erim s secure e efficient i in pr proce cess ss iso isola
play

ERIM: S Secure, E , Efficient i in-pr proce cess ss Iso Isola - PowerPoint PPT Presentation

Feb 04, 2024 •136 likes •714 views

ERIM: S Secure, E , Efficient i in-pr proce cess ss Iso Isola latio tion n with ith Memory y Protectio tion n Keys s Anjo Vahldiek-Oberwagner , Eslam Elnikety, Nuno O. Duarte, Michael Sammler, Peter Druschel, Deepak Garg

  1. ERIM: S Secure, E , Efficient i in-pr proce cess ss Iso Isola latio tion n with ith Memory y Protectio tion n Keys s Anjo Vahldiek-Oberwagner , Eslam Elnikety, Nuno O. Duarte, Michael Sammler, Peter Druschel, Deepak Garg

  2. Applications in the Ab Absence of Isolation • All state accessible at all times to • Bugs • Security vulnerabilities Application 2

  3. Applications in the Ab Absence of Isolation Heartbleed Bug ~70% of CVE assigned by Microsoft are memory safety issues. Microsoft Security Response Center: “A proactive approach to more secure code”, 2019 3

  4. Example In-Process Isolation Use Cases Cryptographic Secrets Managed runtimes from native libraries Trusted Untrusted Native Library Crypto Library Application Managed Runtime 4

  5. User-space Threat Model Untrusted Application Trusted Untrusted Compartment Trusted Operating System CPU Attacker’s Capabilities include, but not limited to • Control-flow hijacks • Memory corruption (i.e., out-of-bounds accesses) Out of scope: • Side-channel, row hammer or microarchitectural attacks 5

  6. State of In-Application Isolation Techniques OS/VMM Technique Execution overhead Switch overhead Untrusted Trusted OS/VMM Low Low Medium Sensitive -based 2 Application Data Lang. & Medium – None None Application RT 3 High ERIM Low None Low OS + VMM 1 LwC, SMVs, Shreds, Wedge, Nexen, Dune, SeCage, TrustVisor 2 SFI 6

  7. State of In-Application Isolation Techniques Language and Runtime Techniques Execution overhead Switch overhead Untrusted Trusted OS/VMM- Application Low Low Medium based 2 Lang. & Medium – None None Sensitive RT 3 High Data ERIM Low None Low Operating System 1 LwC, SMVs, Shreds, Wedge, Nexen, Dune, SeCage, TrustVisor 2 SFI 7

  8. State of In-Application Isolation Techniques ERIM Execution overhead Switch overhead Untrusted Trusted OS/VMM- Low Low Medium Application based 2 Lang. & Medium – Sensitive None None RT 3 High data ERIM ERIM Low None Low Operating System 1 LwC, SMVs, Shreds, Wedge, Nexen, Dune, SeCage, TrustVisor 2 SFI, Native Client, Memsentry-MPX 8

  9. Memory Protection Keys (MPK) Address Space • Available in Skylake server CPUs Page 3 • Tag memory pages with PKEY Page 1 Page 2 Page Table Entry (PTE) PKEY Page 1 … … … 0 9

  10. Intel Memory Protection Keys (MPK) Address Space • Available in Skylake server CPUs Page 3 • Tag memory pages with PKEY Page 1 Page 2 Page Table Entry (PTE) PKEY Page 1 … … … 2 10

  11. Intel Memory Protection Keys (MPK) Address Space • Available in Skylake server CPUs Page 3 • Tag memory pages with PKEY • Permission Register (PKRU) Page 1 Page 2 CPU Core PKRU Register Page Table Entry (PTE) 15 15 2 2 1 1 0 0 PKEY … Page 1 … … … W R W R W R W R 2 0 0 … 0 0 0 1 1 0 11

  12. Intel Memory Protection Keys (MPK) Address Space • Available in Skylake server CPUs Page 3 • Tag memory pages with PKEY • Permission Register (PKRU) Page 1 • Userspace instruction to update PKRU Page 2 • Fast switch between 11 – 260 cycles/switch CPU Core PKRU Register Page Table Entry (PTE) 15 15 2 2 1 1 0 0 PKEY … Page 1 … … … W R W R W R W R 2 0 0 … 1 1 0 0 1 1 12

  13. Intel Memory Protection Keys (MPK) Address Space • Available in Skylake server CPUs Page 3 • Tag memory pages with PKEY • Permission Register (PKRU) By itself, Page 1 • Userspace instruction to update PKRU MPK does not protect Page 2 • Fast switch at 50 cycles/switch against malicious attacks. CPU Core PKRU Register Page Table Entry (PTE) 15 15 2 2 1 1 0 0 PKEY … Page 1 … … … W R W R W R W R 2 1 1 … 1 1 1 1 1 1 13

  14. Overview of ERIM • Prevent MPK exploitation Untrusted Application PKEY 0 • Safe call gates Trusted Compartment • Prevent execution of permission PKEY 1 register updates outside of call gates Code: 48 83 c0 08 44 01 fa 83 fa 07 77 0f 01 ef 83 ff 07 0f 96 c2 80 14

  15. Overview of ERIM • Prevent MPK exploitation Untrusted Application PKEY 0 • Safe call gates Trusted Compartment • Prevent execution of permission PKEY 1 register updates outside of call gates Code: 48 83 c0 08 44 01 fa 0f 01 ef 83 fa 07 77 83 ff 07 0f 96 c2 80 15

  16. Overview of ERIM • Prevent MPK exploitation Untrusted Application PKEY 0 • Safe call gates Trusted Compartment • Prevent execution of permission PKEY 1 register updates outside of call gates • Creating usable binaries • Inadvertent PKRU update instruction • Rewrite strategy Code: 48 83 c0 08 44 01 fa 0f 01 ef 0f 90 01 ef 83 fa 07 77 83 ff 07 0f 96 c2 80 16

  17. Overview of ERIM • Prevent MPK exploitation Untrusted Application PKEY 0 • Safe call gates Trusted Compartment • Prevent execution of permission PKEY 1 register updates outside of call gates • Creating usable binaries • Inadvertent PKRU update instruction • Rewrite strategy Code: 48 83 c0 08 44 01 fa • Evaluation 0f 90 01 ef 83 fa 07 77 • Frequently-switching use cases 83 ff 07 0f 96 c2 80 • 10% higher throughput compared to best existing technique 17

  18. Updating the permission in PKRU register • WRPKRU • Write EAX into PKRU • XRSTOR • If bit 9 of EAX is set • Load PKRU register from specified memory address 18

  19. Safe switching using ca call gates Trusted Compartment perm = UNTRUSTED perm = TRUSTED WRPKRU (perm) WRPKRU (perm) perm = TRUSTED goto trusted_entry(T) Untrusted Application 19

  20. Safe switching using ca call gates Trusted Compartment perm = UNTRUSTED perm = TRUSTED WRPKRU (perm) WRPKRU (perm) if ( perm != UNTRUSTED ) goto trusted_entry(T) exit; Untrusted Application 20

  21. Prevent execution of WRPKRU/XRSTOR outside of call gates Trusted Compartment Prevent execution of unvetted pages by New Memory (No Execute) 1) Monitoring system calls and removing the execute permission Untrusted Application 2) ERIM’s fault handler scans memory pages and ensures: System Calls WRPKRU is part of a call gate • XRSTOR is followed by • ERIM if(eax | 0x100) Operating exit(); System 21

  22. Overview of ERIM • Prevent MPK exploitation Untrusted Application PKEY 0 • Safe call gates Trusted Compartment • Prevent execution of permission PKEY 1 register updates outside of call gates • Creating usable binaries • Inadvertent PKRU update instruction • Rewrite strategy Code: 48 83 c0 08 44 01 fa • Evaluation 0f 01 ef 83 fa 07 77 • Frequently-switching use cases 83 ff 07 0f 96 c2 80 • 10% higher throughput compared to best existing technique 22

  23. Creating usable binaries • ERIM halts executables with inadvertent WRPKRUs/XRSTORs Inter-Instruction WRPKRU Intra-Instruction WRPKRU Instruction 1 Instruction 2 Instruction 1 … 0F 01EF … 01 0F01EF 0000 à Eliminate inadvertent WRPKRU/XRSTOR by binary rewriting at compile time , runtime prior to enabling execute permission , or via static binary rewriting for pre-compiled binaries 23

  24. Rewriting inadvertent WRPKRUs/XRSTORs Devise rewrite rules for inadvertent WRPKRUs Inter-Instruction: Instruction 1 Instruction 2 … 0F 01EF … … 0F 90 01EF … Nop 24

  25. Rewriting inadvertent WRPKRUs/XRSTORs Devise rewrite rules for inadvertent WRPKRUs Intra-instruction WRPKRU Simplified x86 instruction format: Prefix Opcode Mod R/M SIB Displacement Immediate Required Optional

  26. Rewriting inadvertent WRPKRUs/XRSTORs Devise rewrite rules for inadvertent WRPKRUs Example rewrite rule: Opcode Mod R/M Displacement add ecx, [ ebx + 0x01EF0000 ] 0x01 0x0F 0x01EF0000 à push eax; mov eax, ebx; Opcode Mod R/M Displacement add ecx, [eax + 0x01EF0000] ; pop eax; 0x01 0x07 0x01EF0000 26

  27. Overview of ERIM • Prevent MPK exploitation Untrusted Application PKEY 0 • Safe call gates Trusted Compartment • Prevent execution of permission PKEY 1 register updates outside of call gates • Creating usable binaries • Inadvertent PKRU update instruction • Rewrite strategy Code: 48 83 c0 08 44 01 fa • Evaluation 0f 90 01 ef 83 fa 07 77 • Frequently-switching use cases 83 ff 07 0f 96 c2 80 • 10% higher throughput compared to best existing technique 27

  28. Prototype implementation • ERIM userspace library • Call gates • Memory allocator for trusted component overloading malloc-like functions • Memory inspection (exclude unsafe WRPKRU/XRSTOR) • Prevent execution on pages with unsafe WRPKRUs/XRSTOR a) P-Trace and seccomp BPF userspace monitor b) Linux Security Module • Remove inadvertent WRPKRUs/XRSTORs • Static binary rewrite tool based on DynInst 28

  29. Evaluation How frequent are inadvertent WRPKRUs/XRSTORs? • Inspected about 200,000 executable files of 5 Linux distributions • Found 1213 inadvertent WRPKRU/XRSTOR in binary code • DynInst disassembled 1,023 • 100% rewrite success What is ERIM’s overhead in frequently-switching use cases? • Isolating session keys in Nginx • Isolating a managed runtime (node.js) from native libraries • Isolating in-memory state of reference monitors (CPI/CPS) 29

  30. Use case: Session Key Isolation Address Space OpenSSL & AES Compartment NGINX LibCrypto Connection Management HTTPS session Content Handshake protocol Cryptographic keys AES encrypt/decrypt AES key initialization 30

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

La Launching unching a Co a Collabo llaborat rativ ive e Pr Proce cess ss Photo by Jeff

La Launching unching a Co a Collabo llaborat rativ ive e Pr Proce cess ss Photo by Jeff

Stakeholders Forum for the Nantahala and Pisgah Plan Revision La Launching unching a Co a Collabo llaborat rativ ive e Pr Proce cess ss Photo by Jeff Clark Me Meeti ting ng Ob Obje jectiv ctives es Kick-off the Stakeholders

349 views • 15 slides
Simon Molden - The Sports Consultancy OPERATOR A ASSE SESS SSMENT T PROCE CESS SS ITT bid

Simon Molden - The Sports Consultancy OPERATOR A ASSE SESS SSMENT T PROCE CESS SS ITT bid

Operator Procurement Process Cabinet (Leisure Centre) Committee 14 th January 2019 Simon Molden - The Sports Consultancy OPERATOR A ASSE SESS SSMENT T PROCE CESS SS ITT bid return via HCC InTend portal November 2018 Selection

330 views • 6 slides
ST STAR AR-CCM+ / Optimate Kynan Maley ey Optimate Descr crip iptio ion Proce cess ss

ST STAR AR-CCM+ / Optimate Kynan Maley ey Optimate Descr crip iptio ion Proce cess ss

ST STAR AR-CCM+ / Optimate Kynan Maley ey Optimate Descr crip iptio ion Proce cess ss Study exampl ples Toke ken based licensi sing Summary Optimate STAR-CCM+ M+ add-on on Easy y to use! Pan anel to setup multip iple ST

480 views • 19 slides
Secure and Efficient Access to Outsourced Data Secure and Efficient Access to Outsourced Data

Secure and Efficient Access to Outsourced Data Secure and Efficient Access to Outsourced Data

Secure and Efficient Access to Outsourced Data Secure and Efficient Access to Outsourced Data Weichao Wang, Zhiwei Li, Rodney Owens, Bharat Bhargava CCSW 2009: The ACM Cloud Computing Security Workshop 1 The Problem Providing secure and

414 views • 19 slides
Simple and Communication Complexity Efficient Almost Secure and Perfectly Secure Message

Simple and Communication Complexity Efficient Almost Secure and Perfectly Secure Message

Simple and Communication Complexity Efficient Almost Secure and Perfectly Secure Message Transmission Schemes Yvo Desmedt 1 , 2 Stelios Erotokritou 1 Reihaneh Safavi-Naini 3 1 Department of Computer Science University College London, UK 2

459 views • 33 slides
Secure Returns SAFE AS A VAULT Secure SECONDS TO UPLOAD Efficient ACCESSIBLE ANYWHERE

Secure Returns SAFE AS A VAULT Secure SECONDS TO UPLOAD Efficient ACCESSIBLE ANYWHERE

Secure Returns SAFE AS A VAULT Secure SECONDS TO UPLOAD Efficient ACCESSIBLE ANYWHERE Convenient What is Secure Returns ? Secure Returns is a secure website where you and your clients can securely upload & download confidential

202 views • 9 slides
Secure and Efficient Metering Discussion Outline Clarifications Attack on Secure

Secure and Efficient Metering Discussion Outline Clarifications Attack on Secure

Secure and Efficient Metering Discussion Outline Clarifications Attack on Secure Metering Issues and Extensions Real World Other Directions Metering for General Access Structures Understanding the model Audit Agency

480 views • 35 slides
Subdiffusive behaviour generated by some non-hyperbolic (but ergodic) systems Stefano Isola

Subdiffusive behaviour generated by some non-hyperbolic (but ergodic) systems Stefano Isola

Subdiffusive behaviour generated by some non-hyperbolic (but ergodic) systems Stefano Isola Universit di Camerino stefano.isola@unicam.it https://unicam.it/ stefano.isola/index.html/ Prelude Prelude Symmetric random" walk on Z

1.66k views • 151 slides
Secure and efficient deep learning everywhere Octomizer Outline Who we are (recap) Deployment

Secure and efficient deep learning everywhere Octomizer Outline Who we are (recap) Deployment

Secure and efficient deep learning everywhere Octomizer Outline Who we are (recap) Deployment pain The vision The Octomizer: TVM for everyone 2 Simple, secure, and efficient Drive TVM adoption Expand the set of users who can deployment of

370 views • 14 slides
Secure and Efficient Metering Moni Naor and Benny Pinkas Eurocrypt '98 Contents Motivation

Secure and Efficient Metering Moni Naor and Benny Pinkas Eurocrypt '98 Contents Motivation

Secure and Efficient Metering Moni Naor and Benny Pinkas Eurocrypt '98 Contents Motivation One approach Lightweight Security Secure and Efficient Metering Motivation Advertising Webpage popularity Cost Measure

993 views • 49 slides
Efficient Outsourcing GWAS using FHE Wenjie Lu*, Jun Sakuma * * Dept. of CS, University of

Efficient Outsourcing GWAS using FHE Wenjie Lu*, Jun Sakuma * * Dept. of CS, University of

Efficient Outsourcing GWAS using FHE Wenjie Lu*, Jun Sakuma * * Dept. of CS, University of Tsukuba, Japan JST CREST Secure Outsourcing GWAS Secure computation [Cloud] Outline of our solution [data holder] Secure

381 views • 19 slides
Ensuring a secure, reliable and efficient Power System in a Changing Environment Delivering a

Ensuring a secure, reliable and efficient Power System in a Changing Environment Delivering a

Ensuring a secure, reliable and efficient Power System in a Changing Environment Delivering a Secure Sustainable Power System 17 th August 2011 Outline Agenda Chair: Dick Lewis, Manager, Grid Operations Planning 10.00 a.m. Registration (Tea

833 views • 70 slides
More Efficient (Almost) Tightly Secure Structure-Preserving Signatures Romain Gay 1 Dennis

More Efficient (Almost) Tightly Secure Structure-Preserving Signatures Romain Gay 1 Dennis

More Efficient (Almost) Tightly Secure Structure-Preserving Signatures Romain Gay 1 Dennis Hofheinz 2 Lisa Kohl 2 Jiaxin Pan 2 1 ENS Paris, France 2 Karlsruhe Institute of Technology, Germany R. Gay, D. Hofheinz, L. Kohl, J. Pan More Efficient

827 views • 45 slides
PEBB EBB Ope pen En Enrollment ollment Its Mandatory! Oc October ober 1- 31, 1,

PEBB EBB Ope pen En Enrollment ollment Its Mandatory! Oc October ober 1- 31, 1,

PEBB EBB Ope pen En Enrollment ollment Its Mandatory! Oc October ober 1- 31, 1, 201 017 2-Ste Step Proce cess ss for comp mpleting eting Open Enrollment llment* 1. 1. Enroll ll in plans and elect ct Health

416 views • 18 slides
Techniques for Efficient Secure Computation Based on Yaos Protocol Yehuda Lindell Bar-Ilan

Techniques for Efficient Secure Computation Based on Yaos Protocol Yehuda Lindell Bar-Ilan

Techniques for Efficient Secure Computation Based on Yaos Protocol Yehuda Lindell Bar-Ilan University, Israel PKC 2013 Yehuda Lindell Techniques for Efficient Secure Computation 28/2/2013 1 / 39 Secure Computation Background A set of

689 views • 39 slides
ACCESS CESS-A-RIDE IDE SER ERVICES ICES IN NE NEW W YOR ORK CITY What t is A s Access

ACCESS CESS-A-RIDE IDE SER ERVICES ICES IN NE NEW W YOR ORK CITY What t is A s Access

ACCESS CESS-A-RIDE IDE SER ERVICES ICES IN NE NEW W YOR ORK CITY What t is A s Access cess-A-Ride? ide? New York Citys parat atransit ransit service ice providing shared-ride transportation for people with disabilities.

631 views • 33 slides
VT VT-x Deepayan Bhattacharjee VT-x : Motivation To solve the problem that the x86

VT VT-x Deepayan Bhattacharjee VT-x : Motivation To solve the problem that the x86

MMU virtualization in In Intel VT VT-x Deepayan Bhattacharjee VT-x : Motivation To solve the problem that the x86 instructions architecture cannot be virtualized. Simplify VMM software by closing virtualization holes by design of Ring

507 views • 14 slides
The Turtles Project: Design and Implementation of Nested Virtualization Muli Ben-Yehuda

The Turtles Project: Design and Implementation of Nested Virtualization Muli Ben-Yehuda

The Turtles Project: Design and Implementation of Nested Virtualization Muli Ben-Yehuda Michael D. Day Zvi Dubitzky Michael Factor Nadav HarEl Abel Gordon Anthony Liguori Orit Wasserman Ben-Ami Yassour IBM

919 views • 63 slides
Virtual Machine Introspection Isolation Interpretation Interposition Isolation

Virtual Machine Introspection Isolation Interpretation Interposition Isolation

Virtual Machine Introspection Isolation Interpretation Interposition Isolation From in-guest kernel/userspace Provided by Xen Buggy emulation blurres the line From trusted computing base (TCB) Possible via Xen

286 views • 26 slides
Explainable AI: Beware of Inmates Running the Asylum Or: How I Learnt to Stop Worrying and Love

Explainable AI: Beware of Inmates Running the Asylum Or: How I Learnt to Stop Worrying and Love

Explainable AI: Beware of Inmates Running the Asylum Or: How I Learnt to Stop Worrying and Love the Social Sciences Tim Miller School of Computing and Information Systems Co-Director, Centre for AI & Digital Ethics The University of

732 views • 44 slides
HyperTracing Tracing Through Virtualization Layers Abderrahmane Benbachir Linux Plumbers

HyperTracing Tracing Through Virtualization Layers Abderrahmane Benbachir Linux Plumbers

HyperTracing Tracing Through Virtualization Layers Abderrahmane Benbachir Linux Plumbers Conference, September, 2017 cole Polytechnique de Montral Laboratoire DORSAL What is hypertracing? Hy Hypertra racing cing = Offloading traces from

450 views • 8 slides
Dune: Safe User-level Access to Privileged CPU Features

Dune: Safe User-level Access to Privileged CPU Features

Dune: Safe User-level Access to Privileged CPU Features Adam Belay, Andrea Bi>au, Ali MashAzadeh, David Terei, David Mazires, and Christos Kozyrakis

387 views • 38 slides
THE CUMULATIVE DISADVANTAGE OF UNEMPLOYMENT Irma Mooi-Reci University of Melbourne

THE CUMULATIVE DISADVANTAGE OF UNEMPLOYMENT Irma Mooi-Reci University of Melbourne

THE CUMULATIVE DISADVANTAGE OF UNEMPLOYMENT Irma Mooi-Reci University of Melbourne www.melbourneinstitute.com Acknowledgement FUNDING Australian Research Council Discovery Project grant (#DP160101063) COLLABORATORS Anna Manzoni (North

600 views • 22 slides
Towards Virtual M Machine Image M Management for Per ersis isten ent M Mem emory MSST 2019

Towards Virtual M Machine Image M Management for Per ersis isten ent M Mem emory MSST 2019

Towards Virtual M Machine Image M Management for Per ersis isten ent M Mem emory MSST 2019 Jiachen Zhang , Lixiao Cui, Peng Li, Xiaoguang Liu, Gang Wang Nankai-Baidu Joint Lab, Nankai University Agenda Background & Motivation

516 views • 33 slides

More recommend