Efficient Software Based Fault Efficient Software Based Fault Isolation Isolation Author: Robert Wahobe,Steven Lucco,Thomas E Anderson, Author: Robert Wahobe,Steven Lucco,Thomas E Anderson, Susan L Graham Susan L Graham Presenter: Maitree kanungo Presenter: Maitree kanungo Date:02/17/2010 Date:02/17/2010
21
Embed
Efficient Software Based Fault Isolation Author: Robert Wahobe,Steven Lucco,Thomas E Anderson, Susan L Graham Presenter: Maitree kanungo Date:02/17/2010.
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Efficient Software Based Fault IsolationEfficient Software Based Fault Isolation
Author: Robert Wahobe,Steven Lucco,Thomas E Anderson, Susan L Author: Robert Wahobe,Steven Lucco,Thomas E Anderson, Susan L GrahamGraham
Hardware-based Fault Isolation Run modules in separate address spaces
Communicate via Remote Procedure Call Switch to kernel mode Copy arguments Save/Restore registers Switch address spaces Return to user mode
Context switches are expensive
Software Fault IsolationSoftware Fault Isolation
Virtual address segmentsVirtual address segments Each segment share a unique upper bits called Each segment share a unique upper bits called
segment identifiersegment identifier
Distrusted module can jump to or write to the Distrusted module can jump to or write to the same upper bit pattern (segment identifier)same upper bit pattern (segment identifier)
Techniques of Fault IsolationTechniques of Fault Isolation
22 techniques for software based fault-isolation.techniques for software based fault-isolation.
Techniques of Fault IsolationTechniques of Fault Isolation
This technique involves modifying the software This technique involves modifying the software binary to prevent stores or jumps from leaving a binary to prevent stores or jumps from leaving a certain range of addresses.certain range of addresses.
All addresses used in store or jump locations are All addresses used in store or jump locations are either checked or modified to enforce this.either checked or modified to enforce this.
Straight modification without checking (i.e., by bit Straight modification without checking (i.e., by bit substitution) is "sandboxing", substitution) is "sandboxing",
checking and error reporting is "segment matching"checking and error reporting is "segment matching"
Fault DomainFault Domain
990---
991---
992---
…
991---
992---
…
993---
…
Segment (code) Segment (data)
Fault Domain
Each segment has Each segment has unique pattern of unique pattern of upper bits called“ upper bits called“
segment identifier”segment identifier”
What is Segment MatchingWhat is Segment Matching
Static verification: Target address is known at compiling timeStatic verification: Target address is known at compiling time
Unsafe instruction: Jumps & stores instruction which cannot Unsafe instruction: Jumps & stores instruction which cannot be statically verified to be correct segment until at runtime. It be statically verified to be correct segment until at runtime. It could corrupt permanent data. could corrupt permanent data.
Segment matchingSegment matching Insert checking code before every unsafe instruction. The Insert checking code before every unsafe instruction. The
checking code determines whether the unsafe checking code determines whether the unsafe instruction’s target address has the correct segment instruction’s target address has the correct segment identifier.identifier.
Example of segment matchingExample of segment matching Say an unsafe instruction is located in segment 101, but wants to write to
segment-reg=101; scratch-reg=100; not segment-reg=101; scratch-reg=100; not equal! A trap is generated to trigger a equal! A trap is generated to trigger a system error routine outside the system error routine outside the distrusted module’s fault domain.distrusted module’s fault domain.
If they match, then we know the target If they match, then we know the target address is indeed inside the same address is indeed inside the same segment, so we can run:segment, so we can run:
store value, dedicated-regstore value, dedicated-reg
Segment MatchingSegment Matching
Requires 4 dedicated registers to hold:Requires 4 dedicated registers to hold: address in data segmentaddress in data segment address in code segmentaddress in code segment segment shift amount segment shift amount segment identifiersegment identifier
Address SandboxingAddress Sandboxing
Segment matching can pinpoint the offending instruction.Segment matching can pinpoint the offending instruction.
Sandboxing reduces runtime overhead further, at the cost of Sandboxing reduces runtime overhead further, at the cost of providing no info about the source of faults. providing no info about the source of faults.
Before each unsafe instruction we simply insert code that Before each unsafe instruction we simply insert code that sets the upper bits of the target address to the correct sets the upper bits of the target address to the correct segment ID.segment ID.
Pseudo code for Address SandboxingPseudo code for Address SandboxingAgain say an unsafe instruction is located in segment 101, but wants to write to segment 100. Initially, target-reg=10001111; segment-reg=101; and-mask-reg=00011111;
store value, dedicated-regstore value, dedicated-regNow instead of writing to the intended unsafe location 10001111, sandboxing changed the target address to Now instead of writing to the intended unsafe location 10001111, sandboxing changed the target address to
10101111, which is in the same fault domain of the writing instruction. In this case may be this fault domain 10101111, which is in the same fault domain of the writing instruction. In this case may be this fault domain will be corrupt, but it does not affect other fault domains.will be corrupt, but it does not affect other fault domains.
..
Guard Zone OptimizationGuard Zone Optimization
RISC architectures include a RISC architectures include a register-plus-offset instruction register-plus-offset instruction mode. mode.
Take instruction “store value, Take instruction “store value, offset(reg)”. offset(reg)”.
To avoid calculating reg+offset, To avoid calculating reg+offset,
we directly sandbox the reg, at the we directly sandbox the reg, at the expense of creating guard zones at expense of creating guard zones at the top and bottom of each the top and bottom of each segment.segment.
Avoid sandboxing the use of stack Avoid sandboxing the use of stack pointer by sandboxing the pointer by sandboxing the dedicated register which dedicated register which significantly improves performance.significantly improves performance.
Cross Fault Domain CommunicationCross Fault Domain Communication Control escapes a distrusted fault Control escapes a distrusted fault
domain only via a domain only via a jump tablejump table (to stub (to stub instruction). instruction).
A call-stub and a return-stub are A call-stub and a return-stub are created for each pair of fault domains.created for each pair of fault domains.
The stub is also responsible for The stub is also responsible for managing machine states and managing machine states and registers. registers.
Fatal errors are handled by UNIX signal Fatal errors are handled by UNIX signal facility. Trusted modules may use a facility. Trusted modules may use a timer facility to interrupt execution or timer facility to interrupt execution or determinate a call.determinate a call.
Jump TableJump Table
Allows a fault domain to safely call Allows a fault domain to safely call the a trusted stub routine outside the a trusted stub routine outside its domain; that stub then safely its domain; that stub then safely calls into the destination domaincalls into the destination domain..
Each jump table entry is a control Each jump table entry is a control transfer instruction whose target transfer instruction whose target address is a legal entry point address is a legal entry point outside the domain. outside the domain.
Because the table is kept in the Because the table is kept in the (read-only) code segment in the (read-only) code segment in the fault domain, it can only be fault domain, it can only be modified by a trusted module.modified by a trusted module.
Performance resultPerformance result
Performance resultPerformance result
Performance resultPerformance result
Performance resultPerformance result
ConclusionConclusion Despite of the 4% overhead in sandboxing technique in executing Despite of the 4% overhead in sandboxing technique in executing
distrusted code, this method yields best application performance.distrusted code, this method yields best application performance.
whole approach does not enforce the privacy aspect of security, since whole approach does not enforce the privacy aspect of security, since addresses used in load instructions are not checked or sandboxed, addresses used in load instructions are not checked or sandboxed, because to do so would be prohibitively expensive.because to do so would be prohibitively expensive.
ReferencesReferences
Tom Burkleaux ‘ s Slides for Fault domain and cross fault domain communication Tom Burkleaux ‘ s Slides for Fault domain and cross fault domain communication (figs) on Efficient software based isolation(figs) on Efficient software based isolationCarl Yao’s slides for Examples of segment matching and address sandboxing Slides Carl Yao’s slides for Examples of segment matching and address sandboxing Slides on efficient software based isolation-Sandboxingon efficient software based isolation-SandboxingSFI-Risc .pdfSFI-Risc .pdf