Sugar: Secure GPU Acceleration in Web Browsers



SLIDE 1

Sugar: Secure GPU Acceleration in Web Browsers

Zhihao Yao, Zongheng Ma, Yingtong Liu, Ardalan Amiri Sani, Aparna Chandramowlishwaran

Trustworthy Systems Lab, UC Irvine

SLIDE 2

WebGL was released in 2011

Source: https://www.google.com/map

SLIDE 3

WebGL is popular

WebGL adoption rate by top 100 websites

[Pie chart: 47.0% / 53.0%]

SLIDE 4

WebGL is popular

Browser support rate (48.8 million visitors)

[Pie chart: 4.0% / 96.0%; legend includes "Does not support"]

Source: http://webglstats.com (2017)

SLIDE 5

  • https://www.apple.com/macos/sierra/
  • http://dlmf.nist.gov
  • https://www.google.com/map
  • https://eyes.nasa.gov/curiosity/

SLIDE 6

WebGL recap

SLIDE 7

First, a quick recap on OpenGL

[Diagram: Native app, GL libs, Kernel mode GPU driver, GPU hardware; layers labelled user space, kernel space, hardware]

SLIDE 8

First, a quick recap on OpenGL

[Diagram: Native app, GL libs, Kernel mode GPU driver, GPU hardware; highlighted: Native app and GL libs; label: function call; layers labelled user space, kernel space, hardware]

SLIDE 9

First, a quick recap on OpenGL

[Diagram: Native app, GL libs, Kernel mode GPU driver, GPU hardware; highlighted: Native app and GL libs; label: syscall; layers labelled user space, kernel space, hardware]

SLIDE 10

Use the same design for WebGL?

[Diagram: Web app, GL libs, Kernel mode GPU driver, GPU hardware; layers labelled user space, kernel space, hardware; legend: Buggy, Compromised, Malicious]

SLIDE 11

Web apps are not trusted

[Diagram: Web app, GL libs, Kernel mode GPU driver, GPU hardware; layers labelled user space, kernel space, hardware; legend: Buggy, Compromised, Malicious]

SLIDE 12

GPU driver is buggy

[Diagram: Web app, GL libs, Kernel mode GPU driver, GPU hardware; layers labelled user space, kernel space, hardware; legend: Buggy, Compromised, Malicious]

SLIDE 13

Kernel driver is compromised

[Diagram: Web app, GL libs, Kernel mode GPU driver, GPU hardware; layers labelled user space, kernel space, hardware; legend: Buggy, Compromised, Malicious]

SLIDE 14

Current WebGL design

[Diagram: three Web apps, Browser, GPU Process (Checks, GL libs), Kernel mode GPU driver, GPU hardware; layers labelled user space, kernel space, hardware]

SLIDE 15

Current WebGL design

[Diagram: three Web apps, Browser, GPU Process (Checks, GL libs), Kernel mode GPU driver, GPU hardware; label: IPC; layers labelled user space, kernel space, hardware]

SLIDE 16

Security checks in GPU Process

[Diagram: three Web apps, Browser, GPU Process (Checks, GL libs), Kernel mode GPU driver, GPU hardware; layers labelled user space, kernel space, hardware]

SLIDE 17

TCB of current WebGL Design

[Diagram: three Web apps, Browser, GPU Process (Checks, GL libs), Kernel mode GPU driver, GPU hardware]

  • 158,000 LoC (GPU Process)
  • 457,000 LoC (GL libraries)
  • 123,000 LoC (GPU driver)

SLIDE 18

Vulnerabilities in GPU process

[Diagram: three Web apps, Browser, GPU Process (Checks, GL libs), Kernel mode GPU driver, GPU hardware]

  • CVE-2014-1556
  • CVE-2015-7179
  • CVE-2013-2874
  • CVE-2017-5031
  • CVE-2014-1502

SLIDE 19

Kernel driver is compromised

[Diagram: three Web apps, Browser, GPU Process (Checks, GL libs), Kernel mode GPU driver, GPU hardware]

  • CVE-2011-2601*
  • Chrome 153469
  • Chrome 483877*
  • CVE-2011-2367
  • CVE-2011-3653

*Not yet fixed

SLIDE 20

Vulnerability examples

  • CVE-2014-1556: execute arbitrary code
  • CVE-2015-7179: execute arbitrary code
  • CVE-2013-2874: read browser UI
  • CVE-2017-5031: read GPU process memory
  • CVE-2014-1502: use of cross-origin contents
  • Chrome issue 593680: browser hang
  • Chrome issue 83841: leak system username
  • CVE-2011-2601*: system UI freeze
  • Chrome issue 153469: kernel panic
  • Chrome issue 483877*: system UI freeze
  • CVE-2011-2367: read of GPU memory
  • CVE-2011-3653: read of GPU memory
  • CVE-2014-3173: read of GPU memory

*Not yet fixed

SLIDE 21

Our WebGL vulnerability study

https://trusslab.github.io/sugar/webgl_bugs

SLIDE 22

Current WebGL design

  • High performance
  • Known vulnerabilities
  • Zero day vulnerabilities
  • System UI freeze

SLIDE 23

CVE-2014-3173, read of GPU graphics memory

We type some private notes in terminal:

SLIDE 24

CVE-2014-3173, read of GPU graphics memory

SLIDE 25

Overview of Sugar

Key idea:

  • Use GPU virtualization to give an untrusted web app a separate vGPU

SLIDE 26

Intel GPU virtualization

  • We build a prototype on Intel GPU virtualization
  • Intel GPU virtualization has been available since the 4th generation Core processors [1]

[1] https://www.usenix.org/conference/atc14/technical-sessions/presentation/tian

Photo credit: https://www.intel.com/pressroom/archive/releases/2008/20081117comp_sm.htm

SLIDE 27

SLIDE 28

[Diagram labels: GPU, GPU, vGPU 1, vGPU 2]

SLIDE 29

Sugar’s design

[Diagram: Web app (GL libs, vGPU driver), Browser, GPU Process (GL libs), vGPU, Kernel mode GPU driver, GPU hardware; layers labelled user space, kernel space, hardware]

SLIDE 30

Sugar’s design

[Diagram: Web app (GL libs, vGPU driver), Browser, GPU Process (GL libs), vGPU, Kernel mode GPU driver, GPU hardware; label: function call; layers labelled user space, kernel space, hardware]

SLIDE 31

Sugar’s design

[Diagram: Web app (GL libs, vGPU driver), Browser, GPU Process (GL libs), vGPU, Kernel mode GPU driver, GPU hardware; label: function call; layers labelled user space, kernel space, hardware]

SLIDE 32

Sugar’s design

[Diagram: Web app (GL libs, vGPU driver), Browser, GPU Process (GL libs), vGPU, Kernel mode GPU driver, GPU hardware; layers labelled user space, kernel space, hardware]

SLIDE 33

Sugar’s design

[Diagram: Web app (GL libs, vGPU driver), Browser, GPU Process (GL libs), vGPU, Kernel mode GPU driver, GPU hardware; labels: virtual graphics plane, primary graphics plane]

SLIDE 34

Why is Sugar secure?

SLIDE 35

Web app process is untrusted

[Diagram: Web app (GL libs, vGPU driver), Browser, GPU Process (GL libs), vGPU, Kernel mode GPU driver, GPU hardware; layers labelled user space, kernel space, hardware]

SLIDE 36

Web app process is sandboxed

[Diagram: Web app (GL libs, vGPU driver), Browser, GPU Process (GL libs), vGPU, Kernel mode GPU driver, GPU hardware; layers labelled user space, kernel space, hardware]

SLIDE 37

vGPU is isolated

[Diagram: Web app (GL libs, vGPU driver), Browser, GPU Process (GL libs), vGPU, Kernel mode GPU driver, GPU hardware; layers labelled user space, kernel space, hardware]

SLIDE 38

Sugar’s TCB is small

[Diagram: Web app (GL libs, vGPU driver), Browser, GPU Process (GL libs), vGPU, Kernel mode GPU driver, GPU hardware; layers labelled user space, kernel space, hardware]

  • 34,400 LoC (GPU virtualization)

SLIDE 39

Vulnerability examples

  • CVE-2014-1556: execute arbitrary code
  • CVE-2015-7179: execute arbitrary code
  • CVE-2013-2874: read browser UI
  • CVE-2017-5031: read GPU process memory
  • CVE-2014-1502: use of cross-origin contents
  • Chrome issue 593680: browser hang
  • Chrome issue 83841: leak system username
  • CVE-2011-2601*: system UI freeze
  • Chrome issue 153469: kernel panic
  • Chrome issue 483877*: system UI freeze
  • CVE-2011-2367: read of GPU memory
  • CVE-2011-3653: read of GPU memory
  • CVE-2014-3173: read of GPU memory

*Not yet fixed

SLIDE 40

Limitation of this Sugar design

Intel vGPU hang will cause a real GPU hang

SLIDE 41

Dual-GPU Sugar

Key idea: Use two GPUs to fully isolate the virtual graphics plane and the primary graphics plane.

  • Solves system UI freeze
  • Provides better performance isolation

SLIDE 42

Dual-GPU Sugar’s design

[Diagram: Web app (GL libs, vGPU driver), Browser, GPU process (GL libs), vGPU, Kernel mode GPU 1 driver, GPU 1 hardware, Kernel mode GPU 2 driver, GPU 2 hardware; layers labelled user space, kernel space, hardware]

Photo credit: https://www.amd.com/zh-tw/products/graphics/desktop/6000/6990

SLIDE 43

Many computers have two GPUs

  • apple.com/macbook-pro
  • dell.com/Inspiron15
  • store.hp.com/envy

SLIDE 44

Intel’s 8th Generation Core Processors with Radeon RX Vega M Graphics

Source: https://newsroom.intel.com/news/8th-gen-intel-core-radeon-rx-vega-m-graphics

SLIDE 45

Sugar’s implementation

SLIDE 46

WebGL in web app process

[Diagram: WebKit / Blink, WebGL frontend, WebGL backend, GL libs, vGPU driver; GPU Process: WebGL backend, GL libs; annotation: Ported from GPU process]

Reuse most of GPU process code

SLIDE 47

vGPU driver as a library

[Diagram: WebKit / Blink, WebGL frontend, WebGL backend, GL libs, vGPU driver; label: function call]

We modify GL libs to issue function calls instead of syscalls

SLIDE 48

Register: trap and emulate

[Diagram: Web app (GL libs, vGPU driver), Browser, GPU Process (GL libs), vGPU, Kernel mode GPU driver, GPU hardware; label: Mapped registers; layers labelled user space, kernel space, hardware]

SLIDE 49

Register: trap and emulate

[Diagram: Web app (GL libs, vGPU driver), Browser, GPU Process (GL libs), vGPU, Kernel mode GPU driver, GPU hardware; label: Mapped registers; layers labelled user space, kernel space, hardware]

GPU virtualization layer will emulate

SLIDE 50

Interrupt: deliver as signal

[Diagram: Web app (GL libs, vGPU driver), Browser, GPU Process (GL libs), vGPU, Kernel mode GPU driver, GPU hardware; label: Interrupt; layers labelled user space, kernel space, hardware]

SLIDE 51

Interrupt: deliver as signal

[Diagram: Web app (GL libs, vGPU driver), Browser, GPU Process (GL libs), vGPU, Kernel mode GPU driver, GPU hardware; label: Interrupt; layers labelled user space, kernel space, hardware]

The virtualization layer delivers as a signal

SLIDE 52

Interrupt: deliver as signal

[Diagram: Web app (GL libs, vGPU driver), Browser, GPU Process (GL libs), vGPU, Kernel mode GPU driver, GPU hardware; labels: Interrupt, Signal; layers labelled user space, kernel space, hardware]

SLIDE 53

DMA overview

[Diagram: Main memory, GPU; label: DMA]

SLIDE 54

DMA overview

[Diagram: Main memory, vGPU; labels: DMA, Page table]

SLIDE 55

Evaluations

SLIDE 56

Sugar’s performance is good

under the same WebGL benchmarks that Chrome uses

SLIDE 57

Sugar’s performance is good

under the same WebGL benchmarks that Chrome uses

[Chart label: 60 FPS]

SLIDE 58

Sugar’s CPU overhead is low

Sugar is better than CPU rendering by 375% on average

SLIDE 59

Summary

  • Sugar leverages modern GPU virtualization solutions to isolate WebGL
  • Sugar addresses this by repurposing Intel vGPU driver to a library

Thank you!

Sugar is open source: https://trusslab.github.io/sugar