ARMlock: Hardware-based Fault Isolation for ARM Yajin Zhou , - - PowerPoint PPT Presentation

armlock hardware based fault
SMART_READER_LITE
LIVE PREVIEW

ARMlock: Hardware-based Fault Isolation for ARM Yajin Zhou , - - PowerPoint PPT Presentation

Aug 27, 2023 618 likes •915 views

ARMlock: Hardware-based Fault Isolation for ARM Yajin Zhou , Xiaoguang Wang, Yue Chen, and Zhi Wang North Carolina State University Xian Jiaotong University Florida State University Software is Complicated and Vulnerable Number of CVEs 17

slide-1
SLIDE 1

ARMlock: Hardware-based Fault Isolation for ARM

Yajin Zhou, Xiaoguang Wang, Yue Chen, and Zhi Wang North Carolina State University Xi’an Jiaotong University Florida State University

slide-2
SLIDE 2

Software is Complicated and Vulnerable

125 86 116 189 102 152 266 249 175 110 43 44 63 74 78 3 7 3 4 27

50 100 150 200 250 300

2010 2011 2012 2013 2014

Number of CVEs Linux Chrome Apache Libpng

2

17 million SLOC 15 million SLOC 400 thousands SLOC 2 million SLOC

slide-3
SLIDE 3

Software is Complicated and Vulnerable

  • Code: different sources
  • Third-party libraries, plugins …
  • Vulnerabilities in one module could compromise the whole

application

3

Heartbleed

slide-4
SLIDE 4

Software Fault Isolation

  • SFI: security by isolation
  • Split application into different fault domains
  • Separate each domain from others
  • Compromised fault domains cannot affect others
  • Widely used in x86 systems
  • Linux kernel: LXFI
  • User level applications: Native client, Vx32 …

4

Our work focuses on ARM architecture

slide-5
SLIDE 5

ARM Architecture is Popular

5

750 million Android devices in 2013 99% are based on ARM architecture ARM is catching up in the data center server market

slide-6
SLIDE 6

SFI on ARM Architecture

  • Native client for ARM
  • Compiler based solution
  • Limitations: assumption on memory layout, hard to efficiently support

self-modifying code, and JIT compiling

  • ARMor
  • Binary rewriting
  • High performance overhead

6

slide-7
SLIDE 7

Our Solution: ARMlock

  • Strict isolation
  • Memory read/write, code execution, system calls
  • Low performance overhead
  • Sandbox context switch, sandbox itself
  • Compatibility
  • Memory layout, self-modifying code, JIT compiling
  • Leverage an often overlooked hardware feature: Memory domain

7

slide-8
SLIDE 8

Background: ARM Memory Domain

8

Domain 0 Domain 1 Domain 2 Domain 14 … Domain 15 lw r0, [r1] … … lw r1, [r2] D1 D0 D14 D15 Type Value Description No Access 00 No access permitted Client 01 Permissions defined by page tables Reserved 10 Reserved Manager 11 No permissions check (unlimited access) 00 01 … 00 00

X

Virtual memory space Sandboxed code DACR Register ARM domain access control

slide-9
SLIDE 9

Threat Model

  • OS kernel is trusted
  • Host application is benign but could be vulnerable
  • External modules: vulnerable or malicious

9

Isolate compromised or malicious modules from the host application

slide-10
SLIDE 10

ARMlock Architecture

10 10

Sandboxed untrusted module ARMlock kernel extension

Host application Linux kernel function function

Kernel mode User mode Cross-sandbox communication (with the help of ARMlock kernel extension) System call interposition

data data

slide-11
SLIDE 11

Sandbox Creation

  • Host application asks ARMlock kernel module to create a sandbox
  • Kernel module initializes the sandbox
  • Locate first level page table entries
  • Assign different memory domains to the host application and sandboxes
  • Memory domain assignment cannot be changed by the sandbox

11 11

slide-12
SLIDE 12

Sandbox Switch

  • DACR register is saved in the thread control block
  • DACR register is updated when switching sandboxes
  • Only current domain (and kernel) are accessible, not other domains
  • Multithreading is naturally supported
  • Each CPU core has its own DACR register

12 12

slide-13
SLIDE 13

Cross-sandbox Communication

  • Inter-module function call
  • Inter-module memory reference

13 13

slide-14
SLIDE 14

Inter-module Function Invocation

  • Two new system calls
  • ARMlock_CALL: inter-module function call
  • ARMlock_RET: inter-module function return

14 14

slide-15
SLIDE 15

Inter-module Function Invocation

  • Inter-module function invocation

15 15

Sandboxed untrusted module ARMlock kernel extension

Host application Linux kernel stub caller callee gate gate

Kernel mode User mode Inter-domain transfer (with the help of ARMlock kernel extension) Intra-domain transfer (with the help of ARMlock user library)

slide-16
SLIDE 16

Inter-module Function Invocation

16 16

Call Sandbox1 _func Sandbox 0

Prepare context Issue ARMlock_CALL Switch stack etc. Set PC to entry gate ARMlock_CALL returns Prepare context Call real function Issue ARMlock_RET

Sandbox1 _func Sandbox 1

Switch stack etc. Set PC to return gate ARMlock_RET returns Restore context Return

Stub Entry gate Return gate ARMlock kernel module Caller Callee

slide-17
SLIDE 17

Inter-module Memory Reference

  • Kernel assisted memory copy
  • Kernel marks both domains as accessible
  • Copy data into the destination sandbox
  • Restore the DACR register

17 17

slide-18
SLIDE 18

Inter-module Memory Reference

  • Shared memory domain: using a domain which is accessible in

both sandboxes

  • Data from sandboxed modules should be sanitized

18 18

lw r0, [r1] … … lw r1, [r2] Sandbox 0 lw r3, [r1] … … lw r5, [r2] Sandbox 1 Accessible Non-accessible Domain 0 Domain 1 Domain 2 Domain 14 … Domain 15 Memory space Domain 0 Domain 1 Domain 2 Domain 14 … Domain 15 Memory space

slide-19
SLIDE 19

System Call Interposition

  • Recent Linux system has 380+ system calls
  • Normal applications may use less than that, e.g., around 60
  • More system calls may expose more kernel vulnerabilities
  • Host applications in ARMlock could control system calls available

to sandboxed modules

  • Implemented through the seccomp-BPF framework

19 19

slide-20
SLIDE 20

Evaluation

  • Security analysis
  • Performance overhead
  • Sandbox switch latency
  • Sandbox itself

20 20

slide-21
SLIDE 21

Security Analysis

  • Cross-sandbox communication
  • Inter-module function invocation
  • Inter-module memory reference
  • Kernel assisted memory copy
  • Shared memory domain: race condition

21 21

Sandboxed module ARMlock

Host application Linux kernel

1

function function data data

2

slide-22
SLIDE 22

Performance Evaluation: Configuration

22 22

Item Configuration CPU ARM1176JZF-S 700MHz RAM 512MB OS Raspbian (based on Debian) Kernel Linux 3.6.11 LMbench Version 2 nbench Version 2.2.3

slide-23
SLIDE 23

Sandbox Switch Latency

  • Call a simple inc function inside the sandbox
  • 1 second: 903,343 inter-module calls -- 1.1 μs for each call

23 23

slide-24
SLIDE 24

Sandbox Switch Latency

  • One sandbox switch: two system calls

24 24

2.6 5.8 2778.3 2631 1 1 16.4 3.1 17.4

1 x 10 x 100 x 1,000 x 10,000 x ARMlock clock exec fork getpid null sig_handle sig_install stat

slide-25
SLIDE 25

Performance Overhead

0.584 0.661 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Internal External

25 25

slide-26
SLIDE 26

Discussion

  • Some developer efforts are required
  • Refactor the application into domains
  • Avoid frequent domain switch
  • Need to use short format page table in latest ARM architecture
  • Kernel-level sandbox
  • Other OS support

26 26

slide-27
SLIDE 27

Takeaway

  • ARMlock: a hardware-based fault isolation for ARM
  • Strict isolation
  • Low performance overhead
  • Better compatibility

27 27

slide-28
SLIDE 28

28 28

Q&A