Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © 2015 Miao Yu, Virgil D. Gligor, and Zongwei Zhou CyLab and ECE Department Carnegie Mellon University {miaoy1,

Published byBrett Small Modified over 8 years ago

Similar presentations

Presentation on theme: "Copyright © 2015 Miao Yu, Virgil D. Gligor, and Zongwei Zhou CyLab and ECE Department Carnegie Mellon University {miaoy1,"— Presentation transcript:

1 Copyright © 2015 Miao Yu, Virgil D. Gligor, and Zongwei Zhou CyLab and ECE Department Carnegie Mellon University {miaoy1, virgil}@andrew.cmu.edu, zongwei@alumni.cmu.edu ACM CCS Denver, Colorado October 14, 2015 Trusted Display on Untrusted Commodity Platforms 1

2 Copyright © 2015 2 Picture: GEEK.COM. http://www.geek.com/wp-content/uploads/2010/04/qubesOS_many-appvms.jpg Insensitive Application (App) Insensitive Application (App) Sensitive Application (SecApp) Sensitive Application (SecApp) Sensitive Application (SecApp) Sensitive Application (SecApp) Sensitive Application (SecApp) Sensitive Application (SecApp) Security: no malicious scrapping/painting of SecApps output on Shared Displays Secure Display Sharing

3 Copyright © 2015 3  Security while maintaining: Sec- App 1 Operating System (unmodified) App Graphics Processing Unit (GPU) … Sec- App 2 App SecApp  User Perception Ideal Trusted Display  Compatibility Trusted Computing Base  Assurance Graphics Processing Unit (GPU)

4 Copyright © 2015  Security while maintaining:  Compatibility  Assurance  User Perception App SecApp Sec- App 1 Operating System (unmodified) App Graphics Processing Unit (GPU) … Sec- App 2 Commodity OS X GPU Managed by: Related Work Full Virtualization Hypervisor Full Virtualization Hypervisor X X ✓ ✓ Graphics Processing Unit (GPU) TCB X X Trusted Computing Base (TCB) Graphics Processing Unit (GPU)

5 Copyright © 2015 5 GPU Instructions Local Page Tables CPU Programs (e.g., drivers, Apps) Data (e.g., frame buffers) GPU Address Spaces  Objects Global Page Table (GGTT) Config. Registers Commands Background: GPU

6 Copyright © 2015 6 GPU Config. Registers CommandsInstructions Local Page Tables Display Engine Processing Engine CPU Programs (e.g., drivers, Apps) Other Engines GPU Address Spaces  Objects  Engines Global Page Table (GGTT) Data (e.g., frame buffers) Background: GPU

7 Copyright © 2015 7  Multiplexes GPU among VMs => Access mediation & emulation for GPU objects, e.g. GPU configuration registers  Reduces complexity => “address space ballooning” * Derived from Figure 7 of Tian et al. “A Full GPU Virtualization Solution with Mediated Pass-Through” Background: Full GPU Virtualization VM 2VM 1 GPU Global Page Table (GGTT) Ballooned

8 Copyright © 2015 8 VM 2VM 1 GPU Global Page Table (GGTT) * Derived from Figure 7 of Tian et al. “A Full GPU Virtualization Solution with Mediated Pass-Through” Ballooned  Multiplexes GPU among VMs => Access mediation & emulation for GPU objects, e.g. GPU configuration registers  Reduces complexity => “address space ballooning” => non-contiguous GPU address space Background: Full GPU Virtualization

9 Copyright © 2015 9  GPU instructions could be malicious => base & bound registers High Base Bound VM2 VM1 Low Base Bound High GGTT VM1 VM2 VM1 VM2  Inadequate GPU HW - single register pair for non-contiguous address spaces Insecurity of Full GPU Virtualization

10 Copyright © 2015 10  Insecure: Inadequate GPU HW - malicious GPU instructions break GPU address space separation  Lacks assurance: unverifiable code base - multiplexing GPU among VMs is complex e.g., emulating accesses to all GPU configuration registers Full GPU Virtualization In Summary Trusted Computing Base  Incompatible with commodity OS/Apps - require OS/Apps redesign  TCB loses its assurance - code becomes large and complex

11 Copyright © 2015 11 Step 1: Separate Step 2: Mediate Step 3: Emulate GPU Separation Kernel (GSK)

12 Copyright © 2015 12  Separate security-sensitive from insensitive GPU objects => security model (informal) GSK: Separation App 1 OS (unmodified) Apps GPU

13 Copyright © 2015 Insensitive (vast majority) 13 GSK: Separation Sensitive Object Insensitive Object App 1 OS (unmodified) Apps  Separate security-sensitive from insensitive GPU objects => security model (informal) GSK Sensitive (very few) GPU Addressed: Large and complex (unverifiable) code base

14 Copyright © 2015 14  ALL accesses to security-sensitive objects by ALL GPU instructions inadequate GPU HW for mediation and complex instruction behavior Interfaces for trusted display GSK: Mediation GPU App 1 OS (unmodified) Apps Access Mediation SecApp 1 GSK

15 Copyright © 2015 15  cannot be intercepted by GPU during execution  can access global memory via global page table (GGTT) can access all frame buffers  have complex behaviors when accessing sensitive objects  Assign GPU instructions to separate address spaces  Prevent GPU instruction access to sensitive objects while maintaining compatibility.  Map GPU instruction behaviors to Read/Write & Config. Change accesses. Enforce access invariants. Inadequate GPU HW & complex behaviors Solutions Instructions GSK: Mediation

16 Copyright © 2015 16 GPU Address Space Separation GPU Instructions Global Page Table (GGTT) Physical Memory Sensitive Object Insensitive Object

17 Copyright © 2015 17 GPU Address Space Separation GPU Instructions Global Page Table (GGTT) Physical Memory Sensitive Object Insensitive Object

18 Copyright © 2015 18 GPU Address Space Separation GPU Instructions Global Page Table (GGTT) Physical Memory Shadow GGTT (GGTT’) Sensitive Object Insensitive Object Addressed: Inadequate GPU HW and access mapping

19 Copyright © 2015 19  Preserves compatibility of access to shared objects e.g., both OS/Apps and GSK access the frame buffer base register GSK: Emulation Interfaces for trusted display GPU App 1 Apps SecApp 1 GSK Access Mediation Emulation OS (unmodified) Addressed: Incompatibility with commodity platforms

20 Copyright © 2015 20  Relies on existing primitives of formally verified μHV - access control to CPU physical memory GSK: Design GPU App 1 OS (unmodified) Apps Access Mediation SecApp 1 Emulation GSK Addressed: Maintain assurance of underlying code micro-Hypervisor

21 Copyright © 2015 21 GSK: Design OS/Apps frame buffer SecApps’ frame buffer Screen Addressed: Maintain Users’ Perception  Screen Overlay: displays SecApps over OS/Apps

22 Copyright © 2015 GPU ObjectAll Objects Mediation in Full GPU Virtualization GSK Data (e.g., frame buffer, input/output for processing) 2 GBdata “out-of-the-VM” ~6 MB Configuration Registers62571139 Page TableAll Commands2694321 Instructions6614 (Ignored)0 22  Only few GPU objects require mediation  Much smaller trusted code size << GSK + μHV << Full GPU Virtualization ~36K SLoC >10M SLoC Evaluation: Size & Complexity

23 Copyright © 2015 23 μHV-only μHV + trusted display Un-optimized μHV causes most overhead Evaluation: Performance (Throughput)

24 Copyright © 2015 24 Evaluation: Performance (Latency) Native μHV + trusted display (ms) μHV only (ms) Un-optimized μHV causes most frame jitters (frame)

25 Copyright © 2015 25 Take-Away Points  Trusted display: Secure Compatible with commodity software/hardware Preserve assurance of underlying trusted code Maintain a typical user's perception  Approach: Separate  Mediate  Emulate GPU accesses Screen overlay

26 Copyright © 2015 26 Backup

27 Copyright © 2015 27 Security Protection Sensitive App (SecApp) Operating System (OS) App Keyboard Graphic Controller … Network (w/ crypto) Server ! Sec- App

28 Copyright © 2015 28 Discussion  SecApps require GPU acceleration Need to extend the scope of sensitive GPU objects Still simpler than full GPU virtualization  GPU hardware enhancement Separate sensitive and insensitive GPU registers and memory into different aligned pages Support R/W access control in all GPU page tables

29 Copyright © 2015 29 OS/App frame buffer 1 Screen SecApp frame buffer 2 Challenge: Ideal Trusted Display when Screen & GPU are Shared at Any Time (not exclusively) SecApp frame buffer 3 … Screen Sharing

30 Copyright © 2015 30 Evaluation: Performance (Latency) Native μHV + trusted display (ms) μHV only max acceptable latency (ms) Un-optimized μHV further degrades user experience (frame)

Download ppt "Copyright © 2015 Miao Yu, Virgil D. Gligor, and Zongwei Zhou CyLab and ECE Department Carnegie Mellon University {miaoy1,"

Similar presentations

An Overview Of Virtual Machine Architectures Ross Rosemark.

An Overview Of Virtual Machine Architectures Ross Rosemark.
Unmodified Device Driver Reuse and Improved System Dependability via Virtual Machines J. LeVasseur V. Uhlig J. Stoess S. G¨otz University of Karlsruhe,

Unmodified Device Driver Reuse and Improved System Dependability via Virtual Machines J. LeVasseur V. Uhlig J. Stoess S. G¨otz University of Karlsruhe,
Virtualization Technology

Virtualization Technology
Virtual Switching Without a Hypervisor for a More Secure Cloud Xin Jin Princeton University Joint work with Eric Keller(UPenn) and Jennifer Rexford(Princeton)

Virtual Switching Without a Hypervisor for a More Secure Cloud Xin Jin Princeton University Joint work with Eric Keller(UPenn) and Jennifer Rexford(Princeton)
Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.

Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.
Virtualization and Cloud Computing. Definition Virtualization is the ability to run multiple operating systems on a single physical system and share the.

Virtualization and Cloud Computing. Definition Virtualization is the ability to run multiple operating systems on a single physical system and share the.
MACHINE-INDEPENDENT VIRTUAL MEMORY MANAGEMENT FOR PAGED UNIPROCESSOR AND MULTIPROCESSOR ARCHITECTURES R. Rashid, A. Tevanian, M. Young, D. Golub, R. Baron,

MACHINE-INDEPENDENT VIRTUAL MEMORY MANAGEMENT FOR PAGED UNIPROCESSOR AND MULTIPROCESSOR ARCHITECTURES R. Rashid, A. Tevanian, M. Young, D. Golub, R. Baron,
Dancing with Giants: Wimpy Kernels for On-demand Isolated I/O Presenter: Probir Roy Computer Science Department College of William & Mary.

Dancing with Giants: Wimpy Kernels for On-demand Isolated I/O Presenter: Probir Roy Computer Science Department College of William & Mary.
Chapter 6 Security Kernels.

Chapter 6 Security Kernels.
Bart Miller. Outline Definition and goals Paravirtualization System Architecture The Virtual Machine Interface Memory Management CPU Device I/O Network,

Bart Miller. Outline Definition and goals Paravirtualization System Architecture The Virtual Machine Interface Memory Management CPU Device I/O Network,
Chapter 6 User Protections in OS. csci5233 computer security & integrity (Chap. 6) 2 Outline User-level protections 1.Memory protection 2.Control of access.

Chapter 6 User Protections in OS. csci5233 computer security & integrity (Chap. 6) 2 Outline User-level protections 1.Memory protection 2.Control of access.
Virtualization in HPC Minesh Joshi CSC 469 Dr. Box Feb 1, 2012.

Virtualization in HPC Minesh Joshi CSC 469 Dr. Box Feb 1, 2012.
1 Minimal TCB Code Execution Jonathan McCune, Bryan Parno, Adrian Perrig, Michael Reiter, and Arvind Seshadri Carnegie Mellon University May 22, 2007.

1 Minimal TCB Code Execution Jonathan McCune, Bryan Parno, Adrian Perrig, Michael Reiter, and Arvind Seshadri Carnegie Mellon University May 22, 2007.
G22.3250-001 Robert Grimm New York University Disco.

G Robert Grimm New York University Disco.
Chapter 1 Introduction. Chapter Overview Overview of Operating Systems Secure Operating Systems Basic Concepts in Information Security Design of a Secure.

Chapter 1 Introduction. Chapter Overview Overview of Operating Systems Secure Operating Systems Basic Concepts in Information Security Design of a Secure.
Network Implementation for Xen and KVM Class project for E6998-01: Network System Design and Implantation 12 Apr 2010 Kangkook Jee (kj2181)

Network Implementation for Xen and KVM Class project for E : Network System Design and Implantation 12 Apr 2010 Kangkook Jee (kj2181)
Towards Application Security On Untrusted OS

Towards Application Security On Untrusted OS
KVM/ARM: The Design and Implementation of the Linux ARM Hypervisor Fall 2014 Presented By: Probir Roy.

KVM/ARM: The Design and Implementation of the Linux ARM Hypervisor Fall 2014 Presented By: Probir Roy.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #29-1 Chapter 33: Virtual Machines Virtual Machine Structure Virtual Machine.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #29-1 Chapter 33: Virtual Machines Virtual Machine Structure Virtual Machine.
Virtual Machines. Virtualization Virtualization deals with “extending or replacing an existing interface so as to mimic the behavior of another system”

Virtual Machines. Virtualization Virtualization deals with “extending or replacing an existing interface so as to mimic the behavior of another system”

Similar presentations

Ads by Google