SLIDE 1

A Non-Inclusive Memory Permissions Architecture for Protection Against Cross-Layer Attacks

Jesse Elwell¹, Ryan Riley², Nael Abu-Ghazaleh¹, Dmitry Ponomarev¹

¹ State University of New York at Binghamton, Department of Computer Science

² Qatar University, Department of Computer Science

20th International Symposium on High Performance Computer Architecture, February 17th, 2014

SLIDE 2

Introduction & Motivation

  • System software (Hypervisor/OS) is steadily increasing in complexity
  • Complexity leads to vulnerabilities

| Software | Lines of Code | Vulnerabilities |
|---|---|---|
| KVM | 30K | 38 |
| Xen | 200K | 59 |
| Linux kernel | 15M | 228 |

  • A single vulnerability in system software can allow an attacker to compromise the entire system

Binghamton University / Qatar University HPCA 2014 2 / 25

SLIDES 3-8

Example 1: Malicious Supervisor Attack

x86-64 Memory Permissions:

  • EXECUTABLE: YES/NO
  • SUPERVISOR or USER/SUPERVISOR
  • READ-ONLY or READ-WRITE

Sensitive Data page: EXECUTABLE NO, USER/SUPERVISOR, READ-WRITE

[Figure: Memory Layout divided into User and OS. Labels added across the animation steps: Sensitive Data, Buffer, Copy, and a second Sensitive Data.]

SLIDES 9-14

Example 2: return-2-user Attack

x86-64 Memory Permissions:

  • EXECUTABLE: YES/NO
  • SUPERVISOR or USER/SUPERVISOR
  • READ-ONLY or READ-WRITE

Malicious Code page: EXECUTABLE YES, USER/SUPERVISOR, READ-WRITE

[Figure: Memory Layout divided into User and OS, with a Code block. Labels added across the animation steps: Malicious Code, System Call, Vulnerability Exploited, OS Privileges.]

SLIDES 15-20

Cross-Layer Attack Flows

[Figure: a Hypervisor, two Guest OSes and their Apps, with attack flows labelled ret-2-user and ret-2-VM.]

SLIDES 21-23

Non-Inclusive Memory Permissions

Current Inclusive x86-64 Memory Permissions:

  • EXECUTABLE: YES/NO
  • SUPERVISOR or USER/SUPERVISOR
  • READ-ONLY or READ-WRITE

Non-Inclusive Memory Permissions (NIMP): separate Execute, Write and Read permissions for each of Hypervisor, Operating System and User-Level

SLIDES 24-26

Mitigating Malicious Supervisor Attacks

Non-Inclusive Memory Permissions (columns as labelled on the slide: Execute, Write, Read):

  • Operating System: NO NO NO
  • User-Level: YES YES NO

[Figure: Memory Layout divided into User and OS, with Sensitive Data and Buffer. Labels across the animation steps: Copy, then EXCEPTION!]

SLIDES 27-29

Mitigating return-2-user Attacks

Non-Inclusive Memory Permissions for the Malicious Code page (columns as labelled on the slide: Execute, Write, Read):

  • Operating System: NO NO NO
  • User-Level: YES YES YES

[Figure: Memory Layout divided into User and OS, with Code and Malicious Code. Labels across the animation steps: OS Privileges, then EXCEPTION!]
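
The two attacks and their mitigation above, as a small C model added here (not code from the slides or the authors): `x86_allows` applies the inclusive three-field permissions and `nimp_allows` the per-level sets. The type and function names and the bit encoding are assumptions, and the user-level bits on the sensitive page follow the READ-WRITE, non-executable setting from Example 1.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Encodings below are this model's own (assumed), not the hardware's. */
enum level { USER = 0, OS = 1, HYP = 2 };
enum { R = 1, W = 2, X = 4 };

/* Inclusive x86-64 page permissions: the three fields shown on the slides. */
struct x86_page { bool executable, user_ok, writable; };

/* NIMP: an independent R/W/X set per privilege level, indexed by enum level. */
struct nimp_page { uint8_t perm[3]; };

/* Inclusive check: anything user code may do, supervisor code may do too. */
bool x86_allows(const struct x86_page *p, enum level who, int access)
{
    if (who == USER && !p->user_ok) return false;
    if ((access & W) && !p->writable) return false;
    if ((access & X) && !p->executable) return false;
    return true;
}

/* Non-inclusive check: only the requesting level's own bits count. */
bool nimp_allows(const struct nimp_page *p, enum level who, int access)
{
    return (p->perm[who] & access) == access;
}

/* Constructed pages mirroring the two slide examples. */
static const struct x86_page x86_secret  = { false, true, true };
static const struct x86_page x86_payload = { true,  true, true };
/* Assumption: user keeps read+write on its data; OS gets NO NO NO. */
static const struct nimp_page nimp_secret  = { { R | W, 0, 0 } };
/* Slide values: user YES YES YES, OS NO NO NO. */
static const struct nimp_page nimp_payload = { { R | W | X, 0, 0 } };

int main(void)
{
    printf("%-32s x86  NIMP\n", "access");
    printf("%-32s %-4d %d\n", "OS reads user's sensitive data",
           x86_allows(&x86_secret, OS, R), nimp_allows(&nimp_secret, OS, R));
    printf("%-32s %-4d %d\n", "OS executes user-mapped code",
           x86_allows(&x86_payload, OS, X), nimp_allows(&nimp_payload, OS, X));
    printf("%-32s %-4d %d\n", "user executes its own code",
           x86_allows(&x86_payload, USER, X), nimp_allows(&nimp_payload, USER, X));
    return 0;
}
```
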

SLIDES 30-32

NIMP Design Overview

  • Permission Store
  • Memory Permission Manager: handles Memory Permission Change Requests
  • Permission Reference Monitor: takes Memory Access Requests and produces the Memory Access Decision

SLIDES 33-35

The Permission Store

  • Permission Store (Protected Memory) in Physical Memory: PS Entry 0, PS Entry 1, PS Entry 2, ..., PS Entry N
  • Register: PS_BASE

[Figure: PS entry bit layout, bit positions numbered up to 15. Fields: P, T, S; X W R for each of User, OS and Hypervisor; Reserved.]

SLIDES 36-37

Augmenting TLBs to Store PS Entries

TLB (one row shown; further rows elided on the slide):

| Virtual Address | Physical Address | Virtual Permissions | Permission Store Entry |
|---|---|---|---|
| 0x12345000 | 0x09ABC000 | RO U NX | - W R, - W R, - W R |

SLIDES 38-41

The Memory Permission Manager

  • Input: Permission Change Request (Current Permissions, Requester, New Permissions)
  • Rule Database
  • Output: Allow or Disallow

SLIDE 42

Contents of the Rule Database

| Requester | Initial Hyp. (R W X) | Initial OS (R W X) | Initial User (R W X) | New Hyp. (R W X) | New OS (R W X) | New User (R W X) | Action |
|---|---|---|---|---|---|---|---|
| Hypervisor | - - - | - - - | - - - | * * * | * * * | * * * | None |
| Hypervisor | * * * | * * * | * * * | - - - | - - - | - - - | Wipe Page |
| OS | - - - | - - - | - - - | - - - | * * * | * * * | None |
| OS | - - - | * * * | * * * | - - - | - - - | - - - | Wipe Page |
| Hypervisor | - W - | - - - | - - - | - - X | - - - | - - - | None |
| OS | - - - | - W - | - - - | - - - | - - X | - - - | None |
| OS | - - - | - - - | - W - | - - - | - - - | - - X | None |

SLIDES 43-50

Secure Permission Changes: The PERM_SET Instruction

PERM_SET %eax, %ebx

Operands (as labelled on the slide): Virtual Address, New Permissions

Flow:

  • Access TLB (Hit, or Miss: Access Page Tables, Read PS Entry) to obtain the Current Permissions
  • Requester (Current Privilege Level)
  • Access Rule Database
  • Match: Perform Action, Write PS + TLB
  • No Match: Exception
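
A software model of the PERM_SET decision flow and the seven rule-database rows from the slides, added here as an example (not the authors' hardware or code). The names, the bit encoding, and the reading of `*` as a wildcard and `-` as a cleared bit are assumptions; the TLB and page-table steps are left out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bit values and requester codes are this model's own encoding (assumed). */
enum { PR = 4, PW = 2, PX = 1, ANY = 0xff };          /* ANY models '*' */
enum requester { REQ_USER, REQ_OS, REQ_HYP };
enum action { ACT_NONE, ACT_WIPE };
enum result { PERM_OK, PERM_EXCEPTION };

/* Permission Store entry: one R/W/X set per level, ordered {Hyp, OS, User}. */
struct ps_entry { uint8_t lvl[3]; };
/* One rule row: from/to hold exact bits or ANY, ordered {Hyp, OS, User}. */
struct rule { enum requester who; uint8_t from[3], to[3]; enum action act; };

/* The seven rows of the rule database slide, in slide order. */
static const struct rule rules[] = {
    { REQ_HYP, {0, 0, 0},       {ANY, ANY, ANY}, ACT_NONE },
    { REQ_HYP, {ANY, ANY, ANY}, {0, 0, 0},       ACT_WIPE },
    { REQ_OS,  {0, 0, 0},       {0, ANY, ANY},   ACT_NONE },
    { REQ_OS,  {0, ANY, ANY},   {0, 0, 0},       ACT_WIPE },
    { REQ_HYP, {PW, 0, 0},      {PX, 0, 0},      ACT_NONE },
    { REQ_OS,  {0, PW, 0},      {0, PX, 0},      ACT_NONE },
    { REQ_OS,  {0, 0, PW},      {0, 0, PX},      ACT_NONE },
};

static int triple_matches(const uint8_t pat[3], const uint8_t val[3])
{
    for (int i = 0; i < 3; i++)
        if (pat[i] != ANY && pat[i] != val[i]) return 0;
    return 1;
}

/* PERM_SET model: match (requester, current, new), run the action, write. */
enum result perm_set(struct ps_entry *e, uint8_t *page, size_t len,
                     enum requester who, const uint8_t want[3])
{
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        const struct rule *r = &rules[i];
        if (r->who != who || !triple_matches(r->from, e->lvl) || !triple_matches(r->to, want))
            continue;
        if (r->act == ACT_WIPE)
            memset(page, 0, len);       /* action runs before the write */
        memcpy(e->lvl, want, 3);        /* "Write PS" step */
        return PERM_OK;
    }
    return PERM_EXCEPTION;              /* no match: entry left unchanged */
}

int main(void)
{
    struct ps_entry e = { {0, 0, PR | PW} };        /* user-only R+W page */
    uint8_t page[8] = "secret!";                    /* constructed contents */
    const uint8_t peek[3] = {0, PR, PR | PW}, none[3] = {0, 0, 0};
    printf("OS adds own read: %d\n", perm_set(&e, page, sizeof page, REQ_OS, peek));
    printf("OS revokes all:   %d\n", perm_set(&e, page, sizeof page, REQ_OS, none));
    printf("first byte after wipe: %d\n", page[0]);
    return 0;
}
```

Under these rules the OS cannot add its own read permission to a page the user holds; it can only revoke everything, which wipes the page first.
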

SLIDES 51-53

The Permission Reference Monitor

  • Comparison of Expected Permissions (from Load/Store Instructions) with Actual Permissions (from the Permission Store)
  • Match: Load/Store Succeeds
  • Don't Match: Load/Store Fails

Expected permissions can be:

  • Embedded into instruction bits
  • Stored in a new register

SLIDES 54-57

Hardware Changes Needed for NIMP

[Figure: hardware block diagram. Labels shown:]

  • CPU: Core 0 and Core 1, each with a DTLB and an ITLB holding PS Entries
  • MMU, MPM, Rule Database, PS_Base Register
  • Physical Memory: Regular Memory, Protected Memory, PS Table
  • Hypervisor, OS, PERM_SET

SLIDES 58-60

Performance Evaluation: Sources of Overhead

  • Fetching PS entries from the Permission Store on TLB misses
      - Cached in various levels of (data) caches
  • Cycles spent performing actions before permissions are changed
      - Zeroing pages
  • Increase in cycle time due to hardware component delay
      - Widening TLB entries
      - Accessing the Rule Database

SLIDE 61

Performance Evaluation: Fetching PS Entries

We used MARSSx86, a full system x86-64 simulator, to evaluate the impact of NIMP on cache performance:

  • Overall effect on IPC
  • Miss/hit rates for PS Entry data
  • Effect on miss/hit rate for regular data

SLIDES 62-65

Reduction in IPC

[Figure: bar chart. Y-axis: IPC Difference (%). Bar values: 0.2%, 0.1%, 0.3%, 3.8%, 3.5%, 1.3%.]

SLIDES 66-69

L1 Miss Rate Accessing Permission Bits

[Figure: bar chart. Y-axis: Miss Rate (%). Bar values: 0.77%, 0.67%, 2.88%, 19.70%, 16.10%, 4.16%.]

SLIDES 70-72

L1 Cache Miss Rate for Regular Accesses

[Figure: bar chart. Y-axis: Miss Rate (%). Series: Without Perms, With Perms. Differences called out across the animation steps: Δ 0.3%, Δ 0.4%, Δ 0.08%.]

SLIDE 73

Performance Evaluation: Zeroing Pages

We profiled the Linux kernel using ftrace to collect information about events that cause permission change requests

Assumptions:

  • Every permission transition requires the page to be zeroed
  • 1 cycle / byte (i.e. 4096 cycles / 4KB page)
  • Cycle percentages assume a 3GHz Processor

SLIDE 74

Page Zeroing Overhead

  • VirtualBox: Booting a virtual machine
  • Chromium: Loading web pages
  • LibreOffice: Opening spreadsheets

| Application | Changes Per Second | Cycle Overhead |
|---|---|---|
| VirtualBox | 2765 | 0.4% |
| Chromium | 2973 | 0.4% |
| LibreOffice | 8608 | 1.2% |

SLIDE 75

Conclusions

  • Vulnerabilities in system software coupled with inclusive memory permissions in current designs leave systems exposed to cross-layer attacks
  • Non-inclusive permissions can stop these attacks with minimal overhead
  • NIMP incurs about 1% performance loss on average, and modest changes to hardware and system software

SLIDE 76

Thank you! Questions/Comments?
