Isolation Enforced by the Operating System Based on slides provided by Landon Cox

Isolation of resources Process memory Meltdown / Spectre Files (Virtual) Machines

Memory Isolation Each process works in its own virtual address space All accesses to physical memory go through the memory management system The memory management system isolates one process’s memory from the others The virtual address space allocated to the kernel is shared by all processes, but can’t be accessed directly by a user process

Accessing virtual memory User process Physical memory Page table CPU PTBR Page table base register for current process (PTBR) OS

Accessing virtual memory User process Physical memory Access virtual address Physical pages Page table CPU PTBR OS

Accessing virtual memory User process Physical memory Access virtual address Determine if access is pre-allowed Physical pages Page table CPU PTBR OS

Accessing virtual memory User process Physical memory Access virtual address Physical pages Page table CPU PTBR If OK, retrieve data, execute instruction OS

Accessing virtual memory User process Physical memory Access virtual address Physical pages Page table CPU PTBR If not OK, trap to OS OS

Accessing virtual memory User process Physical memory Access virtual address Physical pages Page table CPU PTBR If not OK, trap to OS Determine if access is valid OS

Accessing virtual memory User process If not valid, kill process Physical memory Access virtual address Physical pages Page table CPU PTBR If not OK, trap to OS OS

Accessing virtual memory User process Physical memory Access virtual address Physical pages Page table CPU PTBR If not OK, trap to OS If not resident, load non-resident page OS

Accessing virtual memory User process Physical memory Access virtual address Physical pages Page table CPU PTBR If not OK, trap to OS If not resident, load non-resident page, update page table OS

Accessing virtual memory User process Retry faulting instruction Physical memory Access virtual address Physical pages Page table CPU PTBR If not OK, trap to OS If not resident, load non-resident page, update page table OS

User/kernel translation data 4GB Kernel data (same for all page tables) 3GB (0xc0000000) User data (different for every process) 0GB Virtual memory

Kernel vs. user mode Who sets up the data used by the memory management unit (MMU)? Can’t be the user process Otherwise could access anything Only kernel is allowed to modify any memory Processor must know to allow kernel To update the translator (e.g., set PTBR) To execute privileged instructions (halt, do I/O)

Kernel vs. user mode How does machine know kernel is running? Mode bit This requires hardware support CPU supports different modes, kernel and user Mode is indicated by a hardware register Mode bit

Protection recap All memory accesses go through a translator GBs of protected data All memory accesses go through a translator Who can modify translator’s data? Only kernel can modify translator’s data How do we know if kernel is running? Mode bit indicates if kernel is running Who can modify the mode bit? One bit of protected data Making progress: the amount of protected data is down to a bit

Protecting the mode bit Can kernel change the mode bit? Yes. Kernel is completely trusted. Can user process change the mode bit? Not directly User programs need to invoke the kernel Must be able to initiate a change

When to transition from user to kernel? Exceptions (interrupts, traps) Access something out of your valid address space (e.g., segmentation fault) Disk I/O finishes, causes interrupt Timer pre-emption, causes interrupt Page faults System calls Similar in purpose to a function call Kernel as software library

Example system calls Process management Signals Memory management Fork/exec (start a new process), exit, getpid Signals Kill (send a signal), sigaction (set up handler) Memory management Brk (extend the valid address space), mmap File I/O Open, close, read, write Network I/O Accept, send, receive System management Reboot

System call implementation Syscalls are like functions, but different Implemented by special instruction Software trap syscall Execution of syscall traps to kernel Processor safely transfers control to kernel Hardware invokes kernel’s syscall trap handler

Kernel trap details Hardware must atomically Set processor mode bit to “kernel” Save current registers (SP, PC, general purpose) Change execution stack to kernel (SP) Jump to exception handler in kernel (PC)

Meltdown Processor Flaw Modern “superscalar” processors execute multiple instructions simultaneously “Branch prediction” used to decide what to execute next when necessary When a branch is incorrectly predicted, effects of instructions that should not have been executed are undone … or are they? the code may have caused something to be brought into cache, and this can be detected by timing the cache

Meltdown char *scratchpad = malloc(256 * 4096); \\ 256 pages of size 4096 bytes each ... evict scratchpad from the CPU cache ... unsigned char *p = SOME_KERNEL_ADDRESS; int x = rand() % 100; unsigned char a; unsigned char b; if (x == 4){ // suppose CPU branch prediction speculates that this condition will be true a = *p; // unauthorized read of kernel memory // indirect access to scratchpad based on value a read from kernel memory // brings page a into cache b = *(scratchpad + 4096 * a ); }

Detect Byte Value by Timing Cache Access long long smallest_time = 9999999999999; unsigned char leaked_a = 0; for (int c = 0; c < 256; ++c) { long long tsc0 = tsc(); char b = *(scratchpad + 4096 * c); long long tsc1 = tsc(); long long tottime = tsc1 - tsc0; if (tottime < smallest_time) { // the smallest tottime is consequence of speculation // made by CPU with "a" value, that brought a related // memory page into the cache. smallest_time = tottime; leaked_a = c; } printf("Kernel byte %p = %02x", SOME_KERNEL_ADDRESS, leaked_a); https://epxx.co/logbook/entries/meltdown_en.html

Mitigation Redesign processor Move kernel memory out of user process virtual address space

Access control Where is most trusted code located? In the operating system kernel What are the primary responsibilities of a UNIX kernel? Managing the file system Launching/scheduling processes Managing memory How do processes invoke the kernel? Via system calls Hardware shepherds transition from user process to kernel Processor knows when it is running kernel code Represents this through protection rings or mode bit

Access control How does kernel know if system call is allowed? Looks at user id (uid) of process making the call Looks at resources accessed by call (e.g., file or pipe) Checks access-control policy associated with resource Decides if policy allows uid to access resources How is a uid normally assigned to a process? On fork, child inherits parent’s uid

MOO accounting problem Multi-player game called Moo Want to maintain high score in a file Should players be able to update score? Yes Do we trust users to write file directly? No, they could lie about their score Game client (uid x) “x’s score = 10” High score “y’s score = 11” Game client (uid y)

MOO accounting problem Multi-player game called Moo Want to maintain high score in a file Could have a trusted process update scores Is this good enough? Game client (uid x) “x’s score = 10” Game server High score “x:10 y:11” “y’s score = 11” Game client (uid y)

MOO accounting problem Multi-player game called Moo Want to maintain high score in a file Could have a trusted process update scores Is this good enough? Can’t be sure that reported score is genuine Need to ensure score was computed correctly Game client (uid x) “x’s score = 100” Game server High score “x:100 y:11” “y’s score = 11” Game client (uid y)

Access control Insight: sometimes simple inheritance of uids is insufficient Tasks involving management of “user id” state Logging in (login) Changing passwords (passwd) Why isn’t this code just inside the kernel? This functionality doesn’t really require interaction w/ hardware Would like to keep kernel as small as possible How are “trusted” user-space processes identified? Run as super user or root (uid 0) Like a software kernel mode If a process runs under uid 0, then it has more privileges

Access control Why does login need to run as root? Needs to check username/password correctness Needs to fork/exec process under another uid Why does passwd need to run as root? Needs to modify password database (file) Database is shared by all users What makes passwd particularly tricky? Easy to allow process to shed privileges (e.g., login) passwd requires an escalation of privileges How does UNIX handle this? Executable files can have their setuid bit set If setuid bit is set, process inherits uid of image file’s owner on exec

MOO accounting problem Multi-player game called Moo Want to maintain high score in a file How does setuid solve our problem? Game executable is owned by trusted entity Game cannot be modified by normal users Users can run executable though High-score is also owned by trusted entity This is a form of trustworthy computing Only trusted code can update score Root ownership ensures code integrity Untrusted users can invoke trusted code Shell (uid x) Game client (uid moo) “fork/exec game” “x’s score = 10” High score (uid moo) “y’s score = 11” Shell (uid y) Game client (uid moo) “fork/exec game”

Coarser abstraction: virtual machine We’ve already seen a kind of virtual machine OS gives processes virtual memory Each process runs on a virtualized CPU Virtual machine An execution environment May or may not correspond to physical reality

How do we virtualize? Key technique: “trap and emulate” Untrusted/user code tries to do something it can’t Transfer control to something that can do it Evaluate whether thing is allowed If so, do it and return control. Else, kill process or throw exception. Where have we seen trap and emulate? Virtual memory Process tries to access non-resident memory Trap to OS OS makes virtual page resident Retry instruction that caused fault Generally useful technique, crucial for virtual machines Ways to do this? Rely on HW Rewrite code

Virtual-machine options Approaches to implementing VMs Interpreted virtual machines Translate every VM instruction Kind of like on-the-fly compilation VM instruction  HW instruction(s) Direct execution Execute instructions directly Emulate the hard ones

Interpreted virtual machines Implement the machine in software Must translate emulated to physical Java: byte codes  x86, PPC, ARM, etc Software fetches/executes instructions Program (foo.class) Interpreter (java) Byte code x86 Looks a lot like a dynamic virtual memory translator

Java virtual machine What is the (low-level) interface to the JVM? Java byte-code instructions What abstraction does the JVM provide? JVM: Stack-machine architecture Dalvik (Android): Register-based architecture The Java programming language High-level language compiled into byte code Library of services (kind of like a kernel) Like PHP, Python, C++/STL, C#

Direct execution What is the interface? What is the abstraction? Hardware ISA (e.g., x86 instructions) What is the abstraction? Physical machine (e.g., x86 processor) x86 Program (Linux kernel) x86 Monitor (VMware) x86

Different techniques Emulation Full virtualization Paravirtualization Bochs, QEMU Full virtualization VMware Paravirtualization Xen Dynamic recompilation Virtual PC

Views of the CPU How is a user process’s view of the CPU different than the OS’s? Kernel mode Access to physical memory Manipulation of page tables Other “privileged instructions” Turn off interrupts Traps Keep these in mind when thinking about virtual machines

Traditional OS structure App App App App Ring 3 Operating System Ring 0 Host Machine

Virtual-machine structure Guest App Guest App Guest App Ring 3 Guest OS Guest OS Guest OS Ring 3? Virtual Machine Monitor (Hypervisor) Ring 0 Host Machine

Virtual-machine structure Guest App Guest App Guest App Ring 3 Guest OS Guest OS Guest OS Ring 1 Virtual Machine Monitor (Hypervisor) Ring 0 Host Machine