libmpk software abstraction for intel memory protection
play

LIBMPK: SOFTWARE ABSTRACTION FOR INTEL MEMORY PROTECTION KEYS (INTEL - PowerPoint PPT Presentation

Sep 13, 2023 •7 likes •327 views

LIBMPK: SOFTWARE ABSTRACTION FOR INTEL MEMORY PROTECTION KEYS (INTEL MPK) Soyeon Park, Sangho Lee, Wen Xu, Hyungon Moon and Taesoo Kim INTRODUCTION SECURITY CRITICAL MEMORY REGIONS NEED PROTECTION JIT page To achieve code execution,

  1. LIBMPK: SOFTWARE ABSTRACTION FOR INTEL MEMORY PROTECTION KEYS (INTEL MPK) Soyeon Park, Sangho Lee, Wen Xu, Hyungon Moon and Taesoo Kim

  2. INTRODUCTION SECURITY CRITICAL MEMORY REGIONS NEED PROTECTION ▸ JIT page 
 “To achieve code execution, we can simply locate one of these RWX JIT pages and overwrite it with our own shellcode.” - [1] ▸ Personal information ▸ Password ▸ Private key 
 “We confirmed that all individuals used only the Heartbleed exploit to obtain the private key.” - [2] [1] Amy Burnett, et al. “Weaponization of a Javascriptcore vulnerability” RET2 Systems Engineering Blog [2] Nick Sullivan “The Results of the CloudFlare Challenge” CloudFlare Blog

  3. INTRODUCTION EXAMPLE 1 - HEARTBLEED ATTACK P r i v a t e k e y 1000 bytes H E L L O Reply “HELLO” (1000 bytes) · · · Private key · · · · · · t s e u q e r d e e l b t r a e H y e Web Server k e t a v i r p g n i d u l c n i a t a d d e k a e L

  4. INTRODUCTION EXAMPLE 1 : EXISTING SOLUTION TO PROTECT MEMORY ▸ Process separation Process Process MEMORY MEMORY [1] Song, Chengyu, et al. "Exploiting and Protecting Dynamic Code Generation”, NDSS 2015. 
 [2] Litton, James, et al. "Light-Weight Contexts: An OS Abstraction for Safety and Performance”, OSDI 2016.

  5. INTRODUCTION EXAMPLE 2 - EXISTING SOLUTION TO PROTECT JIT PAGE ▸ JIT page W^X protection Process mprotect(W) Write code Execute Write Write mprotect(RX) Code Cache

  6. 
 INTRODUCTION PROBLEMS OF EXISTING SOLUTIONS ▸ Process Separation 
 High overhead to spawn new process and synch data ▸ W^X Protection Multiple cost to change permission of multiple pages Race condition due to permission synchronization This talk: utilizing a hardware mechanism, Intel Memory Protection Key (MPK), to address these challenges

  7. OUTLINE OUTLINE ▸ Introduction ▸ Intel MPK Explained ▸ Challenges ▸ Design ▸ Implementation ▸ Evaluation ▸ Discussion ▸ Related Work ▸ Conclusion

  8. INTEL MPK EXPLAINED OVERVIEW ▸ Support fast permission change for page groups with single instruction ▸ Fast single invocation ▸ Fast permission change for multiple pages 18 mprotect (contiguous) mprotect (sparse) 13.5 Latency (ms) mprotect Intel MPK 9 Userspace 4.5 Kernel 0 1000 6000 11000 16000 21000 26000 31000 36000 Number of pages

  9. INTEL MPK EXPLAINED UNDERLINE IMPLEMENTATION pkey 2 <- R/W pkey 2 <- R 
 32-bit register page 120 -> R/W page 120 -> R R W R W WRPKRU 16 pkeys RDPKRU pkey_mprotect Kernel ··· page # pkey perm. ··· 120 2 R/W ▸ Permissions per cpu ··· ▸ 32-bit PKRU register contains keys/perm < Page table> ▸ WRPKRU: write key/perm ▸ RDPKRU: read key/perm

  10. INTEL MPK EXPLAINED EXAMPLE - JIT PAGE W^X PROTECTION pkey = 1 function init() pkey = pkey_alloc() Grant pkey_mprotect(code_cache, len, RWX, pkey) permission PKRU Register function JIT() 1 WRPKRU(pkey, W) CODE CACHE Write code in ... W code cache RWX RWX write code cache ... WRPKRU(pkey, R) 1 Revoke function fini() permission R pkey_free(pkey)

  11. INTEL MPK EXPLAINED EXAMPLE : EXECUTABLE-ONLY MEMORY function init() pkey = pkey_alloc() pkey_mprotect(code_cache, len, RWX, pkey) pkey function JIT() WRPKRU(pkey, W) CODE CACHE ... RWX write code cache ... WRPKRU(pkey, R) function fini() pkey_free(pkey)

  12. INTEL MPK EXPLAINED EXAMPLE : EXECUTABLE-ONLY MEMORY function init() pkey = pkey_alloc() pkey_mprotect(code_cache, len, RWX, pkey) pkey function JIT() WRPKRU(pkey, W) CODE CACHE ... RWX RWX write code cache ... WRPKRU(pkey, None) function fini() pkey_free(pkey)

  13. OUTLINE OUTLINE ▸ Introduction ▸ Intel MPK Explained ▸ Challenges ▸ Non-scalable Hardware Resource ▸ Asynchronous Permission Change ▸ Design ▸ Implementation ▸ Evaluation ▸ Discussion ▸ Related Work ▸ Conclusion

  14. CHALLENGES NON-SCALABLE HARDWARE RESOURCE ▸ Only 16 keys are provided Process pkey pkey pkey 1 16 ? W W W Write code Write code Write code cache 1 cache 16 cache 17 R R R pkey pkey pkey pkey 1 2 3 4 1 2 3 4 pkey pkey 5 … 16 17 5 16

  15. CHALLENGES ASYNCHRONOUS PERMISSION CHANGE - PROS ▸ Permission change with MPK is per-thread intrinsically Process RX RX RX W RX Write Code RX Cache R Code Cache

  16. CHALLENGES ASYNCHRONOUS PERMISSION CHANGE - PROS ▸ Permission change with MPK is per-thread intrinsically Process RX RX W W pkey RX Write Code RX Cache Write R Code Cache

  17. CHALLENGES ASYNCHRONOUS PERMISSION CHANGE - CONS ▸ Permission synchronization is necessary in some context Process RX RX X W RX Write Code RX Cache pkey None Code Cache

  18. CHALLENGES ASYNCHRONOUS PERMISSION CHANGE - CONS ▸ Permission synchronization is necessary in some context Process RX RX X W RX Write Code RX Cache Read pkey None Code Cache

  19. 
 
 DESIGN REVISIT : CHALLENGES ▸ Non-scalable Hardware Resources 
 Key virtualization solve by key indirection. ▸ Asynchronous Permission Change libmpk provide permission synchronization API

  20. DESIGN KEY VIRTUALIZATION ▸ Decoupling physical keys from user interface ▸ Key indirection working like cache W W W Write Write Write code code code R R R pkey 1 pkey 16 pkey ? vkey 1 vkey 16 vkey 17 😲 Application Library 😋 Evicted pkey 1 pkey 16

  21. DESIGN INTER-THREAD PERMISSION SYNCHRONIZATION RX X RX X THREAD B THREAD A STATE : RUNNING STATE : RUNNING RUNNING SLEEP ➍ return ➌ interrupt Userspace ➊ call mpk_mprotect() Kernel task_work ➎ update PKRU (rescheduled) pkey_sync ➋ add hooks WRPKRU

  22. IMPLEMENTATION IMPLEMENTATION ▸ libmpk is written in C/C++ ▸ Userspace library : 663 LoC ▸ Kernel support : 1K LoC ▸ Permission Synchronization ▸ Kernel module for managing metadata ▸ Userspace cannot fabricate metadata 
 ‣ We open source at https://github.com/sslab-gatech/libmpk

  23. IMPLEMENTATION USE CASE - JIT PAGE W^X PROTECTION function init() vkey = libmpk_mmap(&code_cache, len, RWX) Key virtualization function JIT() libmpk_begin(vkey, W) ... CODE CACHE write code cache RWX RWX ... libmpk_end(vkey) libmpk_mprotect(vkey, X) X X X Permission synchronization X

  24. OUTLINE OUTLINE ▸ Introduction ▸ Intel MPK Explained ▸ Challenges ▸ Design ▸ Implementation ▸ Evaluation ▸ Usability ▸ Checking overhead occurred by design ▸ Use cases - applying for memory isolation and protection ▸ Discussion ▸ Related Work ▸ Conclusion

  25. EVALUATION LIBMPK IS EASY TO ADOPT ▸ OpenSSL (83 LoC) : protecting private key ▸ Memcached (117 LoC) : protecting slabs ▸ Chakracore (10 LoC) : protecting JIT pages

  26. EVALUATION LATENCY - KEY VIRTUALIZATION ▸ Cache miss costs overhead due to eviction 3.0 2.3 Miss Time ( μ s) Hit 1.5 mprotect 0.8 0.0 0 25 50 75 100 Hit rate Reasonable overhead while providing similar functionality.

  27. EVALUATION LATENCY - INTER-THREAD PERMISSION SYNCHRONIZATION mpk_mprotect ▸ Performance mprotect (4KB) mprotect (4000KB) ▸ 1,000 pages : 3.8x 40 ▸ Single page : 1.7x 30 Latency ( μ s) 20 10 0 1 5 10 15 20 25 30 35 40 Number of threads libmpk outperform mprotect regardless of the number of pages.

  28. EVALUATION FAST MEMORY ISOLATION - OPENSSL & MEMCACHED For 1GB protection : OpenSSL ▸ ▸ original vs mpk_inthread : ▸ request/sec: 0.53% ▸ 0.01% slowdown mpk_synch vs mprotect : ▸ 8.1x original mpk_inthread original libmpk mpk_synch mprotect 500 1500 375 1125 request/sec Kbyte/sec 750 250 125 375 0 0 1 2 4 8 16 32 64 128 256 5121024 250 500 750 1000 Size of each request (KB) Number of connections

  29. EVALUATION FAST AND SECURE W ⊕ X - JIT COMPILATION ▸ Chakracore mprotect-based protection ▸ Allows race-condition attack ▸ 4.39% performance improvement (31.11% at most) ▸ mprotect libmpk 1.30 Normalized Score 1.15 1.00 0.85 0.70 RICHARDS DELTABLUE CRYPTO RAYTRACE EARLEYBOYER REGEXP SPLAY SPLAYLATENCY NAVIERSTOKES PDFJS MANDREEL MANDREELLATENCY GAMEBOY CODELOAD BOX2D ZLIB TYPESCRIPT

  30. DISCUSSION DISCUSSION ▸ Rogue data cache load (Meltdown) ▸ MPK is also affected by the Meltdown attack ▸ Hardware or software-level mitigation ▸ Code reuse attack ▸ Arbitrary executed WRPKRU may break the security ▸ Applying sandboxing or control-flow integrity ▸ Protection key use-after-free ▸ pkey_free does not perfectly free the protection key ▸ Pages are still associated with the pkey after free

  31. RELATED WORK RELATED WORK ▸ ERIM [1] : Secure wrapper of MPK ▸ Shadow Stack [2] : Shadow stack protected by MPK ▸ XOM-Switch [3] : Code-reuse attack prevention with execute-only memory supported by MPK [1] Anjo Vahldiek-Oberwagner, et al. “ERIM: Secure, Efficient In-Process Isolation with Memory Protection Keys”, Security 2019 [2] Nathan Burow, et al. “Shining Light on Shadow Stacks”, Oakland 2019 [3] Mingwei Zhang, et al. “XOM-Switch: Hiding Your Code From Advanced Code Reuse Attacks in One Shot”, Black Hat Asia 2018

  32. CONCLUSION CONCLUSION ▸ libmpk is a secure, scalable, and synchronizable abstraction of MPK for supporting fast memory protection and isolation with little effort. THANKS! https://github.com/sslab-gatech/libmpk

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

TRUSTED MEMORY Software-Based O-Chip Memory Protection for RISC-V Trusted Execution

TRUSTED MEMORY Software-Based O-Chip Memory Protection for RISC-V Trusted Execution

TRUSTED MEMORY Software-Based O-Chip Memory Protection for RISC-V Trusted Execution Environments Gui Andrade Krste Asanovi Dayeol Lee David Kohlbrenner Dawn Song University of California, Berkeley TRUSTED MEMORY? Securing data/code

703 views • 48 slides
Persistent Memory Use Cases in Modern Software Architectures Olasoji Denloye SW Engineer Intel

Persistent Memory Use Cases in Modern Software Architectures Olasoji Denloye SW Engineer Intel

Persistent Memory Use Cases in Modern Software Architectures Olasoji Denloye SW Engineer Intel Corporation Persistent Memory 3 Properties of Persistent Memory Byte-addressable like DRAM Direct user-level access Lowers DRAM

503 views • 23 slides
Predicate Abstraction with SATABS Existential Abstraction Predicate Abstraction for Software

Predicate Abstraction with SATABS Existential Abstraction Predicate Abstraction for Software

Outline Introduction Predicate Abstraction with SATABS Existential Abstraction Predicate Abstraction for Software Counterexample-Guided Abstraction Refinement Computing Existential Abstractions of Programs Version 1.0, 2010 Checking the

429 views • 12 slides
Software Transactional Memory Should Not Be Obstruction Free Robert Ennals Intel Research

Software Transactional Memory Should Not Be Obstruction Free Robert Ennals Intel Research

Software Transactional Memory Should Not Be Obstruction Free Robert Ennals Intel Research Cambridge 15 JJ Thomson Avenue, Cambridge, CB3 0FD, UK robert.ennals@intel.com presented by Ted Cooper for CS510 Concurrent Systems (Spring 2014)

753 views • 36 slides
MPTEE: Bringing Flexible and Efficient Memory Protection to Intel SGX Wenjia Zhao 1,2 , Kangjie Lu

MPTEE: Bringing Flexible and Efficient Memory Protection to Intel SGX Wenjia Zhao 1,2 , Kangjie Lu

MPTEE: Bringing Flexible and Efficient Memory Protection to Intel SGX Wenjia Zhao 1,2 , Kangjie Lu 2 , Yong Qi 1 , Sqiyu Qi 3 1 Xian Jiaotong University, China 2 University of Minnesota, USA 3 Xidian University, China EuroSys'20, April 2730,

626 views • 51 slides
Deterministic Memory Abstraction and Supporting Multicore System Architecture Farzad Farshchi $ ,

Deterministic Memory Abstraction and Supporting Multicore System Architecture Farzad Farshchi $ ,

Deterministic Memory Abstraction and Supporting Multicore System Architecture Farzad Farshchi $ , Prathap Kumar Valsan ^ , Renato Mancuso * , Heechul Yun $ $ University of Kansas, ^ Intel, * Boston University Multicore Processors in CPS

797 views • 24 slides
Virtual Memory Process Abstraction, Part 2: Private Address Space Motivation : why not direct

Virtual Memory Process Abstraction, Part 2: Private Address Space Motivation : why not direct

Virtual Memory Process Abstraction, Part 2: Private Address Space Motivation : why not direct physical memory access? Address translation with pages Optimizing translation : translation lookaside buffer Extra benefits : sharing and protection

622 views • 38 slides
On abstraction and compositionality for weak-memory linearisability Brijesh Dongol Radha

On abstraction and compositionality for weak-memory linearisability Brijesh Dongol Radha

On abstraction and compositionality for weak-memory linearisability Brijesh Dongol Radha Jagadeesan James Riely Alasdair Armstrong Atomicity abstraction and weak memory How do we provide reliable atomicity abstractions? Concurrent

1.03k views • 59 slides
MEMORY ON THE KNL Adrian Jackson adrianj@epcc.ed.ac.uk @adrianjhpc Some slides from Intel

MEMORY ON THE KNL Adrian Jackson adrianj@epcc.ed.ac.uk @adrianjhpc Some slides from Intel

MEMORY ON THE KNL Adrian Jackson adrianj@epcc.ed.ac.uk @adrianjhpc Some slides from Intel Presentations Memory Two levels of memory for KNL Main memory KNL has direct access to all of main memory Similar latency/bandwidth as

507 views • 21 slides
Outline Operating System Security Introduction CS 239 Memory protection

Outline Operating System Security Introduction CS 239 Memory protection

Outline Operating System Security Introduction CS 239 Memory protection Interprocess communications protection Security for Networks and File protection System Software Authentication May 20, 2002 Lecture 13 Lecture

348 views • 12 slides
NOW Handout Page 1 CS258 S99 1 Relationship between Perspectives Back to Basics Parallel

NOW Handout Page 1 CS258 S99 1 Relationship between Perspectives Back to Basics Parallel

Meta-message today powerful high-level abstraction boils down to specific, simple low-level mechanisms each detail has significant implications Shared Memory Multiprocessors Topic: THE MEMORY ABSTRACTION sequence of reads and

388 views • 10 slides
Counterexample Guided Abstraction Refinement in Blast Reading: Checking Memory Safety with Blast

Counterexample Guided Abstraction Refinement in Blast Reading: Checking Memory Safety with Blast

Counterexample Guided Abstraction Refinement in Blast Reading: Checking Memory Safety with Blast 17-654/17-754 Analysis of Software Artifacts Jonathan Aldrich

400 views • 14 slides
Abstraction is our Business What I have A single (or a finite number) of CPUs Memory Management

Abstraction is our Business What I have A single (or a finite number) of CPUs Memory Management

Abstraction is our Business What I have A single (or a finite number) of CPUs Memory Management Many programs I would like to run What I want : a Thread Each program has full control of one or more CPUs 1 Abstraction Address Space is our

280 views • 7 slides
Abstraction is our Business What I have A single (or a finite number) of CPUs Memory Management

Abstraction is our Business What I have A single (or a finite number) of CPUs Memory Management

Abstraction is our Business What I have A single (or a finite number) of CPUs Memory Management Many programs I would like to run What I want : a Thread Each program has full control of one or more CPUs 1 2 Abstraction Address Space is our

368 views • 11 slides
LINUX / C++ PROTECTION FEATURES CS4414 Lecture 26 CORNELL CS4414 - FALL 2020. 1 IDEA MAP FOR

LINUX / C++ PROTECTION FEATURES CS4414 Lecture 26 CORNELL CS4414 - FALL 2020. 1 IDEA MAP FOR

Professor Ken Birman LINUX / C++ PROTECTION FEATURES CS4414 Lecture 26 CORNELL CS4414 - FALL 2020. 1 IDEA MAP FOR TODAY Firewalls Memory Protection Type Checking as a Protection Tool VMs and Containers Intel SGX Security CORNELL CS4414 -

595 views • 43 slides
1 Processes and the Kernel The Kernel Processes and the Kernel The Kernel Today, all

1 Processes and the Kernel The Kernel Processes and the Kernel The Kernel Today, all

Memory Protection Memory Protection Paging Virtual memory provides protection by: Each process (user or OS) has different virtual memory space. Machines and Virtualization Machines and Virtualization The OS maintain the page tables

83 views • 5 slides
Learning I/O Automata Fides Aarts and Frits Vaandrager ICIS, Radboud Universiteit Nijmegen

Learning I/O Automata Fides Aarts and Frits Vaandrager ICIS, Radboud Universiteit Nijmegen

Introduction I/O Behavior and Determinism Interface Automata Learning IOAs Conclusions and Future Work Learning I/O Automata Fides Aarts and Frits Vaandrager ICIS, Radboud Universiteit Nijmegen CONCUR 2010, Paris Fides Aarts and Frits

1.15k views • 56 slides
1 Lets start with an overview of how a typical

1 Lets start with an overview of how a typical

{HEADSHOT} In the first lesson, you learned the basics of so&gt;ware analysis. However, analysis is only one half of this courses scope. The

793 views • 40 slides
Clang Interface Stubs Syntax Directed Stub Library Generation Puyan Lotfi Facebook Interface

Clang Interface Stubs Syntax Directed Stub Library Generation Puyan Lotfi Facebook Interface

Clang Interface Stubs Syntax Directed Stub Library Generation Puyan Lotfi Facebook Interface Stubs echo &quot;&quot; | clang -shared -fPIC -x c - -o - | llvm-objdump -section-headers a.out: file format ELF64-x86-64 Sections: Idx Name

568 views • 24 slides
CS 105 Intel x86 (IA32/64) Processors Intel x86 (IA32/64) Processors Tour of the Black Holes

CS 105 Intel x86 (IA32/64) Processors Intel x86 (IA32/64) Processors Tour of the Black Holes

CS 105 Intel x86 (IA32/64) Processors Intel x86 (IA32/64) Processors Tour of the Black Holes of Computing Totally Dominate

365 views • 9 slides
Scripting using ImageJ Macro - a quick 1 hour tutorial - We use Fiji. http://fiji.sc please

Scripting using ImageJ Macro - a quick 1 hour tutorial - We use Fiji. http://fiji.sc please

Scripting using ImageJ Macro - a quick 1 hour tutorial - We use Fiji. http://fiji.sc please download and install. Kota Miura @ CMCI EMBL 2-1 Why do we write macro? Aim: Students acquire ImageJ macro programming techniques to ease their

616 views • 57 slides
Introduction to Selected Classes of the QuantLib Library II Dimitri Reiswich December 2010

Introduction to Selected Classes of the QuantLib Library II Dimitri Reiswich December 2010

Introduction to Selected Classes of the QuantLib Library II Dimitri Reiswich December 2010 Dimitri Reiswich QuantLib Intro II December 2010 1 / 148 In the whole tutorial I assume that you have included the QuantLib header via #include

1.64k views • 149 slides
How we look inside stars: stellar evolution codes &amp; Mathieu Renzo, PhD student @ API,

How we look inside stars: stellar evolution codes &amp; Mathieu Renzo, PhD student @ API,

Computational Astrophysics 18/01/16 How we look inside stars: stellar evolution codes &amp; Mathieu Renzo, PhD student @ API, UvA Traditional scientific knowledge has generally taken the form of either theory or experimental data.

503 views • 32 slides
SimBA: Simple Black-box Adversarial Attacks Chuan Guo , Jacob R. Gardner, Yurong You, Andrew

SimBA: Simple Black-box Adversarial Attacks Chuan Guo , Jacob R. Gardner, Yurong You, Andrew

SimBA: Simple Black-box Adversarial Attacks Chuan Guo , Jacob R. Gardner, Yurong You, Andrew Gordon Wilson, Kilian Q. Weinberger June 12, 2019 &lt;latexit

383 views • 11 slides

More recommend