address space isolation in the linux kernel
play

Address Space Isolation in the Linux Kernel Mike Rapoport, James - PowerPoint PPT Presentation

Mar 20, 2024 •131 likes •448 views

Address Space Isolation in the Linux Kernel Mike Rapoport, James Bottomley <{rppt,jejb}@linux.ibm.com> This project has received funding from the European Unions Horizon 2020 research and innovation programme under grant agreement No

  1. Address Space Isolation in the Linux Kernel Mike Rapoport, James Bottomley <{rppt,jejb}@linux.ibm.com> This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 825377

  2. Containers, clouds and security ● From chroot to cloud-native ○ Containers are everywhere ● Often containers run inside VMs ● But why? ○ VMs provide isolation ○ Containers are easy for DevOps ● Is this nesting really necessary?

  3. Hardware isolation ● VMs isolation is enforced by hardware ● For containers we have MMU! ○ Address space isolation is one of the best protection methods since the invention of the virtual memory. ○ Vulnerabilities are inevitable, how can we minimize the damage ○ Make parts of the Linux kernel use a restricted address space for better security

  4. Securing containers with MMU ● System call interface is a large attack surface ○ Can we restrict kernel mappings during system call execution? ● Major container isolation are namespaces ○ Can we protect namespaces with page tables?

  5. Related work ● Page Table Isolation ○ Restricted context for kernel-mode code on entry boundary ● WIP: improve mitigation for HyperThreading leaks ○ KVM address space isolation ■ Restricted context for KVM VMExit handlers ○ Process local memory ■ Kernel memory visible only in the context of a specific process

  6. System Call Isolation (SCI) ● Execute system calls in a restricted address space ○ System calls run with very limited page tables ○ Accesses to most of the kernel code and data cause page faults ● Ability to inspect and verify memory accesses ○ For code: only allow calls and jumps to known symbols to prevent ROP attacks ○ For data: TBD? https://lore.kernel.org/lkml/1556228754-12996-1-git-send-email-rppt@linux.ibm.com/

  7. SCI page tables System call User Kernel Page Table Page Table Page Table User space User space User space Kernel entry Kernel entry Kernel entry Syscall entry Kernel space

  8. SCI flow access switch switch system address unmapped page fault address call code space space map Yes is access the safe? page No kill process

  9. SCI in practice ● Weakness ○ Cannot verify RET targets ○ Performance degradation ○ Page granularity ○ Intel CET makes SCI irrelevant ● Follow up possibility ○ Use ftrace to construct shadow stack ○ Utilize compiler return thunk to verify RET targets

  10. Exclusive mappings ● Memory region mapped only in a User Page Table Kernel Page Table single process page table ○ Excluded from the direct map User space User space ● Use-cases ○ Kernel entry Kernel entry Store secrets ○ Protect the entire VM memory Kernel space Kernel space

  11. mmap(MAP_EXCLUSIVE) ● Memory region in a process is isolated from the rest of the system ● Can be used to store secrets in memory: void *addr = mmap(MAP_EXCLUSIVE, ...); struct iovec iov = { .base = addr, .len = PAGE_SIZE, }; fd = open_and_decrypt(“/path/to/secret.file”, O_RDONLY); readv(fd, &iov, 1); https://lore.kernel.org/lkml/1572171452-7958-1-git-send-email-rppt@kernel.org/

  12. mmap(MAP_EXCLUSIVE) + Convenient mmap()/mpropect()/madvise() interfaces ● Plugable into existing allocators ● Can be used at post-allocation time + Simple implementation - Requires page flag and VMA flag ● We have ran out long time ago - Multiple modifications to core mm core — Fragmentation of the direct map

  13. memfd_create(MFD_SECRET) ● Extension to memfd_create() system call int fd, ret; void *p; fd = memfd_create("secure", MFD_CLOEXEC | MFD_SECRET); if (fd < 0) perror("open"), exit(1); if (ioctl(fd, MFD_SECRET_EXCLUSIVE)) perror("ioctl"), exit(1); p = mmap(NULL, PAGE_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0); if (p == MAP_FAILED) perror("mmap"), exit(1); secure_page = p; https://lore.kernel.org/lkml/20200130162340.GA14232@rapoport-lnx/

  14. memfd_create(MFD_SECRET) + Black magic is behind a file descriptor ● .mmap() and .fault() hide the details from core mm + May use memory preallocated at boot ● Yet to be implemented - Auditing of core mm core is still required - May introduce complexity into page cache and mount APIs — Fragmentation of the direct map

  15. Demo

  16. Protecting namespaces with page tables ● Most objects in a namespace are private ○ No need to map them in other namespaces ● Per-namespace page tables improve isolation ○ Shared between processes in a namespace ○ Private objects are mapped exclusively by owning namespace page table

  17. Address space for netns ● Netns is an independent network stack ○ Network devices, sockets, protocol data ● Objects inside the network namespace are private ○ Except skb ’s that cross namespace boundaries ● Exclusive mappings of netns objects effectively creates isolated networking stack, just like in a VM

  18. Restricted Mappings Framework 1. Create a restricted mapping from an existing mapping 2. Switch to the restricted mapping when entering a particular execution context 3. Switch to the unrestricted mapping when leaving that execution context 4. Keep track of the state * From tglx comment to KVM ASI patches: https://lore.kernel.org/kvm/alpine.DEB.2.21.1907122059430.1669@nanos.tec.linutronix.de/

  19. APIs for Kernel Page Table Management ● Create first class abstraction for page tables ○ Break the assumption ‘page table == struct mm_struct ’ ○ Introduce struct pg_table to represent page table ● Clone and populate restricted page tables ○ Copy page table entries at a specified level ● Drop mappings from the restricted page tables ● On-demand memory mapping and unmapping ● Tear down restricted page tables 19

  20. Restricted Kernel Context Creation ● Pre-built at boot time (PTI) ● When creating process ○ During clone() ○ PTI page table, process-local page table ● When specifying namespace ○ During unshare() or setns() ○ Namespace-local page table ● When creating VM or virtual CPU ○ During KVM vcpu_create() or vm_create() ○ KVM ASI page table 20

  21. Context Switch ● Explicit transitions ○ Syscall boundary (PTI) ○ KVM ASI enter/exit ● Implicit transitions ○ Interrupt/exception, process context switch ● Need unified mechanism to switch kernel page table ○ Same mechanism for PTI and KVM ASI ● No change for processes with private memory 21

  22. Freeing Restricted Page Tables ● Integration with existing TLB management infrastructure ○ Avoid excessive TLB shootdowns ● Special care for shared page table levels ○ Avoid freeing main kernel page tables ● Proper accounting of page table pages

  23. Private Memory Allocations ● Extend alloc_page() and kmalloc() with context awareness ● Pages and objects are visible in a single context ○ Can be a process or all processes in a namespace ● Special care for objects traversing context boundaries 23

  24. Per-Context Allocations ● Allow per-context allocations ○ __GFP_EXCLUSIVE - for pages ○ SLAB_EXCLUSIVE - for slabs ○ PG_exclusive page type ● Drop pages from the direct map on allocation ○ set_memory_np()/set_pages_np() ● Put them back on freeing ○ set_memory_p()/set_pages_p() ● Only allowed in a context of a process with non-default page table ○ if (current->mm && &current->mm.pgt != &init_mm.pgt)

  25. Private SL*B Caches ● First per-context allocation creates a new cache ○ Similar to memcg child caches ├── kmalloc-1k │ └── cgroup │ └── kmalloc-1k(108:A) ├── kmalloc-1k(1) │ └── cgroup ● Allocate pages for cache with __GFP_EXCLUSIVE ● Map/unmap pages for out-of-context accesses ○ SLUB debugging ○ SLAB freeing from other context, e.g. workqueue 25

  26. Address space for netns ● Kernel page table per namespace @@ -52,6 +52,7 @@ struct bpf_prog; #define NETDEV_HASHENTRIES (1 << NETDEV_HASHBITS) struct net { + pg_table *pgt; /* namespace private page table */ refcount_t passive; /* To decide when the network */ /* namespace should be freed. */ ● Processes in a namespace share view of the kernel mappings ○ Switch page table at clone() , unshare() , setns() time. ● Private kernel objects are mapped only in the namespace PGD ○ Enforced at object allocation time

  27. Proof of concept implementation ● Private memory allocations with kmalloc() ○ Mapped only in processes in a single netns ○ Still visible in init_mm address space ● Socket objects, protocol data and skb ’s are allocated using __GFP_EXCLUSIVE ● Backdoor syscall for testing ● Surprisingly, there is network traffic inside a netns ;-)

  28. Putting it all together User-exclusive memory Namespaces isolation KVM isolation Private allocations SL*B Page cache extensions Page Allocator Page Table Management API

  29. Conclusions ● Using restricted contexts reduces the attack surface ● Complexity vs security benefits are yet to be evaluated ● Reworking kernel address space management is a major challenge

  30. Thank You

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Processs Address Space Linux Address Space 0x7fffffff Stack Data (Heap) Data (Heap)

Processs Address Space Linux Address Space 0x7fffffff Stack Data (Heap) Data (Heap)

10/21/2014 Processes, Address Spaces, and PROCESS Memory Management A running program and its associated data Jonathan Misurda jmisurda@cs.pitt.edu Processs Address Space Linux Address Space 0x7fffffff Stack Data (Heap) Data (Heap)

579 views • 3 slides
Kernel Address Space Layout Randomization http://outflux.net/slides/2013/lss/kaslr.pdf gholzer

Kernel Address Space Layout Randomization http://outflux.net/slides/2013/lss/kaslr.pdf gholzer

Kernel Address Space Layout Randomization http://outflux.net/slides/2013/lss/kaslr.pdf gholzer Linux Security Summit, New Orleans 2013 Kees Cook &lt;keescook@google.com&gt; (pronounced Case) Overview Classic Attack Structure

431 views • 15 slides
Debugging the Linux Kernel with GDB Kieran Bingham Debugging the Linux Kernel with GDB Many

Debugging the Linux Kernel with GDB Kieran Bingham Debugging the Linux Kernel with GDB Many

Debugging the Linux Kernel with GDB Kieran Bingham Debugging the Linux Kernel with GDB Many of us need to debug the Linux kernel Proprietary tools like Trace32 and DS-5 are $$$ Open source debuggers like GDB lack kernel

884 views • 40 slides
Harmonizing Performance and Isolation in Microkernels with Efficient Intra-kernel Isolation and

Harmonizing Performance and Isolation in Microkernels with Efficient Intra-kernel Isolation and

Harmonizing Performance and Isolation in Microkernels with Efficient Intra-kernel Isolation and Communication Jinyu Gu , Xinyue Wu, Wentai Li, Nian Liu, Zeyu Mi, Yubin Xia, Haibo Chen Monolithic Kernel and Microkernel 2 Monolithic Kernel and

336 views • 23 slides
Address Space Randomization A n E f f e c t i v e I m p l e m e n t a t i o n Michael Cloppert

Address Space Randomization A n E f f e c t i v e I m p l e m e n t a t i o n Michael Cloppert

Address Space Randomization A n E f f e c t i v e I m p l e m e n t a t i o n Michael Cloppert May, 2006 Address Space Randomization Theory Randomize location of memory objects Libraries Heap User, kernel-space stack Foils attacks like

560 views • 15 slides
Intro to Linux Kernel Programming Don Porter Lab 4 You will write a Linux kernel module

Intro to Linux Kernel Programming Don Porter Lab 4 You will write a Linux kernel module

Intro to Linux Kernel Programming Don Porter Lab 4 You will write a Linux kernel module Linux is written in C, but does not include all standard libraries And some other idiosyncrasies This lecture will give you a crash

1.35k views • 22 slides
1 Theres a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel

1 Theres a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel

1 Theres a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel vulnerability research Thats unavoidable, but the linux kernel developers dont do very much to make the situation any better. -- Basically, the

625 views • 36 slides
Hacking on Xen in the Linux Kernel Lisa Nguyen, Linux Kernel Intern FOSS Outreach Program for

Hacking on Xen in the Linux Kernel Lisa Nguyen, Linux Kernel Intern FOSS Outreach Program for

Hacking on Xen in the Linux Kernel Lisa Nguyen, Linux Kernel Intern FOSS Outreach Program for Women LinuxCon North America 2013 Agenda Introduction What Got Me Interested in OPW Project Overview Xen Block Ring Protocol

922 views • 13 slides
Introduction to Linux Kernel Modules Luca Abeni luca.abeni@santannapisa.it Linux Kernel Modules

Introduction to Linux Kernel Modules Luca Abeni luca.abeni@santannapisa.it Linux Kernel Modules

Introduction to Linux Kernel Modules Luca Abeni luca.abeni@santannapisa.it Linux Kernel Modules Kernel module: code that can be dynamically loaded/unloaded into the kernel at runtime Change the kernel code without needing to reboot

545 views • 13 slides
GNU/Linux Why use it? What is Linux? Linux is a UNIX-like, GPL-licensed open-source kernel. The

GNU/Linux Why use it? What is Linux? Linux is a UNIX-like, GPL-licensed open-source kernel. The

GNU/Linux Why use it? What is Linux? Linux is a UNIX-like, GPL-licensed open-source kernel. The GNU userland consists of libc, the init system (SystemD) X11 GUI toolkits etc. Ask the audience Who has used

442 views • 22 slides
Derandomizing Kernel Address Space Layout for Memory Introspection and Forensics Yufei Gu, and

Derandomizing Kernel Address Space Layout for Memory Introspection and Forensics Yufei Gu, and

Introduction State-of-the-Art Overview Design Evaluation Discussion Conclusion References Derandomizing Kernel Address Space Layout for Memory Introspection and Forensics Yufei Gu, and Zhiqiang Lin The University of Texas at Dallas March 9

680 views • 67 slides
. Kernel The Variability Model of the Linux Extra Conclusions Linux Study Introduction .

. Kernel The Variability Model of the Linux Extra Conclusions Linux Study Introduction .

. Krzysztof Czarnecki, Andrzej Wsowski The Variability Model of the Linux Kernel . . January 26, 2010 IT University of Copenhagen University of Leipzig University of Waterloo Steven She, Rafael Lotufo, Thorsten Berger, . Kernel The

928 views • 39 slides
Single Address Space o RW RO EX NO o Kernel vfat.o Single Address Space o RW RO EX o

Single Address Space o RW RO EX NO o Kernel vfat.o Single Address Space o RW RO EX o

Single Address Space o RW RO EX NO o Kernel vfat.o Single Address Space o RW RO EX o NO Kernel vfat.o Single Address Space RW RO mprotect o EX NO Kernel (PD-ID=0) vfat.o (PD-ID=1) o o o o o o o o o o o o o

360 views • 34 slides
Linux Kernel Security &amp; Hardening Thomas Lamprecht January 17, 2019 Introduction The Linux

Linux Kernel Security &amp; Hardening Thomas Lamprecht January 17, 2019 Introduction The Linux

Linux Kernel Security &amp; Hardening Thomas Lamprecht January 17, 2019 Introduction The Linux Kernel Widespread Deployed on: powerful (high performance compute clusters) sensitive (bank, gov. systems, ..) safety critical

995 views • 29 slides
Linux Kernel Synchronization System Calls Synchronization in Kernel the kernel RCU File

Linux Kernel Synchronization System Calls Synchronization in Kernel the kernel RCU File

3/1/20 COMP 790: OS Implementation COMP 790: OS Implementation Logical Diagram Binary Memory Threads Formats Allocators User Todays Lecture Linux Kernel Synchronization System Calls Synchronization in Kernel the kernel RCU File

647 views • 8 slides
Linux Kernel Debugging Linux Kernel Debugging Advanced Operating Systems 2018/2019

Linux Kernel Debugging Linux Kernel Debugging Advanced Operating Systems 2018/2019

Linux Kernel Debugging Linux Kernel Debugging Advanced Operating Systems 2018/2019 http://d3s.mff.cuni.cz CHARLES UNIVERSITY IN PRAGUE faculty of mathematjcs and physics faculty of mathematjcs and physics Vlastimil Babka vbabka@suse.cz

1.6k views • 62 slides
Identification of differentially Overview of our method expressed genes Filtering of low

Identification of differentially Overview of our method expressed genes Filtering of low

Application: Classifiaton of Gastric Cancer Tumors from 17 patients with gastric carcinoma was collected for surgically resected stomachs 5 female (aged 45-80, median 70) Learning to Classify Cancer from 11 male (aged 49-93, median

195 views • 5 slides
Disclosures for Andrew D. Zelenetz, MD, PhD Research Support/P.I. Genentech/Roche, Gilead, MEI,

Disclosures for Andrew D. Zelenetz, MD, PhD Research Support/P.I. Genentech/Roche, Gilead, MEI,

Disclosures for Andrew D. Zelenetz, MD, PhD Research Support/P.I. Genentech/Roche, Gilead, MEI, BeiGene Employee None Celegene; Genentech/Roche; Gilead; BeiGene; Amgen; Consultant Novartis; Astra-Zeneca; Verastem Major Stockholder None

528 views • 17 slides
Discrete and Hybrid Methods in Systems Biology Oded Maler CNRS - VERIMAG Grenoble, France SFBT

Discrete and Hybrid Methods in Systems Biology Oded Maler CNRS - VERIMAG Grenoble, France SFBT

Discrete and Hybrid Methods in Systems Biology Oded Maler CNRS - VERIMAG Grenoble, France SFBT 2012 Preamble Je ne suis pas un biologist et je vais parler en anglais so theory is my strongest link to this school Preamble The

1.16k views • 78 slides
Lhasa trusted community KNIME nodes Data processing and metabolism prediction Dr Samuel Webb

Lhasa trusted community KNIME nodes Data processing and metabolism prediction Dr Samuel Webb

Lhasa trusted community KNIME nodes Data processing and metabolism prediction Dr Samuel Webb samuel.webb@lhasalimited.org Who am I? Working within the Research Group at Lhasa Limited Activities include: Software tool development

606 views • 26 slides
Fault Isolation and Quick Recovery in Isolation File Systems Lanyue Lu Andrea C. Arpaci-Dusseau

Fault Isolation and Quick Recovery in Isolation File Systems Lanyue Lu Andrea C. Arpaci-Dusseau

Fault Isolation and Quick Recovery in Isolation File Systems Lanyue Lu Andrea C. Arpaci-Dusseau Remzi H. Arpaci-Dusseau University of Wisconsin - Madison 1 File-System Availability Is Critical 2 File-System Availability Is Critical Main

1.76k views • 171 slides
Notary: A Device for Secure Transaction Approval Anish Athalye Adam Belay Frans Kaashoek

Notary: A Device for Secure Transaction Approval Anish Athalye Adam Belay Frans Kaashoek

Notary: A Device for Secure Transaction Approval Anish Athalye Adam Belay Frans Kaashoek Robert Morris Nickolai Zeldovich MIT CSAIL 1 How to securely approve transactions? Users perform sensitjve transactjonal operatjons Bank

760 views • 49 slides
&amp; Privacy Paul Ratazzi ,Ashok Bommisetti, Nian Ji, and Prof. Wenliang (Kevin) Du Department

&amp; Privacy Paul Ratazzi ,Ashok Bommisetti, Nian Ji, and Prof. Wenliang (Kevin) Du Department

PINPOINT: Efficient &amp; Effective Resource Isolation for Mobile Security &amp; Privacy Paul Ratazzi ,Ashok Bommisetti, Nian Ji, and Prof. Wenliang (Kevin) Du Department of Electrical Engineering &amp; Computer Science Syracuse University,

1.36k views • 21 slides
Identity and Streams Washington DC, Martin Thomson requestIdentity Reminder:

Identity and Streams Washington DC, Martin Thomson requestIdentity Reminder:

W3C stuff 2014-05 Interim, Identity and Streams Washington DC, Martin Thomson requestIdentity Reminder: RTCConfiguration parameter with three values: yes, ifconfigured, no. Originally included in support of

282 views • 11 slides

More recommend