memory safety for low level software hardware interactions
play

Memory Safety for Low- Level Software/Hardware Interactions John - PowerPoint PPT Presentation

Mar 29, 2024 •26 likes •556 views

Memory Safety for Low- Level Software/Hardware Interactions John Criswell Nicolas Geoffray Vikram Adve Montreal or Bust! Memory Safety Future is Bright User-space memory safety is improving Safe languages SAFECode, CCured, Baggy

  1. Memory Safety for Low- Level Software/Hardware Interactions John Criswell Nicolas Geoffray Vikram Adve Montreal or Bust!

  2. Memory Safety Future is Bright  User-space memory safety is improving  Safe languages  SAFECode, CCured, Baggy bounds checking, Softbound, etc  Memory safety for operating systems exists!  Singularity (C#), SPIN (Modula-3)  Linux on Secure Virtual Architecture (C)

  3. A New Enemy Arises: Software/Hardware Interactions  What is a low-level software-hardware interaction?  Instruction that manipulates hardware resources  Below semantics of the programming language  Perfectly type-safe code ! But:  Can corrupt control-flow or data-flow  Examples:  Processor State  I/O Objects  MMU mappings

  4. Memory Safety: Processor State  Operating systems explicitly manage Processor State  Processor states saved in memory buffers  Type-safe stores can modify a saved processor state  Can subvert control/data-flow integrity P R1 R2 Pointer in OS R3 PC SP Memory

  5. Memory Safety: Processor State  Operating systems explicitly manage Processor State  Processor states saved in memory buffers  Type-safe stores can modify a saved processor state  Can subvert control/data-flow integrity P R1 R2 Pointer in OS R3 PC SP Memory

  6. Memory Safety: Processor State  Operating systems explicitly manage Processor State  Processor states saved in memory buffers  Type-safe stores can modify a saved processor state  Can subvert control/data-flow integrity Context Switch P R1 R1 R2 R2 Pointer in OS R3 R3 PC PC SP SP Memory CPU

  7. Memory Safety: I/O  I/O device memory and RAM in same address space  However, I/O memory is different  I/O memory incompatible with standard compiler analysis  I/O memory has side effects on hardware  Intel E1000E Bug on Linux 2.6  Invalid write on I/O memory  Damaged Intel E1000E Network Cards  Potential DoS Attack

  8. Memory Safety: MMU T1* P1  MMU can violate type Memory Pointers safety T2* P2 Virtual Physical Memory Memory

  9. Memory Safety: MMU T1* P1  MMU can violate type Memory Pointers safety T2* P2 Virtual Physical Memory Memory

  10. Memory Safety: MMU T1* P1  MMU can violate type Memory Pointers safety T2* P2 Virtual Physical Memory Memory  MMU can make kernel pages User accessible to user-space Kernel  BID9356, BID9686, BID18177 (www.securityfocus.com) Virtual Physical Memory Memory

  11. Memory Safety: MMU T1* P1  MMU can violate type Memory Pointers safety T2* P2 Virtual Physical Memory Memory  MMU can make kernel pages User accessible to user-space Kernel  BID9356, BID9686, BID18177 (www.securityfocus.com) Virtual Physical Memory Memory

  12. It’s Already Here!  Intel E1000E Bug  MMU exploits in Linux Need solutions before these attacks become more sophisticated and commonplace!

  13. SVA-OS: Memory Safety for Low- Level Software-Hardware Interactions  First system to provide comprehensive memory safety for low-level software/hardware interactions  Linux 2.4.22 on Secure Virtual Architecture (SVA)  Compiler analysis and runtime checks  Little overhead above and beyond traditional memory safety  Effective at preventing software/hardware exploits

  14. Outline  Motivation  High-level Solutions  Design of SVA-OS  Experimental Results  Future Work and Conclusions

  15. Foundations: What Do We Need?  System that provides traditional memory safety  SVA-OS will preserve memory safety  Examples  Type-safe languages, e.g. Singularity  Compiler techniques for commodity operating systems, e.g. Secure Virtual Architecture (SVA)

  16. Solution: Processor State  New instruction to save old state and restore new state  State saved in internal SVA-OS memory  State referenced by ID returned from VM  Policy left to OS  Scheduling, context switching, signal delivery ID1 ID2 ID3 Process 1: ID 1 R1 R1 R1 R2 R2 R2 Process 3: ID 2 PC PC PC SP SP SP Process 8: ID 3 OS SVA-OS Memory CPU Task Structures

  17. Solution: Memory Mapped I/O  New instruction to map I/O memory into address space  New instructions to load/store I/O objects  Add run-time checks to ensure that:  Regular load/stores access memory  I/O accesses access I/O memory P1 iostore (v, *p1); Memory Pointer P2 store (v, *p2); I/O Pointer

  18. Solution: Memory Mapped I/O  New instruction to map I/O memory into address space  New instructions to load/store I/O objects  Add run-time checks to ensure that:  Regular load/stores access memory  I/O accesses access I/O memory P1 iostore (v, *p1); Memory Pointer P2 store (v, *p2); I/O Pointer

  19. Solution: Memory Mapped I/O  New instruction to map I/O memory into address space  New instructions to load/store I/O objects  Add run-time checks to ensure that:  Regular load/stores access memory  I/O accesses access I/O memory P1 iostore (v, *p1); Memory Pointer P2 store (v, *p2); I/O Pointer

  20. Solution: MMU  Add run-time checks on MMU updates  Mapping kernel memory into user-space  Mapping data inconsistent with types  Same mechanism as VMMs  Finer-grain checks T1* P1 User Kernel T2* P2 Virtual Physical Virtual Physical Memory Memory Memory Memory

  21. Solution: MMU  Add run-time checks on MMU updates  Mapping kernel memory into user-space  Mapping data inconsistent with types  Same mechanism as VMMs  Finer-grain checks T1* P1 User Kernel T2* P2 Virtual Physical Virtual Physical Memory Memory Memory Memory

  22. Solution: MMU  Add run-time checks on MMU updates  Mapping kernel memory into user-space  Mapping data inconsistent with types  Same mechanism as VMMs  Finer-grain checks T1* P1 User Kernel T2* P2 Virtual Physical Virtual Physical Memory Memory Memory Memory

  23. Solution: MMU  Add run-time checks on MMU updates  Mapping kernel memory into user-space  Mapping data inconsistent with types  Same mechanism as VMMs  Finer-grain checks T1* P1 User Kernel T2* P2 Virtual Physical Virtual Physical Memory Memory Memory Memory

  24. Solution: MMU  Add run-time checks on MMU updates  Mapping kernel memory into user-space  Mapping data inconsistent with types  Same mechanism as VMMs  Finer-grain checks T1* P1 User Kernel T2* P2 Virtual Physical Virtual Physical Memory Memory Memory Memory

  25. Outline  Motivation  High-level Solutions  Design of SVA-OS  Experimental Results  Future Work and Conclusions

  26. Secure Virtual Architecture 1  Compiler-based virtual machine  Hosts a commodity OS (e.g., Linux)  Provides traditional memory safety guarantees (control-flow and data-flow integrity) OS Kernel OS Memory Allocator SVA ISA Safety Compiler Native Code Generator SVA Virtual Machine SVA Run-time Memory Safety Library Run-time Library Native ISA Hardware Hardware 1 Criswell et al. [SOSP 2007]

  27. From SVA to SVA-OS  Extend the SVA software/hardware interface  New instructions control software/hardware interactions  Enforce memory safety for low-level operations  Use static analysis when possible  Add run-time checks when necessary

  28. Solution: Processor State  Save old state and place new state in a single instruction  sva_swap_integer  Return opaque handle  Buffer saved in SVA-OS memory  Buffer released on sva_swap_integer call ID1 ID2 ID3 Process 1: ID 1 R1 R1 R1 R2 R2 R2 Process 3: ID 2 PC PC PC SP SP SP Process 8: ID 3 OS SVA-OS Memory CPU Task Structures

  29. Solution: Processor State  Save old state and place new state in a single instruction  sva_swap_integer  Return opaque handle  Buffer saved in SVA-OS memory  Buffer released on sva_swap_integer call ID1 ID2 Process 1: ID 1 R1 R1 R1 R2 R2 R2 Process 3: ID 2 PC PC PC SP SP SP Process 8: ID 3 OS SVA-OS Memory CPU Task Structures

  30. Solution: Memory Mapped I/O  Operating system uses a pseudo-allocator  Map I/O objects into virtual address space  New instructions for I/O reads and writes  sva_io_readb , sva_io_writeb  Compiler marks I/O memory as type-unknown  Load/store check on each access  Load/store checks on memory objects that alias

  31. Solution: MMU  VMM-like interface to declare and update MMU mappings  sva_declare_l1_page , sva_declare_l2_page  sva_update_l1_mapping , sva_update_l2_mapping  Runtime checks for typed memory  Pointer analysis in SVA segregates data by types  SVA-OS ensures this stays consistent  Run-time checks for dividing memory  SVA-OS memory and kernel memory  Kernel memory and user-space memory  I/O memory and regular kernel memory

  32. Linux 2.4 Port on SVA-OS  Less than 100 lines changes from original SVA Linux port  switch_to ➞ sva_swap_integer  readb ➞ sva_io_readb  set_pte ➞ sva_update_l1_mapping  pte_alloc_one ➞ sva_declare_l1_page  Compiler changes:  Allocation of I/O objects: ioremap

  33. Outline  Motivation  High-level Solutions  Design of SVA-OS  Experimental Results  Future Work and Conclusions

  34. Does It Work?  Tested two real world MMU exploits  BID9356, BID9686 on Linux 2.4  BID18177 exploit code not available  Injected errors into our Linux 2.4 port  New system calls  Studied the E1000E Intel Network bug  Paper study because only on Linux 2.6

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Lecture 3 Hardware and Software 3. Hardware and Softw are 4. High Level Languages 5.

Lecture 3 Hardware and Software 3. Hardware and Softw are 4. High Level Languages 5.

1. Introduction 2. Binary Representation Lecture 3 Hardware and Software 3. Hardware and Softw are 4. High Level Languages 5. Standard input and output Hardware has been defined as 6. Operators, expression and statem ents the

238 views • 3 slides
Shared Memory Multiprocessors Logical design and software interactions 1 Shared Memory

Shared Memory Multiprocessors Logical design and software interactions 1 Shared Memory

Shared Memory Multiprocessors Logical design and software interactions 1 Shared Memory Multiprocessors Symmetric Multiprocessors (SMPs) Symmetric access to all of main memory from any processor Dominate the server market Building blocks

1.33k views • 107 slides
The Memory Hierarchy 10/25/16 Transition First half of course: hardware focus How the

The Memory Hierarchy 10/25/16 Transition First half of course: hardware focus How the

The Memory Hierarchy 10/25/16 Transition First half of course: hardware focus How the hardware is constructed How the hardware works How to interact with hardware Second half: performance and software systems Memory

480 views • 35 slides
Cap5 - Shared Memory Multiprocessors Logical design and software interactions 1 Shared Memory

Cap5 - Shared Memory Multiprocessors Logical design and software interactions 1 Shared Memory

Adaptado dos slides da editora por Mario Crtes IC/Unicamp Cap5 - Shared Memory Multiprocessors Logical design and software interactions 1 Shared Memory Multiprocessors Symmetric Multiprocessors (SMPs) Symmetric access to all of main

1.5k views • 110 slides
Memory corruption: Why we cant have nice things Mathias Payer (@gannimo)

Memory corruption: Why we cant have nice things Mathias Payer (@gannimo)

Memory corruption: Why we cant have nice things Mathias Payer (@gannimo) http://hexhive.github.io Software is unsafe and insecure Low-level languages (C/C++) trade type safety and memory safety for performance Programmer responsible

602 views • 39 slides
COSMOS: Coordination of High-Level Synthesis and Memory Optimization for Hardware Accelerators

COSMOS: Coordination of High-Level Synthesis and Memory Optimization for Hardware Accelerators

ACM/IEEE CODES+ISSS 2017, Seoul, South Korea COSMOS: Coordination of High-Level Synthesis and Memory Optimization for Hardware Accelerators Luca Piccolboni, Paolo Mantovani, Giuseppe Di Guglielmo, Luca Carloni Columbia University, New York,

624 views • 61 slides
CheriABI Hardware enforced memory safety for FreeBSD Brooks Davis , Robert N. M. Watson,

CheriABI Hardware enforced memory safety for FreeBSD Brooks Davis , Robert N. M. Watson,

CheriABI Hardware enforced memory safety for FreeBSD Brooks Davis , Robert N. M. Watson, Alexander Richardson, Peter G. Neumann, Simon W. Moore, John Baldwin, David Chisnall, James Clarke, Nathaniel Wesley Filardo, Khilan Gudka, Alexandre

430 views • 29 slides
Buffer Software Security overflows and other memory safety vulnerabilities History

Buffer Software Security overflows and other memory safety vulnerabilities History

This time We will begin By investigating our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities History Memory layouts Buffer overflow fundamentals Software security Security is a form

2.11k views • 190 slides
Our Domain Level 1 BBBEE Contributor South African Designed and Manufactured RSE Software and

Our Domain Level 1 BBBEE Contributor South African Designed and Manufactured RSE Software and

Traffic Management Technologies Road Safety: An Operational Perspective Sean Heathcote VP Operations & Delivery - Africa Our Domain Level 1 BBBEE Contributor South African Designed and Manufactured RSE Software and Hardware

326 views • 17 slides
software and hardware for the Internet of Things. Choose hardware Design hardware Design

software and hardware for the Internet of Things. Choose hardware Design hardware Design

Zeidman Technologies has created a fundamentally new way to develop embedded software and hardware for the Internet of Things. Choose hardware Design hardware Design software Initial hardware choices determine Integrate functionality and

185 views • 15 slides
A Realistic Evaluation of Memory Hardware Errors and Software System Susceptibility Xin Li 1

A Realistic Evaluation of Memory Hardware Errors and Software System Susceptibility Xin Li 1

A Realistic Evaluation of Memory Hardware Errors and Software System Susceptibility Xin Li 1 Michael Huang 1 Kai Shen 2 Lingkun Chu 3 1 Department of Electrical and Computer Engineering University of Rochester 2 Department of Computer Science

504 views • 29 slides
Hardware-Software Interface Memory addressing, C language, pointers Assertions, debugging

Hardware-Software Interface Memory addressing, C language, pointers Assertions, debugging

CS 240 Stage 2 Hardware-Software Interface Memory addressing, C language, pointers Assertions, debugging Machine code, assembly language, program translation Control flow Procedures, stacks Data layout, security, linking and loading Program,

415 views • 30 slides
Hardware-Software Interface Memory addressing, C language, pointers Assertions, debugging

Hardware-Software Interface Memory addressing, C language, pointers Assertions, debugging

CS 240 Stage 2 Hardware-Software Interface Memory addressing, C language, pointers Assertions, debugging Machine code, assembly language, program translation Control flow Procedures, stacks Data layout, security, linking and loading Program,

822 views • 29 slides
Unit 7: Virtual Memory TLBs and memory hierarchy issues

Unit 7: Virtual Memory TLBs and memory hierarchy issues

This Unit: Virtual Memory App App App The operating system (OS) System software A super-application Hardware support for an OS CIS 501: Computer Architecture Mem CPU I/O Virtual memory Page tables and address translation

554 views • 10 slides
Hardware Transactional Memory on Haswell EP Viktor Leis Technische Universitt Mnchen 1 / 14

Hardware Transactional Memory on Haswell EP Viktor Leis Technische Universitt Mnchen 1 / 14

Hardware Transactional Memory on Haswell EP Viktor Leis Technische Universitt Mnchen 1 / 14 Introduction Intels new mid-level server platform: Haswell EP up to 18 cores per socket (up to 72 hardware threads with 2 sockets)

890 views • 9 slides
Flexible Hardware Design at Flexible Hardware Design at Low Levels of Abstraction Low Levels of

Flexible Hardware Design at Flexible Hardware Design at Low Levels of Abstraction Low Levels of

Flexible Hardware Design at Flexible Hardware Design at Low Levels of Abstraction Low Levels of Abstraction Emil Axelsson Hardware Description and Verification May 2009 Why low-level? Why low-level? Related question: Why is some software

908 views • 51 slides
02941 Physically Based Rendering Sun and Sky and Colour and Environment Maps Jeppe Revall Frisvad

02941 Physically Based Rendering Sun and Sky and Colour and Environment Maps Jeppe Revall Frisvad

02941 Physically Based Rendering Sun and Sky and Colour and Environment Maps Jeppe Revall Frisvad June 2020 Dynamic range Ambient luminance levels for some common lighting environments: Illumination (cd/m 2 ) Condition 10 3 Starlight

325 views • 19 slides
15-721 ADVANCED DATABASE SYSTEMS Lecture #14 Optimizer Implementation (Part I) Andy Pavlo

15-721 ADVANCED DATABASE SYSTEMS Lecture #14 Optimizer Implementation (Part I) Andy Pavlo

15-721 ADVANCED DATABASE SYSTEMS Lecture #14 Optimizer Implementation (Part I) Andy Pavlo / / Carnegie Mellon University / / Spring 2016 @Andy_Pavlo // Carnegie Mellon University // Spring 2017 2 TODAYS AGENDA Background

964 views • 65 slides
Virtual Memory: Concepts 15-213: Introduc0on to Computer Systems

Virtual Memory: Concepts 15-213: Introduc0on to Computer Systems

Carnegie Mellon Virtual Memory: Concepts 15-213: Introduc0on to Computer Systems 15 th Lecture, Oct. 14, 2010 Instructors: Randy Bryant and Dave OHallaron

498 views • 36 slides
Large objects in the Cloud Thursday, 11 April 13 Riak Cloud Storage Cloud Storage software

Large objects in the Cloud Thursday, 11 April 13 Riak Cloud Storage Cloud Storage software

Large objects in the Cloud Thursday, 11 April 13 Riak Cloud Storage Cloud Storage software backed by Riak Simple API Multi-tenant, Per-tenant Reporting Pluggable Authentication Multi Data Center Replication (Enterprise)

369 views • 18 slides
CSE-571 Robotics Mapping Sparse landmarks RGB / Depth Maps Problems in Mapping Occupancy

CSE-571 Robotics Mapping Sparse landmarks RGB / Depth Maps Problems in Mapping Occupancy

Types of SLAM-Problems Grid maps or scans CSE-571 Robotics Mapping Sparse landmarks RGB / Depth Maps Problems in Mapping Occupancy Grid Maps Sensor interpretation Introduced by Moravec and Elfes in 1985 Represent environment

227 views • 9 slides
Enhanced Efficiency of Mapping Distribution Protocols in Scalable Routing and Addressing

Enhanced Efficiency of Mapping Distribution Protocols in Scalable Routing and Addressing

Enhanced Efficiency of Mapping Distribution Protocols in Scalable Routing and Addressing Architectures K. Sriram, Patrick Gleichmann, Young-Tak Kim, and Doug Montgomery July 2010 National Institute of Standards and Technology National

363 views • 19 slides
Computer Graphics (CS 543) Lecture 9 (Part 1): Environment

Computer Graphics (CS 543) Lecture 9 (Part 1): Environment

Computer Graphics (CS 543) Lecture 9 (Part 1): Environment Mapping (ReflecBons and RefracBons) Prof Emmanuel Agu (Adapted from slides by Ed Angel)

751 views • 49 slides
Mapping the Great Void Smarter scanning for IPv6 Richard Barnes, Rick Altmann, Daniel Kerr BBN

Mapping the Great Void Smarter scanning for IPv6 Richard Barnes, Rick Altmann, Daniel Kerr BBN

Mapping the Great Void Smarter scanning for IPv6 Richard Barnes, Rick Altmann, Daniel Kerr BBN Technologies Agenda Challenges for mapping the IPv6 Internet Some approaches to smarter scanning CIDR++ Registry information

736 views • 26 slides

More recommend