A Secure Architecture for Untrusted Web Browser Plugins
Achim Weimert
SECT/TU-Berlin
March 18, 2011
Achim Weimert (SECT/TU-Berlin) Web Browser Plugin Architecture March 18, 2011 1 / 21
Outline
1 Introduction
2 Design
3 Implementation
4 Evaluation
5 Demo
Web browser:
◮ Display web page
◮ Execute JavaScript
Plugins:
◮ Extend browser functionality
◮ Provided by third-party
◮ Executed in browser context
◮ Netscape Plugin API (NPAPI)
Plugins to attack web browser
◮ Availability
◮ Integrity
◮ Confidentiality
Threat model
◮ Attacker controls web page, plugin
◮ Trusted OS, browser, user
Create architecture that...
◮ allows for multi-media plugins
  ◮ low latency
  ◮ high data throughput
  ◮ low computation overhead
  ◮ multiple event sources
  ◮ threading
  ◮ prioritization
◮ prevents attacks on browser security
Design...
... an interface
◮ Checkable information flow
... an architecture
◮ Provide interface
◮ Enforce interface
◮ Facilitate multi-media plugins
Overview
◮ Execution model, host-client interaction, threading library
Virtual CPU model (vCPU)
◮ Resembles physical CPU
◮ Sequential execution model
◮ Control flow diversion on events
◮ Allows for user level threads
◮ Allows for synchronization
Host-Client Interaction
◮ System calls
◮ Events
Multi-threading:
◮ preemption
◮ scheduling
◮ prioritization of events and threads
◮ synchronization
Dynamic memory
Tools
◮ Ubuntu Linux 9.10 (64bit)
◮ C++ / Assembly
◮ Implementation separate from the browser
◮ Sandboxing
◮ vCPU
◮ Preemption
◮ Thread priorities
◮ Event priorities
◮ Synchronization
◮ System calls
◮ User level resume
◮ Host waits for client changes using waitpid
◮ Segmentation fault at specific address
◮ Manipulation of client using ptrace
Implemented System Calls
◮ exit / sleep / resume / deliver event / get data / display
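The system call path listed on this slide, as an added example that is not the talk's implementation: a traced client faults at a fixed address, the host sees the stop via waitpid, reads and rewrites the registers with ptrace, and resumes the client, while a fault anywhere else ends the client. Assumptions: x86-64 Linux; `GATE`, `vsys`, the call numbers and the doubling done by "get data" are hypothetical, and the client enters the host by calling the unmapped address (the slide does not say how the fault is raised).

```c
#include <signal.h>
#include <sys/ptrace.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

#define GATE 0x1000UL                        /* assumed: never-mapped trap address (x86-64 Linux) */
enum { VSYS_EXIT = 0, VSYS_GET_DATA = 1 };   /* hypothetical call numbers */
static long (*volatile vsys)(long, long) = (long (*)(long, long))GATE;

/* Untrusted side: its only channel to the host is a fault at GATE. */
static void client(int crash) {
    ptrace(PTRACE_TRACEME, 0, NULL, NULL);
    if (crash) *(volatile int *)8 = 1;       /* genuine fault, not a gate call */
    long v = vsys(VSYS_GET_DATA, 20);        /* host answers 2 * arg */
    vsys(VSYS_EXIT, v + 2);
    _exit(99);                               /* not reached */
}

static long stop_client(pid_t pid, long result) {
    int st;
    kill(pid, SIGKILL);
    waitpid(pid, &st, 0);
    return result;
}

/* Host side: returns the VSYS_EXIT argument, or -1 on a policy violation. */
long run_client(int crash) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) client(crash);
    for (;;) {
        int st;
        struct user_regs_struct r;
        if (waitpid(pid, &st, 0) < 0 || !WIFSTOPPED(st)) return -1;
        if (WSTOPSIG(st) != SIGSEGV || ptrace(PTRACE_GETREGS, pid, NULL, &r) < 0 ||
            r.rip != GATE) return stop_client(pid, -1);   /* fault outside the gate */
        if (r.rdi == VSYS_EXIT) return stop_client(pid, (long)r.rsi);
        r.rax = r.rdi == VSYS_GET_DATA ? 2 * r.rsi : (unsigned long long)-1;
        /* Emulate RET: pop the return address pushed by the client's CALL. */
        r.rip = (unsigned long long)ptrace(PTRACE_PEEKDATA, pid, (void *)r.rsp, NULL);
        r.rsp += 8;
        ptrace(PTRACE_SETREGS, pid, NULL, &r);
        ptrace(PTRACE_CONT, pid, NULL, NULL);  /* signal 0: the SIGSEGV is swallowed */
    }
}

int main(void) { return run_client(0) == 42 ? 0 : 1; }
```

Every call costs two process switches plus several ptrace requests on the host side, which is the kind of round trip the evaluation slides measure.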
Resume client state without system call
◮ high usage of syscall resume
◮ repeated switching to host
◮ user level implementation
  ◮ high performance
  ◮ RET instruction
System Call Roundtrip
                       clock cycles per call   time per call   relation
vCPU (syscall null)    37,702 ticks            ≈ 35.671 µs     100%
native (getpid)        248 ticks               ≈ 0.234 µs      1%
Context Switch
#   group    configuration            time per switch   relation
1   vCPU     user level resume        ≈ 1.0 µs          100%
2            syscall resume           ≈ 16.5 µs         1,732%
3   native   shared addr. (clone)     ≈ 2.3 µs          237%
4            separate addr. (fork)    ≈ 2.9 µs          300%
5            separate addr. (clone)   ≈ 2.9 µs          300%
Computation Overhead
          time        relation
vCPU      13,733 ms   100.0%
native    13,643 ms   99.3%
Event Latency
[Plot: Latency of events with parallel data event handling threads. x-axis: Number of parallel data event handling threads; y-axis: Latency in CPU clock cycles]
Figure: Latency of events: increasing number of data event handling threads
Event Latency with parallel events
[Plot: x-axis: Number of parallel data event handling threads; y-axis: Average CPU cycles per 100 events; series: Average event latency for HIGH priority handling (1), Average event latency for EQUAL priority handling (2)]
Figure: Latency of data events: increasing number of data event handling threads
Thank you! Questions?