   Run modules in separate address spaces   Communicate via Remote Procedure Call   Switch to kernel mode   Copy arguments   Save/Restore registers   Switch address spaces   Return to user mode Context switches are expensive

Software Fault Isolation Virtual address segments Each segment share a unique upper bits called segment identifier Each segment share a unique upper bits called segment identifier Distrusted module can jump to or write to the same upper bit pattern (segment identifier) Distrusted module can jump to or write to the same upper bit pattern (segment identifier)

Techniques of Fault Isolation 2 techniques for software based fault-isolation.  Segment matching  Sandboxing

Techniques of Fault Isolation  This technique involves modifying the software binary to prevent stores or jumps from leaving a certain range of addresses.  All addresses used in store or jump locations are either checked or modified to enforce this.  Straight modification without checking (i.e., by bit substitution) is "sandboxing",  checking and error reporting is "segment matching"

Fault Domain … … … Segment (code)Segment (data) Fault Domain Each segment has unique pattern of upper bits called“ segment identifier”

What is Segment Matching  Static verification: Target address is known at compiling time  Unsafe instruction: Jumps & stores instruction which cannot be statically verified to be correct segment until at runtime. It could corrupt permanent data.  Segment matching  Insert checking code before every unsafe instruction. The checking code determines whether the unsafe instruction’s target address has the correct segment identifier.

Example of segment matching   Say an unsafe instruction is located in segment 101, but wants to write to segment 100. Initially, target address= ;   segment-reg=101; shift-reg=5 (or 101); dedicated-reg = dedicated-reg>>shift-reg = 100, so scratch-reg = 100 segment-reg=101; scratch-reg=100; not equal! A trap is generated to trigger a system error routine outside the distrusted module’s fault domain. If they match, then we know the target address is indeed inside the same segment, so we can run: store value, dedicated-reg

Segment Matching  Requires 4 dedicated registers to hold:  address in data segment  address in code segment  segment shift amount  segment identifier

Address Sandboxing  Segment matching can pinpoint the offending instruction.  Sandboxing reduces runtime overhead further, at the cost of providing no info about the source of faults.  Before each unsafe instruction we simply insert code that sets the upper bits of the target address to the correct segment ID.

Pseudo code for Address Sandboxing Again say an unsafe instruction is located in segment 101, but wants to write to segment 100. Initially, target-reg= ; segment-reg=101; and-mask- reg= ; target-reg&and-mask-reg = so dedicated-reg= segment-reg | dedicated-reg = so dedicated-reg = store value, dedicated-reg Now instead of writing to the intended unsafe location , sandboxing changed the target address to , which is in the same fault domain of the writing instruction. In this case may be this fault domain will be corrupt, but it does not affect other fault domains..

Guard Zone Optimization  RISC architectures include a register-plus-offset instruction mode.  Take instruction “store value, offset(reg)”.  To avoid calculating reg+offset,  we directly sandbox the reg, at the expense of creating guard zones at the top and bottom of each segment.  Avoid sandboxing the use of stack pointer by sandboxing the dedicated register which significantly improves performance.

Cross Fault Domain Communication  Control escapes a distrusted fault domain only via a jump table (to stub instruction).  A call-stub and a return-stub are created for each pair of fault domains.  The stub is also responsible for managing machine states and registers.  Fatal errors are handled by UNIX signal facility. Trusted modules may use a timer facility to interrupt execution or determinate a call.

Jump Table  Allows a fault domain to safely call the a trusted stub routine outside its domain; that stub then safely calls into the destination domain.  Each jump table entry is a control transfer instruction whose target address is a legal entry point outside the domain.  Because the table is kept in the (read-only) code segment in the fault domain, it can only be modified by a trusted module.

Performance result

Conclusion  Despite of the 4% overhead in sandboxing technique in executing distrusted code, this method yields best application performance.  whole approach does not enforce the privacy aspect of security, since addresses used in load instructions are not checked or sandboxed, because to do so would be prohibitively expensive.

References Tom Burkleaux ‘ s Slides for Fault domain and cross fault domain communication (figs) on Efficient software based isolation Carl Yao’s slides for Examples of segment matching and address sandboxing Slides on efficient software based isolation-Sandboxing SFI-Risc.pdf