time protection the missing os abstraction
play

Time Protection: The Missing OS Abstraction Qian Ge, Yuval Yarom, - PowerPoint PPT Presentation

Dec 16, 2023 •659 likes •1.08k views

Time Protection: The Missing OS Abstraction Qian Ge, Yuval Yarom, Tom Chothia, Gernot Heiser qian.ge@data61.csiro.au www.data61.csiro.au Top secret Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au 2 Enforcing time

  1. Time Protection: The Missing OS Abstraction Qian Ge, Yuval Yarom, Tom Chothia, Gernot Heiser qian.ge@data61.csiro.au www.data61.csiro.au

  2. Top secret Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �2

  3. Enforcing time protection at the OS level Security Domain Security Domain Sending information through timing Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �3

  4. Enforcing time protection at the OS level Security Domain Security Domain Sending information through timing Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �3

  5. Enforcing time protection at the OS level Security Domain Security Domain Sending information through timing Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �3

  6. Microarchitectural Timing Channels Security Domain Security Domain Shared hardware caches Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �4

  7. Microarchitectural Timing Channels Welcome to Dresden Security Domain Security Domain Shared hardware caches Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �4

  8. Microarchitectural Timing Channels Welcome to Dresden Security Domain Security Domain Shared hardware caches Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �4

  9. Microarchitectural Timing Channels Welcome to Dresden Security Domain Security Domain Shared hardware caches Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �4

  10. Microarchitectural Timing Channels Fast Fast Slow Fast Fast Welcome to Dresden ….. S F S FFF SSSS F Security Domain Security Domain Not English, but our protocol… Shared hardware caches Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �4

  11. Contention, Contention, Contention… • Contention leaks information via timing • Caches: • capacity-limited … • stateful Shared hardware caches • Resulting on temporal interference during: - time-shared access - concurrent access Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �5

  12. Contention, Contention, Contention… • Contention leaks information via timing • Caches: • capacity-limited … • stateful Shared hardware caches • Resulting on temporal interference during: - time-shared access Any state-holding microarchitectural feature: - concurrent access • Caches, branch predictor, TLB Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �5

  13. Preventing Contention by Partitioning Security Domain Security Domain Partitioned caches Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au

  14. Spatial Partitioning Cache colouring: • Distributing coloured cache sets Cache Cache to coloured memory frames • Memory management policy Memory RAM Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �7

  15. Spatial Partitioning Cache colouring: • Distributing coloured cache sets Cache Cache to coloured memory frames • Memory management policy Memory RAM Partition security domains on disjoint cache sets … Shared hardware caches Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �7

  16. Spatial Partitioning Cache colouring: • Distributing coloured cache sets Cache Cache to coloured memory frames • Memory management policy Memory RAM Partition security domains on disjoint cache sets • Resulting on temporal interference during: - time-shared access … - concurrent access Shared hardware caches Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �7

  17. Spatial Partitioning Cache colouring: • Distributing coloured cache sets Cache Cache to coloured memory frames • Memory management policy Memory RAM Partition security domains on disjoint cache sets • Resulting on temporal interference during: - time-shared access … - concurrent access Shared hardware caches Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �7

  18. Spatial Partitioning Cache colouring: • Distributing coloured cache sets Cache Cache to coloured memory frames • Memory management policy Memory RAM Partition security domains on disjoint cache sets • Resulting on temporal interference during: - time-shared access … - concurrent access Shared hardware caches Cannot be supported by on-core caches Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �7

  19. Temporal Partitioning Flushing on-core caches: • Resetting states Context switch … Shared on-caches Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �8

  20. Temporal Partitioning Flushing on-core caches: • Resetting states Context switch • Resulting on temporal … interference during: Shared on-caches - time-shared access - concurrent access Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �8

  21. Temporal Partitioning Flushing on-core caches: • Resetting states Context switch • Resulting on temporal … interference during: Shared on-caches - time-shared access - concurrent access Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �8

  22. Preventing Temporal Interference through Partitioning Security Domain Security Domain Context Temporal partitioning … Spatial partitioning … Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �9

  23. Wait, Everyone Shares the Kernel…. Security Domain Security Domain A shared partition Kernel Services … Shared hardware caches Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �10

  24. Wait, Everyone Shares the Kernel…. Security Domain Security Domain A shared partition Cache lines used by the kernel Kernel Services collide with Spy’s partition … Shared hardware caches Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �10

  25. Wait, Everyone Shares the Kernel…. Poster Session Security Domain Security Domain @ 17:15 A shared partition Cache lines used by the kernel Kernel Services collide with Spy’s partition … Shared hardware caches Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �10

  26. Wait, Everyone Shares the Kernel…. Fast Fast Slow Fast Fast Poster Session ….. S F S FFF SSSS F Security Domain Security Domain @ 17:15 A shared partition Cache lines used by the kernel Kernel Services collide with Spy’s partition … Shared hardware caches Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �10

  27. Kernel Services Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �11

  28. Cloning the Kernel Image Analysing the kernel sections .text .rodata .data Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �12

  29. Cloning the Kernel Image Duplicated sections Analysing the .text kernel sections .text .rodata .rodata Maintaining .data coherency .data Global (9KiB) Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �12

  30. Cloning the Kernel Image Duplicated sections Analysing the .text kernel sections .text .rodata .rodata Maintaining .data coherency .data Global (9KiB) Kernel Clone: Generating a copy of the kernel image with user-level managed memory Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �12

  31. Cloning the Kernel Image Duplicated sections Analysing the .text kernel sections .text .rodata .rodata Maintaining .data coherency .data Global (9KiB) Kernel Clone: Generating a copy of the kernel image with user-level managed memory Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �12

  32. Dedicated Kernel Images Security Domain Security Domain Shared Global Data Context Temporal partitioning Deterministic usage … Spatial partitioning … Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �13

  33. Timing Channel through the Shared Kernel Channel matrix: conditional probability of observing the output signal (time, Output (cycles) spy) given the input signal (system-call number, Trojan) Raw channel Horizontal variation Input (taking seL4 syscall) seL4 system call indicates a channel Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �14

  34. Timing Channel through the Shared Kernel Channel matrix: conditional probability of observing the output signal (time, Output (cycles) spy) given the input signal (system-call number, Trojan) Raw channel Horizontal variation Input (taking seL4 syscall) seL4 system call indicates a channel Output (cycles) Prevented by cloned kernel Input (taking seL4 syscall) Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �14

  35. How realistic is cloning? x86 Arm 224 KiB 120 KiB .text Memory consumption .rodata .data Arch seL4 Linux Global (9KiB) Clone fork + exec x86 79 μs 257 μs Arm 608 μs 4,300 μs Efficiency Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �15

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Last time: effects effect E : t 1/ 38 This time: staging . < e > . 2/ 38 Review:

Last time: effects effect E : t 1/ 38 This time: staging . < e > . 2/ 38 Review:

Last time: effects effect E : t 1/ 38 This time: staging . < e > . 2/ 38 Review: abstraction Lambda abstraction Abstraction of type equalities x : A . M A :: K . M a b A :: K . B Interfaces to computation First-class

816 views • 43 slides
Last time: generic programming val show : a data a string 1/ 45 This time: staging

Last time: generic programming val show : a data a string 1/ 45 This time: staging

Last time: generic programming val show : a data a string 1/ 45 This time: staging . < e > . 2/ 45 Review: abstraction Lambda abstraction Abstraction of type equalities x : A . M A :: K . M a b A :: K . B

876 views • 50 slides
Last Class: File System Abstraction Naming Protection Persistence Fast access

Last Class: File System Abstraction Naming Protection Persistence Fast access

Last Class: File System Abstraction Naming Protection Persistence Fast access Computer Science Computer Science CS377: Operating Systems Lecture 17, page 1 Protection The OS must allow users to control sharing of their

399 views • 9 slides
LIBMPK: SOFTWARE ABSTRACTION FOR INTEL MEMORY PROTECTION KEYS (INTEL MPK) Soyeon Park, Sangho

LIBMPK: SOFTWARE ABSTRACTION FOR INTEL MEMORY PROTECTION KEYS (INTEL MPK) Soyeon Park, Sangho

LIBMPK: SOFTWARE ABSTRACTION FOR INTEL MEMORY PROTECTION KEYS (INTEL MPK) Soyeon Park, Sangho Lee, Wen Xu, Hyungon Moon and Taesoo Kim INTRODUCTION SECURITY CRITICAL MEMORY REGIONS NEED PROTECTION JIT page To achieve code execution,

327 views • 32 slides
Point, Line, & Plane 1 Abstraction Abstraction is the act of considering something as a

Point, Line, & Plane 1 Abstraction Abstraction is the act of considering something as a

Point, Line, & Plane 1 Abstraction Abstraction is the act of considering something as a general quality or characteristic, apart from concrete realities, specific objects, or actual instances. 2 Abstraction Abstraction is

478 views • 21 slides
Earthing and Lightning Protection of Utility Scale PV Plant - What is Missing? - by Dr Pieter H

Earthing and Lightning Protection of Utility Scale PV Plant - What is Missing? - by Dr Pieter H

Earthing and Lightning Protection of Utility Scale PV Plant - What is Missing? - by Dr Pieter H Pretorius, TERRATECH, South Africa OVERVIEW INTRODUCTION IMPLICATIONS - DESIGN IMPLICATIONS INSTALLATION MITIGATION OPTIONS

493 views • 21 slides
Disaster Risk Reduction and Financial Protection: What is Missing, What Can Work? The Case of

Disaster Risk Reduction and Financial Protection: What is Missing, What Can Work? The Case of

Disaster Risk Reduction and Financial Protection: What is Missing, What Can Work? The Case of Latin America and the Caribbean Kari Keipi, IDB London, 15 November 2006 The Imperative of Reducing Risk 1. Increasing gap to finance disaster

229 views • 21 slides
Use of a multi-disciplinary approach to adjust an abstraction regime for the protection of shad

Use of a multi-disciplinary approach to adjust an abstraction regime for the protection of shad

Use of a multi-disciplinary approach to adjust an abstraction regime for the protection of shad Nicola Teague & Tom Elmitt IFM Fish and Flows Specialist Conference 2019 - York Background to the project Project structure Steering group

326 views • 6 slides
CSCI 350 Ch. 2 The Kernel Abstraction & Protection Mark Redekopp 2 PROCESSES &

CSCI 350 Ch. 2 The Kernel Abstraction & Protection Mark Redekopp 2 PROCESSES &

1 CSCI 350 Ch. 2 The Kernel Abstraction & Protection Mark Redekopp 2 PROCESSES & PROTECTION 3 Processes Program/Process Process 1,2,3, (def 1.) Address Space + Threads 0xffff ffff 1 or more threads Kernel

794 views • 35 slides
Predicate Abstraction with SATABS Existential Abstraction Predicate Abstraction for Software

Predicate Abstraction with SATABS Existential Abstraction Predicate Abstraction for Software

Outline Introduction Predicate Abstraction with SATABS Existential Abstraction Predicate Abstraction for Software Counterexample-Guided Abstraction Refinement Computing Existential Abstractions of Programs Version 1.0, 2010 Checking the

429 views • 12 slides
Data Abstraction Announcements Data Abstraction Data Abstraction Programmers Compound

Data Abstraction Announcements Data Abstraction Data Abstraction Programmers Compound

Data Abstraction Announcements Data Abstraction Data Abstraction Programmers Compound values combine other values together All A date: a year, a month, and a day A geographic position: latitude and longitude Data abstraction

430 views • 19 slides
Last time: abstraction and parametricity 1/ 44 This time: GADTs a b 2/ 44 What we

Last time: abstraction and parametricity 1/ 44 This time: GADTs a b 2/ 44 What we

Last time: abstraction and parametricity 1/ 44 This time: GADTs a b 2/ 44 What we gain : : (Addtionally, some programs become faster!) 3/ 44 What we gain : : (Addtionally, some

426 views • 42 slides
Last time: generic programming val show : a data a string 1/ 65 This time: staging

Last time: generic programming val show : a data a string 1/ 65 This time: staging

Last time: generic programming val show : a data a string 1/ 65 This time: staging . < e > . 2/ 65 Review: abstraction Row polymorphism Lambda abstraction x : A . M [ > `A | `B] A :: K . M A :: K . B

690 views • 50 slides
Making sense of time: The embodied nature of human abstraction Rafael E. Nez Embodied

Making sense of time: The embodied nature of human abstraction Rafael E. Nez Embodied

Making sense of time: The embodied nature of human abstraction Rafael E. Nez Embodied Cognition Lab Department of Cognitive Science University of California, San Diego at my hotel room in Tokyo susumu: advance, modoru: go

1.01k views • 59 slides
Continuous Imputation of Missing Values in Streams of Pattern-Determining Time Series Kevin

Continuous Imputation of Missing Values in Streams of Pattern-Determining Time Series Kevin

Continuous Imputation of Missing Values in Streams of Pattern-Determining Time Series Kevin Wellenzohn 1 ohlen 1 Michael H. B os 2 Johann Gamper 2 Hannes Mitterer 2 Anton Dign 1 Department of Computer Science University of Zurich 2 Faculty

356 views • 31 slides
Missing Data in Machine Learning Guy Van den Broeck Emerging Challenges in Databases and AI

Missing Data in Machine Learning Guy Van den Broeck Emerging Challenges in Databases and AI

Computer Science Reasoning about Missing Data in Machine Learning Guy Van den Broeck Emerging Challenges in Databases and AI Research (DBAI) Nov 12 2019 Outline 1. Missing data at prediction time a. Reasoning about expectations b.

1.91k views • 46 slides
Java Language Constructs II Department of Computer Science University of Maryland, College Park

Java Language Constructs II Department of Computer Science University of Maryland, College Park

CMSC 132: Object-Oriented Programming II Java Language Constructs II Department of Computer Science University of Maryland, College Park Announcements Regarding TA Room Usage No food or drinks are allowed in the TA room. Please do

588 views • 12 slides
Automatic Mining of Functionally Equivalent Code Fragments via Random Testing Lingxiao Jiang and

Automatic Mining of Functionally Equivalent Code Fragments via Random Testing Lingxiao Jiang and

Automatic Mining of Functionally Equivalent Code Fragments via Random Testing Lingxiao Jiang and Zhendong Su Introduction Functional Clones EqMiner w/ Evaluation Conclusion Cloning in Software Development How New Software Product

498 views • 38 slides
Sub-clones: Considering the Part Rather than the Whole Robert Tairas Department of Computer and

Sub-clones: Considering the Part Rather than the Whole Robert Tairas Department of Computer and

Sub-clones: Considering the Part Rather than the Whole Robert Tairas Department of Computer and Information Sciences University of Alabama at Birmingham Jeff Gray Department of Computer Science University of Alabama This research is

489 views • 18 slides
Project Project Walrus Walrus Make the most of your card cloning devices Make the most of your

Project Project Walrus Walrus Make the most of your card cloning devices Make the most of your

Project Project Walrus Walrus Make the most of your card cloning devices Make the most of your card cloning devices Whois Team Walrus Daniel Underhay Matthew Daley @dunderhay bugfuzz.com Security Consultant at Aura Information Security

666 views • 43 slides
Manipulation by Cloning Candidates (with Piotr Faliszewski and Edith Elkind) Arkadii Slinko

Manipulation by Cloning Candidates (with Piotr Faliszewski and Edith Elkind) Arkadii Slinko

Manipulation by Cloning Candidates (with Piotr Faliszewski and Edith Elkind) Arkadii Slinko Department of Mathematics The University of Auckland COMSOC 2010 (Dusseldorf, 14 September, 2010) Was Nader Responsible for Bushs Win? It is widely

223 views • 18 slides
Vlambeer Clones: Advancing the discussion Vlambeer Clones: Advancing the discussion Rami

Vlambeer Clones: Advancing the discussion Vlambeer Clones: Advancing the discussion Rami

Vlambeer Clones: Advancing the discussion Vlambeer Clones: Advancing the discussion Rami Ismail Jan Willem Nijman Business & Development Game Design What we did Super Crate Box, Radical Fishing, GUN GODZ, Serious Sam: The Random

593 views • 42 slides
Actifio DCA for Oracle Understanding the business and IT impact of the Actifio Database Cloning

Actifio DCA for Oracle Understanding the business and IT impact of the Actifio Database Cloning

Actifio DCA for Oracle Understanding the business and IT impact of the Actifio Database Cloning Appliance powered by Dell Technologies for Oracle databases Agenda Actifio Database Cloning Appliance (DCA) for Oracle Questions for Oracle

817 views • 27 slides
Crom: Faster Web Browsing Using Specula9ve Execu9on James Mickens Jeremy Elson Jon Howell Jacob

Crom: Faster Web Browsing Using Specula9ve Execu9on James Mickens Jeremy Elson Jon Howell Jacob

Crom: Faster Web Browsing Using Specula9ve Execu9on James Mickens Jeremy Elson Jon Howell Jacob R. Lorch Surfing the Web Prefetching: Web 1.0 Sta9c objects connected by declara9ve links Find prefetchable objects by traversing graph

613 views • 43 slides

More recommend