Presentation is loading. Please wait.

Presentation is loading. Please wait.

Secure Virtual Architecture: A Safe Execution Environment for Commodity Operating Systems John Criswell, University of Illinois Andrew Lenharth, University.

Published byGillian Berry Modified over 8 years ago

Similar presentations

Presentation on theme: "Secure Virtual Architecture: A Safe Execution Environment for Commodity Operating Systems John Criswell, University of Illinois Andrew Lenharth, University."— Presentation transcript:

1 Secure Virtual Architecture: A Safe Execution Environment for Commodity Operating Systems John Criswell, University of Illinois Andrew Lenharth, University of Illinois Dinakar Dhurjati, DoCoMo Communications Laboratories, USA Vikram Adve, University of Illinois

2 What is a Safe Execution Environment? Intuitively, the environment provided by a safe programming language (e.g., Java, C#) Array indexing stays within object bounds No uses of uninitialized variables All operations are type safe No uses of dangling pointers Control flow obeys program semantics Sound operational semantics

3 State of the Art Research operating systems built with safe languages Not used in commodity OSs (written in C/C++) Windows Mac OS X Linux Solaris AIX BSD … and many, many, many others…

4 Why a Safe Execution Environment for Commodity Systems? Security Memory error vulnerabilities in OS kernel code are a reality 1 Novel Design Opportunities Safe kernel extensions (e.g. SPIN) Single address space OSs (e.g. Singularity) Develop New Solutions to Higher-Level Security Challenges Information flow policies Encoding security policies in type system Preventing memory exhaustion attacks 1. Month of Kernel Bugs (http://projects.info-pull.com/mokb/)

5 Secure Virtual Architecture Compiler-based virtual machine Uses analysis & transformation techniques from compilers Supports commodity operating systems (e.g., Linux) Typed virtual instruction set enables sophisticated program analysis Provide safe execution environment for commodity OSs Commodity OS Hardware Compiler + VM Virtual ISA Native ISA

6 Contributions Compiler-based virtual machine that Hosts a commodity OS Supports sophisticated compiler analysis techniques First system to provide safety guarantees for complete commodity OS (e.g., Linux) Retain explicit memory deallocation Retain custom kernel memory allocators

7 Outline  SVA Architecture SVA Safety Experimental Results

8 Memory Safety Run-time Library Hardware OS Memory Allocator SVA Virtual Machine SVA System Architecture Applications OS Kernel SVA ISA Native ISA Safety Checking Compiler Drivers Native Code Generator SVA-OS Run-time Library Safety Verifier Hardware

9 Software Flow Safety Checking Compiler Safety Verifier Code Generator Compile-Time: Install/Load/Run-Time: Kernel/Application Source Bytecode with Safe Types Bytecode + Run-Time Checks Native Code Hardware TCB

10 Virtual Instruction Set SVA-Core Based on LLVM 1,2 Typed, Explicit Control Flow Graph, Explicit SSA form Sophisticated compiler analysis and transformation SVA-OS OS-neutral instructions support commodity OSs Removes difficult to analyze assembly code Encapsulates privileged operations Like porting to a new hardware architecture 1.[CGO 2004] 2.http://llvm.org

11 Outline SVA Architecture  SVA Safety Experimental Results

12 Secure Virtual Architecture Goals Maximize safety guarantees Minimize reliance on OS correctness Minimize kernel changes Retain original kernel memory allocators Allocators have special semantics and features Custom pool allocators (e.g., Linux kmem_cache_alloc()) Flags for DMA memory, pinned memory, etc.

13 SVA Safety Guarantees Safe LanguageSecure Virtual Architecture Array indexing within bounds No uses of uninitialized variables Type safety for all objectsType safety for subset of objects No uses of dangling pointersDangling pointers are harmless Control flow integrity Sound operational semantics Dangling pointers & non-type-safe objects do not compromise other guarantees Stronger than systems that do not provide any dangling pointer protection

14 Safety Checks & Transforms Safety Checks Load/Store Checks Bounds Checks Illegal Free Checks Indirect Call Checks Safety Transforms Stack to heap promotion Memory initialization Object Bounds Tracking Methods “Fat” Pointers [SafeC, CCured, Cyclone,…] Programmer Annotations [SafeDrive,…] Object Lookups [Jones-Kelly,SAFECode,…]

15 Memory Tracking Data Structure Naive Safety Checks P1=kmem_cache_alloc(inode_cache); pchk_reg_obj (P1, reg_size(inode_cache)); … Dest = &P1[index]; bounds = pchk_get_bounds (P1); pchk_check_bounds (P1, Dest, bounds); … P2=vmalloc(size1); pchk_reg_obj (P2, size1); P3=kmem_cache_alloc(file_cache); pchk_reg_obj (P3, reg_size(file_cache)); P4=kmem_cache_alloc(inode_cache); pchk_reg_obj (P4, reg_size(inode_cache)); P1 P4 P2 SVM Metadata: Kernel Code: P3 Run-time lookups are too slow Limited opportunity to remove run-time checks

16 Improved Object Lookups 1 Alias analysis (DSA) groups objects into logical partitions Run-time records object allocations in partitions Run-time checks only consider objects in a single partition Reduces slowdown from 4x-11x to 10%-30% for nearly all standalone programs, daemons Memory Partitioned Object Set Pointers 1. Dhurjati et al. [ICSE 2006]

17 Type Safe (Homogeneous) Partitions 1 Alias analysis performs type inference Type-homogeneous partitions reduce run-time checks: No load/store checks No indirect call checks Harmless dangling pointers Type-unsafe partitions require all run-time checks Proved sound operational semantics [PLDI 2006] 1. Dhurjati et al. [TECS 2005, PLDI 2006] Memory Blue Partition Red Partition

18 Kernel Pool Allocator Constraints All objects from same pool must be in same partition Only reuse memory internally for type-homogeneous partitions Objects must be aligned at a multiple of the object size Inode Kernel Pool Blue Partition Red Partition

19 SVM Memory Safety P1=kmem_cache_alloc(inode_cache); pchk_reg_obj (MP1, P1, reg_size(inode_cache)); … Dest = &P1[index]; bounds = pchk_get_bounds (MP1, P1); pchk_check_bounds (P1, Dest, bounds); P2=vmalloc(size1); pchk_reg_obj (MP2, P2, size1); P3=kmem_cache_alloc(file_cache); pchk_reg_obj (MP3, P3, reg_size(file_cache)); P4=kmem_cache_alloc(inode_cache); pchk_reg_obj (MP1, P4, reg_size(inode_cache)); P1 P4 P2 SVM Metadata: Kernel Code: P3 MP1 MP3 MP2

20 Outline SVA Architecture SVA Safety  Experimental Results

21 Prototype Implementation Ported Linux to SVA instruction set Similar to porting to new hardware architecture Compiled using LLVM Wrote SVA-OS as run-time library linked into kernel Provide safety guarantees to entire kernel except: Memory management code Architecture-dependent utility library Architecture-independent utility library

22 Linux Kernel Modifications SectionOriginal LOCSVA-OSAllocatorsAnalysisTotal Modified Arch-indep Core9,82241763120 Net Drivers399,872120618 Net Protocols169,8322302952 Core FS18,4997801997 Ext35,2070011 Total Indep603,2321547658288 Arch-dep29,2374,777014,778 Few memory allocator changes needed Architecture-dependent code almost exclusively modified for SVA-OS port Few changes to architecture-independent code

23 Web Server Bandwidth Memory safety overhead less than 59% Transfers of larger file sizes show acceptable overhead

24 Server Latency Overhead Many short data transfers suffer high memory safety overhead Overhead acceptable for larger file sizes Acceptable overhead for security-critical servers

25 Exploits Tried 5 memory exploits that work on Linux 2.4.22 Uncaught exploit due to code not instrumented with checks BugTraq IDKernel ComponentCaught? 11956Console Driver Yes! 10179TCP/IP Yes! 11917TCP/IP Yes! 12911Bluetooth Protocol Yes! 13589ELF/Support LibraryNo

26 Performance Improvements Source code changes Smarter run-time checks Selective use of “fat” pointers Pre-checking all accesses within monotonic loops Removing redundant object lookups and run-time checks Very fast indirect call checks Improve static analysis Stronger type inference More precise call graph Restore context sensitivity Static array bounds checking

27 Future Work Ensure safe use of: SVA-OS instructions MMU configuration DMA operations Novel OS Designs Recovery semantics for the virtual machine Private application memory Information flow

28 Contributions Compiler-based virtual machine that Hosts a commodity OS Supports sophisticated compiler analysis techniques First system to provide safety guarantees for complete commodity OS (e.g., Linux) Retain explicit memory deallocation Retain custom kernel memory allocators Questions? See what we do at http://llvm.org

Download ppt "Secure Virtual Architecture: A Safe Execution Environment for Commodity Operating Systems John Criswell, University of Illinois Andrew Lenharth, University."

Similar presentations

Architectural Support for Software-Based Protection Mihai Budiu Úlfar Erlingsson Martín Abadi ASID Workshop, Oct 21, 2006 Silicon Valley.

Architectural Support for Software-Based Protection Mihai Budiu Úlfar Erlingsson Martín Abadi ASID Workshop, Oct 21, 2006 Silicon Valley.
Department of Computer Science and Engineering University of Washington Brian N. Bershad, Stefan Savage, Przemyslaw Pardyak, Emin Gun Sirer, Marc E. Fiuczynski,

Department of Computer Science and Engineering University of Washington Brian N. Bershad, Stefan Savage, Przemyslaw Pardyak, Emin Gun Sirer, Marc E. Fiuczynski,
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec. 5 2007.

Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec
EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,

EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
SAFECode Memory Safety Without Runtime Checks or Garbage Collection By Dinakar Dhurjati Joint work with Sumant Kowshik, Vikram Adve and Chris Lattner University.

SAFECode Memory Safety Without Runtime Checks or Garbage Collection By Dinakar Dhurjati Joint work with Sumant Kowshik, Vikram Adve and Chris Lattner University.
Introduction to Operating Systems CS-2301 B-term 20081 Introduction to Operating Systems CS-2301, System Programming for Non-majors (Slides include materials.

Introduction to Operating Systems CS-2301 B-term Introduction to Operating Systems CS-2301, System Programming for Non-majors (Slides include materials.
SAFECode SAFECode: Enforcing Alias Analysis for Weakly Typed Languages Dinakar Dhurjati University of Illinois at Urbana-Champaign Joint work with Sumant.

SAFECode SAFECode: Enforcing Alias Analysis for Weakly Typed Languages Dinakar Dhurjati University of Illinois at Urbana-Champaign Joint work with Sumant.
CMPT 300: Final Review Chapters 8 – 12. 2 Memory Management: Ch. 8, 9 Address spaces Logical (virtual): generated by the CPU Physical: seen by the memory.

CMPT 300: Final Review Chapters 8 – Memory Management: Ch. 8, 9 Address spaces Logical (virtual): generated by the CPU Physical: seen by the memory.
Static Analysis of Embedded C Code John Regehr University of Utah Joint work with Nathan Cooprider.

Static Analysis of Embedded C Code John Regehr University of Utah Joint work with Nathan Cooprider.
Contiki A Lightweight and Flexible Operating System for Tiny Networked Sensors Presented by: Jeremy Schiff.

Contiki A Lightweight and Flexible Operating System for Tiny Networked Sensors Presented by: Jeremy Schiff.
Type-Safe Programming in C George Necula EECS Department University of California, Berkeley.

Type-Safe Programming in C George Necula EECS Department University of California, Berkeley.
Extensibility, Safety and Performance in the SPIN Operating System Bershad et al Presentation by norm Slides shamelessly “borrowed” from Stefan Savage’s.

Extensibility, Safety and Performance in the SPIN Operating System Bershad et al Presentation by norm Slides shamelessly “borrowed” from Stefan Savage’s.
Programmability with Proof-Carrying Code George C. Necula University of California Berkeley Peter Lee Carnegie Mellon University.

Programmability with Proof-Carrying Code George C. Necula University of California Berkeley Peter Lee Carnegie Mellon University.
Java for High Performance Computing Jordi Garcia Almiñana 14 de Octubre de 1998 de la era post-internet.

Java for High Performance Computing Jordi Garcia Almiñana 14 de Octubre de 1998 de la era post-internet.
LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.

LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.
Extensibility, Safety and Performance in the SPIN Operating System Brian Bershad, Stefan Savage, Przemyslaw Pardyak, Emin Gun Sirer, Marc E. Fiuczynski,

Extensibility, Safety and Performance in the SPIN Operating System Brian Bershad, Stefan Savage, Przemyslaw Pardyak, Emin Gun Sirer, Marc E. Fiuczynski,
CMPT 300: Final Review Chapters 8 – 14. 2 Memory Management: Ch. 8, 9 Address spaces Logical (virtual): generated by the CPU Physical: seen by the memory.

CMPT 300: Final Review Chapters 8 – Memory Management: Ch. 8, 9 Address spaces Logical (virtual): generated by the CPU Physical: seen by the memory.

Similar presentations

Ads by Google