time protection the missing os abstraction
play

Time Protection: The Missing OS Abstraction Qian Ge, Yuval Yarom, - PowerPoint PPT Presentation

Dec 16, 2023 •659 likes •1.08k views

Time Protection: The Missing OS Abstraction Qian Ge, Yuval Yarom, Tom Chothia, Gernot Heiser qian.ge@data61.csiro.au www.data61.csiro.au Top secret Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au 2 Enforcing time

  1. Time Protection: The Missing OS Abstraction Qian Ge, Yuval Yarom, Tom Chothia, Gernot Heiser qian.ge@data61.csiro.au www.data61.csiro.au

  2. Top secret Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �2

  3. Enforcing time protection at the OS level Security Domain Security Domain Sending information through timing Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �3

  4. Enforcing time protection at the OS level Security Domain Security Domain Sending information through timing Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �3

  5. Enforcing time protection at the OS level Security Domain Security Domain Sending information through timing Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �3

  6. Microarchitectural Timing Channels Security Domain Security Domain Shared hardware caches Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �4

  7. Microarchitectural Timing Channels Welcome to Dresden Security Domain Security Domain Shared hardware caches Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �4

  8. Microarchitectural Timing Channels Welcome to Dresden Security Domain Security Domain Shared hardware caches Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �4

  9. Microarchitectural Timing Channels Welcome to Dresden Security Domain Security Domain Shared hardware caches Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �4

  10. Microarchitectural Timing Channels Fast Fast Slow Fast Fast Welcome to Dresden ….. S F S FFF SSSS F Security Domain Security Domain Not English, but our protocol… Shared hardware caches Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �4

  11. Contention, Contention, Contention… • Contention leaks information via timing • Caches: • capacity-limited … • stateful Shared hardware caches • Resulting on temporal interference during: - time-shared access - concurrent access Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �5

  12. Contention, Contention, Contention… • Contention leaks information via timing • Caches: • capacity-limited … • stateful Shared hardware caches • Resulting on temporal interference during: - time-shared access Any state-holding microarchitectural feature: - concurrent access • Caches, branch predictor, TLB Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �5

  13. Preventing Contention by Partitioning Security Domain Security Domain Partitioned caches Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au

  14. Spatial Partitioning Cache colouring: • Distributing coloured cache sets Cache Cache to coloured memory frames • Memory management policy Memory RAM Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �7

  15. Spatial Partitioning Cache colouring: • Distributing coloured cache sets Cache Cache to coloured memory frames • Memory management policy Memory RAM Partition security domains on disjoint cache sets … Shared hardware caches Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �7

  16. Spatial Partitioning Cache colouring: • Distributing coloured cache sets Cache Cache to coloured memory frames • Memory management policy Memory RAM Partition security domains on disjoint cache sets • Resulting on temporal interference during: - time-shared access … - concurrent access Shared hardware caches Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �7

  17. Spatial Partitioning Cache colouring: • Distributing coloured cache sets Cache Cache to coloured memory frames • Memory management policy Memory RAM Partition security domains on disjoint cache sets • Resulting on temporal interference during: - time-shared access … - concurrent access Shared hardware caches Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �7

  18. Spatial Partitioning Cache colouring: • Distributing coloured cache sets Cache Cache to coloured memory frames • Memory management policy Memory RAM Partition security domains on disjoint cache sets • Resulting on temporal interference during: - time-shared access … - concurrent access Shared hardware caches Cannot be supported by on-core caches Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �7

  19. Temporal Partitioning Flushing on-core caches: • Resetting states Context switch … Shared on-caches Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �8

  20. Temporal Partitioning Flushing on-core caches: • Resetting states Context switch • Resulting on temporal … interference during: Shared on-caches - time-shared access - concurrent access Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �8

  21. Temporal Partitioning Flushing on-core caches: • Resetting states Context switch • Resulting on temporal … interference during: Shared on-caches - time-shared access - concurrent access Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �8

  22. Preventing Temporal Interference through Partitioning Security Domain Security Domain Context Temporal partitioning … Spatial partitioning … Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �9

  23. Wait, Everyone Shares the Kernel…. Security Domain Security Domain A shared partition Kernel Services … Shared hardware caches Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �10

  24. Wait, Everyone Shares the Kernel…. Security Domain Security Domain A shared partition Cache lines used by the kernel Kernel Services collide with Spy’s partition … Shared hardware caches Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �10

  25. Wait, Everyone Shares the Kernel…. Poster Session Security Domain Security Domain @ 17:15 A shared partition Cache lines used by the kernel Kernel Services collide with Spy’s partition … Shared hardware caches Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �10

  26. Wait, Everyone Shares the Kernel…. Fast Fast Slow Fast Fast Poster Session ….. S F S FFF SSSS F Security Domain Security Domain @ 17:15 A shared partition Cache lines used by the kernel Kernel Services collide with Spy’s partition … Shared hardware caches Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �10

  27. Kernel Services Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �11

  28. Cloning the Kernel Image Analysing the kernel sections .text .rodata .data Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �12

  29. Cloning the Kernel Image Duplicated sections Analysing the .text kernel sections .text .rodata .rodata Maintaining .data coherency .data Global (9KiB) Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �12

  30. Cloning the Kernel Image Duplicated sections Analysing the .text kernel sections .text .rodata .rodata Maintaining .data coherency .data Global (9KiB) Kernel Clone: Generating a copy of the kernel image with user-level managed memory Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �12

  31. Cloning the Kernel Image Duplicated sections Analysing the .text kernel sections .text .rodata .rodata Maintaining .data coherency .data Global (9KiB) Kernel Clone: Generating a copy of the kernel image with user-level managed memory Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �12

  32. Dedicated Kernel Images Security Domain Security Domain Shared Global Data Context Temporal partitioning Deterministic usage … Spatial partitioning … Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �13

  33. Timing Channel through the Shared Kernel Channel matrix: conditional probability of observing the output signal (time, Output (cycles) spy) given the input signal (system-call number, Trojan) Raw channel Horizontal variation Input (taking seL4 syscall) seL4 system call indicates a channel Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �14

  34. Timing Channel through the Shared Kernel Channel matrix: conditional probability of observing the output signal (time, Output (cycles) spy) given the input signal (system-call number, Trojan) Raw channel Horizontal variation Input (taking seL4 syscall) seL4 system call indicates a channel Output (cycles) Prevented by cloned kernel Input (taking seL4 syscall) Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �14

  35. How realistic is cloning? x86 Arm 224 KiB 120 KiB .text Memory consumption .rodata .data Arch seL4 Linux Global (9KiB) Clone fork + exec x86 79 μs 257 μs Arm 608 μs 4,300 μs Efficiency Time Protection: The Missing OS Abstraction qian.ge@data61.csiro.au �15

Recommend

Last time: effects effect E : t 1/ 38 This time: staging . < e > . 2/ 38 Review:

Last time: effects effect E : t 1/ 38 This time: staging . < e > . 2/ 38 Review:

Last time: effects effect E : t 1/ 38 This time: staging . < e > . 2/ 38 Review: abstraction Lambda abstraction Abstraction of type equalities x : A . M A :: K . M a b A :: K . B Interfaces to computation First-class

816 views • 43 slides
Last time: generic programming val show : a data a string 1/ 45 This time: staging

Last time: generic programming val show : a data a string 1/ 45 This time: staging

Last time: generic programming val show : a data a string 1/ 45 This time: staging . < e > . 2/ 45 Review: abstraction Lambda abstraction Abstraction of type equalities x : A . M A :: K . M a b A :: K . B

876 views • 50 slides
Last Class: File System Abstraction Naming Protection Persistence Fast access

Last Class: File System Abstraction Naming Protection Persistence Fast access

Last Class: File System Abstraction Naming Protection Persistence Fast access Computer Science Computer Science CS377: Operating Systems Lecture 17, page 1 Protection The OS must allow users to control sharing of their

399 views • 9 slides
LIBMPK: SOFTWARE ABSTRACTION FOR INTEL MEMORY PROTECTION KEYS (INTEL MPK) Soyeon Park, Sangho

LIBMPK: SOFTWARE ABSTRACTION FOR INTEL MEMORY PROTECTION KEYS (INTEL MPK) Soyeon Park, Sangho

LIBMPK: SOFTWARE ABSTRACTION FOR INTEL MEMORY PROTECTION KEYS (INTEL MPK) Soyeon Park, Sangho Lee, Wen Xu, Hyungon Moon and Taesoo Kim INTRODUCTION SECURITY CRITICAL MEMORY REGIONS NEED PROTECTION JIT page To achieve code execution,

327 views • 32 slides
Point, Line, & Plane 1 Abstraction Abstraction is the act of considering something as a

Point, Line, & Plane 1 Abstraction Abstraction is the act of considering something as a

Point, Line, & Plane 1 Abstraction Abstraction is the act of considering something as a general quality or characteristic, apart from concrete realities, specific objects, or actual instances. 2 Abstraction Abstraction is

478 views • 21 slides
Earthing and Lightning Protection of Utility Scale PV Plant - What is Missing? - by Dr Pieter H

Earthing and Lightning Protection of Utility Scale PV Plant - What is Missing? - by Dr Pieter H

Earthing and Lightning Protection of Utility Scale PV Plant - What is Missing? - by Dr Pieter H Pretorius, TERRATECH, South Africa OVERVIEW INTRODUCTION IMPLICATIONS - DESIGN IMPLICATIONS INSTALLATION MITIGATION OPTIONS

493 views • 21 slides
Disaster Risk Reduction and Financial Protection: What is Missing, What Can Work? The Case of

Disaster Risk Reduction and Financial Protection: What is Missing, What Can Work? The Case of

Disaster Risk Reduction and Financial Protection: What is Missing, What Can Work? The Case of Latin America and the Caribbean Kari Keipi, IDB London, 15 November 2006 The Imperative of Reducing Risk 1. Increasing gap to finance disaster

229 views • 21 slides
Use of a multi-disciplinary approach to adjust an abstraction regime for the protection of shad

Use of a multi-disciplinary approach to adjust an abstraction regime for the protection of shad

Use of a multi-disciplinary approach to adjust an abstraction regime for the protection of shad Nicola Teague & Tom Elmitt IFM Fish and Flows Specialist Conference 2019 - York Background to the project Project structure Steering group

326 views • 6 slides
CSCI 350 Ch. 2 The Kernel Abstraction & Protection Mark Redekopp 2 PROCESSES &

CSCI 350 Ch. 2 The Kernel Abstraction & Protection Mark Redekopp 2 PROCESSES &

1 CSCI 350 Ch. 2 The Kernel Abstraction & Protection Mark Redekopp 2 PROCESSES & PROTECTION 3 Processes Program/Process Process 1,2,3, (def 1.) Address Space + Threads 0xffff ffff 1 or more threads Kernel

794 views • 35 slides
Predicate Abstraction with SATABS Existential Abstraction Predicate Abstraction for Software

Predicate Abstraction with SATABS Existential Abstraction Predicate Abstraction for Software

Outline Introduction Predicate Abstraction with SATABS Existential Abstraction Predicate Abstraction for Software Counterexample-Guided Abstraction Refinement Computing Existential Abstractions of Programs Version 1.0, 2010 Checking the

429 views • 12 slides
Data Abstraction Announcements Data Abstraction Data Abstraction Programmers Compound

Data Abstraction Announcements Data Abstraction Data Abstraction Programmers Compound

Data Abstraction Announcements Data Abstraction Data Abstraction Programmers Compound values combine other values together All A date: a year, a month, and a day A geographic position: latitude and longitude Data abstraction

430 views • 19 slides
Last time: abstraction and parametricity 1/ 44 This time: GADTs a b 2/ 44 What we

Last time: abstraction and parametricity 1/ 44 This time: GADTs a b 2/ 44 What we

Last time: abstraction and parametricity 1/ 44 This time: GADTs a b 2/ 44 What we gain : : (Addtionally, some programs become faster!) 3/ 44 What we gain : : (Addtionally, some

426 views • 42 slides
Last time: generic programming val show : a data a string 1/ 65 This time: staging

Last time: generic programming val show : a data a string 1/ 65 This time: staging

Last time: generic programming val show : a data a string 1/ 65 This time: staging . < e > . 2/ 65 Review: abstraction Row polymorphism Lambda abstraction x : A . M [ > `A | `B] A :: K . M A :: K . B

690 views • 50 slides
Making sense of time: The embodied nature of human abstraction Rafael E. Nez Embodied

Making sense of time: The embodied nature of human abstraction Rafael E. Nez Embodied

Making sense of time: The embodied nature of human abstraction Rafael E. Nez Embodied Cognition Lab Department of Cognitive Science University of California, San Diego at my hotel room in Tokyo susumu: advance, modoru: go

1.01k views • 59 slides
Continuous Imputation of Missing Values in Streams of Pattern-Determining Time Series Kevin

Continuous Imputation of Missing Values in Streams of Pattern-Determining Time Series Kevin

Continuous Imputation of Missing Values in Streams of Pattern-Determining Time Series Kevin Wellenzohn 1 ohlen 1 Michael H. B os 2 Johann Gamper 2 Hannes Mitterer 2 Anton Dign 1 Department of Computer Science University of Zurich 2 Faculty

356 views • 31 slides
Missing Data in Machine Learning Guy Van den Broeck Emerging Challenges in Databases and AI

Missing Data in Machine Learning Guy Van den Broeck Emerging Challenges in Databases and AI

Computer Science Reasoning about Missing Data in Machine Learning Guy Van den Broeck Emerging Challenges in Databases and AI Research (DBAI) Nov 12 2019 Outline 1. Missing data at prediction time a. Reasoning about expectations b.

1.91k views • 46 slides
Learning from Irregularly-Sampled Time Series A Missing Data Perspective Steven Cheng-Xian Li

Learning from Irregularly-Sampled Time Series A Missing Data Perspective Steven Cheng-Xian Li

Learning from Irregularly-Sampled Time Series A Missing Data Perspective Steven Cheng-Xian Li Benjamin M. Marlin University of Massachusetts Amherst Irregularly-Sampled Time Series Irregularly-sampled time series: Time series with non-uniform

798 views • 42 slides
Efficient stochastic simulation of systems with multiple time scales via statistical abstraction

Efficient stochastic simulation of systems with multiple time scales via statistical abstraction

Efficient stochastic simulation of systems with multiple time scales via statistical abstraction Luca Bortolussi 123 Dimitrios Milios 4 Guido Sanguinetti 45 Modelling and Simulation Group, University of Saarland, Germany Department of Mathematics

489 views • 30 slides
What is abstraction? What is abstraction? Workable answer a blurring of details Idea:

What is abstraction? What is abstraction? Workable answer a blurring of details Idea:

What is abstraction? What is abstraction? Workable answer a blurring of details Idea: agree to ignore certain details ( for now ) e.g., with procedural abstraction idea is to convert original problem to a series of simpler

229 views • 12 slides
Lecture 11: Abstraction I ntro. to Programming, lecture 11: Abstraction 2 Topics for today

Lecture 11: Abstraction I ntro. to Programming, lecture 11: Abstraction 2 Topics for today

Chair of Softw are Engineering Einfhrung in die Programmierung Introduction to Programming Prof. Dr. Bertrand Meyer Lecture 11: Abstraction I ntro. to Programming, lecture 11: Abstraction 2 Topics for today Abstraction, especially

167 views • 12 slides
SAT-based Abstraction Refinement for Real-time Systems Stephanie Kemper 1 e Platzer 2 , 3 Andr

SAT-based Abstraction Refinement for Real-time Systems Stephanie Kemper 1 e Platzer 2 , 3 Andr

SAT-based Abstraction Refinement for Real-time Systems Stephanie Kemper 1 e Platzer 2 , 3 Andr 1 Centrum voor Wiskunde en Informatica, Software Engineering, Amsterdam, The Netherlands 2 University of Oldenburg, Department of Computing Science,

773 views • 66 slides
On Visual Abstraction Ivan Viola Visual Abstraction Fundamental concept in visualization and

On Visual Abstraction Ivan Viola Visual Abstraction Fundamental concept in visualization and

On Visual Abstraction Ivan Viola Visual Abstraction Fundamental concept in visualization and visual arts Somewhat intuitively understood A formal definition not available VAD textbook refers to task and data abstraction Map generalization:

387 views • 11 slides
Missing Data and Imputation NINA ORWITZ OCTOBER 30 TH , 2017 Outline Types of missing data

Missing Data and Imputation NINA ORWITZ OCTOBER 30 TH , 2017 Outline Types of missing data

Missing Data and Imputation NINA ORWITZ OCTOBER 30 TH , 2017 Outline Types of missing data Simple methods for dealing with missing data Single and multiple imputation R example Missing data is a complex problem We must consider:

377 views • 22 slides
Announcements Data Abstraction Data Abstraction Compound values combine other values together

Announcements Data Abstraction Data Abstraction Compound values combine other values together

Announcements Data Abstraction Data Abstraction Compound values combine other values together Programmers A date: a year, a month, and a day All A geographic position: latitude and longitude Data abstraction lets us manipulate

383 views • 3 slides

More recommend