A Design for Comprehensive Kernel Instrumentation Peter Feiner - - PowerPoint PPT Presentation

a design for comprehensive kernel instrumentation
SMART_READER_LITE
LIVE PREVIEW

A Design for Comprehensive Kernel Instrumentation Peter Feiner - - PowerPoint PPT Presentation

Jun 14, 2023 398 likes •859 views

A Design for Comprehensive Kernel Instrumentation Peter Feiner Angela Demke Brown Ashvin Goel peter@cs.toronto.edu demke@cs.toronto.edu ashvin@eecg.toronto.edu University of Toronto 01 / 16 1 Motivation Transparent fault isolation for

slide-1
SLIDE 1

01 / 16

A Design for Comprehensive Kernel Instrumentation

1

Peter Feiner Angela Demke Brown Ashvin Goel

peter@cs.toronto.edu demke@cs.toronto.edu ashvin@eecg.toronto.edu

University of Toronto

slide-2
SLIDE 2

01 / 16

Motivation

Transparent fault isolation for device drivers

  • Want to isolate existing driver binaries

Inspired by Byte Granularity Isolation

  • Requires source code

Use Dynamic Binary Instrumentation (DBI)

  • Does not require source code
  • Inspect & modify instructions before they execute

2

x86 Driver Code Kernel

slide-3
SLIDE 3

01 / 16

Motivation

Transparent fault isolation for device drivers

  • Want to isolate existing driver binaries

Inspired by Byte Granularity Isolation

  • Requires source code

Use Dynamic Binary Instrumentation (DBI)

  • Does not require source code
  • Inspect & modify instructions before they execute

2

x86 Driver Code Instrumented Driver Kernel

slide-4
SLIDE 4

01 / 16

Motivation

Transparent fault isolation for device drivers

  • Want to isolate existing driver binaries

Inspired by Byte Granularity Isolation

  • Requires source code

Use Dynamic Binary Instrumentation (DBI)

  • Does not require source code
  • Inspect & modify instructions before they execute

2

x86 Driver Code x86 Driver Code Instrumented Driver Kernel DBI

slide-5
SLIDE 5

01 / 16

Motivation

DBI applied for debugging and security at the user level

  • Memcheck - checks memory errors
  • Program Shepherding - control flow integrity

Various user-level DBI frameworks are available

  • APIs for inspecting and modifying instructions
  • e.g.,

Valgrind, DynamoRIO, Pin

These frameworks don’t work in the kernel

  • What would it take?

3

slide-6
SLIDE 6

01 / 16

OS

The Key Difference

User frameworks sit between applications and the OS

  • Interpose on system calls
  • Take advantage of OS services, e.g. I/O

Kernel frameworks need to sit between the OS & CPU

  • Isn’t that what hypervisors do?

4

A p p s

DBI

CPU

slide-7
SLIDE 7

01 / 16

Our Approach

We need to combine a DBI framework with a hypervisor

  • Choice 1: Port DBI to an existing hypervisor
  • Pros: both exist
  • Cons: both very complex
  • Choice 2: Create a minimal hypervisor,

similar to SecVisor’s approach

  • Pros: easier to do
  • Pros: possibly higher performance

We designed a minimal hypervisor around a DBI framework

  • Let’s see how DBI works & what it needs

5

O S

Kernel DBI

Apps CPU

slide-8
SLIDE 8

01 / 16

DBI Technique

Copy basic blocks of x86 code into code cache before execution

  • Code executed from cache
  • Instrumentation added to copy
  • Manipulate copies to return

control to the dispatcher

6

Execute from Code Cache Dispatch Cached? Copy Block No Yes x86 Code Start

slide-9
SLIDE 9

01 / 16

DBI Requirements

Never execute machine’s original code

  • Necessary for security applications

Hide framework from instrumented code

  • Instrumented code should observe un-instrumented machine state

Dispatcher should use instrumented code with care

  • Implementation cannot use non-reentrant instrumented code

Detect changes to the original code

  • Invalidate stale code in the cache

Preserve multicore concurrency

  • Essential for performance and accuracy

7

slide-10
SLIDE 10

01 / 16

We’ll look at the first three in more detail

Meeting DBI Requirements

8

User Kernel Never Execute Original Code New Threads, Signals Kernel Entry Points Transparency Signals Interrupts, Exceptions Reentrance Use OS Code Implement Everything From Scratch Detect Code Changes System Calls mmap, mprotect, etc. Shadow Page Tables Concurrency Locking, Thread Private CPU Private

slide-11
SLIDE 11

01 / 16

Never Execute Original Code

9

User Code Exceptions Interrupts OS Binaries (kernel, drivers) User Mode Supervisor Mode

slide-12
SLIDE 12

01 / 16

Never Execute Original Code

9

User Code Exceptions Interrupts User Mode Supervisor Mode Dispatcher Code Cache

  • Load kernel module that redirects

entry points to the dispatcher OS Binaries (kernel, drivers)

slide-13
SLIDE 13

01 / 16

Redirecting Entry Points

10

Entry 1 Entry 2 Table Register OS Binaries

Descriptor Table

slide-14
SLIDE 14

01 / 16

Redirecting Entry Points

10

Entry 1 Entry 2 Table Register Dispatcher OS Binaries Entry 1 Entry 2 Code Cache

Descriptor Table Shadow Table

slide-15
SLIDE 15

01 / 16

Redirecting Entry Points

10

Entry 1 Entry 2 Table Register Dispatcher OS Binaries Entry 1 Entry 2 Code Cache

  • Can’t write to table register, otherwise loose control

Descriptor Table Shadow Table

slide-16
SLIDE 16

01 / 16

Redirecting Entry Points

10

Entry 1 Entry 2 Table Register Dispatcher OS Binaries Entry 1 Entry 2 Shadow Register Code Cache

  • Can’t write to table register, otherwise loose control
  • Can’t drop the write, otherwise you loose transparency

Descriptor Table Shadow Table

slide-17
SLIDE 17

01 / 16

Transparency

Need to hide DBI framework from instrumented code

  • Sometimes essential for correctness

Many transparency issues, including

  • Code cache return addresses
  • Shadowed registers
  • Exception stack frame
  • Interrupt stack frame

11

slide-18
SLIDE 18

01 / 16

Exception Transparency

Dispatching kernel’s exception handlers is tricky because they inspect machine state

  • Registers stolen by instrumentation
  • Address of instruction that triggers the exception
  • Handlers need to see original instruction addresses
  • Linux panics on page faults from non white-listed instructions
  • Problem is that code cache isn’t on the white list
  • Solution is to translate from code cache to original address

Solution for interrupt handlers is similar

12

slide-19
SLIDE 19

01 / 16

Interrupt Transparency

13

H = Interrupt Handler I = Instrumentation = Interrupt

slide-20
SLIDE 20

01 / 16

Interrupt Transparency

13

A H = Interrupt Handler I = Instrumentation = Interrupt Original Code

slide-21
SLIDE 21

01 / 16

Interrupt Transparency

13

A H = Interrupt Handler I = Instrumentation = Interrupt Original Code

slide-22
SLIDE 22

01 / 16

Interrupt Transparency

13

IH A H = Interrupt Handler I = Instrumentation = Interrupt Original Code

slide-23
SLIDE 23

01 / 16

Interrupt Transparency

13

IH A A H = Interrupt Handler I = Instrumentation = Interrupt Original Code

slide-24
SLIDE 24

01 / 16

Interrupt Transparency

13

IH B A A H = Interrupt Handler I = Instrumentation = Interrupt Original Code

slide-25
SLIDE 25

01 / 16

Interrupt Transparency

13

Copy A IH B A A H = Interrupt Handler I = Instrumentation = Interrupt Original Code Dispatcher

slide-26
SLIDE 26

01 / 16

Interrupt Transparency

13

A Copy A IH B A A A H = Interrupt Handler I = Instrumentation = Interrupt Original Code Dispatcher Code Cache Original Addresses

slide-27
SLIDE 27

01 / 16

Interrupt Transparency

13

A Copy A IH B A A A I H = Interrupt Handler I = Instrumentation = Interrupt Original Code Dispatcher Code Cache Original Addresses

slide-28
SLIDE 28

01 / 16

Interrupt Transparency

13

A Copy A IH B A A A I H = Interrupt Handler I = Instrumentation = Interrupt Original Code Dispatcher Code Cache Original Addresses

slide-29
SLIDE 29

01 / 16

Delay interrupts until next code-cache exit

Interrupt Transparency

13

A Copy A IH B A A A I H = Interrupt Handler I = Instrumentation = Interrupt Original Code Dispatcher Code Cache Original Addresses

slide-30
SLIDE 30

01 / 16

Delay interrupts until next code-cache exit

Interrupt Transparency

13

A Copy A IH B A A A I H = Interrupt Handler I = Instrumentation = Interrupt Original Code Dispatcher Code Cache Original Addresses

slide-31
SLIDE 31

01 / 16

Delay interrupts until next code-cache exit

Interrupt Transparency

13

A Copy A IH B A A A I A H = Interrupt Handler I = Instrumentation = Interrupt Original Code Dispatcher Code Cache A Original Addresses

slide-32
SLIDE 32

01 / 16

Delay interrupts until next code-cache exit

Interrupt Transparency

13

A Copy A IH B A A A I A H = Interrupt Handler I = Instrumentation = Interrupt Original Code Dispatcher Code Cache A Original Addresses

slide-33
SLIDE 33

01 / 16

Delay interrupts until next code-cache exit

Copy IH

Interrupt Transparency

13

A Copy A IH B A A A I A H = Interrupt Handler I = Instrumentation = Interrupt Original Code Dispatcher Code Cache A Original Addresses

slide-34
SLIDE 34

01 / 16

Delay interrupts until next code-cache exit

Copy IH

Interrupt Transparency

13

A IH Copy A IH B A A A I A IH H = Interrupt Handler I = Instrumentation = Interrupt Original Code Dispatcher Code Cache A Original Addresses

slide-35
SLIDE 35

01 / 16

Delay interrupts until next code-cache exit

Copy IH

Interrupt Transparency

13

A IH Copy A Copy B IH B A A A I A IH H = Interrupt Handler I = Instrumentation = Interrupt Original Code Dispatcher Code Cache A Original Addresses

slide-36
SLIDE 36

01 / 16

Delay interrupts until next code-cache exit

Copy IH

Interrupt Transparency

13

A IH Copy A Copy B IH B A A B A I A IH B H = Interrupt Handler I = Instrumentation = Interrupt Original Code Dispatcher Code Cache A Original Addresses

slide-37
SLIDE 37

01 / 16

Code is not reentrant if it is unsafe to execute before

  • ther executions of the same code finish
  • Dispatcher cannot use any non-reentrant OS code, e.g. print,

because the non-reentrant code might be currently executing

Say, print consists of basic blocks P1, P2

  • P1 has executed from code cache
  • Dispatcher copies P2
  • Dispatcher uses print for debugging and invokes P1
  • print fails because it is non-reentrant

Reentrance

14

Copy P2 P1 P1

Dispatcher Code Cache

slide-38
SLIDE 38

01 / 16

Reentrance Solution

Typical solution is to reimplement non-reentrant code using lower-level uninstrumented code

  • e.g., user-level DBI has custom print that makes system calls

OS-level framework has no lower-level code

  • Dispatcher must be entirely self sufficient
  • Implement our own heap

Some code too difficult to implement from scratch

  • Detach and reattach framework to use existing OS code
  • Have custom user program make system calls on our behalf
  • Framework cannot depend on user program’s correctness

15

slide-39
SLIDE 39

01 / 16

Our Proposal

We chose to port DynamoRIO to a minimal hypervisor because it is

  • Open source
  • Performance oriented
  • Mature

Applications

  • Transparent fault isolation
  • Dynamic optimization

We will open source our port!

  • What would you do with in-kernel DBI?

16

slide-40
SLIDE 40

01 / 16

Backup Slides

17

slide-41
SLIDE 41

01 / 16

Existing Hypervisors

VMWare

  • Uses a code cache to translate sensitive instructions
  • Does not have an instrumentation API

PinOS

  • Pin DBI + Xen Hypervisor
  • Does whole-system instrumentation (user + kernel)
  • Dispatching is much slower for whole-system (50x slowdown)
  • Delegates I/O to a separate uninstrumented

VM

Neither is open source

18

slide-42
SLIDE 42

01 / 16

Minimal Hypervisor

Simpler than a full-fledged hypervisor

  • No multiplexing
  • Shadow page tables have same address mappings, just more

restrictive permissions

  • Don’t need to be completely transparent
  • We can piggy-back on existing OS code, like segment selectors

for CPU-private data

19

slide-43
SLIDE 43

01 / 16

Design Assumptions

Once booted, OS runs exclusively in 64-bit long mode

  • Emulating obsolete x86 modes would be a pain
  • Confirmed validity on Linux by inspection
  • We believe it is valid on Windows

Can store dispatcher and code cache in pages that are in all page tables at the same virtual addresses

  • Otherwise, we need to steal RAM from the OS at bootup
  • Provided by Linux
  • We believe this is provided by Windows

Design should work with OS that meets assumptions

  • We are currently targeting Linux

20

slide-44
SLIDE 44

01 / 16

Hardware Virtualization Extensions

Do not make implementation simpler

  • Removes the need to inspect sensitive instructions
  • However, we already can inspect sensitive instructions

Could make implementation more complex

  • Need to emulate instructions that cause exits
  • Easier for us to emit fix-up code in the code cache

Could improve performance

  • Extended page tables might perform better than shadow
  • We want to experiment with this

21