armlock hardware based fault
play

ARMlock: Hardware-based Fault Isolation for ARM Yajin Zhou , - PowerPoint PPT Presentation

ARMlock: Hardware-based Fault Isolation for ARM Yajin Zhou , Xiaoguang Wang, Yue Chen, and Zhi Wang North Carolina State University Xian Jiaotong University Florida State University Software is Complicated and Vulnerable Number of CVEs 17


  1. ARMlock: Hardware-based Fault Isolation for ARM Yajin Zhou , Xiaoguang Wang, Yue Chen, and Zhi Wang North Carolina State University Xi’an Jiaotong University Florida State University

  2. Software is Complicated and Vulnerable Number of CVEs 17 million SLOC 300 266 249 250 189 200 15 million SLOC 175 152 150 125 116 110 102 100 86 78 74 63 2 million SLOC 44 43 50 27 7 4 3 3 0 2010 2011 2012 2013 2014 400 thousands SLOC Linux Chrome Apache Libpng 2

  3. Software is Complicated and Vulnerable  Code: different sources  Third-party libraries, plugins …  Vulnerabilities in one module could compromise the whole application Heartbleed 3

  4. Software Fault Isolation  SFI: security by isolation  Split application into different fault domains  Separate each domain from others  Compromised fault domains cannot affect others  Widely used in x86 systems  Linux kernel: LXFI  User level applications: Native client, Vx32 … Our work focuses on ARM architecture 4

  5. ARM Architecture is Popular 750 million Android devices in 2013 ARM is catching up in the data 99% are based on ARM architecture center server market 5

  6. SFI on ARM Architecture  Native client for ARM  Compiler based solution  Limitations: assumption on memory layout, hard to efficiently support self-modifying code, and JIT compiling  ARMor  Binary rewriting  High performance overhead 6

  7. Our Solution: ARMlock  Strict isolation  Memory read/write, code execution, system calls  Low performance overhead  Sandbox context switch, sandbox itself  Compatibility  Memory layout, self-modifying code, JIT compiling  Leverage an often overlooked hardware feature: Memory domain 7

  8. Background: ARM Memory Domain D0 D1 D14 D15 lw r0, [r1] 01 00 … 00 00 … √ … Domain 0 DACR Register lw r1, [r2] X Domain 1 Sandboxed code ARM domain access control Domain 2 Type Value Description … No Access 00 No access permitted Client 01 Permissions defined by page tables Domain 14 Reserved 10 Reserved Domain 15 Manager 11 No permissions check (unlimited access) Virtual memory space 8

  9. Threat Model  OS kernel is trusted  Host application is benign but could be vulnerable  External modules: vulnerable or malicious Isolate compromised or malicious modules from the host application 9

  10. ARMlock Architecture Sandboxed untrusted module data data function function Host application User mode System call interposition Kernel mode Linux kernel ARMlock kernel extension Cross-sandbox communication (with the help of ARMlock kernel extension) 10 10

  11. Sandbox Creation  Host application asks ARMlock kernel module to create a sandbox  Kernel module initializes the sandbox  Locate first level page table entries  Assign different memory domains to the host application and sandboxes  Memory domain assignment cannot be changed by the sandbox 11 11

  12. Sandbox Switch  DACR register is saved in the thread control block  DACR register is updated when switching sandboxes  Only current domain (and kernel) are accessible, not other domains  Multithreading is naturally supported  Each CPU core has its own DACR register 12 12

  13. Cross-sandbox Communication  Inter-module function call  Inter-module memory reference 13 13

  14. Inter-module Function Invocation  Two new system calls  ARMlock_CALL: inter-module function call  ARMlock_RET: inter-module function return 14 14

  15. Inter-module Function Invocation  Inter-module function invocation caller stub Sandboxed untrusted module gate callee gate Host application User mode Kernel mode Linux kernel ARMlock kernel extension Inter-domain transfer (with the help of ARMlock kernel extension) Intra-domain transfer (with the help of ARMlock user library) 15 15

  16. Inter-module Function Invocation Stub Switch stack etc. Prepare context Set PC to entry gate Entry gate Issue ARMlock_CALL ARMlock_CALL returns Caller Callee Prepare context Call real function Call Sandbox1 Sandbox1 _func _func Issue ARMlock_RET Return gate Switch stack etc. Restore context Set PC to return gate Return ARMlock_RET returns ARMlock kernel module Sandbox 1 Sandbox 0 16 16

  17. Inter-module Memory Reference  Kernel assisted memory copy  Kernel marks both domains as accessible  Copy data into the destination sandbox  Restore the DACR register 17 17

  18. Inter-module Memory Reference  Shared memory domain: using a domain which is accessible in both sandboxes  Data from sandboxed modules should be sanitized Domain 0 Domain 0 Domain 1 Domain 1 lw r0, [r1] lw r3, [r1] Domain 2 Domain 2 … … … … … … lw r1, [r2] lw r5, [r2] Domain 14 Domain 14 Accessible Sandbox 0 Sandbox 1 Domain 15 Domain 15 Non-accessible Memory space Memory space 18 18

  19. System Call Interposition  Recent Linux system has 380+ system calls  Normal applications may use less than that, e.g., around 60  More system calls may expose more kernel vulnerabilities  Host applications in ARMlock could control system calls available to sandboxed modules  Implemented through the seccomp-BPF framework 19 19

  20. Evaluation  Security analysis  Performance overhead  Sandbox switch latency  Sandbox itself 20 20

  21. Security Analysis  Cross-sandbox communication  Inter-module function invocation Host application  Inter-module memory reference 1 Sandboxed module  Kernel assisted memory copy function function  Shared memory domain: race condition data data 2 Linux kernel ARMlock 21 21

  22. Performance Evaluation: Configuration Item Configuration CPU ARM1176JZF-S 700MHz RAM 512MB OS Raspbian (based on Debian) Kernel Linux 3.6.11 LMbench Version 2 nbench Version 2.2.3 22 22

  23. Sandbox Switch Latency  Call a simple inc function inside the sandbox  1 second: 903,343 inter-module calls -- 1.1 μ s for each call 23 23

  24. Sandbox Switch Latency  One sandbox switch: two system calls 10,000 x 2778.3 2631 1,000 x 100 x 17.4 16.4 5.8 10 x 3.1 2.6 1 1 1 x ARMlock clock exec fork getpid null sig_handle sig_install stat 24 24

  25. Performance Overhead 100% 90% 80% 0.661 70% 0.584 60% 50% 40% Internal 30% External 20% 10% 0% 25 25

  26. Discussion  Some developer efforts are required  Refactor the application into domains  Avoid frequent domain switch  Need to use short format page table in latest ARM architecture  Kernel-level sandbox  Other OS support 26 26

  27. Takeaway  ARMlock: a hardware-based fault isolation for ARM  Strict isolation  Low performance overhead  Better compatibility 27 27

  28. Q&A 28 28

Recommend


More recommend