Upload
others
View
3
Download
0
Embed Size (px)
Citation preview
Referencemonitors
SumanJana
*OriginalslidesfromVitalyShma9kov
ReferenceMonitor
• Observesexecu9onoftheprogram/process– Atwhatlevel?Possibili9es:hardware,OS,network
• Haltsorconfinesexecu9oniftheprogramisabouttoviolatethesecuritypolicy– What’sa“securitypolicy”?– Whichsystemeventsarerelevanttothepolicy?
• Instruc9ons,memoryaccesses,systemcalls,networkpackets…
• Cannotbecircumventedbythemonitoredprocess
EnforceableSecurityPolicies
• Referencemonitorscanonlyenforcesafetypolicies[Schneider‘98]– Execu9onofaprocessisasequenceofstates– Safetypolicyisapredicateonaprefixofthesequence
• Policymustdependonlyonthepastofapar9cularexecu9on;onceitbecomesfalse,it’salwaysfalse
• Notpoliciesthatrequireknowledgeofthefuture– “IfthisserveracceptsaSYNpacket,itwilleventuallysendaresponse”
• Notpoliciesthatdealwithallpossibleexecu9ons– “Thisprogramshouldneverrevealasecret”
ReferenceMonitorImplementa9on
• Policiescandependonapplica9onseman9cs• Enforcementdoesn’trequirecontextswitchesinthekernel• Lowerperformanceoverhead
Program
RMKernel
RMProgram
Kernel
Program
Kernel
RM
Kernelized Wrapper Modifiedprogram
Integratereferencemonitorintoprogramcodeduringcompila9onorviabinaryrewri9ng
WhatMakesaProcessSafe?
• Memorysafety:allmemoryaccessesare“correct”– Respectarraybounds,don’tstomponanotherprocess’smemory,don’texecutedataasifitwerecode
• Control-flowsafety:allcontroltransfersareenvisionedbytheoriginalprogram– Noarbitraryjumps,nocallstolibraryrou9nesthattheoriginalprogramdidnotcall
• Typesafety:allfunc9oncallsandopera9onshaveargumentsofcorrecttype
OSasaReferenceMonitor
• Collec9onofrunningprocessesandfiles– Processesareassociatedwithusers– Fileshaveaccesscontrollists(ACLs)sayingwhichuserscanread/write/executethem
• OSenforcesavarietyofsafetypolicies– Fileaccessesarecheckedagainstfile’sACL– Processcannotwriteintomemoryofanotherprocess– Someopera9onsrequiresuperuserprivileges
• Butmayneedtoswitchbackandforth(e.g.,setuidinUnix)– EnforceCPUsharing,diskquotas,etc.
• Samepolicyforallprocessesofthesameuser
HardwareMechanisms:TLB
• TLB:Transla9onLookasideBuffer– Mapsvirtualtophysicaladdresses– Locatednexttothecache– OnlysupervisorprocesscanmanipulateTLB
• ButifOSiscompromised,maliciouscodecanabuseTLBtomakeitselfinvisibleinvirtualmemory(ShadowWalker)
• TLBmissraisesapagefaultexcep9on– ControlistransferredtoOS(insupervisormode)– OSbringsthemissingpagetothememory
• Thisisanexpensivecontextswitch
Time
callsf=fopen(“foo”)
UserProcess
libraryexecutes“break”
Kernel
trap savescontext,flushesTLB,etc.checksUIDagainstACL,setsupIObuffers&filecontext,pushesptrtocontextonuser’sstack,etc.restorescontext,clearssupervisorbit
callsfread(f,n,&buf)libraryexecutes“break” savescontext,flushesTLB,etc.
checksfisavalidfilecontext,doesdiskaccessintolocalbuffer,copiesresultsintouser’sbuffer,etc.restorescontext,clearssupervisorbit
StepsinaSystemCall[Morrisett]
Midtermgrades
ModernHardwareMeetsSecurity
• Modernhardware:largenumberofregisters,bigmemorypages
• Isola9on⇒eachprocessshouldliveinitsownhardwareaddressspace
• …buttheperformancecostofinter-processcommunica9onisincreasing– Contextswitchesareveryexpensive– TrappingintoOSkernelrequiresflushingTLBandcache,compu9ngjumpdes9na9on,copyingmemory
• Conflict:isola9onvs.cheapcommunica9on
SohwareFaultIsola9on(SFI)
• Processesliveinthesamehardwareaddressspace;sohwarereferencemonitorisolatesthem– Eachprocessisassignedalogical“faultdomain”– Checkallmemoryreferencesandjumpstoensuretheydon’tleaveprocess’sdomain
• Tradeoff:checkingvs.communica9on– Paythecostofexecu9ngchecksforeachmemorywriteandcontroltransfertosavethecostofcontextswitchingwhentrappingintothekernel
[Wahbeetal.SOSP‘93]
FaultDomains
• Process’scodeanddatainonememorysegment– Iden9fiedbyauniquepajernofupperbits– Codeisseparatefromdata(heap,stack,etc.)– Thinkofafaultdomainasa“sandbox”
• Binarymodifiedsothatitcannotescapedomain– Addressesaremaskedsothatallmemorywritesaretoaddresseswithinthesegment• Coarse-grainedmemorysafety(vs.arrayboundschecking)
– Codeisinsertedbeforeeachjumptoensurethatthedes9na9oniswithinthesegment
• Doesthishelpmuchagainstbufferoverflows?
VerifyingJumpsandStores
• Iftargetaddresscanbedeterminedsta9cally,maskitwiththesegment’supperbits– Crash,butwon’tstomponanotherprocess’smemory
• Ifaddressunknownun9lrun9me,insertcheckingcodebeforetheinstruc9on
• Ensurethatcodecan’tjumparoundthechecks– Targetaddressheldinadedicatedregister– Itsvalueischangedonlybyinsertedcode,atomically,andonlywithavaluefromthedatasegment
SimpleSFIExample
• Faultdomain=from0x1200to0x12FF• Originalcode:writex• NaïveSFI: x:=x&00FF x:=x|1200 writex• BejerSFI: tmp:=x&00FF tmp:=tmp|1200 writetmp
convertxintoanaddressthatlieswithinthefaultdomain
Whatifthecodejumpsrighthere?…
InlineReferenceMonitor
• GeneralizeSFItomoregeneralsafetypoliciesthanjustmemorysafety– Policyspecifiedinsomeformallanguage– Policydealswithapplica9on-levelconcepts:accesstosystemresources,networkevents,etc.• “Noprocessshouldsendtothenetworkaherreadingafile”,
“Noprocessshouldopenmorethan3windows”,…
• Policychecksareintegratedintothebinarycode– Viabinaryrewri9ngorwhencompiling
• Insertedchecksshouldbeuncircumventable– RelyonSFIforbasicmemorysafety
PolicySpecifica9oninSASI
SASIpoliciesarefinite-stateautomata• Canexpressanysafetypolicy• Easytoanalyze,emulate,compile• WrijeninSALlanguage(textualversionofdiagrams)
Nodivisionbyzero
¬ (op = “div” arg2 = 0) ∧
read¬ send¬
read
Nonetworksendaherfileread
[Cornell project]
PolicyEnforcement
• Checkingbeforeeveryinstruc9onisanoverkill– Check“Nodivisionbyzero”onlybeforeDIV
• SASIusespar9alevalua9on– Insertpolicychecksbeforeeveryinstruc9on,thenrelyonsta9canalysistoeliminateunnecessarychecks
• Thereisa“seman9cgap”betweenindividualinstruc9onsandpolicy-levelevents– Applica9onsuseabstrac9onssuchasstrings,types,files,func9oncalls,etc.
– Referencemonitormustsynthesizetheseabstrac9onsfromlow-levelassemblycode
M.Abadi,M.Budiu,U.Erlingsson,J.Ligaq
Control-FlowIntegrity:Principles,Implementa9ons,andApplica9ons
(CCS2005)
• Mainidea:pre-determinecontrolflowgraph(CFG)ofanapplica9on– Sta9canalysisofsourcecode– Sta9cbinaryanalysis←CFI– Execu9onprofiling– Explicitspecifica9onofsecuritypolicy
• Execu9onmustfollowthepre-determinedcontrolflowgraph
CFI:Control-FlowIntegrity[Abadietal.]
• Usebinaryrewri9ngtoinstrumentcodewithrun9mechecks(similartoSFI)
• Insertedchecksensurethattheexecu9onalwaysstayswithinthesta9callydeterminedCFG– Wheneveraninstruc9ontransferscontrol,des9na9onmustbevalidaccordingtotheCFG
• Goal:preventinjec9onofarbitrarycodeandinvalidcontroltransfers(e.g.,return-oriented-programming)– Secureeveniftheajackerhascompletecontroloverthethread’saddressspace
CFI:BinaryInstrumenta9on
CFGExample
• Foreachcontroltransfer,determinesta9callyitspossibledes9na9on(s)
• Insertauniquebitpajernateverydes9na9on– Twodes9na9onsareequivalentifCFGcontainsedgestoeachfromthesamesource• Thisisimprecise(why?)
– Usesamebitpajernforequivalentdes9na9ons
• Insertbinarycodethatatrun9mewillcheckwhetherthebitpajernofthetargetinstruc9onmatchesthepajernofpossibledes9na9ons
CFI:ControlFlowEnforcement
CFI:ExampleofInstrumenta9on
Originalcode
Instrumentedcode
Abuseanx86assemblyinstruc9ontoinsert“12345678”tagintothebinaryJumptothedes9na9ononlyif
thetagisequalto“12345678”
• UniqueIDs– Bitpajernschosenasdes9na9onIDsmustnotappearanywhereelseinthecodememoryexceptIDchecks
• Non-writablecode– Programshouldnotmodifycodememoryatrun9me
• Whataboutrun-9mecodegenera9onandself-modifica9on?
• Non-executabledata– Programshouldnotexecutedataasifitwerecode
• Enforcement:hardwaresupport+prohibitsystemcallsthatchangeprotec9onstate+verifica9onatload-9me
CFI:Preven9ngCircumven9on
• SupposeacallfromAgoestoC,andacallfromBgoestoeitherC,orD(whencanthishappen?)– CFIwillusethesametagforCandD,butthisallowsan
“invalid”callfromAtoD– Possiblesolu9on:duplicatecodeorinline– Possiblesolu9on:mul9pletags
• Func9onFiscalledfirstfromA,thenfromB;what’savaliddes9na9onforitsreturn?– CFIwillusethesametagforbothcallsites,butthisallowsFtoreturntoBaherbeingcalledfromA
– Solu9on:shadowcallstack
ImprovingCFIPrecision
CFI:SecurityGuarantees
• Effec9veagainstajacksbasedonillegi9matecontrol-flowtransfer– Stack-basedbufferoverflow,return-to-libcexploits,pointersubterfuge
• Doesnotprotectagainstajacksthatdonotviolatetheprogram’soriginalCFG– Incorrectargumentstosystemcalls– Subs9tu9onoffilenames– Otherdata-onlyajacks
PossibleExecu9onofMemory[Erlingsson]
NextStep:XFI
• Inlinereferencemonitoraddedviabinaryrewri9ng– Canbeappliedtosomelegacycode
• CFItopreventcircumven9on• Fine-grainedaccesscontrolpoliciesformemoryregions– Morethansimplememorysafety(cf.SFI)
• Reliesinpartonload-9meverifica9on– Similarto“proof-carryingcode”
[Erlingsson et al. OSDI ‘06]
TwoStacks• XFImaintainsaseparate“scopedstack” withreturnaddressesandsomelocalvariables– Keepstrackoffunc9oncalls,returnsandexcep9ons
• Securestorageareaforfunc9on-localinforma9on– Cannotbeoverflown,accessedviaacomputedreferenceorpointer,etc.
– Stackintegrityensuredbysohwareguards– Presenceofguardsisdeterminedbysta9cverifica9onwhenprogramisloaded
• Separate“alloca9onstack”forarraysandlocalvariableswhoseaddresscanbepassedaround
XFI:MemoryAccessControl
• Modulehasaccesstoitsownmemory– Withrestric9ons(e.g.,shouldn’tbeabletocorruptitsownscopedstack)
• Hostcanalsograntaccesstoothercon9guousmemoryregions– Fine-grained:canrestrictaccesstoasinglebyte– Accesstoconstantaddressesandscopedstackverifiedsta9cally
– Inlinememoryguardsverifyotheraccessesatrun9me• Fastinlineverifica9onforacertainaddressrange;iffails,callspecialrou9nesthatcheckaccesscontroldatastructures
XFI:Preven9ngCircumven9on
• IntegrityoftheXFIprotec9onenvironment– Basiccontrol-flowintegrity– “Scopedstack”preventsout-of-orderexecu9onpathseveniftheymatchcontrol-flowgraph
– Dangerousinstruc9onsareneverexecutedortheirexecu9onisrestricted• Forexample,privilegedinstruc9onsthatchangeprotec9onstate,modifyx86flags,etc.
• Therefore,XFImodulescanevenruninkernel