Native Client. Kapil Anand

Similar documents
Fast Byte-Granularity Software Fault Isolation

I Control Your Code Attack Vectors Through the Eyes of Software-based Fault Isolation. Mathias Payer, ETH Zurich

Eugene Tsyrklevich. Ozone HIPS: Unbreakable Windows

Fine-Grained User-Space Security Through Virtualization. Mathias Payer and Thomas R. Gross ETH Zurich

Return-oriented programming without returns

Sandy. The Malicious Exploit Analysis. Static Analysis and Dynamic exploit analysis. Garage4Hackers

Last Class: OS and Computer Architecture. Last Class: OS and Computer Architecture

Hotpatching and the Rise of Third-Party Patches

Efficient Monitoring of Untrusted Kernel-Mode Execution

CIS 551 / TCOM 401 Computer and Network Security

Last Class: OS and Computer Architecture. Last Class: OS and Computer Architecture

The V8 JavaScript Engine

CEN 559 Selected Topics in Computer Engineering. Dr. Mostafa H. Dahshan KSU CCIS

Bypassing Memory Protections: The Future of Exploitation

Interpreters and virtual machines. Interpreters. Interpreters. Why interpreters? Tree-based interpreters. Text-based interpreters

CS5460: Operating Systems

Betriebssysteme KU Security

Chapter 3: Operating-System Structures. System Components Operating System Services System Calls System Programs System Structure Virtual Machines

Carlos Villavieja, Nacho Navarro Arati Baliga, Liviu Iftode

x86 ISA Modifications to support Virtual Machines

ELEC 377. Operating Systems. Week 1 Class 3

Agent Languages. Overview. Requirements. Java. Tcl/Tk. Telescript. Evaluation. Artificial Intelligence Intelligent Agents

Code Injection From the Hypervisor: Removing the need for in-guest agents. Matt Conover & Tzi-cker Chiueh Core Research Group, Symantec Research Labs

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering

COS 318: Operating Systems. Virtual Memory and Address Translation

Software Vulnerabilities

Operating System Organization. Purpose of an OS

SkyRecon Cryptographic Module (SCM)

Cloud Computing. Up until now

Introduction. Application Security. Reasons For Reverse Engineering. This lecture. Java Byte Code

An Easier Way for Cross-Platform Data Acquisition Application Development

Attacking Host Intrusion Prevention Systems. Eugene Tsyrklevich

Secure Execution Via Program Shepherding

Bypassing Browser Memory Protections in Windows Vista

CS412/CS413. Introduction to Compilers Tim Teitelbaum. Lecture 20: Stack Frames 7 March 08

How do Users and Processes interact with the Operating System? Services for Processes. OS Structure with Services. Services for the OS Itself

Operating Systems and Networks

Exokernel : An Operating System Architecture for Application-Level Resource Management. Joong Won Roh

Chapter 6, The Operating System Machine Level

Automating Mimicry Attacks Using Static Binary Analysis

HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity

Microcontrollers Deserve Protection Too

Hypervisor-Based, Hardware-Assisted System Monitoring

Automated Faultinjection Series - Risk Management and Implementation

Operating System Overview. Otto J. Anshus

SoK: Eternal War in Memory

Custom Penetration Testing

Virtualization for Cloud Computing

Technical Properties. Mobile Operating Systems. Overview Concepts of Mobile. Functions Processes. Lecture 11. Memory Management.

General Introduction

CS52600: Information Security

Operating System Structures

An Implementation Of Multiprocessor Linux

A JIT Compiler for Android s Dalvik VM. Ben Cheng, Bill Buzbee May 2010

DAWSON -- Synthetic Diversity for Intrusion Tolerance 1

Chapter 3: Operating-System Structures. Common System Components

1 The Java Virtual Machine

Software security. Buffer overflow attacks SQL injections. Lecture 11 EIT060 Computer Security

Runtime Verification for Real-Time Automotive Embedded Software

Introduction. What is an Operating System?

Visualizing Information Flow through C Programs

EMET 4.0 PKI MITIGATION. Neil Sikka DefCon 21

Isolating Commodity Hosted Hypervisors with HyperLock

The Beast is Resting in Your Memory On Return-Oriented Programming Attacks and Mitigation Techniques To appear at USENIX Security & BlackHat USA, 2014

Chapter 5 Cloud Resource Virtualization

SecureDoc Disk Encryption Cryptographic Engine

Example of Standard API

Applications of formal verification for secure Cloud environments at CEA LIST

Access Control Fundamentals

Securing software by enforcing data-flow integrity

Homeland Security Red Teaming

Portable Software Fault Isolation

Secure In-VM Monitoring Using Hardware Virtualization

Full and Para Virtualization

Chapter 3 Operating-System Structures

From Faust to Web Audio: Compiling Faust to JavaScript using Emscripten

CS 377: Operating Systems. Outline. A review of what you ve learned, and how it applies to a real operating system. Lecture 25 - Linux Case Study

Attacking Obfuscated Code with IDA Pro. Chris Eagle

CIS433/533 - Computer and Network Security Operating System Security

Exploiting nginx chunked overflow bug, the undisclosed attack vector

Debugging A MotoHawk Application using the Application Monitor

Security Overview of the Integrity Virtual Machines Architecture

The Plan Today... System Calls and API's Basics of OS design Virtual Machines

Bug hunting. Vulnerability finding methods in Windows 32 environments compared. FX of Phenoelit

Real Time Programming: Concepts

Operating System Structures

Automatic Logging of Operating System Effects to Guide Application-Level Architecture Simulation

CS 155 Final Exam. CS 155: Spring 2013 June 11, 2013

Review from last time. CS 537 Lecture 3 OS Structure. OS structure. What you should learn from this lecture

Exceptions in MIPS. know the exception mechanism in MIPS be able to write a simple exception handler for a MIPS machine

UEFI on Dell BizClient Platforms

COS 318: Operating Systems

Thesis Proposal: Improving the Performance of Synchronization in Concurrent Haskell

Encryption Wrapper. on OSX

Restraining Execution Environments

MSc Computer Science Dissertation

Intel Application Software Development Tool Suite 2.2 for Intel Atom processor. In-Depth

RE-TRUST Design Alternatives on JVM

XFI: Software Guards for System Address Spaces

Secure Network Communications FIPS Non Proprietary Security Policy

Transcription:

Native Client Kapil Anand 1

Motivation Web browsers employ languages like JavaScript. Not suitable for performance critical applications Games ( High speed rendering) Fluid dynamics Inability to execute native machine code due to security concerns User based security (Popup) not effective 2

NativeClient Sandboxed environment for execution of native code Native code performance Portability across OS Two main parts Constrained execution of native code Runtime for allowing safe operations 3

Design Sandbox Static analysis to detect security defects Enforces rules on incoming un-trusted modules Runtime Facilities Allows safe execution of possible unsafe operations Inter-module communications 4

Sandbox Implements Software Fault Isolation External state not accessible from these modules Explicit control flow instructions Stipulates a set of rules need to be followed by the incoming binary No unsafe instructions Special indirect control transfers Relies on compiler tool chain to stick to these rules Implements a validation tool to check these rules Reliable disassembly 5

Binary Constrains No self modifying code Not writable after loading into memory Statically linked with a fixed start address of text segment All instructions reachable by fall-through disassembly from starting address Relocation information present (?), not mentioned in paper Ensure reliable disassembly Other constraints Syscall, Instructions modifying segment state, ret No instruction overlapping a 32 byte All functions, basic blocks aligned to 32 byte boundary 6

Data Flow Integrity Data Integrity: Employs segmented memory support Constrains data references to a particular sub range of virtual 32 bit addresses Effective as segment registers not accessible 7

Control flow integrity All control transfers target an instruction identified during disassembly Direct control flow Target should be one of reachable instruction Indirect Control flow Segmented support ( works because a fix start address) No returns Limit target alignment to 32 byte boundary jmp eax -> and eax,0xffffffe0 jmp eax Implemented as a special NaCl jump Lack of segmented support in previous paper required use of and and or instruction to check the segment tag 8

CFI All instructions and pseudo-instructions (including NaCl jmp) are aligned to 32 byte boundary Any indirect jump would follow an and and hence goes to one of the instruction on 32 byte boundary All 32-byte boundary instructions are statically analyzed Insures No skipping of and before jmp NaCl becomes atomic 9

Possible Attacks No Return based attacks as returns not allowed No Code Injection Return to libc or Gadgets Not possible to obtain something like system command as middle of instructions not accessible 10

Exceptions Hardware exceptions not allowed as stack mechanism is invalidated Immediate termination and no recovery Supports C++ exceptions 11

Runtime Service Sandboxing limits unsafe operations Runtime services allow some unsafe operations to be operated in safe way Required for usefulness of modules Isolates incoming binary from host resources Resource abstractions Communication Between Native Client and Browser Communication between Native Client Modules Client module and network like accessing URLs 12

Runtime Services Contains trusted code and data Implemented as a native executable invoked by browser plug-in The process is shared with Native client module Implements dynamic enforcements Maintains integrity of sandbox 13

Runtime Service Small part of module space is used by runtime service Enables control transfer between untrusted user code and trusted runtime service Untrusted code allowed in these trampolines like system calls Runtime service Executable Address space A segment protected address space for module Modifies segment registers and native code executed with normal flat addressing 14

Performance Compiler tool chain need to be modified Alignment constraints Instruction constraints Special control transfers Average 5% performance overhead on SPEC benchmarks Good result 15

Limitations No hardware handled exceptions Tool-chain modifications Applications limited to computation oriented domains: File system accesses, process creation not allowed Not suitable for OS extensions ( User mode only) 16

17

Fast Byte Granularity Software Fault Isolation 18

Motivation Kernel Extensions are used for customizing operating systems Device drivers File systems Fully trusted by kernel for performance reasons Problems Written in unsafe languages Share address space with kernel Most of OS bugs are related to extensions 19

Motivation Existing approaches: Extensions in separate protection domain or in user mode processes Either require hardware modifications or high overhead because extensions used very frequently SFI in Native Client not applicable as it relied on segmented protections A software based Byte-Granularity SFI Previous solutions required hardware changes A complete software solution which isolates drivers with no change in source-code and with no performance overheads 20

Previous Mechanisms Not enough isolation For example, a range of addresses are allowed to be modified Do not prevent writes to kernel objects stored in these addresses No checking of call interface Calling a function with wrong interface 21

BGI Runs code in separate protection domain to contain software faults Kernel and trusted extensions run in trusted domain An Access control list (ACL) specifying the rights of each domain to each byte 22

Protection Model 23

Access Rights Read: available to everyone Write icall Ensures control flow integrity An extension can call a function only if it has icall rights on that function Applicable to function pointers also by analyzing address creation points Type Enforce dynamic type safety for kernel objects Ownership: Maintains the domain which should free the object and type of deallocation to use 24

Memory checks Write Checks Prevent unauthorized write Global variables rights Local variables rights Heap rights Ownership rights Controlled by memory allocation/de-allocation wrappers 25

Memory checks Call checks: Prevent threads from executing code in another domain Checks whether current extension has call right before calling through indirect call For function pointers passed to kernel from extensions, it is checked whether the extension has call right Type Checks: Dynamic type for each object Wrappers check that corresponding domain has proper type rights on incoming object Controlled by allocators/de-allocator wrappers 26

Implementation Compiler changes to compile the driver source code with required changes Assumes that driver developers are benign Interpositional library to be linked with driver ACL Tables for controlling accesses 27

Interposition Library Mediates communication between extensions and kernel All communication through wrappers Kernel wrappers Wrap kernel functions called by extension Extension wrappers Wrap extension wrappers called by functions Wrappers grants, checks or revokes the access protection Trust kernels ( Guides the operation) 28

Compiler Instruments the extension to redirect kernel function calls to interposition wrappers Modifies the address creation points to point to library wrappers Access rights maintenance for local variables Access-Check instruction before each write and indirect call Disallows inline assembly 29

Attack Protection No indirect branches Information about possible functions in module needs to be in read only segment Safety of Access Tables Buffer overflows possible As protection is only on domains, not on functions Inject code to bypass inter-positional library Return based programming 30

Byte Granularity Protection Suggests fast table based mechanism for managing access rights A small integer to encode a pair of domain and access right Kernel table and a user table per process Corresponding conflict tables An entry for each 8 byte memory in the corresponding table specifying access right 31

Example 32

Performance Contains ~98% blue screen faults and ~50% hangs Performance overhead of 12% in one benchmarks, <2% in others, 6.4% on average, as compared to around 20% in previous paper 33

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information