Virtual Ghost: Protecting Applications from Hostile Operating Systems - PowerPoint PPT Presentation

SLIDE 1

Virtual Ghost: Protecting Applications from Hostile Operating Systems

John Criswell, Nathan Dautenhahn, and Vikram Adve

SLIDES 2-3

New Job

SLIDES 4-9

Do You Trust Your Operating System?

  • Voting Machines!
  • Online Shopping!
  • National Security!
  • Filing Taxes!
  • Medical Data!

SLIDE 10

Commodity Operating Systems Are Vulnerable!

Vulnerability Examples

  • Buffer Overflows: BugTraq ID 12911, 13589, 13207, 13225, 12295
  • Integer Overflows: BugTraq ID 10179, 63707
  • Information Leaks: BugTraq ID 8831, 64677, 64746, 64742, 62405
  • Kernel-level Malware: Adore rootkit

SLIDE 11

If the operating system kernel is exploited, all security guarantees are null and void.

SLIDE 12

Virtual Ghost Contributions

  • Protects application data confidentiality and integrity
  • Uses compiler techniques thanks to LLVM
  • Same privilege level as kernel
  • Faster than hypervisor-based approaches

SLIDE 13

Outline

  • Motivation
  • Design
  • Results
  • Future Work

SLIDE 14

Goal: Application That Protects Itself from OS

Required Features

  1. Private data and code
  2. Incorruptible control flow
  3. Reliable encryption key delivery

[Figure: application made up of Private Code, Private Data, Private Key and Public Data, alongside the Operating System]

SLIDES 15-17

Challenges

  1. Processor lets privileged software access all memory
  2. Operating System must manipulate application state
    • Process and thread creation
    • Executing new programs (exec() family of system calls)
    • Signal handler dispatch

SLIDES 18-19

Virtual Ghost

  • OS compiled to virtual instruction set
  • Designed to be easy to analyze and instrument
  • Low-level instructions (SVA-OS) replace assembly code
  • Translate ahead-of-time, boot-time, or run-time

[Figure: software stack with Applications, OS Kernel, Virtual Ghost VM and Processor, labelled with the Virtual Instruction Set and the Native Instruction Set]

SLIDE 20

Virtual Instruction Set

  • SVA-Core: Compiler Instrumentation
    • Based on LLVM IR: Typed, Explicit SSA form
    • Sophisticated compiler analysis and instrumentation
  • SVA-OS: Virtual Ghost Runtime
    • OS-neutral instructions to support a commodity OS
    • Encapsulates & controls hardware and state manipulation
    • Implemented as a run-time library linked into kernel

[Figure: Virtual Ghost made up of Compiler Instrumentation and the VG Runtime]

SLIDES 21-22

Private Data and Code

[Figure: address space divided into Ghost Memory, Virtual Ghost VM Memory, User-Space Memory and Kernel Memory; Ghost Memory and Virtual Ghost VM Memory are marked "Kernel cannot access"]

SLIDE 23

Ghost Memory Instrumentation

  • Software Fault Isolation
    • Protects Ghost and VM Memory
    • Avoids TLB flush
  • Control-Flow Integrity
    • Prevents instrumentation bypass
    • Provides kernel protection

[Figure: Virtual Ghost VM Memory, User-Space Memory, Ghost Memory and Kernel Memory]

SLIDE 24

Software Fault Isolation Instrumentation

Ghost Memory: 0xffffff0000000000 – 0xffffff8000000000

Instrumented store (pseudocode):

  mask = ((p >> 32) == 0xffffff00) ? 0x8000000000 : 0;
  p |= mask;
  store v, *p;
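As an added example that is not code from the talk or the Virtual Ghost project, the C model below applies the slide's OR-mask rewrite to a simulated kernel store. It generalizes the slide's (p >> 32) == 0xffffff00 test to a range check over the whole Ghost Memory region given on the slide; the backing arrays and the address values used are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Ghost Memory range from the slide: [GHOST_START, GHOST_END). Bit 39 is clear
 * for every address in it, so ORing in GHOST_MASK lands just above the region. */
#define GHOST_START 0xffffff0000000000ULL
#define GHOST_END   0xffffff8000000000ULL
#define GHOST_MASK  0x0000008000000000ULL

/* Constructed model of memory: the first REGION_BYTES of Ghost Memory and of the
 * region above it are backed by arrays; no real address is ever dereferenced. */
#define REGION_BYTES 64
static uint8_t ghost_backing[REGION_BYTES];
static uint8_t above_backing[REGION_BYTES];

/* The SFI rewrite. The slide's (p >> 32) == 0xffffff00 test matches only the
 * first 4 GB of the region; this range check covers all of it. */
uint64_t sfi_rewrite(uint64_t p) {
    uint64_t mask = (p >= GHOST_START && p < GHOST_END) ? GHOST_MASK : 0;
    return p | mask;
}

/* Map a modelled address to its backing byte, or NULL if it is not modelled. */
static uint8_t *backing_for(uint64_t p) {
    if (p >= GHOST_START && p < GHOST_START + REGION_BYTES)
        return &ghost_backing[p - GHOST_START];
    if (p >= GHOST_END && p < GHOST_END + REGION_BYTES)
        return &above_backing[p - GHOST_END];
    return NULL;
}

/* A kernel store as Virtual Ghost instruments it: rewrite the address first. */
bool instrumented_store(uint64_t p, uint8_t v) {
    uint8_t *slot = backing_for(sfi_rewrite(p));
    if (slot == NULL)
        return false;
    *slot = v;
    return true;
}

/* Kernel code tries to write 0x41 into Ghost Memory at offset 3: the byte must
 * land above GHOST_END while the ghost byte stays untouched. */
bool ghost_store_is_redirected(void) {
    ghost_backing[3] = 0;
    above_backing[3] = 0;
    return instrumented_store(GHOST_START + 3, 0x41)
        && ghost_backing[3] == 0 && above_backing[3] == 0x41;
}
```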

SLIDE 25

Control-Flow Integrity Instrumentation [1]

  • Insert NOP labels at target addresses
    • Function entry
    • Call sites
  • Instrument all computed jumps
    • Bitmask to force pointer into kernel code
    • Check label at target of computed jump

[1] Zeng, Tan, and Morrisett, Combining Control-flow Integrity and Static Analysis for Efficient and Validated Data Sandboxing, CCS 2011

Instrumented code (illustration from the slide):

  pushq %rax
  add %rax, %rax
  sub $1, %rbx
  call foo
  NOP Label
  popq

foo:
  NOP Label
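As an added example, not code from the talk or the Virtual Ghost project, the C model below walks through the two steps on the slide for a computed jump: mask the target into the kernel code region, then check for a NOP label at the masked target. The kernel code segment is a constructed array of instruction words and the label and instruction encodings are made up for the model.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of the kernel code segment: KCODE_WORDS instruction words
 * starting at KCODE_BASE. A word equal to CFI_LABEL stands for the NOP label the
 * instrumentation inserts at function entries and after call sites; INSN stands
 * for any ordinary instruction. Both encodings are made up for the model. */
#define KCODE_BASE  0xffffffff80000000ULL
#define KCODE_WORDS 16
#define CFI_LABEL   0x0f1f4400u
#define INSN        0x90909090u

static const uint32_t kcode[KCODE_WORDS] = {
    CFI_LABEL, INSN, INSN, INSN,   /* word 0: entry of foo, labelled */
    INSN, INSN, CFI_LABEL, INSN,   /* word 6: return site after a call, labelled */
    CFI_LABEL, INSN, INSN, INSN,   /* word 8: entry of bar, labelled */
    INSN, INSN, INSN, INSN,
};

/* Step 1 from the slide: a bitmask forces any computed target into kernel code.
 * The region is KCODE_WORDS * 4 bytes, so keeping bits 2..5 of the target and
 * ORing in KCODE_BASE yields a word-aligned address inside it. */
uint64_t cfi_mask_target(uint64_t target) {
    return KCODE_BASE | (target & ((uint64_t)KCODE_WORDS * 4 - 4));
}

/* Step 2: the label check at the (masked) target. */
bool cfi_label_at(uint64_t target) {
    uint64_t t = cfi_mask_target(target);
    return kcode[(t - KCODE_BASE) / 4] == CFI_LABEL;
}

/* Model of an instrumented computed jump: returns the word index execution
 * continues at, or -1 where the real instrumentation would trap. */
int instrumented_jump(uint64_t target) {
    if (!cfi_label_at(target))
        return -1;
    return (int)((cfi_mask_target(target) - KCODE_BASE) / 4);
}
```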

SLIDE 26

Secure Application Control Flow

  • Program state in VM Memory
    • OS cannot modify directly
    • SVA-OS vets/performs changes
  • Signal handler dispatch
  • Thread creation
  • Exec() system calls

[Figure: Saved Program State held inside Virtual Ghost; the Kernel requests changes through SVA-OS]

SLIDE 27

Secure Application Encryption Keys

[Figure: Executable (Application Code) loaded by Virtual Ghost into a Process (Code Segment, Memory); the Application Key Pair is delivered to the process]

SLIDE 28

Kernel Injects Wrong Key

[Figure: Executable (Application Code) loaded by Virtual Ghost into a Process (Code Segment, Ghost Memory); a Kernel-Inserted Key Pair replaces the application's key pair]

SLIDE 29

Kernel Replaces Code

[Figure: Kernel-Inserted Code loaded by Virtual Ghost into a Process (Code Segment, Ghost Memory) in place of the executable, with the Application Key Pair]

SLIDES 30-31

Secure Application Encryption Keys

[Figure: Executable carrying EVG(Application Code) and EVG(Hash of Executable), key delivered as EVG(Application Key Pair); Virtual Ghost loads the Process (Code Segment, Ghost Memory) and places the decrypted Application Key Pair in Ghost Memory]

SLIDE 32

Outline

  • Introduction
  • Design
  • Results
  • Future Work

SLIDE 33

Implementation

  • Developed an x86_64 64-bit implementation of Virtual Ghost
  • Ported FreeBSD 9.0 to Virtual Ghost
    • FreeBSD compiles with LLVM out of the box
  • Modified OpenSSH applications to use ghosting
    • ssh client
    • ssh-agent key-chain server
    • ssh-add utility

SLIDES 34-35

Kernel Malware Attack

Trick Application into Putting Data into the Clear

  • Install signal handler to malicious code in application
  • Malicious code copies data to traditional memory

[Figure: Kernel Malware Driver alongside ssh-agent; the Malicious Data Flow runs from ssh-agent Ghost Memory to Traditional Memory, and the second build marks this flow with an X]

Malicious handler (pseudocode; g is a ghost-memory buffer, t a traditional-memory buffer):

  memcpy(t, g, 10);
  write(fd, t, 10);

SLIDE 36

LMBench Execution Time Normalized to Native

[Chart: execution time normalized to native (y-axis 2.5 to 15) for the lmbench benchmarks null, open/close, mmap, page fault, fork and fork/exec; series InkTag [1] and Virtual Ghost. Data labels as extracted, in chart order: 4.2 4.4 1.15 4.7 4.83 3.9 3.04 5.74 7.5 9.94 7.95 55.8]

[1] InkTag: Secure Applications on an Untrusted Operating System, ASPLOS 2013

SLIDE 37

Web Server Performance for thttpd

  • ApacheBench: 100 clients, 100,00 requests
  • Performance overhead negligible

[Chart: throughput in KB/s (log scale, 1 to 100,000) against File Size (KB) from 1 to 1024; series Native FreeBSD and Virtual Ghost]

SLIDE 38

Unmodified SSH Server Performance

  • 23% reduction of bandwidth on average
  • 45% reduction in worst case

[Chart: Bandwidth (KB/s, up to 90000) against File Size (KB) from 1 to 1048576 in powers of 4; series Native FreeBSD and Virtual Ghost]

SLIDE 39

Ghosting SSH Client Performance

  • 5% reduction in worst case

[Chart: Bandwidth (KB/s, up to 60000) against File Size (KB) from 1 to 1048576 in powers of 4; series Original ssh and Ghosting ssh]

SLIDE 40

Outline

  • Introduction
  • Design
  • Results
  • Future Work

SLIDE 41

Future Work

  • Improved performance
    • Advanced optimization (e.g., type safe check optimization)
  • Cryptographic protocols for preventing OS attacks
    • Prevent replay attacks
  • Compiler transforms to use Virtual Ghost features

SLIDE 42

Started Open-Source Release

  • LLVM Compiler Extensions
  • Virtual Ghost Run-time Library

SLIDE 43

Summary

  • Virtual Ghost allows applications to protect themselves from an OS
  • Uses compiler instrumentation
  • Keeps higher processor privilege levels free
  • Faster than hypervisor-based approaches

See what we do at http://sva.cs.illinois.edu!