Time Protection: The Missing OS Abstraction (PowerPoint presentation)


  1. Time Protection: The Missing OS Abstraction. Qian Ge, Yuval Yarom, Tom Chothia, Gernot Heiser. qian.ge@data61.csiro.au, www.data61.csiro.au

  2. Top secret. (Slide footer: Time Protection: The Missing OS Abstraction, qian.ge@data61.csiro.au)

  3. Enforcing time protection at the OS level. [Diagram: two security domains, one sending information to the other through timing]

  4. Microarchitectural Timing Channels. [Diagram: two security domains connected through shared hardware caches; the message "Welcome to Dresden" is transmitted as a pattern of fast and slow cache accesses (Fast Fast Slow Fast Fast … / S F S FFF SSSS F): "Not English, but our protocol…"]

  5. Contention, Contention, Contention…
     • Contention leaks information via timing
     • Caches are capacity-limited and stateful (shared hardware caches)
     • Resulting in temporal interference during: time-shared access; concurrent access
     • The same holds for any state-holding microarchitectural feature: caches, branch predictor, TLB

  6. Preventing Contention by Partitioning. [Diagram: two security domains, each on its own partition of the partitioned caches]

  7. Spatial Partitioning. Cache colouring:
     • Distributing coloured cache sets to coloured memory frames
     • Memory management policy: partition security domains on disjoint cache sets
     [Diagram: cache sets mapped to memory frames in RAM; shared hardware caches]
     • Resulting in temporal interference during: time-shared access; concurrent access
     • Cannot be supported by on-core caches
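As an added illustration of the cache-colouring policy on this slide (example code, not from the talk or from seL4), the following computes a frame's colour from its physical address, hands each security domain a disjoint colour range, and shows why an on-core cache offers nothing to partition. The cache geometries are assumed, typical values, not figures from the slides.

```python
def cache_colours(cache_bytes, ways, line_bytes, page_bytes=4096):
    """Number of page colours a cache offers: the set-index bits that lie
    above the page offset, i.e. the size of one way measured in pages."""
    sets = cache_bytes // (ways * line_bytes)
    way_bytes = sets * line_bytes
    return max(1, way_bytes // page_bytes)

def frame_colour(paddr, colours, page_bytes=4096):
    """Colour of the frame holding paddr: the frame number modulo the
    number of colours (the set-index bits just above the page offset)."""
    return (paddr // page_bytes) % colours

def partition_frames(frames, domains, colours, page_bytes=4096):
    """Memory-management policy: split the colours into disjoint ranges, one
    per security domain, and give each domain only frames of its own colours,
    so the domains never touch the same cache set."""
    per_domain = colours // len(domains)
    if per_domain == 0:
        raise ValueError("not enough colours to give every domain its own")
    alloc = {d: [] for d in domains}
    for frame in frames:
        idx = frame_colour(frame, colours, page_bytes) // per_domain
        alloc[domains[min(idx, len(domains) - 1)]].append(frame)
    return alloc

def colours_disjoint(alloc, colours, page_bytes=4096):
    """Check the policy: no colour appears in two domains' allocations."""
    owner = {}
    for dom, frames in alloc.items():
        for f in frames:
            if owner.setdefault(frame_colour(f, colours, page_bytes), dom) != dom:
                return False
    return True

# Assumed geometries (not from the slides): a shared 256 KiB 8-way L2 and a
# 32 KiB 8-way on-core L1D, both with 64-byte lines and 4 KiB pages.
LLC = dict(cache_bytes=256 * 1024, ways=8, line_bytes=64)
L1D = dict(cache_bytes=32 * 1024, ways=8, line_bytes=64)

if __name__ == "__main__":
    llc_colours = cache_colours(**LLC)                 # 8 colours
    frames = [i * 4096 for i in range(32)]             # constructed: 32 contiguous frames
    alloc = partition_frames(frames, ["high", "low"], llc_colours)
    print(llc_colours, {d: len(f) for d, f in alloc.items()}, colours_disjoint(alloc, llc_colours))
    print(cache_colours(**L1D))  # 1: one way fits in a page, so nothing to colour
```

With the L1D geometry every frame has colour 0, which is the slide's point that colouring cannot partition on-core caches; those need temporal partitioning instead.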

  8. Temporal Partitioning. Flushing on-core caches:
     • Resetting state on context switch (shared on-core caches)
     • Resulting in temporal interference during: time-shared access; concurrent access

  9. Preventing Temporal Interference through Partitioning. [Diagram: two security domains separated by temporal partitioning (context switch) and spatial partitioning]

  10. Wait, Everyone Shares the Kernel… [Diagram: two security domains with a shared partition for kernel services on the shared hardware caches; cache lines used by the kernel collide with the Spy's partition, and the fast/slow pattern (Fast Fast Slow Fast Fast … / S F S FFF SSSS F) transmits "Poster Session @ 17:15"]

  11. Kernel Services

  12. Cloning the Kernel Image
      • Analysing the kernel sections: .text, .rodata, .data
      • Duplicated sections: .text, .rodata, .data
      • Maintaining coherency: global data (9 KiB)
      • Kernel Clone: generating a copy of the kernel image with user-level managed memory

  13. Dedicated Kernel Images. [Diagram: two security domains, each with its own kernel image and shared global data; temporal partitioning (context switch), spatial partitioning, deterministic usage]

  14. Timing Channel through the Shared Kernel. Channel matrix: conditional probability of observing the output signal (time, measured by the spy) given the input signal (system-call number, chosen by the Trojan).
      [Plot: raw channel, output (cycles) against input (seL4 system call); horizontal variation indicates a channel]
      [Plot: prevented by cloned kernel, output (cycles) against input (seL4 system call)]
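As an added example (not code from the talk), here is how a channel matrix of the kind this slide describes is built from spy measurements and how "horizontal variation" is read off it; the measurements are constructed synthetic timings, not seL4 figures, with the leaky case standing in for the raw channel and the flat case for the cloned kernel.

```python
import random
from collections import Counter, defaultdict

def channel_matrix(samples, bin_width):
    """samples: (input_symbol, output_cycles) pairs, e.g. (syscall number sent
    by the Trojan, latency measured by the spy).  Returns (inputs, bins, matrix)
    with matrix[i][j] = P(output falls in bin j | input i), one row per input."""
    counts = defaultdict(Counter)
    for sym, cycles in samples:
        counts[sym][cycles // bin_width] += 1
    inputs = sorted(counts)
    bins = sorted({b for sym in inputs for b in counts[sym]})
    matrix = []
    for sym in inputs:
        total = sum(counts[sym].values())
        matrix.append([counts[sym][b] / total for b in bins])
    return inputs, bins, matrix

def horizontal_variation(matrix):
    """Largest difference between any two rows within one output column.
    0.0 means every input yields the same output distribution (no channel);
    values near 1.0 mean the spy can tell the inputs apart."""
    return max(max(col) - min(col) for col in zip(*matrix))

def constructed_samples(leaky, n_per_syscall=200, seed=1):
    """Constructed measurements (not real seL4 numbers).  With leaky=True the
    latency seen by the spy shifts by 50 cycles per system-call number, like
    the raw-channel plot; with leaky=False it is independent of the input,
    like the cloned-kernel plot.  Noise is +/-5 cycles either way."""
    rng = random.Random(seed)
    samples = []
    for syscall in range(4):
        base = 2020 + (50 * syscall if leaky else 0)
        for _ in range(n_per_syscall):
            samples.append((syscall, base + rng.randint(-5, 5)))
    return samples

if __name__ == "__main__":
    for leaky in (True, False):
        inputs, bins, m = channel_matrix(constructed_samples(leaky), bin_width=50)
        print("leaky" if leaky else "flat", "variation =", horizontal_variation(m))
```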

  15. How realistic is cloning?
      Memory consumption of the cloned image (.text, .rodata, .data, global 9 KiB): x86 224 KiB, Arm 120 KiB
      Efficiency (seL4 Clone against Linux fork + exec):
        Arch   seL4 Clone   Linux fork + exec
        x86    79 μs        257 μs
        Arm    608 μs       4,300 μs
