
Graphical User Interface for Virtualized Mobile Handsets. Janis Danisevskis, Michael Peter, Jan Nordholz, Matthias Petschick, Julian Vetter. Security in Telecommunications, Technische Universität Berlin. MoST, San José, May 21st, 2015.


SLIDE 1

Graphical User Interface for Virtualized Mobile Handsets

Janis Danisevskis, Michael Peter, Jan Nordholz, Matthias Petschick, Julian Vetter

Security in Telecommunications, Technische Universität Berlin

MoST, San José, May 21st, 2015

SLIDE 2

Motivation Secure GUI (Trusted Path) Secure Virtual GPU Evaluation Conclusion

Bring Your Own Device

Business

Business Phone Policy (possibly)
  • Restricted set of apps
  • Restricted internet access (VPN/Firewall)
  • Remote provisioning

Speaker: Janis Danisevskis Graphical User Interface for Virtualized Mobile Handsets 2/20

SLIDE 3

Bring Your Own Device

Private

Private Phone Policy (likely)
  • This is my phone, so I do whatever I want. And, don’t meddle with my stuff.


SLIDE 7

Our approach on BYOD

[Figure: Hypervisor/Microkernel with two virtual machines on top, Private and Business]

SLIDE 8

Challenges addressed by this work

Threat Model
  • Private side is under the control of an attacker
  • Impersonation attacks
  • Eavesdropping attacks
  • Evasion of isolation

[Figure: "Corporate Login" dialog with Username and Password fields]

SLIDE 9

Challenges addressed by this work

[Figure: "Corporate Email App" showing the following message]
  From: Your Boss
  Subject: New Acquisition
  Transfer $gazillion to account no: xxxevilxxxx
  Your Boss

SLIDE 10

Challenges addressed by this work

Eavesdropping attacks
  • Keylogging / logging of touch events
  • Spying on screen output

SLIDE 11

Challenges addressed by this work

Evasion of isolation: DMA devices can threaten isolation
  • [7] Cloudburst (2009)
  • [6] Dark Side of the Shader: Mobile GPU-Aided Malware Delivery (2013)
  • [3, 5, 4] “Fire in the (root) hole!” (2014)

SLIDE 12

Challenges addressed by this work

Design Goals
  • High graphics performance
  • Low impact on CPU load
  • Low impact on the TCB

SLIDE 13

Challenges addressed by this work

Design and Implementation
  • Secure GUI (Trusted path)
  • Secure Mobile GPU Virtualization

SLIDE 14

Output label

[Figure: output labels "Private" and "Business"]

SLIDE 15

[Figure labels: screen with client region and label region; framebuffer switch; client VM 1 and client VM 2; client framebuffers; label framebuffer]

Screen is split into label region and client region

SLIDE 16

Client VMs have private framebuffers

SLIDE 17

Label controlled by the switcher indicates output routing

SLIDE 18

Zero copy and composition in hardware

SLIDE 19

[Figure labels: display controller driver; display controller with scan-out region 1 and scan-out region 2 control registers; physical memory holding the client 1 buffer, client 2 buffer and label buffer; guest physical memory of client 1 and client 2; "controls"; buffers marked visible / not visible]

SLIDE 20

[Figure labels: input driver; input switch; display controller driver; framebuffer switch; policy master; decision maker; client 1 VM; client 2 VM; vsync interrupt; input events; output data; "event == !"]

SLIDE 21

Summary: Secure GUI

  • Unforgeable labels → prevent impersonation
  • Private framebuffers and exclusive input routing → prevent eavesdropping
  • Zero copy with hardware overlays → low CPU load and low complexity

SLIDE 22

Mobile GPU Driver Stack

[Figure labels: Application; GPU abstraction (OpenGL/EGL); user space GPU driver; Kernel: GPU driver; Hardware: GPU, MMU]

User-space driver
  • Provides: OpenGL/EGL abstraction
  • Comprises: shader compiler, linker, ...

Kernel-space driver
  • Schedules rendering tasks
  • Protects memory


SLIDE 24

Mobile GPU Driver Stack

[Figure labels: GPU job; GPU address space; process address space; physical address space]

SLIDE 25

Mobile GPU Driver Stack (paravirtualized)

[Figure labels: virtual machine containing Application, GPU abstraction (OpenGL/EGL), user space GPU driver and Guest Kernel with GPU driver stub; GPU server; Hypervisor; Hardware: GPU, MMU]

  • User-space driver unmodified
  • User-kernel interface unmodified
  • Custom protocol between GPU driver stub and GPU server

  • No forwarding of high bandwidth data, such as textures, attribute lists, or shader programs
  • Forwards job requests to the GPU server (and job completion notifications to the client)
  • Forwards mapping requests to the GPU server


SLIDE 28

Mobile GPU Driver Stack (paravirtualized)

[Figure labels: GPU job; GPU address space; guest physical address space of VM1, VM2 and VM3; host physical address space; guest mappings; effective shadow mappings]
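
The mapping path sketched on these slides, as an added example that is not the authors' GPU-RG code: a GPU server receives mapping requests from a guest's driver stub, checks them against the memory that VM owns, and writes the resulting host-physical page into a per-VM shadow table. The struct layout, function names, table sizes and page numbers are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#define NUM_VMS   2            /* constructed sample setup */
#define GPU_PAGES 8            /* pages in each VM's GPU address space */
#define INVALID   UINT32_MAX   /* marks an unmapped GPU page */

/* Per-VM state kept by the GPU server (hypothetical layout). */
struct vm {
    uint32_t host_base;         /* first host-physical page backing the VM */
    uint32_t npages;            /* guest-physical pages the VM owns */
    uint32_t shadow[GPU_PAGES]; /* GPU page -> host page; only the server writes it */
};

static struct vm vms[NUM_VMS] = {
    { .host_base = 0x100, .npages = 16 },
    { .host_base = 0x200, .npages = 16 },
};

void gpu_server_init(void) {
    for (size_t v = 0; v < NUM_VMS; v++)
        for (size_t i = 0; i < GPU_PAGES; i++)
            vms[v].shadow[i] = INVALID;
}

/* Mapping request from a guest's driver stub: GPU page -> guest-physical page.
 * Returns 0 if the shadow mapping was installed, -1 if the request is refused. */
int gpu_server_map(unsigned vm_id, uint32_t gpu_pg, uint32_t guest_pg) {
    if (vm_id >= NUM_VMS || gpu_pg >= GPU_PAGES)
        return -1;
    struct vm *vm = &vms[vm_id];
    if (guest_pg >= vm->npages)   /* not memory this VM owns */
        return -1;
    vm->shadow[gpu_pg] = vm->host_base + guest_pg;  /* effective shadow mapping */
    return 0;
}

/* Host page the GPU MMU would reach for a job of this VM, or INVALID. */
uint32_t gpu_translate(unsigned vm_id, uint32_t gpu_pg) {
    if (vm_id >= NUM_VMS || gpu_pg >= GPU_PAGES)
        return INVALID;
    return vms[vm_id].shadow[gpu_pg];
}

int main(void) {
    gpu_server_init();
    int ok  = gpu_server_map(0, 1, 3);      /* VM 0 maps its own page 3 */
    int bad = gpu_server_map(0, 2, 0x100);  /* page beyond VM 0's memory */
    return (ok == 0 && bad == -1 && gpu_translate(0, 1) == 0x103) ? 0 : 1;
}
```

Because the guest only names guest-physical pages and the server alone writes the shadow table, a request that points past the VM's memory never becomes a GPU-visible mapping.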

SLIDE 29

Prototype

Hardware
  • Samsung Galaxy SIII
  • Exynos4412 SoC
  • 4 × ARM Cortex A9 @ 1.4 GHz
  • ARM Mali 400 MP4 GPU

Software
  • Fiasco.OC (based on rev. 38)
  • L4Re (based on rev. 38)
  • L4Linux (based on Linux 3.0.101)
  • Cyanogenmod CM-10.1.3

SLIDE 30

TCB impact

Module               SLOC¹
GPU-RG²              2,679
display driver       2,382
framebuffer switch     548
input driver           710
input switch           539
total                6,858

¹ Source lines of code measured with David A. Wheeler’s “SLOCCount”
² GPU-RG: Name of our GPU-server (RG is for resource governor)

SLIDE 31

Performance evaluation — experiments

  • Native: Cyanogenmod on Linux on bare metal
  • Pass-through: Cyanogenmod on L4Linux on Fiasco.OC; GPU driven by the guest kernel
  • GPU-RG: Cyanogenmod on L4Linux on Fiasco.OC; GPU driven by GPU-RG

SLIDE 32

Performance evaluation — benchmarks

[Figure: frame rate (fps, axis ticks 10 to 80) per benchmark (Cube, Blending, Fog, Teapot, Quake III) for native, GPU-RG and pass-through]

Cube, Blending, Fog, and Teapot are part of the 0xbench [1] benchmark suite. Quake III is the FOUR.DM 68 demo of QuakeIII Arena run with QIII4A [2].

SLIDE 33

Performance evaluation — benchmarks

[Figure: frame rate (fps, axis ticks 100 to 500) for the benchmark "Cube unsynced" for native, GPU-RG and pass-through]

SLIDE 34

Job Submission and Notification cost

experiment                   GP¹     PP¹
native        submit [µs]   15.0    25.2
pass-through  submit [µs]   22.1    34.9
              notify [µs]    3.6     3.2
GPU-RG        submit [µs]   47.3    67.5
              notify [µs]   52.8    49.7

Takeaway: To meet a job submission rate of 60 Hz, an additional 2.3 % of CPU utilization is incurred on one CPU core.

¹ The ARM Mali 400 MP4 GPU has a geometry processor (GP) and 4 pixel presenters (PP)

SLIDE 35

Conclusion

Secure GUI (Trusted Path) addresses:
  • Impersonation attacks
  • Eavesdropping attacks
  • Impact on CPU load and TCB

Secure GPU virtualization addresses:
  • Enforced isolation of GPU jobs
  • Low overhead for GPU jobs
  • Low impact on TCB

SLIDE 36

Questions?

SLIDE 37

References I

[1] 0xbench. https://code.google.com/p/0xbench/.
[2] QIII4A. https://play.google.com/store/apps/details?id=com.n0n3m4.QIII4A&hl=de.
[3] CVE-2014-0972. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0972, 01 1014.

SLIDE 38

References II

[4] Rob Clark. Fire in the (root) hole! http://bloggingthemonkey.blogspot.de/2014/06/fire-in-root-hole.html.
[5] Rob Clark. Kilroy. https://github.com/robclark/kilroy.

SLIDE 39

References III

[6] Janis Danisevskis, Marta Piekarska, and Jean-Pierre Seifert. Dark side of the shader: Mobile GPU-aided malware delivery. In Hyang-Sook Lee and Dong-Guk Han, editors, Information Security and Cryptology - ICISC 2013 - 16th International Conference, Seoul, Korea, November 27-29, 2013, Revised Selected Papers, volume 8565 of Lecture Notes in Computer Science, pages 483–495. Springer, 2013.
[7] Kostya Kortchinsky. Cloudburst. Black Hat USA June, 2009.