SLIDE 1

Approved for public release; distribution is unlimited. This research is sponsored by the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL), under contracts FA8750-10-C-0237 (‘CTSRD’) and FA8750-11-C-0249 (‘MRC2’). The views, opinions, and/or findings contained in this article/presentation are those of the author(s)/presenter(s) and should not be interpreted as representing the official views or policies of the Department of Defense or the U.S. Government.

CHERI

A Hybrid Capability-System Architecture for Scalable Software Compartmentalization

Robert N.M. Watson*, Jonathan Woodruff*, Peter G. Neumann†, Simon W. Moore*, Jonathan Anderson‡, David Chisnall*, Nirav Dave†, Brooks Davis†, Khilan Gudka*, Ben Laurie§, Steven J. Murdoch¶, Robert Norton*, Michael Roe*, Stacey Son, and Munraj Vadera*

*University of Cambridge, †SRI International, ‡Memorial University, §Google UK Ltd, ¶University College London

IEEE Symposium on Security and Privacy 18 May 2015

SLIDE 2

Application compartmentalization

Application compartmentalization mitigates vulnerabilities by decomposing applications into isolated compartments delegated limited rights

[Figure: conventional gunzip versus compartmentalized gunzip. Conventional: one UNIX process above the kernel holds both the main loop and the vulnerable decompression code, so a bug in the decompressor has the whole process's rights. Compartmentalized: the main loop stays in the UNIX process while the vulnerable decompression code runs in a separate capability-mode process with limited rights.]

SLIDE 3

[Figure: five alternative compartmentalizations (1. to 5.) of fetch, whose components are the main loop, http, ssl, ftp, http auth and http get. Sandboxes shown include a URL-specific sandbox, HTTP sandbox, FTP sandbox, SSL sandbox, HTTP auth sandbox, HTTP GET sandbox, HTTPS sandbox and network sandbox, spanning code-centred to data-centred compartmentalisation.]

  • Many possible compartmentalizations:
    • Trade off security, complexity, performance
  • But the process model is problematic:
    • Virtual addressing scales poorly due to page tables, Translation Look-aside Buffer (TLB)
    • Multiple address spaces and Inter-Process Communication (IPC) are hard to program
    • Quite poor for library compartmentalization due to memory-centered APIs (e.g., zlib)

SLIDE 4

CHERI capability model

  • ISCA 2014: Fine-grained, in-address-space memory protection via a capability model
    • Capabilities replace pointers for data references
    • Capability registers and tagged memory enforce strong pointer and control-flow integrity, bounds checking
    • Hybrid model composes naturally with an MMU
  • ASPLOS 2015: Compiler support for capabilities
    • Converge fat-pointer and capability models
    • C pointers compiled into capabilities with various ABIs
  • Can we build efficient compartmentalization over CHERI memory protection?

SLIDE 5

Virtual memory vs. capabilities

                         Virtual memory                          Capabilities
Protects                 Virtual addresses and pages             References (pointers) to C code, data structures
Hardware                 MMU, TLB                                Capability registers, tagged memory
Costs                    TLB, page tables, lookups, shootdowns   Per-pointer overhead, context switching
Compartment scalability  Tens to hundreds                        Thousands or more
Domain crossing          IPC                                     Function calls
Optimization goals       Isolation, full virtualization          Memory sharing, frequent domain transitions

CHERI hybridizes the models: pick two!

SLIDE 6

[Figure: hybrid capability/MMU OSes on a CHERI CPU. An OS kernel manages several virtual address spaces, each under an address-space executive: one holds a legacy application plus capability libraries (zlib, libssl), another a pure-capability application. A third configuration is a capability-based OS with legacy libraries in a single address space, where multiple instances of zlib and libssl run as separate compartments (e.g., zlib class1, libssl class2).]

SLIDE 7

CHERI capabilities

[Figure: 256-bit capability layout, with a 1-bit validity tag (v) stored alongside it: permissions (31 bits), s (sealed bit), type (24 bits), length (64 bits), offset (64 bits), base (64 bits). Base and length delimit the region of the virtual address space the capability grants access to.]

  • Sealed bit prevents further modification
  • Object types atomically link code, data capabilities
  • CCall/CReturn instructions provide hardware-assisted, software-defined domain transitions

SLIDE 8

CheriBSD object capabilities

  • In-process object-capability model
  • libcheri loads and links classes, instantiates objects
  • Per-thread capability register file describes its protection domain
  • Domain transition within threads via register-file transformation
  • CCall/CReturn exception handlers unseal capabilities, allow delegation
  • Trusted stack provides reliable software-defined return, recovery
  • Many other software-defined models possible; e.g., asynchronous closures

[Figure: two threads, each with its own capability register file ($c0, $c1, $c2, $c3, …, $c31), both referencing the same virtual address space.]

SLIDE 9

Object-capability call/return

[Figure: nested CCall/CReturn transitions between ambient objects and compartmentalized objects; a system call and its return pass from an ambient object to the kernel and back.]

  • Initial registers after execve() grant ambient authority
  • Synchronous function-like call eases application/library adaptation
  • CCall/CReturn ABI clears unused registers to prevent leakage
  • Only authorized system classes can make system calls
  • Constant overhead to function-call cost

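The capability layout on slide 7 and the CCall/CReturn transitions on slides 8 and 9 can be followed in a small software model. The C below is an added example written for this page, not CHERI ISA or CheriBSD code: it models the tag, sealed bit, object type, permissions and 64-bit bounds, monotonic narrowing, sealing of a code/data pair, a CCall that checks the pair's object types and clears unused registers, a trusted stack for CReturn, and a zlib-like compartment that receives a bounded window of the caller's buffer instead of a copy (the memory-centered API case from slide 3). The permission bit values, the register names PCC/DDC/arg, the trusted-stack size and every address are assumptions made for the demo.

```c
/* Added example (not CHERI ISA or CheriBSD code): a software model of the
 * capability on slide 7 and of CCall/CReturn with a trusted stack (slides 8-9).
 * Permission bits, register names and the stack shape are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define PERM_STORE 0x1u   /* assumed permission bits */
#define PERM_EXEC  0x2u
#define PERM_SEAL  0x4u
#define TSTACK_MAX 16
typedef struct {
    bool     tag;     /* 1-bit validity tag; untagged => not a capability */
    bool     sealed;  /* sealed: no further modification, no dereference */
    uint32_t perms;   /* permissions (31 bits on CHERI; three used here) */
    uint32_t otype;   /* object type (24 bits); pairs sealed code/data caps */
    uint64_t base, length, offset;  /* 64-bit bounds and cursor */
} cap_t;
static cap_t cap_make(uint64_t base, uint64_t len, uint32_t perms) {
    return (cap_t){ .tag = true, .perms = perms, .base = base, .length = len };
}
/* Derivation is monotonic: bounds only shrink, permissions only drop; a
 * request that would widen rights yields an untagged (useless) value. */
static cap_t cap_narrow(cap_t c, uint64_t base, uint64_t len, uint32_t perms) {
    if (!c.tag || c.sealed || base < c.base || len > c.length ||
        base - c.base > c.length - len || (perms & ~c.perms))
        c.tag = false;
    else { c.base = base; c.length = len; c.perms = perms; c.offset = 0; }
    return c;
}
static cap_t cap_set_offset(cap_t c, uint64_t off) {  /* sealed => immutable */
    if (c.sealed) c.tag = false; else c.offset = off;
    return c;
}
/* Seal c with the object type named by the sealer's cursor (needs PERM_SEAL). */
static cap_t cap_seal(cap_t c, cap_t sealer) {
    if (!c.tag || c.sealed || !sealer.tag || !(sealer.perms & PERM_SEAL))
        c.tag = false;
    else { c.sealed = true; c.otype = (sealer.base + sealer.offset) & 0xFFFFFFu; }
    return c;
}
/* May n bytes at the cursor be accessed with permissions `need`? */
static bool cap_access_ok(const cap_t *c, uint32_t need, uint64_t n) {
    return c->tag && !c->sealed && (c->perms & need) == need &&
           c->offset <= c->length && n <= c->length - c->offset;
}

/* Per-thread register file = the thread's protection domain (PCC, DDC, args);
 * the trusted stack belongs to the CCall handler, out of the callee's reach. */
typedef struct { cap_t pcc, ddc, arg[2]; } regfile_t;
static struct { cap_t pcc, ddc; } tstack[TSTACK_MAX];
static int tstack_top;
/* CCall: code and data must be sealed with the same otype. Save caller PCC/DDC,
 * unseal the pair into the callee's registers, delegate one argument, clear the rest. */
static bool ccall(regfile_t *rf, cap_t code, cap_t data, cap_t delegated) {
    if (!code.tag || !data.tag || !code.sealed || !data.sealed ||
        code.otype != data.otype || !(code.perms & PERM_EXEC) ||
        tstack_top == TSTACK_MAX)
        return false;
    tstack[tstack_top].pcc = rf->pcc;
    tstack[tstack_top++].ddc = rf->ddc;
    code.sealed = data.sealed = false;
    rf->pcc = code; rf->ddc = data; rf->arg[0] = delegated;
    memset(&rf->arg[1], 0, sizeof rf->arg[1]);
    return true;
}
/* CReturn: restore the caller's domain from the trusted stack only. */
static bool creturn(regfile_t *rf) {
    if (tstack_top == 0) return false;
    rf->pcc = tstack[--tstack_top].pcc;
    rf->ddc = tstack[tstack_top].ddc;
    memset(rf->arg, 0, sizeof rf->arg);
    return true;
}

/* zlib-like compartment writing output byte by byte through arg[0]; the first
 * out-of-bounds store would trap, so count how many stores succeed. */
static uint64_t compartment_fill(regfile_t *rf, uint64_t want) {
    uint64_t done = 0;
    for (uint64_t i = 0; i < want; i++, done++) {
        cap_t p = cap_set_offset(rf->arg[0], i);
        if (!cap_access_ok(&p, PERM_STORE, 1)) break;
    }
    return done;
}
/* Ambient caller delegates a 64-byte store-only window of its data to a sealed
 * object and asks for `want` bytes; returns bytes written, or 0 when CCall
 * refuses the pair (data sealed at a cursor other than 7 has another otype). */
static uint64_t demo_delegate(uint64_t want, uint64_t dcur) {
    regfile_t rf = { .pcc = cap_make(0x10000, 0x1000, PERM_EXEC),
                     .ddc = cap_make(0, 0x100000, PERM_STORE) };
    cap_t sealer = cap_make(0x3000, 0x100, PERM_SEAL);
    cap_t code = cap_seal(cap_make(0x20000, 0x1000, PERM_EXEC), cap_set_offset(sealer, 7));
    cap_t data = cap_seal(cap_make(0x30000, 0x1000, PERM_STORE), cap_set_offset(sealer, dcur));
    cap_t window = cap_narrow(rf.ddc, 0x40000, 64, PERM_STORE);
    if (!ccall(&rf, code, data, window)) return 0;
    uint64_t n = compartment_fill(&rf, want);
    creturn(&rf);
    return n;
}
```

demo_delegate(100, 7) returns 64: the compartment fills the delegated 64-byte window and its 65th store is refused by the bounds check instead of reaching the caller's memory, which is what lets a memory-centered API such as zlib share a buffer rather than copy it across IPC. demo_delegate(100, 8) returns 0, because code and data sealed with different object types are rejected at CCall before any callee code runs; the trusted stack is untouched in that case.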
SLIDE 10

CHERI hardware/software prototypes

  • Bluespec FPGA prototype
    • 64-bit MIPS + CHERI ISA
    • Pipelined, L1/L2 caches, MMU
    • Synthesizes at ~100MHz
  • Capability-aware software
    • CheriBSD OS
    • CHERI clang/LLVM compiler
    • Adapted applications
  • Open-source release

[Figure: Implementation on FPGA]

SLIDE 11

SLIDE 12

Application implications

Pros

  • Single address-space programming model
  • Referential integrity matches programmer model
  • Modest work to insert protection-domain boundaries
  • Objects permit mutual distrust
  • Constant (low) overhead relative to function calls even with large memory flows

Cons

  • Still have to reason about the security properties
  • Shared memory is more subtle than copy semantics
  • Capability overhead in data cache is real and measurable
  • ABI subtleties between MIPS and CHERI compiled code
  • Lower overhead raises further cache side-channel concerns

SLIDE 13

Conclusions

  • Hybrid object-capability model over memory capabilities
  • Software-defined, fine-grained, in-address-space compartmentalization
  • Cleanly extends the MMU-based process model
  • Targets C-language userspace TCBs
  • Non-IPC model supports library compartmentalization
  • Orders of magnitude more efficient compartmentalization than conventional designs
  • Open-source reference implementation, ISA specification: http://www.cheri-cpu.org/