
Virtual Ghost: Protecting Applications from Hostile Operating - PowerPoint PPT Presentation



  1. Virtual Ghost: Protecting Applications from Hostile Operating Systems (John Criswell, Nathan Dautenhahn, and Vikram Adve)

  2-3. New Job

  4-9. Do You Trust Your Operating System? Online Shopping! Filing Taxes! Medical Data! Voting Machines! National Security!

  10. Commodity Operating Systems Are Vulnerable! Vulnerability examples: • Buffer Overflows: BugTraq ID 12911, 13589, 13207, 13225, 12295 • Integer Overflows: BugTraq ID 10179, 63707 • Information Leaks: BugTraq ID 8831, 64677, 64746, 64742, 62405 • Kernel-level Malware: Adore rootkit

  11. If the operating system kernel is exploited, all security guarantees are null and void.

  12. Virtual Ghost Contributions • Protects application data confidentiality and integrity • Uses compiler techniques thanks to LLVM • Same privilege level as kernel • Faster than hypervisor-based approaches

  13. Outline • Motivation • Design • Results • Future Work

  14. Goal: Application That Protects Itself from OS (diagram: Public Data, Private Data, Private Code, Private Key, Operating System). Required Features: 1. Private data and code 2. Incorruptible control flow 3. Reliable encryption key delivery

  15-17. Challenges 1. Processor lets privileged software access all memory 2. Operating System must manipulate application state • Process and thread creation • Executing new programs (exec() family of system calls) • Signal handler dispatch

  18-19. Virtual Ghost (diagram: Applications and OS Kernel on the Virtual Instruction Set; Virtual Ghost VM; Native Instruction Set; Processor) • OS compiled to virtual instruction set • Designed to be easy to analyze and instrument • Low-level instructions (SVA-OS) replace assembly code • Translate ahead-of-time, boot-time, or run-time

  20. Virtual Instruction Set (diagram: Virtual Ghost Compiler Instrumentation, VG Runtime) • SVA-Core: Compiler Instrumentation • Based on LLVM IR: typed, explicit SSA form • Sophisticated compiler analysis and instrumentation • SVA-OS: Virtual Ghost Runtime • OS-neutral instructions to support a commodity OS • Encapsulates & controls hardware and state manipulation • Implemented as a run-time library linked into kernel

  21-22. Ghost Memory (diagram: User-Space Memory; Ghost Memory, which holds Private Data and Code and which the kernel cannot access; Virtual Ghost VM Memory; Kernel Memory)

  23. Ghost Memory Instrumentation (diagram: User-Space Memory, Ghost Memory, Virtual Ghost VM Memory, Kernel Memory) • Software Fault Isolation • Protects Ghost and VM Memory • Avoids TLB flush • Control-Flow Integrity • Prevents instrumentation bypass • Provides kernel protection

  24. Software Fault Isolation Instrumentation. Ghost Memory: 0xffffff0000000000 – 0xffffff8000000000
     mask = ((p >> 32) == 0xffffff00) ? 0x8000000000 : 0;  /* does p point into ghost memory? */
     p |= mask;                                            /* if so, set bit 39 to move p out of the ghost range */
     store v, *p;                                          /* the store now cannot touch ghost memory */
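The masking on slide 24, worked through as an added C example that is not from the slides or the SVA project: it keeps the slide's exact comparison on the upper 32 bits and puts next to it a comparison on bits 39 and up that covers the whole 0xffffff0000000000 – 0xffffff8000000000 range. The widened check is this example's own assumption about the intent, and the sample addresses are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Ghost memory range from slide 24 (end is exclusive). */
#define GHOST_START  0xffffff0000000000ULL
#define GHOST_END    0xffffff8000000000ULL
/* Bit 39: OR-ing it into a ghost address moves the address to GHOST_END or above. */
#define REDIRECT_BIT 0x8000000000ULL

/* Used only to check results: is the address inside ghost memory? */
static bool in_ghost_memory(uint64_t p) {
    return p >= GHOST_START && p < GHOST_END;
}

/* The comparison exactly as written on the slide: the upper 32 bits must equal
 * 0xffffff00, which matches only the first 4 GiB of the ghost range. */
static uint64_t sfi_mask_slide(uint64_t p) {
    uint64_t mask = ((p >> 32) == 0xffffff00ULL) ? REDIRECT_BIT : 0;
    return p | mask;
}

/* Assumed generalization: compare bits 39 and up instead, so every address in
 * the 512 GiB ghost range is redirected. Still a plain compare-and-OR on the
 * pointer, which is why the slides say the scheme avoids a TLB flush. */
static uint64_t sfi_mask_full(uint64_t p) {
    uint64_t mask = ((p >> 39) == (GHOST_START >> 39)) ? REDIRECT_BIT : 0;
    return p | mask;
}

int main(void) {
    /* Constructed sample addresses: kernel, ghost (low and high), user space. */
    const uint64_t samples[] = {
        0xffffff8000001000ULL, /* ordinary kernel address: must stay unchanged */
        0xffffff0000001000ULL, /* start of ghost memory: caught by both checks */
        0xffffff7fffffff00ULL, /* end of ghost memory: caught only by the full check */
        0x00007fff12345000ULL, /* user-space address: must stay unchanged */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t a = sfi_mask_slide(samples[i]), b = sfi_mask_full(samples[i]);
        printf("%#018llx slide-> %#018llx (%s) full-> %#018llx (%s)\n",
               (unsigned long long)samples[i],
               (unsigned long long)a, in_ghost_memory(a) ? "still ghost" : "ok",
               (unsigned long long)b, in_ghost_memory(b) ? "still ghost" : "ok");
    }
    return 0;
}
```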

  25. Control-Flow Integrity Instrumentation [1] • Insert NOP labels at target addresses • Function entry • Call sites • Instrument all computed jumps • Bitmask to force pointer into kernel code • Check label at target of computed jump
     Instrumented code shown on the slide:
     foo:
         NOP Label
         pushq %rax
         add %rax, %rax
         sub $1, %rbx
         call foo
         NOP Label
         popq
     [1] Zeng, Tan, and Morrisett, Combining Control-flow Integrity and Static Analysis for Efficient and Validated Data Sandboxing, CCS 2011

  26. Secure Application Control Flow (diagram: Kernel, SVA-OS, Virtual Ghost, Saved Program State) • Program state in VM Memory • OS cannot modify directly • SVA-OS vets/performs changes • Signal handler dispatch • Thread creation • Exec() system calls

  27. Secure Application Encryption Keys (diagram: Executable holds Application Code and Application Key Pair; Process holds Code Segment and Memory; Virtual Ghost)

  28. Kernel Injects Wrong Key (diagram: Executable holds Application Code; Process holds Code Segment and Ghost Memory; Kernel-Inserted Key Pair; Virtual Ghost)

  29. Kernel Replaces Code (diagram: Executable; Kernel-Inserted Code; Process holds Code Segment and Ghost Memory; Application Key Pair; Virtual Ghost)

  30-31. Secure Application Encryption Keys (diagram: Executable holds E_VG(Application Code), E_VG(Application Key Pair), and E_VG(Hash of Executable); Process holds Code Segment and Ghost Memory; Virtual Ghost; in the second build the Application Key Pair appears in the process's Ghost Memory)

  32. Outline • Introduction • Design • Results • Future Work

  33. Implementation • Developed an x86_64 64-bit implementation of Virtual Ghost • Ported FreeBSD 9.0 to Virtual Ghost • FreeBSD compiles with LLVM out of the box • Modified OpenSSH applications to use ghosting • ssh client • ssh-agent key-chain server • ssh-add utility

  34-35. Kernel Malware Attack: Trick Application into Putting Data into the Clear • Install signal handler to malicious code in application • Malicious code copies data to traditional memory (diagram: Malicious Data Flow from ssh-agent's Ghost Memory via memcpy(g, t); into Traditional Memory, then via write(fd, t, 10); to the Malware Driver in the Kernel; the second build crosses out the memcpy(g, t); step)

  36. LMBench Execution Time Normalized to Native (chart: InkTag [1] vs. Virtual Ghost; y-axis: Execution Time Normalized to Native; x-axis: lmbench Benchmark) [1] InkTag: Secure Applications on an Untrusted Operating System, ASPLOS 2013

  37. Web Server Performance for thttpd (chart: Native FreeBSD vs. Virtual Ghost; y-axis: KB/s, log scale from 1 to 100,000; x-axis: File Size (KB) from 1 to 1024) • ApacheBench: 100 clients, 100,00 requests • Performance overhead negligible

  38. Unmodified SSH Server Performance (chart: Native FreeBSD vs. Virtual Ghost; y-axis: Bandwidth (KB/s) from 0 to 90000; x-axis: File Size (KB)) • 23% reduction of bandwidth on average • 45% reduction in worst case

  39. Ghosting SSH Client Performance (chart: Original ssh vs. Ghosting ssh; y-axis: Bandwidth (KB/s) from 0 to 60000; x-axis: File Size (KB)) • 5% reduction in worst case

  40. Outline • Introduction • Design • Results • Future Work

  41. Future Work • Improved performance • Advanced optimization (e.g., type safe check optimization) • Cryptographic protocols for preventing OS attacks • Prevent replay attacks • Compiler transforms to use Virtual Ghost features

  42. Started Open-Source Release • LLVM Compiler Extensions • Virtual Ghost Run-time Library

  43. Summary • Virtual Ghost allows applications to protect themselves from an OS • Uses compiler instrumentation • Keeps higher processor privilege levels free • Faster than hypervisor-based approaches See what we do at http://sva.cs.illinois.edu!
