Ik-Soon Kim December 18, 2010 Embedded Software Platform Team

Slides:



Advertisements
Similar presentations
The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko.
Advertisements

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Attacking Malicious Code: A Report to the Infosec Research Council Kim Sung-Moo.
Type-Safe Programming in C George Necula EECS Department University of California, Berkeley.
Extensibility, Safety and Performance in the SPIN Operating System Bershad et al Presentation by norm Slides shamelessly “borrowed” from Stefan Savage’s.
1 Last Class: Introduction Operating system = interface between user & architecture Importance of OS OS history: Change is only constant User-level Applications.
1 OS & Computer Architecture Modern OS Functionality (brief review) Architecture Basics Hardware Support for OS Features.
Stack Management Each process/thread has two stacks  Kernel stack  User stack Stack pointer changes when exiting/entering the kernel Q: Why is this necessary?
Language Evaluation Criteria
Safety in the C programming Language Peter Wihl May 26 th, 2005 CS 297 Security and Programming Languages.
1 CS503: Operating Systems Part 1: OS Interface Dongyan Xu Department of Computer Science Purdue University.
Secure Virtual Architecture John Criswell, Arushi Aggarwal, Andrew Lenharth, Dinakar Dhurjati, and Vikram Adve University of Illinois at Urbana-Champaign.
G53SEC 1 Reference Monitors Enforcement of Access Control.
15-740/ Oct. 17, 2012 Stefan Muller.  Problem: Software is buggy!  More specific problem: Want to make sure software doesn’t have bad property.
Computer Security and Penetration Testing
Three fundamental concepts in computer security: Reference Monitors: An access control concept that refers to an abstract machine that mediates all accesses.
CHAPTER 2: COMPUTER-SYSTEM STRUCTURES Computer system operation Computer system operation I/O structure I/O structure Storage structure Storage structure.
Buffer Overflow Detection Stuart Pickard CSCI 297 June 14, 2005.
Native Client: A Sandbox for Portable, Untrusted x86 Native Code
CS533 Concepts of Operating Systems Jonathan Walpole.
1 Efficient Type and Memory Safety for Tiny Embedded Systems John Regehr Nathan Cooprider Will Archer Eric Eide University of Utah School of Computing.
Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer.
G53SEC 1 Reference Monitors Enforcement of Access Control.
By Teacher Asma Aleisa Year 1433 H.   Goals of memory management  To provide a convenient abstraction for programming.  To allocate scarce memory.
The Fail-Safe C to Java translator Yuhki Kamijima (Tohoku Univ.)
Software Defects.
Buffer Overflow Attack Proofing of Code Binary Gopal Gupta, Parag Doshi, R. Reghuramalingam, Doug Harris The University of Texas at Dallas.
Highly Scalable Distributed Dataflow Analysis Joseph L. Greathouse Advanced Computer Architecture Laboratory University of Michigan Chelsea LeBlancTodd.
1 A Secure Access Control Mechanism against Internet Crackers Kenichi Kourai* Shigeru Chiba** *University of Tokyo **University of Tsukuba.
Topic 3: C Basics CSE 30: Computer Organization and Systems Programming Winter 2011 Prof. Ryan Kastner Dept. of Computer Science and Engineering University.
A Tool for Pro-active Defense Against the Buffer Overrun Attack D. Bruschi, E. Rosti, R. Banfi Presented By: Warshavsky Alex.
Protecting C Programs from Attacks via Invalid Pointer Dereferences Suan Hsi Yong, Susan Horwitz University of Wisconsin – Madison.
Efficient Software Based Fault Isolation Author: Robert Wahobe,Steven Lucco,Thomas E Anderson, Susan L Graham Presenter: Maitree kanungo Date:02/17/2010.
Efficient software-based fault isolation Robert Wahbe, Steven Lucco, Thomas Anderson & Susan Graham Presented by: Stelian Coros.
Sampling Dynamic Dataflow Analyses Joseph L. Greathouse Advanced Computer Architecture Laboratory University of Michigan University of British Columbia.
CS533 Concepts of Operating Systems Jonathan Walpole.
Lecture 4 Page 1 CS 111 Online Modularity and Memory Clearly, programs must have access to memory We need abstractions that give them the required access.
Memory Protection: Kernel and User Address Spaces Andy Wang Operating Systems COP 4610 / CGS 5765.
Computer System Structures
Efficient Software-Based Fault Isolation
Modularity Most useful abstractions an OS wants to offer can’t be directly realized by hardware Modularity is one technique the OS uses to provide better.
Healing Data Races On-The-Fly
Kernel Design & Implementation
Introduction to Operating Systems
CMSC 345 Defensive Programming Practices from Software Engineering 6th Edition by Ian Sommerville.
Protecting Memory What is there to protect in memory?
Processes and threads.
Memory Protection: Kernel and User Address Spaces
Security Issues Formalization
Protection and OS Structure
Protecting Memory What is there to protect in memory?
Operating System Structure
Secure Software Development: Theory and Practice
Modularity and Memory Clearly, programs must have access to memory
Memory Protection: Kernel and User Address Spaces
High Coverage Detection of Input-Related Security Faults
Introduction to Operating Systems
Memory Protection: Kernel and User Address Spaces
Memory Protection: Kernel and User Address Spaces
CS 465 Buffer Overflow Slides by Kent Seamons and Tim van der Horst
CS 143A Quiz 1 Solution.
IMPROVING THE RELIABILITY OF COMMODITY OPERATING SYSTEMS
Module 2: Computer-System Structures
Software Security Lesson Introduction
The Design & Implementation of Hyperupcalls
Cyclone: A safe dialect of C
CS5123 Software Validation and Quality Assurance
Memory Protection: Kernel and User Address Spaces
Advanced Operating Systems (CS 202) Operating System Structure
Sampling Dynamic Dataflow Analyses
Presentation transcript:

Ik-Soon Kim December 18, 2010 Embedded Software Platform Team Safe system software Ik-Soon Kim December 18, 2010 Embedded Software Platform Team

Software bugs Software bug Means an error, failure or fault in a program or system Causes a program or system to behave in unintended ways Mostly arises from mistakes and errors made by people We hope to remove software bugs automatically Based on our approach, I implemented a prototype system by modifying the Linux kernel on IA thirty two. The prototype system provides two important facilities. The first facility is to execute user programs in kernel mode. And the second facility is to invoke system calls from kernel mode. I’ll explain how I implemented these two facilities briefly.

Case 1: The European Ariane5 (June 4, 1996) Explodes 40s into its maiden flight due to a software bug Development period : about 10 years Development cost : $7 billon Cargo value : $500 million

Case 2: In the Mars Mars Rover loses contact in 1997 Mars Climate Orbiter is lost in 1999 Mars Polar Lander is lost in 1999 Mars Rover freezes in 2004

Case 3: Malaysia Airlines jetliner (August 2005) Suddenly zoomed upward and was jerked into a steep dive A defective software program had provided incorrect data about the aircraft’s speed and acceleration, confusing flight computers

Goal Guaranteeing a Linux kernel module is secure Our strategy: Checks the C programs statically Based on formal program analysis Reports the analysis results Warns of all suspicious locations If no warning messages, no bugs A warning message does not always mean a bug Inserts the guard code at reported suspicious locations Suspicious locations are checked at runtime

System software Modern operating systems support two execution modes: User mode: Most applications on OS run in user mode Some dangerous operations are forbidden in user mode Restricted, slow, but safe mode Kernel mode: OS itself and its modules run in kernel mode Any operations are permitted in kernel mode Almighty, fast, but dangerous mode OS kernel is getting bigger More functions are added to OS kernel System software tends to evolve into kernel software for speedup Network module in linux, Commercial web server in redhat

Expensive system calls System calls are slow Data copies between user and kernel spaces Context switches between user and kernel modes Interrruptions Slow ! Context switch Data Copy Program Service System call One of the problems of traditional operating systems is that system calls are slow. In traditional operating systems, user programs and an operating system kernel are totally separated by the privilege level facility of CPU. User programs are in user mode and a kernel is in kernel mode. So, to invoke system calls, we need very inefficient operations such as context switches or software interruptions. Interruption User mode Kernel mode

Executing arbitrary programs in kernel mode In kernel mode, programs can Access arbitrary memory Execute arbitrary code Dangerous ! Bad program Crash hard disk execute Attack other programs It’s very dangerous to execute arbitrary user programs in kernel mode. In kernel mode, programs can access arbitrary memory and execute arbitrary code. So, if a bad program is executed in kernel mode, it may crash our hard disk or attack other programs. Kernel mode

Eliminating the overhead of system calls Execute programs in kernel mode directly System calls become mere function calls Fast ! Program Service System call The most naïve solution for this problem is to execute user programs in kernel mode. Then we can invoke system calls very fast because system calls become merely function calls. We need neither heavy context switches nor software interruptions. But, off course, we cannot take this solution easily, because… Kernel mode

Safe ! Our goal (2/2) Safely execute programs in kernel mode Prevent illegal memory access Prevent illegal control changes Safe ! Bad program Crash hard disk execute Attack other programs So, our goal is to safely execute user programs in kernel mode. We ensure the safety by preventing illegal memory access and code execution with type system. For this goal, we use Typed Assembly Language. Kernel mode

Our goal (1/2) Our goal is to guarantee that our kernel module is secure: Memory safety Our module never reads and writes in a forbidden area Control flow safety Our module never jumps into a permitted code area We’d like to guarantee that Our module always changes the execution control within the safe area Our module always uses the memory safely in the permitted area We can’t avoid restricting something above in reality: setjmp, longjmp, computed goto, inlined assembly code

Static analyzer in 2009 (1/3) Detects buffer overrun errors and stack vulnerability in C programs Based on abstract interpretation and constraint solving: Reporting false errors Doing “sound” static analysis : Finding all existent bugs (sound) Not executing target programs for analysis (static) C programs : ANSI C + a portion of GCC GCC supports too many extensions (ex. nested functions) GCC is changing rapidly Our frontend should be rapidly updated too

Static analyzer in 2009 (2/3) i = 3 i  [3,3] if(…) i = 7 i  [7,7] Range analysis Computes the range of possible values for variables if(…) i = 3 i = 7 a[i] = 0 i  [3,3] i  [7,7] i  [3,7] true “Array subscript analysis”? poss values of Index variables

Static analyzer in 2009 (3/3) i = 3; if(...){ i  [3,3] i = 7; } Range analysis: Can eliminate unnecessary bounds checks Can detect potential out-of-bounds errors char a[12]; int i; i = 3; if(...){ i = 7; } a[i] = 0; i  [3,3] i  [7,7] i  [3,7] (in bounds)

Code rewriter Inserts guard code at suspicious locations: Analyzer can report suspicious points which can be bugs or not A module is guaranteed to be safe if no bugs are found The module can be safe or dangerous if some suspicious positions are found Insert dynamic check code at the suspicious positions Guard code can cause the runtime overhead Code rewriter tries to insert the least guard code for performance If some software is developed from scratch using a good static analyzer, code rewriter would be unnecessary

Constraint Extraction Verification Process Bug Platform Source Code Secure source code Syntax Analysis (GCC 구문 확장) Semantic Analysis (GCC 확장, 포인터 분석) Dead Code Elimination (GCC 확장) Analysis Language Constraint Extraction Constraint Solver Insert Guard code Pointer analysis Checks whether a null pointer is dereferenced Checks whether a pointer address is in safe range

Progress We are building Extending C parser Static analyzer Conforms to C99 standard Supports many GNU C extensions Static analyzer Range analysis (implemented in 2009) Pointer analysis Code rewriter Inserts dynamic check code at suspicious locations Will be expanded to support pointer analysis and extended C parser

Conclusion Safe Linux kernel modules never execute the dangerous operations Safe and efficient system software Efficient kernel mode software Speedup is achievable by running system software in kernel mode Safe system software By using formal verification, we can guarantee our system software won’t do harm to the overall system Our system software never causes the system crash