Hardware Enforcement of Application Security Policies Using Tagged - - PowerPoint PPT Presentation

hardware enforcement of application security policies
SMART_READER_LITE
LIVE PREVIEW

Hardware Enforcement of Application Security Policies Using Tagged - - PowerPoint PPT Presentation

Nov 27, 2022 406 likes •560 views

Faculty of Computer Science Institute for System Architecture, Operating Systems Group Hardware Enforcement of Application Security Policies Using Tagged Memory Nickolai Zeldovich, Hari Kannan, Michael Dalton and Christos Kozyrakis Dresden,

slide-1
SLIDE 1

Faculty of Computer Science Institute for System Architecture, Operating Systems Group

Hardware Enforcement of Application Security Policies Using Tagged Memory

Dresden, 2008-12-17 Nickolai Zeldovich, Hari Kannan, Michael Dalton and Christos Kozyrakis

slide-2
SLIDE 2

TU Dresden, 2008-12-17 Tagged Memory Slide 2 von 13

Motivation

  • Gap between security mechanisms and

different abstraction layers

 Facebook example: only friends can see profile

  • Reflect upon data vs. individual operations

 Take primitive mechanism that fits all

  • Need for small TCB, that ensures certain

security policies at runtime, as verification is hard (example: Anti-Virus scanner)

slide-3
SLIDE 3

TU Dresden, 2008-12-17 Tagged Memory Slide 3 von 13

Solution: tagged memory

  • Additional memory protection mechanism in

hardware

  • Word-granular security tags for memory,

enforced by the CPU

  • Hardware extensions are used in new mode
slide-4
SLIDE 4

TU Dresden, 2008-12-17 Tagged Memory Slide 4 von 13

Starting Point: HiStar

  • HiStar is a kind of micro-kernel

 Inspired by AsbestOS's labels  Decentraliced information flow control  In contrast to AsbestOS labels are altered

explicitly

 Provides Unix environment that translates Unix

implicit policies to HiStar's labeling mechanism (remember Flume: Linux enhanced by DIFC)

slide-5
SLIDE 5

TU Dresden, 2008-12-17 Tagged Memory Slide 5 von 13

HiStar labeling mechanism

  • Each kernel object has a label:

 threads, address spaces, segments, gates,

containers, devices

  • Label is a set of categories (61-Bit ID) and

taint levels

  • Thread's label:

 Shows degree of information contamination,

regarding specific categories

 Can be extended explicitly up to specified

clearance

  • Gates have an associated label and clearance
slide-6
SLIDE 6

TU Dresden, 2008-12-17 Tagged Memory Slide 6 von 13

Tagged memory and LoStar

  • Using hardware memory tags to divide kernel

into thread domains

  • New super-supervisor mode running small

kernel subset, that drives tagging hardware

Loki LoStar HiStar

App App App

slide-7
SLIDE 7

TU Dresden, 2008-12-17 Tagged Memory Slide 7 von 13

LoStar's protection

  • Twofold memory tags page-wide or word-wide
  • Integrity protection of all kernel object's labels

and reference counters and the global object hash table by word-tags

  • Monitor call API:

Thread switch (changes permissions)

Allocate or free kernel object (set or free label)

IPC by invoking a Gate (label check)

Increment or decrement object's refcounter

Adjusting the thread's label

...

slide-8
SLIDE 8

TU Dresden, 2008-12-17 Tagged Memory Slide 8 von 13

Cruel thing: Devices

  • Interrupts don't change (non-)monitor mode
  • Interrupt handling code and most device

handling code resides in security monitor

  • Interrupts received by non-monitor world

need to be delivered to monitor!

  • Device driver code that deals with various

tags (like disk driver) will remain in trusted code part

slide-9
SLIDE 9

TU Dresden, 2008-12-17 Tagged Memory Slide 9 von 13

Loki

  • Associates 32-bit tag for each 32-bit word in

physical memory

  • Page-tag array indexed by frame address

contains tags, is cached by TLB like tag-cache

  • Page-tag array entries have a special

indirection-bit to indicate word-granular tags for that page

  • Additional P-cache contains tag-values and

permissions of running thread

  • P-cache misses are handled by monitor
slide-10
SLIDE 10

TU Dresden, 2008-12-17 Tagged Memory Slide 10 von 13

Loki prototype

  • Leon SPARC V8 (FPGA core) 65 MHz
  • Added:

 6 instructions (e.g.: P-cache handling)  7 registers (e.g.: faulting tag value)  32 entry 2-way associative P-cache  8 entry full-associative tag-TLB

  • P-cache gets accessed at least once by each

instruction !!!

slide-11
SLIDE 11

TU Dresden, 2008-12-17 Tagged Memory Slide 11 von 13

Evaluation: TCB

  • Trusted code base shrinks?
  • They didn't state exactly what is meant by

trusted

  • To be sure that my applictions policy is

enforced by the monitor + Loki I need to trust the whole kernel

slide-12
SLIDE 12

TU Dresden, 2008-12-17 Tagged Memory Slide 12 von 13

Performance

slide-13
SLIDE 13

TU Dresden, 2008-12-17 Tagged Memory Slide 13 von 13

Conclusion / Discussion

  • What do they won? TCB size reduction?
  • What about 'more realistic hardware and the

supposable greater overhead?

  • Singularity went in the opposite direction and

left out hardware memory protection at all, who is right?

  • Is there one security mechanism (like labels)

that fits all, or do we need the different layers (example: timing issues, resource accounting ...)

slide-14
SLIDE 14

TU Dresden, 2008-12-17 Tagged Memory Slide 14 von 13

Loki pipeline