Graphical User Interface for Virtualized Mobile Handsets
Janis Danisevskis, Michael Peter, Jan Nordholz, Matthias Petschick, Julian Vetter
Security in Telecommunications, Technische Universität Berlin
MoST, San José, May 21st, 2015

Motivation | Secure GUI (Trusted Path) | Secure Virtual GPU | Evaluation | Conclusion
Speaker: Janis Danisevskis

Bring Your Own Device: Business Phone
Policy (possibly):
- Restricted set of apps
- Restricted internet access (VPN/Firewall)
- Remote provisioning

Bring Your Own Device: Private Phone
Policy (likely):
- This is my phone, so I do whatever I want.
- And, don't meddle with my stuff.

Our approach on BYOD
[Figure: two virtual machines, labelled Private and Business, on a Hypervisor/Microkernel]

Challenges addressed by this work

Threat Model
- Private side is under the control of an attacker
- Impersonation attacks
- Eavesdropping attacks
- Evasion of isolation

Illustrations shown next to the threat model:
- Corporate Login (Username:, Password:)
- Corporate Email App. From: Your Boss. Subject: New Acquisition. "Transfer $gazillion to account no: xxxevilxxxx". Your Boss
- Keylogging/Logging of touch events; Spying on screen output
- DMA devices can threaten isolation: [7] Cloudburst (2009); [6] Dark Side of the Shader: Mobile GPU-Aided Malware Delivery (2013); [3, 5, 4] "Fire in the (root) hole!" (2014)

Design Goals
- High graphics performance
- Low impact on CPU load
- Low impact on the TCB

Design and Implementation
- Secure GUI (Trusted path)
- Secure Mobile GPU Virtualization

Output label
[Figure labels: Private, Business]

[Figure labels: label region, label framebuffer, client region, switch, framebuffers of client 1 (VM 1) and client 2 (VM 2)]
- Screen is split into label region and client region
- Client VMs have private framebuffers
- Label controlled by the switcher indicates output routing
- Zero copy and composition in hardware

[Figure labels: guest physical memory of client 1 and client 2; physical memory with label buffer, client 1 buffer and client 2 buffer (visible / not visible); display controller driver controls the scan-out region 1 control register and the scan-out region 2 control register of the display controller]

[Figure labels: client 1 VM, client 2 VM, display controller, framebuffer driver, switch, input switch, input driver, policy master, decision maker; vsync interrupt, input events, output data, "event == !"]

Summary: Secure GUI
- Unforgeable labels → prevents impersonation
- Private framebuffers and exclusive input routing → prevent eavesdropping
- Zero copy with hardware overlays → low CPU load and low complexity

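An added example, not taken from the slides or from the authors' implementation: a small C model of the switcher that ties the three summary points together (label and client framebuffer switched as one step by re-pointing scan-out regions, input delivered to the visible client only). All names, the EV_SWITCH event code and the buffer addresses are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
/* Hypothetical names; EV_SWITCH is an assumed reserved "switch VM" event. */
enum { N_CLIENTS = 2, NO_CLIENT = -1, EV_SWITCH = 0xFFFF };

struct switcher {
    uintptr_t region1_base, region2_base; /* scan-out regions: 1 = label, 2 = client */
    uintptr_t label_buf[N_CLIENTS];       /* label images, owned by the switcher */
    uintptr_t client_fb[N_CLIENTS];       /* private framebuffer of each client VM */
    int focus;                            /* client that owns screen and input */
};

/* Label and framebuffer change together by re-pointing the scan-out
 * regions: zero copy, no pixel data is moved. */
int switcher_focus(struct switcher *s, int client)
{
    if (client < 0 || client >= N_CLIENTS)
        return -1;                        /* unknown client: routing unchanged */
    s->region1_base = s->label_buf[client];
    s->region2_base = s->client_fb[client];
    s->focus = client;
    return 0;
}

/* Input goes to the focused client only; the switch event is consumed
 * here and reaches no client. Returns the receiving client. */
int switcher_input(struct switcher *s, int event)
{
    if (event == EV_SWITCH) {
        switcher_focus(s, (s->focus + 1) % N_CLIENTS);
        return NO_CLIENT;
    }
    return s->focus;
}

/* Invariant: the label shown always names the client being scanned out. */
int switcher_consistent(const struct switcher *s)
{
    return s->region1_base == s->label_buf[s->focus] &&
           s->region2_base == s->client_fb[s->focus];
}

int main(void)
{   /* Constructed buffer addresses, for illustration only. */
    struct switcher s = { .label_buf = {0x1000, 0x2000}, .client_fb = {0x100000, 0x200000} };
    switcher_focus(&s, 0);
    int a = switcher_input(&s, 'a'), sw = switcher_input(&s, EV_SWITCH), b = switcher_input(&s, 'b');
    printf("a->%d switch->%d b->%d consistent=%d\n", a, sw, b, switcher_consistent(&s));
    return 0;
}
```

Because clients never write the label buffers or the scan-out registers in this model, the consistency check can only fail through a bug in the switcher itself.
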
Mobile GPU Driver Stack
User-space driver
- Provides: OpenGL/EGL abstraction
- Comprises: shader compiler, linker, ...
Kernel-space driver
- Schedules rendering tasks
- Protects memory
[Figure labels: Application, GPU abstraction (OpenGL/EGL), user space GPU driver, Kernel GPU driver, Hardware (MMU, GPU); GPU job, process address space, GPU address space, physical address space]

Mobile GPU Driver Stack (paravirtualized)
- User-space driver unmodified
- User-kernel interface unmodified
- Custom protocol between GPU driver stub and GPU server
- No forwarding of high bandwidth data, such as textures, attribute lists, or shader programs
- Forwards job requests to the GPU server (and job completion notifications to the client)
- Forwards mapping requests to the GPU server
[Figure labels: virtual machine, Application, GPU abstraction (OpenGL/EGL), user space GPU driver, Guest Kernel GPU driver stub, GPU server, Hypervisor, Hardware (MMU, GPU)]