safe loading a foundation for secure execution of
play

Safe Loading A Foundation for Secure Execution of Untrusted - PowerPoint PPT Presentation

Jun 15, 2023 •174 likes •483 views

Safe Loading A Foundation for Secure Execution of Untrusted Programs Mathias Payer, Tobias Hartmann, Thomas R. Gross Department of Computer Science ETH Zurich, Switzerland Motivation Application code Kernel 2 Motivation Application code

  1. Safe Loading A Foundation for Secure Execution of Untrusted Programs Mathias Payer, Tobias Hartmann, Thomas R. Gross Department of Computer Science ETH Zurich, Switzerland

  2. Motivation Application code Kernel 2

  3. Motivation Application code ld.so Code Sandbox Kernel 3

  4. Motivation Application code ld.so Code Sandbox Sandbox Kernel 4

  5. Trusted RUntime Environment application library Trusted loader library ... Sandbox TRuE Kernel 5

  6. Outline ● Motivation ● Attack and execution model ● Trusted Runtime Environment ● Evaluation ● Related work ● Conclusion 6

  7. Attack constraints ● Attacker tries to escalate privileges with: Code injection ● Code reuse (ROP / JOP*) ● Data Data attacks ● Code * ROP – Return Oriented Programming: Shacham, CCS'07 JOP – Jump Oriented Programming: Bletsch et al., ASIACCS'11 7

  8. Attack constraints X ● Attacker tries to escalate privileges with: Code injection ● Code reuse (ROP / JOP*) ● Data Data attacks ● ● Application is killed on policy violation Code * ROP – Return Oriented Programming: Shacham, CCS'07 JOP – Jump Oriented Programming: Bletsch et al., ASIACCS'11 8

  9. Execution model ● Application is untrusted (not malicious) Symbol table and ELF information used in sandbox ● ● Secure execution uses Secure loader to bootstrap application ● Sandbox to protect from any code-based and data-based exploits ● 9

  10. Outline ● Motivation ● Attack model ● Trusted Runtime Environment Security architecture ● Safe loading ● Sandbox & System call policy ● Implementation ● ● Evaluation ● Related work ● Conclusion 10

  11. Security architecture TRuE Application Secure Loader Sandbox System call policy Kernel 11

  12. Secure loader Traditional loading: TRuE: Secure loader ld.so late interception safe ??? sandbox application regular sandbox library loader as transl. ld.so black box ... application library ... 12

  13. Secure loader Traditional loading: TRuE: Secure loader ld.so late interception safe ??? sandbox Information & safe sandbox instantiation application regular sandbox library loader as transl. ld.so black box ... application library ... 13

  14. SFI sandbox Sandbox Dynamic translator ● Translates individual basic blocks ● Checks branch targets and origins ● Weaves guards into translated code Original code Translated code 1' 1 2' 2 3 4 3' System call policy Kernel 14

  15. SFI sandbox Sandbox Dynamic translator ● Translates individual basic blocks ● Checks branch targets and origins ● Weaves guards into translated code Original code Translated code 1' 1 Protects from code-based and data-based attacks 2' 2 3 4 3' System call policy Kernel 15

  16. TRuE: implementation ● Prototype implementation (open source) Focus on IA32 and Linux ● Concept works for any ISA and operating system ● ● Small trusted computing base Code Comments Secure loader 5,400 2,100 Sandbox 15,200* 3,200 *4,900 LOC for the translation tables 16

  17. Outline ● Motivation ● Attack model ● Trusted Runtime Environment ● Evaluation Security discussion ● SPEC CPU2006 performance ● ● Related work ● Conclusion 17

  18. Security discussion ● Two execution domains Privileged sandbox domain ● Unprivileged application domain (traps into sandbox) ● ● Sandbox ensures code integrity Protection from code-injection and return oriented programming ● Policy protects from jump oriented programming and data attacks ● ● Secure loader enables safe program instantiation Low complexity (bare bone functionality) ● API for requests from the application ● 18

  19. Security discussion ● Two execution domains Privileged sandbox domain ● Unprivileged application domain (traps into sandbox) ● ● Sandbox ensures code integrity Protects unmodified, binary Protection from code-injection and return oriented programming ● applications from attacks Policy protects from jump oriented programming and data attacks ● ● Secure loader enables safe program instantiation Low complexity (bare bone functionality) ● API for requests from the application ● 19

  20. SPEC CPU 2006 performance ● Benchmarks execute with well-defined policy On Ubuntu Jaunty ● Intel Xeon E5520 CPU at 2.27GHz ● GCC version 4.3.3 ● ● Three configurations: native ● Secure loader (without sandbox) ● TRuE (secure loader plus sandbox) ● 20

  21. SPEC CPU 2006 performance Benchmark Secure TRuE Loading 400.perlbench -0.3% 85% 401.bzip2 -0.1% 4.9% 429.mcf -0.1% 0.5% 464.h264ref -0.3% 41% 433.milc 0.1% 3.7% Average* -0.1% 15% * Average is calculated over all 28 SPEC CPU2006 benchmarks 21

  22. SPEC CPU 2006 performance Benchmark Secure TRuE Loading 400.perlbench -0.3% 85% 401.bzip2 -0.1% 4.9% Low performance impact 429.mcf -0.1% 0.5% 464.h264ref -0.3% 41% 433.milc 0.1% 3.7% Average* -0.1% 15% * Average is calculated over all 28 SPEC CPU2006 benchmarks 22

  23. Outline ● Motivation ● Attack model ● Trusted Runtime Environment ● Evaluation ● Related work ● Conclusion 23

  24. Related work ● System call interposition (Janus, AppArmor) Only system calls checked, code is unchecked ● ● Software-based fault isolation (Libdetox, Vx32, Strata) Only a sandbox is not enough, additional guards and system call ● authorization needed, no loader information ● Static binary translation (Google's NaCL, PittSFIeld) Limits the ISA, static, special compilers needed ● ● Full system translation (VMWare, QEMU, Xen) Management overhead, data sharing problem ● 24

  25. Outline ● Motivation ● Attack model ● Trusted Runtime Environment ● Evaluation ● Related work ● Conclusion 25

  26. Conclusion ● TRuE protects from code-based and data-based exploits Secure loader extracts information ● Sandbox protects from code-based and data-based exploits ● ● Trusted secure loader increases security Application needs no privileges to map code executable ● Knowledge of program structure enables new guards ● ● TRuE protects unmodified applications in user-space 26

  27. Questions? ? http://nebelwelt.net/projects/TRuE/ 27

  28. Software based fault isolation Dynamic translator ● Translates individual basic blocks ● Checks branch targets and origins ● Weaves guards into translated code Original code Code cache Mapping table R RX 1' 1 1 1' 2 2' 2' 3 3' 2 Indirect control … ... flow transfers use a dynamic 3 3' check to verify 4 target and origin 28

  29. Implementation alternatives ● Static binary translation No second protected domain ● No dynamic library/module support ● Restricted ISA ● ● Regular loader, hidden sandbox Sandbox hidden by modifying loader data-structures ● Loader treated as black-box ● 29

  30. Malicious applications ● No information about internal control flow Coarse-grained protection at system call level ● ● Application can use CPU time (inside the app) System call policy protects from malicious system calls ● 30

Recommend

Linking and Loading ! Preparing Program for Execution ! Relocation ! Address binding !

Linking and Loading ! Preparing Program for Execution ! Relocation ! Address binding !

CPSC 410/611 : Operating Systems Linking and Loading ! Preparing Program for Execution ! Relocation ! Address binding ! Linking, loading ! Reading: Doeppner 3.4 ! Preparing a Program for Execution ! dynamically loaded system

128 views • 9 slides
Secure Cryptographic Protocol Execution based on Runtime Verification Secure Communication in

Secure Cryptographic Protocol Execution based on Runtime Verification Secure Communication in

Secure Cryptographic Protocol Execution based on Runtime Verification Secure Communication in the Quantum Era (SPS G5448) February 5th, 2020 Christian Colombo Mark Vella Cryptographic Protocols Design Proofs to validate design against

467 views • 20 slides
Secure Returns SAFE AS A VAULT Secure SECONDS TO UPLOAD Efficient ACCESSIBLE ANYWHERE

Secure Returns SAFE AS A VAULT Secure SECONDS TO UPLOAD Efficient ACCESSIBLE ANYWHERE

Secure Returns SAFE AS A VAULT Secure SECONDS TO UPLOAD Efficient ACCESSIBLE ANYWHERE Convenient What is Secure Returns ? Secure Returns is a secure website where you and your clients can securely upload & download confidential

202 views • 9 slides
Load Transmission to Foundation of GBS Dynamic Loading D.M. Masterson Chevron Canada

Load Transmission to Foundation of GBS Dynamic Loading D.M. Masterson Chevron Canada

Load Transmission to Foundation of GBS Dynamic Loading D.M. Masterson Chevron Canada Limited Calgary Canada 1 December 19 2012 When calculating the effects of dynamic or time varying ice loads applied to an offshore structure such

225 views • 18 slides
Updating Guidance on the Safe and Secure Handling of Medicines September 2016 Why the update?

Updating Guidance on the Safe and Secure Handling of Medicines September 2016 Why the update?

Updating Guidance on the Safe and Secure Handling of Medicines September 2016 Why the update? Section Title The safe and secure handling of medicines brief history Guidelines for the safe THE SAFE AND SECURE HANDLING OF MEDICINES: &

302 views • 13 slides
Secure Program Execution via Secure Program Execution via Dynamic Information Flow Dynamic

Secure Program Execution via Secure Program Execution via Dynamic Information Flow Dynamic

Secure Program Execution via Secure Program Execution via Dynamic Information Flow Dynamic Information Flow Tracking Tracking G. Edward Suh Suh, , Jae Jae W. Lee, David W. Lee, David G. Edward Zhang, Srinivas Srinivas Devadas Devadas

547 views • 26 slides
Secure Multi-Execution Dominique Devriese Frank Piessens K.U.Leuven May 14, 2010 Dominique

Secure Multi-Execution Dominique Devriese Frank Piessens K.U.Leuven May 14, 2010 Dominique

Secure Multi-Execution Dominique Devriese Frank Piessens K.U.Leuven May 14, 2010 Dominique Devriese, Frank Piessens (K.U.Leuven) Secure Multi-Execution May 14, 2010 1 / 24 Secure Multi-Execution Outline Secure Multi-Execution

622 views • 29 slides
Provably Secure Execution Platforms - Lecture Four: A Simple Separation Kernel and Its

Provably Secure Execution Platforms - Lecture Four: A Simple Separation Kernel and Its

Provably Secure Execution Platforms - Lecture Four: A Simple Separation Kernel and Its Verification Mads Dam KTH Royal Institute of Technology BISS spring school, Bertinoro 2018 The Goal Hypervisor Context switch: Fixed round-robin

1.16k views • 67 slides
Alvirne 2020 Budget Committee Presentation November 6, 2019 Project Priorities 1. Safe/secure

Alvirne 2020 Budget Committee Presentation November 6, 2019 Project Priorities 1. Safe/secure

Alvirne 2020 Budget Committee Presentation November 6, 2019 Project Priorities 1. Safe/secure building entrance and Main Office 2. Safe/secure drop-off sequence (site improvements) 3. Improved function for high school cafeteria (student

221 views • 20 slides
Provably Secure Execution Platforms - Lecture One: Introduction Mads Dam KTH Royal Institute

Provably Secure Execution Platforms - Lecture One: Introduction Mads Dam KTH Royal Institute

Provably Secure Execution Platforms - Lecture One: Introduction Mads Dam KTH Royal Institute of Technology Thanks to Roberto Guanciale, Musard Balliu, Christoph Baumann, Hamed Nemati, Oliver Schwarz, Victor Do, Christian Gehrmann, Jonas

1.41k views • 114 slides
Connecting Europe facility Support to safe and secure parkings 6 November 2018 Mobility and

Connecting Europe facility Support to safe and secure parkings 6 November 2018 Mobility and

Connecting Europe facility Support to safe and secure parkings 6 November 2018 Mobility and Transport Safe and secure parking in CEF (2014-2017) 8 Actions (works and studies) co-funded under CEF since 2014. Total budget: 45,574,586

199 views • 9 slides
The New York Secure Ammunition and Firearms Enforcement (SAFE) Act Dr. Ed Engelbride Dr. Bruce

The New York Secure Ammunition and Firearms Enforcement (SAFE) Act Dr. Ed Engelbride Dr. Bruce

The New York Secure Ammunition and Firearms Enforcement (SAFE) Act Dr. Ed Engelbride Dr. Bruce McBride Regina McGraw, Esq. Joseph Storch, Esq. Sarah Harvey SAFE Act Basics Response to the Sandy Hook Elementary School shooting in Newton,

512 views • 18 slides
Secure and Fair Enforcement for Mortgage Licensing (SAFE Act) - Background The Secure and

Secure and Fair Enforcement for Mortgage Licensing (SAFE Act) - Background The Secure and

SAFE Act, RESPA, and ECOA Requirements for the HOME Program Administered by The information provided in this document is provided for general information only. TDHCA endeavors to ensure the accuracy and validity of all information contained

649 views • 32 slides
What is this talk about? What is this talk about? Deriving tight and safe task execution time

What is this talk about? What is this talk about? Deriving tight and safe task execution time

What is this talk about? What is this talk about? Deriving tight and safe task execution time bounds in a flexible and easy way independently of the system complexity... What is this talk about? Deriving tight and safe task execution time

551 views • 34 slides
System Architectures and Techniques for Efficient, Secure, and Trusted Code Execution Mario

System Architectures and Techniques for Efficient, Secure, and Trusted Code Execution Mario

System Architectures and Techniques for Efficient, Secure, and Trusted Code Execution Mario Werner May 7, 2020 Graz University of Technology Why do we care about code? www.tugraz.at 10:20 July 18 W i r e l e s s - G A D S L G

599 views • 49 slides
CaSE: Cache-Assisted Secure Execution on ARM Processors N1 N1NG NG ZHA ZHANG , KUN SUN, WENJING

CaSE: Cache-Assisted Secure Execution on ARM Processors N1 N1NG NG ZHA ZHANG , KUN SUN, WENJING

CaSE: Cache-Assisted Secure Execution on ARM Processors N1 N1NG NG ZHA ZHANG , KUN SUN, WENJING LOU, TOM HOU Talk Outline Motivation and Background Why this work ? Threat Model What are we defending against ? CaSE:

248 views • 21 slides
and Effi ficient Speculative Execution JIYONG YU, NAMRATA MANTRI, JOSEP TORRELLAS, ADAM

and Effi ficient Speculative Execution JIYONG YU, NAMRATA MANTRI, JOSEP TORRELLAS, ADAM

ISCA20 Section 5B Speculative Data-Oblivious Execution: Mobilizing Safe Prediction For Safe and Effi ficient Speculative Execution JIYONG YU, NAMRATA MANTRI, JOSEP TORRELLAS, ADAM MORRISON*, CHRISTOPHER W. FLETCHER UNIVERSITY OF ILLINOIS AT

833 views • 57 slides
SKEE: A Lightweight Secure Kernel level Execution Environment for ARM Ahmed M Azab, Kirk

SKEE: A Lightweight Secure Kernel level Execution Environment for ARM Ahmed M Azab, Kirk

SKEE: A Lightweight Secure Kernel level Execution Environment for ARM Ahmed M Azab, Kirk Swidowski, Rohan Bhutkar, Jia Ma, Wenbo Shen, Ruowen Wang, Peng Ning Samsung KNOX R&D, Samsung Research America Motivation Operating system kernels

543 views • 25 slides
CoSMIX: A Compiler-based System for Secure Memory Instrumentation and Execution in Enclaves Meni

CoSMIX: A Compiler-based System for Secure Memory Instrumentation and Execution in Enclaves Meni

CoSMIX: A Compiler-based System for Secure Memory Instrumentation and Execution in Enclaves Meni Orenbach (Technion), Yan Michalevsky (Anjuna), Christof Fetzer (TU Dresden, Scone), Mark Silberstein (Technion) Published in USENIX ATC19

744 views • 24 slides
Secure Management of Hazardous Materials in Sri Lanka Hazardous Waste Management PCB Safe

Secure Management of Hazardous Materials in Sri Lanka Hazardous Waste Management PCB Safe

International Conference on Safe & Secure Management of Hazardous Materials in Sri Lanka Hazardous Waste Management PCB Safe Handling & Disposal Ed Verhamme. Managing Partner September 17th & 18th 2015 Consultant, Coach &

732 views • 46 slides
Foundation 2 Articles of Association The mission of Qualanod is to promote the use and secure

Foundation 2 Articles of Association The mission of Qualanod is to promote the use and secure

Foundation 2 Articles of Association The mission of Qualanod is to promote the use and secure the quality, of anodized aluminium, through the design and management of a product and process certification adapted to end-market needs. The

458 views • 34 slides
The Loading Spinner AKA, the throbber Why do we have loading spinners? Purpose: tells the

The Loading Spinner AKA, the throbber Why do we have loading spinners? Purpose: tells the

The Loading Spinner AKA, the throbber Why do we have loading spinners? Purpose: tells the user that the computer is performing an action in the background ex: - downloading content - conducting intensive calculations -

654 views • 11 slides
How MPC Enables Secure Public Cloud Usability Avi Rose, vHSM Business Development - Europe

How MPC Enables Secure Public Cloud Usability Avi Rose, vHSM Business Development - Europe

How MPC Enables Secure Public Cloud Usability Avi Rose, vHSM Business Development - Europe November 2018 The Perimeter is Dead 2 Keys: The Foundation of the Foundation The foundation of any security model is the crypto layer. *

571 views • 19 slides
LOADING & HANDLING OF ROLLED CELLULOSE HOW DOES IT DIFFER FROM LOADING & HANDLING OF

LOADING & HANDLING OF ROLLED CELLULOSE HOW DOES IT DIFFER FROM LOADING & HANDLING OF

LOADING & HANDLING OF ROLLED CELLULOSE HOW DOES IT DIFFER FROM LOADING & HANDLING OF PAPER ROLLS? JULY 10, 2019 BY SAM GAYLE TECHNICAL SERVICES MANAGER DAMAGE PREVENTION Rolled Cellulose from Coosa Pines, AL. Resolute Forest

448 views • 19 slides

More recommend