armlock hardware based fault
play

ARMlock: Hardware-based Fault Isolation for ARM Yajin Zhou , - PowerPoint PPT Presentation

Aug 27, 2023 •618 likes •912 views

ARMlock: Hardware-based Fault Isolation for ARM Yajin Zhou , Xiaoguang Wang, Yue Chen, and Zhi Wang North Carolina State University Xian Jiaotong University Florida State University Software is Complicated and Vulnerable Number of CVEs 17

  1. ARMlock: Hardware-based Fault Isolation for ARM Yajin Zhou , Xiaoguang Wang, Yue Chen, and Zhi Wang North Carolina State University Xi’an Jiaotong University Florida State University

  2. Software is Complicated and Vulnerable Number of CVEs 17 million SLOC 300 266 249 250 189 200 15 million SLOC 175 152 150 125 116 110 102 100 86 78 74 63 2 million SLOC 44 43 50 27 7 4 3 3 0 2010 2011 2012 2013 2014 400 thousands SLOC Linux Chrome Apache Libpng 2

  3. Software is Complicated and Vulnerable  Code: different sources  Third-party libraries, plugins …  Vulnerabilities in one module could compromise the whole application Heartbleed 3

  4. Software Fault Isolation  SFI: security by isolation  Split application into different fault domains  Separate each domain from others  Compromised fault domains cannot affect others  Widely used in x86 systems  Linux kernel: LXFI  User level applications: Native client, Vx32 … Our work focuses on ARM architecture 4

  5. ARM Architecture is Popular 750 million Android devices in 2013 ARM is catching up in the data 99% are based on ARM architecture center server market 5

  6. SFI on ARM Architecture  Native client for ARM  Compiler based solution  Limitations: assumption on memory layout, hard to efficiently support self-modifying code, and JIT compiling  ARMor  Binary rewriting  High performance overhead 6

  7. Our Solution: ARMlock  Strict isolation  Memory read/write, code execution, system calls  Low performance overhead  Sandbox context switch, sandbox itself  Compatibility  Memory layout, self-modifying code, JIT compiling  Leverage an often overlooked hardware feature: Memory domain 7

  8. Background: ARM Memory Domain D0 D1 D14 D15 lw r0, [r1] 01 00 … 00 00 … √ … Domain 0 DACR Register lw r1, [r2] X Domain 1 Sandboxed code ARM domain access control Domain 2 Type Value Description … No Access 00 No access permitted Client 01 Permissions defined by page tables Domain 14 Reserved 10 Reserved Domain 15 Manager 11 No permissions check (unlimited access) Virtual memory space 8

  9. Threat Model  OS kernel is trusted  Host application is benign but could be vulnerable  External modules: vulnerable or malicious Isolate compromised or malicious modules from the host application 9

  10. ARMlock Architecture Sandboxed untrusted module data data function function Host application User mode System call interposition Kernel mode Linux kernel ARMlock kernel extension Cross-sandbox communication (with the help of ARMlock kernel extension) 10 10

  11. Sandbox Creation  Host application asks ARMlock kernel module to create a sandbox  Kernel module initializes the sandbox  Locate first level page table entries  Assign different memory domains to the host application and sandboxes  Memory domain assignment cannot be changed by the sandbox 11 11

  12. Sandbox Switch  DACR register is saved in the thread control block  DACR register is updated when switching sandboxes  Only current domain (and kernel) are accessible, not other domains  Multithreading is naturally supported  Each CPU core has its own DACR register 12 12

  13. Cross-sandbox Communication  Inter-module function call  Inter-module memory reference 13 13

  14. Inter-module Function Invocation  Two new system calls  ARMlock_CALL: inter-module function call  ARMlock_RET: inter-module function return 14 14

  15. Inter-module Function Invocation  Inter-module function invocation caller stub Sandboxed untrusted module gate callee gate Host application User mode Kernel mode Linux kernel ARMlock kernel extension Inter-domain transfer (with the help of ARMlock kernel extension) Intra-domain transfer (with the help of ARMlock user library) 15 15

  16. Inter-module Function Invocation Stub Switch stack etc. Prepare context Set PC to entry gate Entry gate Issue ARMlock_CALL ARMlock_CALL returns Caller Callee Prepare context Call real function Call Sandbox1 Sandbox1 _func _func Issue ARMlock_RET Return gate Switch stack etc. Restore context Set PC to return gate Return ARMlock_RET returns ARMlock kernel module Sandbox 1 Sandbox 0 16 16

  17. Inter-module Memory Reference  Kernel assisted memory copy  Kernel marks both domains as accessible  Copy data into the destination sandbox  Restore the DACR register 17 17

  18. Inter-module Memory Reference  Shared memory domain: using a domain which is accessible in both sandboxes  Data from sandboxed modules should be sanitized Domain 0 Domain 0 Domain 1 Domain 1 lw r0, [r1] lw r3, [r1] Domain 2 Domain 2 … … … … … … lw r1, [r2] lw r5, [r2] Domain 14 Domain 14 Accessible Sandbox 0 Sandbox 1 Domain 15 Domain 15 Non-accessible Memory space Memory space 18 18

  19. System Call Interposition  Recent Linux system has 380+ system calls  Normal applications may use less than that, e.g., around 60  More system calls may expose more kernel vulnerabilities  Host applications in ARMlock could control system calls available to sandboxed modules  Implemented through the seccomp-BPF framework 19 19

  20. Evaluation  Security analysis  Performance overhead  Sandbox switch latency  Sandbox itself 20 20

  21. Security Analysis  Cross-sandbox communication  Inter-module function invocation Host application  Inter-module memory reference 1 Sandboxed module  Kernel assisted memory copy function function  Shared memory domain: race condition data data 2 Linux kernel ARMlock 21 21

  22. Performance Evaluation: Configuration Item Configuration CPU ARM1176JZF-S 700MHz RAM 512MB OS Raspbian (based on Debian) Kernel Linux 3.6.11 LMbench Version 2 nbench Version 2.2.3 22 22

  23. Sandbox Switch Latency  Call a simple inc function inside the sandbox  1 second: 903,343 inter-module calls -- 1.1 μ s for each call 23 23

  24. Sandbox Switch Latency  One sandbox switch: two system calls 10,000 x 2778.3 2631 1,000 x 100 x 17.4 16.4 5.8 10 x 3.1 2.6 1 1 1 x ARMlock clock exec fork getpid null sig_handle sig_install stat 24 24

  25. Performance Overhead 100% 90% 80% 0.661 70% 0.584 60% 50% 40% Internal 30% External 20% 10% 0% 25 25

  26. Discussion  Some developer efforts are required  Refactor the application into domains  Avoid frequent domain switch  Need to use short format page table in latest ARM architecture  Kernel-level sandbox  Other OS support 26 26

  27. Takeaway  ARMlock: a hardware-based fault isolation for ARM  Strict isolation  Low performance overhead  Better compatibility 27 27

  28. Q&A 28 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Fault Injection Characterization on ARM Cortex-A9 George Thessalonikefs

Fault Injection Characterization on ARM Cortex-A9 George Thessalonikefs

ElectroMagnetic Fault Injection Characterization on ARM Cortex-A9 George Thessalonikefs George.Thessalonikefs@os3.nl University of Amsterdam February 5, 2014 Introduction Hardware Fault Injection Induce faults to hardware through side

517 views • 26 slides
Fault Based Almost Universal Forgeries on CLOC and SILC Avik Chakraborti (ISI, Kolkata) Joint

Fault Based Almost Universal Forgeries on CLOC and SILC Avik Chakraborti (ISI, Kolkata) Joint

Motivation Description of CLOC and SILC Fault Based Almost Universal Forgery on CLOC Fault Based Almost Universal Forgery on SILC Implementation of Fault Conclusion Fault Based Almost Universal Forgeries on CLOC and SILC Avik Chakraborti

554 views • 32 slides
Learning objectives Understand the basic ideas of fault-based testing How knowledge of a

Learning objectives Understand the basic ideas of fault-based testing How knowledge of a

Learning objectives Understand the basic ideas of fault-based testing How knowledge of a fault model can be used to Fault-Based Testing create useful tests and judge the quality of test cases Understand the rationale of

296 views • 5 slides
Fault Detection and Mitigation in WLAN RSS Nearest Neighbor Fingerprint-based Positioning

Fault Detection and Mitigation in WLAN RSS Nearest Neighbor Fingerprint-based Positioning

Introduction - Motivation - Fault Model - Measurement Setup Fault Detection and Mitigation in WLAN RSS Nearest Neighbor Fingerprint-based Positioning Algorithm - Fault Detection - Fault Tolerance Hybrid Positioning Algorithm Christos

708 views • 41 slides
hocos SLT Programs hardware-oriented computer science Why This Presentation? Lectures must

hocos SLT Programs hardware-oriented computer science Why This Presentation? Lectures must

Steganography for Our Research Hardware Security DeepFake Detection Foci and Your Secure Opportunities Memristive Composition Cryptography Fault attacks and Ilia Polian Stochastic countermeasures Hardware-oriented Computer Science

706 views • 24 slides
Lecture 10: Fault Tolerance Fault Tolerant Concurrent Computing The main principles of fault

Lecture 10: Fault Tolerance Fault Tolerant Concurrent Computing The main principles of fault

Lecture 10: Fault Tolerance Fault Tolerant Concurrent Computing The main principles of fault tolerant programming are: Fault Detection - Knowing that a fault exists Fault Recovery - having atomic instructions that can be rolled back in

361 views • 18 slides
Voting-based fault detection and diagnosis in systems with multiple operating conditions Carlos F

Voting-based fault detection and diagnosis in systems with multiple operating conditions Carlos F

Voting-based fault detection and diagnosis in systems with multiple operating conditions Carlos F . Alcala Controls Research Group May 18, 2016 1 / 39 Outline Introduction 1 Fault detection and diagnosis with PCA 2 Voting-based Fault

1.34k views • 108 slides
Fault Simulation for Hardware Emulation John Curtin Faculty Advisor: Dr. Fred Wang Graduate

Fault Simulation for Hardware Emulation John Curtin Faculty Advisor: Dr. Fred Wang Graduate

Fault Simulation for Hardware Emulation John Curtin Faculty Advisor: Dr. Fred Wang Graduate Mentor: Geoff Laughon CURENT Final Presentation 7/14/16 Min Kao Building, University of Tennessee at Knoxville Faults Many different kinds

553 views • 16 slides
Hypervisor-Based Fault-Tolerance Thomas C. Bressoud, Isis

Hypervisor-Based Fault-Tolerance Thomas C. Bressoud, Isis

Hypervisor-Based Fault-Tolerance Thomas C. Bressoud, Isis Distributed Systems Fred B. Schneider, Cornell University SOSP, 1995 Problem Fault tolerance

2.97k views • 8 slides
Chiffre : A Confjgurable Hardware Fault Injection Framework for RISC-V Systems Schuyler Eldridge

Chiffre : A Confjgurable Hardware Fault Injection Framework for RISC-V Systems Schuyler Eldridge

IBM T. J. Watson Research Center Chiffre : A Confjgurable Hardware Fault Injection Framework for RISC-V Systems Schuyler Eldridge Alper Buyuktosunoglu Pradip Bose 2 nd Workshop on Computer Architecture Research with RISC-V Motivation: Selective

395 views • 15 slides
Nonlinear Autoregressive with Exogenous Wathiq R Abed #UDT2019 Outline Aim of Fault

Nonlinear Autoregressive with Exogenous Wathiq R Abed #UDT2019 Outline Aim of Fault

Unmanned Marine Vehicles Motor Fault Classifier Based on Nonlinear Autoregressive with Exogenous Wathiq R Abed #UDT2019 Outline Aim of Fault diagnosis and condition monitoring Task Major Faults in electrical Machines Fault

274 views • 9 slides
What is Smoke Test? Empirical Evaluation of the Fault-detection Effectiveness of Smoke Regression

What is Smoke Test? Empirical Evaluation of the Fault-detection Effectiveness of Smoke Regression

What is Smoke Test? Empirical Evaluation of the Fault-detection Effectiveness of Smoke Regression Test Cases Smoke test for GUI-based Software Borrowed from hardware testing Qing Xie A relatively simple check to see whether the

499 views • 5 slides
Evolving Fault Localisation Shin Yoo, University College London, UK Human Competitive Award,

Evolving Fault Localisation Shin Yoo, University College London, UK Human Competitive Award,

Evolving Fault Localisation Shin Yoo, University College London, UK Human Competitive Award, GECCO 2012, 09 July 2012 Spectra Based Fault Localisation Program Spectra Based Fault Localisation Program Tests Spectra Based Fault Localisation

522 views • 34 slides
A Fault Tolerant Superscalar Processor 1 [Based on Coverage of a Microarchitecture-level

A Fault Tolerant Superscalar Processor 1 [Based on Coverage of a Microarchitecture-level

A Fault Tolerant Superscalar Processor 1 [Based on Coverage of a Microarchitecture-level Fault Check Regimen in a Superscalar Processor by V. Reddy and E. Rotenberg (2008)] P R E S E N T E D B Y N A N Z H E N G [Part of slides borrowed

398 views • 21 slides
Web Application Fault Classification An Exploratory Study Yuepu Guo, Sreedevi Sampath

Web Application Fault Classification An Exploratory Study Yuepu Guo, Sreedevi Sampath

Web Application Fault Classification An Exploratory Study Yuepu Guo, Sreedevi Sampath University of Maryland Baltimore County presentation by Daniel Kellenberger 01.06.2010 Why Do We Need (Another) Fault Classification? Fault-based

647 views • 16 slides
Overview ECE 753: FAULT-TOLERANT Introduction - Sources COMPUTING Hardware redundancy

Overview ECE 753: FAULT-TOLERANT Introduction - Sources COMPUTING Hardware redundancy

2/4/2014 Overview ECE 753: FAULT-TOLERANT Introduction - Sources COMPUTING Hardware redundancy Kewal K Saluja Kewal K.Saluja Information redundancy Information redundancy Department of Electrical and Computer Time

234 views • 5 slides
One Person, One Lock Control of Hazardous Energy H&S Program Standard 7-45 Course Code

One Person, One Lock Control of Hazardous Energy H&S Program Standard 7-45 Course Code

One Person, One Lock Control of Hazardous Energy H&S Program Standard 7-45 Course Code 600009 TRACCESS Module - 2017 Control of Hazardous Energy Training BU Specific Group BU Competency Lockout Increasing Competency Group

1.07k views • 37 slides
Docker File System Isolation By Darrin Schmitz David Huff Destiny Velasquez 1 LA-UR-15-25911

Docker File System Isolation By Darrin Schmitz David Huff Destiny Velasquez 1 LA-UR-15-25911

Docker File System Isolation By Darrin Schmitz David Huff Destiny Velasquez 1 LA-UR-15-25911 Specifications HP ProLiant DL380p Gen8 servers Head node has 32 cores and 32 GB RAM 10 child nodes have 24 cores and 24 GB RAM

523 views • 24 slides
Presentation Q1(19) Jonas Jarvius, CEO Anders Lundin, CFO STRICTLY PRIVATE AND CONFIDENTIAL

Presentation Q1(19) Jonas Jarvius, CEO Anders Lundin, CFO STRICTLY PRIVATE AND CONFIDENTIAL

Presentation Q1(19) Jonas Jarvius, CEO Anders Lundin, CFO STRICTLY PRIVATE AND CONFIDENTIAL Disclaimer DISCLAIMER THIS PRESENTATION AND ITS CONTENTS ARE CONFIDENTIAL AND ARE NOT FOR RELEASE, PUBLICATION OR DISTRIBUTION, IN WHOLE OR IN PART,

835 views • 12 slides
D8.9 Educational Material for University Studies Sustainable Refurbishing of Historic Buildings

D8.9 Educational Material for University Studies Sustainable Refurbishing of Historic Buildings

D8.9 Educational Material for University Studies Sustainable Refurbishing of Historic Buildings and Relevant Building Physical Aspects based on Case Study 5: Secondary School Htting Innsbruck, Austria The research leading to these results

895 views • 72 slides
PRESENTATION FOR TESTING DIRECTIONS The World Health Organization declared COVID-19 a pandemic on

PRESENTATION FOR TESTING DIRECTIONS The World Health Organization declared COVID-19 a pandemic on

EMERGENCY MANAGEMENT ACT 2005 (WA) ( (a) who enters Westero Australia by disembarking from an afgected aircraft onto land anywhere in Western Australia (including any person who entered Westero Australia in this manner on or afuer 29 June 2020);

268 views • 3 slides
Massive Multitenancy with V8 Isolates Kenton Varda - Tech Lead, Cloudflare Workers The Challenge

Massive Multitenancy with V8 Isolates Kenton Varda - Tech Lead, Cloudflare Workers The Challenge

Massive Multitenancy with V8 Isolates Kenton Varda - Tech Lead, Cloudflare Workers The Challenge 165 Locations and growing Scalability can mean... Traffic (requests) Easy: More locations = more capacity. Tenants (apps) Hard: Every tenant in

812 views • 41 slides
AOGV TM Add On Gate Valve Kenneth O. Rosn Manager AOGV Kjetil Aamodt Principal Engineer

AOGV TM Add On Gate Valve Kenneth O. Rosn Manager AOGV Kjetil Aamodt Principal Engineer

If only this flange had an isolation valve Isolation without shut down AOGV TM Add On Gate Valve Kenneth O. Rosn Manager AOGV Kjetil Aamodt Principal Engineer AOGV Kenneth Laatveit Business Development & Sales Manager

931 views • 33 slides
Can Fault Tree Analysis Technique Resolve Fault Isolation Ambiguity? Alpana Gangopadhyaya

Can Fault Tree Analysis Technique Resolve Fault Isolation Ambiguity? Alpana Gangopadhyaya

Reliability Maintenance and Managing Risk Conference 2019 Can Fault Tree Analysis Technique Resolve Fault Isolation Ambiguity? Alpana Gangopadhyaya Supportability Systems Engineer Northrop Grumman Alpana.Gangopadhyaya@ngc.com Phone Number

466 views • 18 slides

More recommend