isolation
play

Isolation William Arthur , Sahil Madeka, Reetuparna Das, Todd Austin - PowerPoint PPT Presentation

Mar 27, 2024 •328 likes •654 views

Locking Down Insecure Indirection with Hardware-Based Control-Data Isolation William Arthur , Sahil Madeka, Reetuparna Das, Todd Austin MICRO, Waikiki, Hawaii, US December 7 th 2015 Goal of this work MAKE SOFTWARE MORE SECURE Reducing the

  1. Locking Down Insecure Indirection with Hardware-Based Control-Data Isolation William Arthur , Sahil Madeka, Reetuparna Das, Todd Austin MICRO, Waikiki, Hawaii, US December 7 th 2015

  2. Goal of this work MAKE SOFTWARE MORE SECURE Reducing the software attack surface by subtracting the root cause leading to many software exploits today Accomplished by locking down insecure indirection 2

  3. Locking Down Insecure Indirection (1) Every control transfer in executing application comes from the programmer: Every PC address encoded in instructions, OR Is derived from secure hardware structures Executing application always adheres to the programmer-defined control-flow graph Stopping control-flow attacks which derail the CFG 3

  4. Locking Down Insecure Indirection (2) Achieved by hardware-software co-design Software: Eliminate all indirect control-flow instructions – via Control-Data Isolation (CDI) [1] Hardware: Memoization of secure control transitions in secure hardware – via Indirect Edge Cache [1] Getting in Control of Your Control Flow with Control-Data Isolation , Arthur et al., CGO 2015 4

  5. Outline Software (in)security – Control-Flow Attack Software (in)security Hardware-Based Control-Data Isolation Hardware-Based Control-Data Isolation Measure performance and security Measure performance and security Conclusions Conclusions 5

  6. Control-Flow Attack Control-Flow Attacks violate, at runtime, the CFG of an application by corrupting the PC with user-injected data return ????? Buffer Overflow local variables, return Heap Spray attack value Return-to-libc code Code Gadgets Stack Smash buffer 6

  7. Outline Software (in)security Hardware-Based Control-Data Isolation Measure performance and security Conclusions 7

  8. Control-Data Isolation int bar() { int bar() { int bar() { // function code // function code // function code return; if ([%esp]==_ret1) } jump _ret1; return; Vulnerable Code else if ([%esp]==_ret2) } jump _ret1; ret Vulnerable Code else call _abort; } White-list of valid “ Sled ” of conditional branches CFG edges and direct jumps 9

  9. Hardware-Based CDI Software- only CDI (CGO ’15) retains higher than desired runtime overheads for some applications – 31% for gcc Key insight: Caching previously executed sled edges obviates subsequent re- executions of the sled Addition of hardware edge cache 11

  10. Hardware-Based CDI Algorithm Indirect Instruction Execute (*jmp, *call, ret) Instructions Hit? Check Edge Cache Cache for <source,target> <source,target> of taken branch pair Miss? Fall-through to sled , retain Taken branch <source> from sled 12

  11. Hardware-Based CDI Algorithm Indirect Instruction Execute (jmp, call, ret) Instructions Hit? Check Edge Cache Cache for <source,target> <source,target> of taken branch pair Miss? Fall-through to sled , retain Taken branch <source> from sled 13

  12. Hardware-Based CDI Algorithm Indirect Instruction Execute (*jmp, *call, ret) Instructions Hit? Check Edge Cache Cache for <source,target> <source,target> of taken branch pair Miss? Fall-through to sled, retain Taken branch <source> from sled 14

  13. Hardware-Based CDI Algorithm Indirect Instruction Execute (jmp, call, ret) Instructions Hit? Check Edge Cache Cache for <source,target> <source,target> of taken branch pair Miss? Fall-through to sled , retain Taken branch <source> from sled 15

  14. Hardware-Based CDI Algorithm Indirect Instruction Execute (jmp, call, ret) Instructions Hit? Check Edge Cache Cache for <source,target> <source,target> of taken branch pair Miss? Fall-through to sled , retain Taken branch <source> from sled 16

  15. Hardware-Based CDI Algorithm Indirect Instruction Execute (jmp, call, ret) Instructions Hit? Check Edge Cache Cache for <source,target> <source,target> of taken branch pair Miss? Fall-through to sled, retain Taken branch <source> from sled 17

  16. Hardware-Based CDI Algorithm Indirect Instruction Execute (jmp, call, ret) Instructions Hit? Check Edge Place Cache for <source,target> in the Edge <source,target> Cache pair Miss? Fall-through to sled, retain Taken branch <source> from sled 18

  17. Hardware-Based CDI Algorithm Indirect Instruction Execute (jmp, call, ret) Instructions Hit? Check Edge Cache Cache for <source,target> <source,target> of taken branch pair Miss? Fall-through to sled, retain Taken branch <source> from sled 19

  18. Hardware-Based CDI Algorithm Indirect Instruction Execute (*jmp, *call, ret) Instructions Hit? Check Edge Cache Cache for <source,target> <source,target> of taken branch pair Miss? Fall-through to sled, retain Taken branch <source> from sled 20

  19. Hardware-Based CDI Algorithm Indirect Instruction Execute (jmp, call, ret) Instructions Hit? Check Edge Cache Cache for <source,target> <source,target> of taken branch pair Miss? Fall-through to sled , retain Taken branch <source> from sled 21

  20. Edge Cache(1) New hardware structure – edge cache Memoization of most recent indirect edges 22

  21. Edge Cache(2) Fetch Edge Cache Squash, execute <src,target> sled Commit No = Retire Yes 23

  22. Edge Cache(2) PC BTB Fetch Target Edge Index Cache Squash, GHR execute <src,target> sled Commit No = Retire Yes 24

  23. Challenges Edge Cache Source Target U V Address Address tag, full address 128 + 2 bits per entry! 1k entries = 16 kB 26

  24. Region Table Edge Cache Source Target Region Region G G U V Addr. Offset Addr. Offset Pointer(S) Pointer(T) offset, 18 bits index, 5 bits 27

  25. Region Table Edge Cache Source Target Region Region G G U V Addr. Offset Addr. Offset Pointer(S) Pointer(T) Region Table Region Address G U V 28

  26. Region Table Edge Cache Source Target Region Region G G U V Addr. Offset Addr. Offset Pointer(S) Pointer(T) 50 bits per Region Table entry! Region Address G U V 1k entries 6.75 kB total Region Offset full address 29

  27. Outline Software (in)security Hardware-Based Control-Data Isolation Measure performance and security Conclusions 30

  28. Experimental Setup gem5 architectural simulator Detailed O3 cpu model, configured similar to Intel Haswell processor, x86-64 SPECINT 2000 & 2006 1,024-entry edge cache 4-way set associative 32-entry region table 31

  29. Speedup Over Native Execution 1.2 0.995 Hardware-Based CDI Software-Based CDI 1 0.8 0.84 0.6 0.4 0.2 0 Benchmark Applications Branch prediction – 6% speedup 400.perlbench vs BTB 32

  30. Security Average Indirect target Reduction – AIR [2] Measure of the reduction in the software attack surface 99.999%+ reduction in indirect target set Average of tens of targets per indirect Previous works : average of tens of thousands of targets per indirect instruction [2] Control Flow Integrity for COTS Binaries , Zhang and Sekar, USENIX Security 2013 33

  31. Conclusions Locking down insecure indirection can eliminate contemporary control-flow attacks Hardware-based control-data isolation efficiently realizes this capability Minimal runtime overhead – 0 . 5% 34

  32. Thank You Questions? 35

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Serializable Snapshot Isolation Making ISOLATION LEVEL SERIALIZABLE Provide Serializable

Serializable Snapshot Isolation Making ISOLATION LEVEL SERIALIZABLE Provide Serializable

Serializable Snapshot Isolation Making ISOLATION LEVEL SERIALIZABLE Provide Serializable Isolation Dan Ports Kevin Grittner MIT Wisconsin Court System Saturday, May 21, 2011 1 Overview Serializable isolation makes it easier to reason

922 views • 60 slides
ADAPTED SPAULDING PYRAMID Making Isolation: How does it work? Patient Isolation- Creating

ADAPTED SPAULDING PYRAMID Making Isolation: How does it work? Patient Isolation- Creating

ADAPTED SPAULDING PYRAMID Making Isolation: How does it work? Patient Isolation- Creating auxiliary isolation rooms (CDC) SCRUBBERS - 1 ea to serve patient room, and 1 for Airlock Typically deployed on supplied wheel platform

144 views • 3 slides
Virtual Machine Introspection Isolation Interpretation Interposition Isolation

Virtual Machine Introspection Isolation Interpretation Interposition Isolation

Virtual Machine Introspection Isolation Interpretation Interposition Isolation From in-guest kernel/userspace Provided by Xen Buggy emulation blurres the line From trusted computing base (TCB) Possible via Xen

286 views • 26 slides
2 Fault Isolation &amp; Restoration Manual Fault Isolation &amp; Restoration The

2 Fault Isolation &amp; Restoration Manual Fault Isolation &amp; Restoration The

1 Self Healing Network (Centralized Restoration Gateway) IEEE PES 2015 General Meeting 2 Fault Isolation &amp; Restoration Manual Fault Isolation &amp; Restoration The operator makes switching decisions Automatic Fault Location

724 views • 22 slides
GCC Highlighted Products GSure Gel Extraction kit GSure Soil DNA Isolation kit GSure Sputum DNA

GCC Highlighted Products GSure Gel Extraction kit GSure Soil DNA Isolation kit GSure Sputum DNA

GSure Bacterial genomic DNA isolation kit GCC Highlighted Products GSure Gel Extraction kit GSure Soil DNA Isolation kit GSure Sputum DNA Isolation Kit GSure Stool DNA Isolation Kit GSure Urine DNA Isolation Kit GSure Yeast RNA

455 views • 23 slides
Introduction to pixel track isolation The purpose of track isolation algorithm is an additional

Introduction to pixel track isolation The purpose of track isolation algorithm is an additional

Introduction to pixel track isolation The purpose of track isolation algorithm is an additional improvement of level-1 pixel trigger performance. Procedure of pixel track isolation Reconstructed pixel tracks using kinematic parameters

669 views • 27 slides
#KEEPTHECONVERSATIONGOING Sick pay and self isolation Day one right SSP for up to 14 days

#KEEPTHECONVERSATIONGOING Sick pay and self isolation Day one right SSP for up to 14 days

#KEEPTHECONVERSATIONGOING Sick pay and self isolation Day one right SSP for up to 14 days will be reimbursed Self isolation notes from online 111 Self isolation and pay Working from Home Everyone should be working

398 views • 12 slides
Using technology to reduce social isolation: research on dementia and social isolation Professor

Using technology to reduce social isolation: research on dementia and social isolation Professor

Using technology to reduce social isolation: research on dementia and social isolation Professor Josie Tetley Dr Emma-Reetta Koivunen Ageing and Long Term Conditions Group Faculty of Health, Psychology &amp; Social Care Manchester

338 views • 19 slides
456 457 458 The purpose of shallow trench isolation (STI) is to provide isolation between

456 457 458 The purpose of shallow trench isolation (STI) is to provide isolation between

In this module we would review a typical gate first, poly-Si gate CMOS process flow. 456 457 458 The purpose of shallow trench isolation (STI) is to provide isolation between individual devices in a CMSO chip. Typical process details and the

381 views • 8 slides
W E OFTEN THINK : Isolation is when others leave us alone ( and its often true) B UT WE TEND

W E OFTEN THINK : Isolation is when others leave us alone ( and its often true) B UT WE TEND

W HEN F EELINGS OF I SOLATION B ECOME A R OADBLOCK Joe &amp; Cindi Ferrini Joeferrini.com Cindiferrini.com W E OFTEN THINK : Isolation is when others leave us alone ( and its often true) B UT WE TEND TOWARD ISOLATION PULLING AWAY FROM :

723 views • 18 slides
ISOLATION DEFENSES GRAD SEC OCT 03 2017 ISOLATION Running untrusted code in a trusted

ISOLATION DEFENSES GRAD SEC OCT 03 2017 ISOLATION Running untrusted code in a trusted

ISOLATION DEFENSES GRAD SEC OCT 03 2017 ISOLATION Running untrusted code in a trusted environment Possibly with multiple tenants Setting OS: users / processes Browser: webpages / browser extensions Cloud: virtual machines (VMs)

272 views • 25 slides
Derandomizing Isolation in Space-Bounded Settings Dieter van Melkebeek and Gautam Prakriya

Derandomizing Isolation in Space-Bounded Settings Dieter van Melkebeek and Gautam Prakriya

Derandomizing Isolation in Space-Bounded Settings Dieter van Melkebeek and Gautam Prakriya University of Wisconsin-Madison 6 July 2017 Isolation Isolation Computational Problem : instance x set of solutions for x . Eg.:

876 views • 42 slides
Harmonizing Performance and Isolation in Microkernels with Efficient Intra-kernel Isolation and

Harmonizing Performance and Isolation in Microkernels with Efficient Intra-kernel Isolation and

Harmonizing Performance and Isolation in Microkernels with Efficient Intra-kernel Isolation and Communication Jinyu Gu , Xinyue Wu, Wentai Li, Nian Liu, Zeyu Mi, Yubin Xia, Haibo Chen Monolithic Kernel and Microkernel 2 Monolithic Kernel and

336 views • 23 slides
Object Capabilities and Isolation of Untrusted Web Applications Ankur Taly Dept. of Computer

Object Capabilities and Isolation of Untrusted Web Applications Ankur Taly Dept. of Computer

Isolation problem for Web Mashups Formal definition of Capability Safe languages Solving the Isolation problem using Capabilit Object Capabilities and Isolation of Untrusted Web Applications Ankur Taly Dept. of Computer Science, Stanford

1.01k views • 43 slides
Language Based isolation of Untrusted JavaScript Ankur Taly Dept. of Computer Science, Stanford

Language Based isolation of Untrusted JavaScript Ankur Taly Dept. of Computer Science, Stanford

Web 2 . 0 and the Isolation Problem Case Study : FBJS Formal Semantics of JavaScript Achieving the Isolation goal Ongoing Language Based isolation of Untrusted JavaScript Ankur Taly Dept. of Computer Science, Stanford University Joint work

650 views • 46 slides
2019-20 DNA Biology New Products RNA Biology PROTEIN Biology MOLECULAR Biology Plant DNA

2019-20 DNA Biology New Products RNA Biology PROTEIN Biology MOLECULAR Biology Plant DNA

Catalogue 2019-20 DNA Biology New Products RNA Biology PROTEIN Biology MOLECULAR Biology Plant DNA Isolation kit OLIGO Synthesis Soil DNA isolation kit Fungal DNA isolation kit Blood RNA isolation kit G-SNAP in -gel protein visualization

1.71k views • 101 slides
Coherent Diffraction Imaging (CDI) with X-Rays School on Synchrotron and Free-Electron-Laser

Coherent Diffraction Imaging (CDI) with X-Rays School on Synchrotron and Free-Electron-Laser

Coherent Diffraction Imaging (CDI) with X-Rays School on Synchrotron and Free-Electron-Laser Methods for Multidisciplinary Applications ICTP Trieste, May 15, 2018 Anders Madsen European X-Ray Free-Electron Laser Facility Hamburg, Germany

1.18k views • 73 slides
Insigh sights ts fo for r Dis isadvanta advantaged ged Communi mmunities ties Overview

Insigh sights ts fo for r Dis isadvanta advantaged ged Communi mmunities ties Overview

Gr Grin inne ne Sm Smit ith Ch Chil ildho dhood d Devel elopment opment Init itia iative ive (CD CDI) Acces cessing sing Pri rimar mary y Car are: e: Le Lessons ons an and Insigh sights ts fo for r Dis isadvanta

432 views • 20 slides
Integrity Policies CS461/ECE422 Computer Security I Fall 2009 Based on slides provided by

Integrity Policies CS461/ECE422 Computer Security I Fall 2009 Based on slides provided by

Integrity Policies CS461/ECE422 Computer Security I Fall 2009 Based on slides provided by Matt Bishop for use with Slide #6-1 Computer Security: Art and Science Reading CS: Chapter 6 Slide #6-2 Overview Requirements Very

664 views • 53 slides
Java Technologies Contexts and Dependency Injection (CDI) The Context Do you remember AOP, IoC,

Java Technologies Contexts and Dependency Injection (CDI) The Context Do you remember AOP, IoC,

Java Technologies Contexts and Dependency Injection (CDI) The Context Do you remember AOP, IoC, DI ? Implicit Middleware seems like a good idea. Using transactions is so easy in EJBs... Is it possible to extend this mechanism? We need

563 views • 45 slides
GWT, CDI &amp; JAX-RS A match made in heaven Heiko Braun &lt;hbraun@redhat.com&gt; About

GWT, CDI &amp; JAX-RS A match made in heaven Heiko Braun &lt;hbraun@redhat.com&gt; About

GWT, CDI &amp; JAX-RS A match made in heaven Heiko Braun &lt;hbraun@redhat.com&gt; About me Heiko Braun Senior Software Engineer JBoss / Red Hat 4 years JBoss, 12 years industry Focus on SOA, BPM, GWT Contributor:

388 views • 27 slides
ELECTROCHEMICAL PROCESSES FOR WATER TREATMENT: ELECTROREDUCTION AND ELECTROSORPTION 1 Focus of

ELECTROCHEMICAL PROCESSES FOR WATER TREATMENT: ELECTROREDUCTION AND ELECTROSORPTION 1 Focus of

Dr. Ljiljana Rajic ELECTROCHEMICAL PROCESSES FOR WATER TREATMENT: ELECTROREDUCTION AND ELECTROSORPTION 1 Focus of todays lecture Electroreduction and indirect oxidation processes, and their use for groundwater treatment

986 views • 40 slides
CS419 Spring 2010 Computer Security Access Control: Policies and Mechanisms Vinod Ganapathy

CS419 Spring 2010 Computer Security Access Control: Policies and Mechanisms Vinod Ganapathy

CS419 Spring 2010 Computer Security Access Control: Policies and Mechanisms Vinod Ganapathy Lectures 9 and 10 Access Control The prevention of unauthorized use of a resource, including the prevention of use of a resource in an

1.17k views • 90 slides
Fourth Quarter 2016 Earnings Conference Call 1/18/2017 Important Cautionary Statement About

Fourth Quarter 2016 Earnings Conference Call 1/18/2017 Important Cautionary Statement About

Click To Edit Master Title Style Fourth Quarter 2016 Earnings Conference Call 1/18/2017 Important Cautionary Statement About Forward-Looking Statements This presentation contains forward-looking statements within the meaning of section 27A of

776 views • 39 slides

More recommend