
Architectural Support for Software-Based Protection

Architectural Support for Software-Based Protection. Mihai Budiu, Úlfar Erlingsson, Martín Abadi. Silicon Valley. ASID Workshop, Oct 21, 2006. Summary: Enforce control flow to prevent software attacks [CCS 05] [ICFEM 05]. Protect modules within a single address space [OSDI 06].


Presentation Transcript


  1. Architectural Support for Software-Based Protection. Mihai Budiu, Úlfar Erlingsson, Martín Abadi. Silicon Valley. ASID Workshop, Oct 21, 2006

  2. Summary • CFI: Enforce control flow to prevent software attacks [CCS 05] [ICFEM 05] • XFI: Protect modules within a single address space [OSDI 06] • This work: add hardware support

  3. Outline • Control-Flow Integrity • XFI: Protecting Modules • Conclusions

  4. CFI Motivation. Anatomy of many software attacks (figure label: Control flow)

  5. CFI Idea: Executable + Control-Flow Graph = Self-checking program

  6. CFI Security Benefits • Enforces CFG against attacker that controls whole data memory • Defends against a large class of attacks: buffer overflows, stack smashing, jump-to-libc, pointer subterfuge • Validated experimentally (Figure labels: Code, Data, Stack)

  7. Embedding a CFG Edge
     Traditional indirect jump:
         jmp r1        (?)
         ...
       dest:
         ...
     New ISA: checked jump and label:
         jmpc r1, 50
         ...
         cfilabel 60
         ...
         cfilabel 50
         ...

  8. Semantics
     jmpc r1, L:
         cfi_register = L;
         jmp r1
     cfilabel L:
         if (cfi_register == L) cfi_register = 0
     Before any instruction except cfilabel:
         if (cfi_register != 0) cfi_exception()

  9. Evaluation. Figure labels: Spec2k Sources; Squeeze++ binary rewriter; Sim-alpha simulator; Binary; Instrumented binary; Performance data; Alpha CC; instrumentation algorithm; Linux

  10. CFI Execution Overhead

  11. Outline • Control-Flow Integrity • XFI: Protecting Modules • Conclusions

  12. XFI Motivation. Figure labels: Shared data structure; OS Kernel; Driver; Driver; Kernel heap; Ring 0 (high privilege); Single address space

  13. XFI Address Spaces. Figure labels: Entry points; Code; Data; Code; R/O Data; R/W Data; Host system; XFI Module; Stacks; Host heap; A; B; Fastpath region; Slowpath region

  14. Memory Bounds Checks
      Store to be protected:
          *(int*)x = 2;
      With bounds checks:
          if (x < A + 0) goto SlowpathCheck;
          if (B - sizeof(int) < x) goto SlowpathCheck;
        retfromSlowCheck:
          *(int*)x = 2;
      (Figure labels: Code; Data; Code; R/O Data; R/W Data; Host system; XFI Module; Host heap; 2; x; A; B)

  15. ISA Support for XFI
      mrguard $r, L, H:
          if ($r < $a + L) XFI_exception()
          if ($b - H < $r) XFI_exception()
      [$r - L, $r + H) ⊆ [$a, $b)
      (Figure labels: $r; L; H; A; B)

  16. Evaluation. Figure labels: Mediabench Sources; Hand instrument; Kernel; Sim-alpha simulator; Assembly; Instrumented binary; Performance data; Alpha CC; Link; Object files; Linux

  17. Bounds Checks Overhead

  18. Advantages of ISA Support. Compared with software solutions: • Reduce executable size • Reduce pressure on fetch structures (I-cache, trace cache, br. predictors) • Decrease register pressure (no intermediate results) • Do not pollute condition flags • Do not pollute the data cache to fetch code label [CFI only]

  19. Conclusions • ISA support is very simple • ISA support does not stretch critical hw resources • ISA support can reduce the cost of CFI and XFI enforcement

  20. Backup Slides

  21. MSR Silicon Valley

  22. Our Neighbors Google NASA AMES Microsoft SVC

  23. We’re Going Into Architecture

  24. We’re Hiring Computer Architects • Exciting research opportunities • A chance to influence industry • A lot of creative freedom • A great interdisciplinary team • A brand new research group • A great location research.microsoft.com/aboutmsr/labs/siliconvalley

  25. CFI & XFI Toolchain. Figure labels: Unsafe code; Executable; Compiler; Binary rewriter; Safe executable; Verifier; Program; Safe code; Debugging information; Execution; Trusted computing base; Instrumentation algorithm

  26. CFI Software Implementation
      New ISA:
          jmpc r1, 50
          ...
          cfilabel 50
          ...
      Software implementation:
          if (*r1 != 50) then goto error;
          goto r1+4;
          ...
          .data 50
          ...

  27. CFI Binary Size Increase
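
The jmpc / cfilabel semantics from slide 8, run on a program laid out like slide 7, as an added example that is not code from the presentation or its authors. The toy machine (NOP, HALT, an array index as program counter, the result codes) is an assumption of this sketch; r1 stands for the jump target that the attacker model on slide 6 allows to be overwritten.

```c
#include <stdio.h>

/* Toy machine for the slide-8 semantics. NOP, HALT and the array-index
   program counter are assumptions of this example. Labels are nonzero. */
enum op { NOP, JMPC, CFILABEL, HALT };
struct insn { enum op op; int label; };
enum result { RAN_OK, CFI_EXCEPTION, BAD_PC };

/* Constructed program, laid out like slide 7. */
static const struct insn demo[] = {
    { JMPC, 50 },      /* 0: jmpc r1, 50 */
    { NOP, 0 },        /* 1: ordinary code, not a valid target */
    { CFILABEL, 60 },  /* 2: valid target of some other jump */
    { HALT, 0 },       /* 3 */
    { CFILABEL, 50 },  /* 4: the only valid target of the jmpc at 0 */
    { HALT, 0 },       /* 5 */
};
enum { DEMO_LEN = sizeof demo / sizeof demo[0] };

/* Run prog with r1 holding the indirect-jump target. */
enum result run(const struct insn *prog, int n, int r1)
{
    int cfi_register = 0, pc = 0;
    while (pc >= 0 && pc < n) {
        const struct insn *i = &prog[pc];
        if (i->op == CFILABEL) {           /* cfilabel L */
            if (cfi_register == i->label)
                cfi_register = 0;
            pc++;
            continue;
        }
        if (cfi_register != 0)             /* any other instruction */
            return CFI_EXCEPTION;
        if (i->op == HALT)
            return RAN_OK;
        if (i->op == JMPC) {               /* cfi_register = L; jmp r1 */
            cfi_register = i->label;
            pc = r1;
        } else {
            pc++;
        }
    }
    return BAD_PC;                         /* target outside the program */
}

int main(void)
{
    for (int r1 = 0; r1 <= DEMO_LEN; r1++)
        printf("r1=%d -> %d\n", r1, run(demo, DEMO_LEN, r1));
    return 0;
}
```

Only r1 = 4 reaches HALT cleanly; landing on cfilabel 60 leaves cfi_register set, so the exception fires at the next ordinary instruction rather than at the label itself.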
