Presentation is loading. Please wait.

Presentation is loading. Please wait.

Efficient Software-Based Fault Isolation

Published byOscar Poole Modified over 6 years ago

Similar presentations

Presentation on theme: "Efficient Software-Based Fault Isolation"— Presentation transcript:

1 Efficient Software-Based Fault Isolation
Robert Wahbe Steven Lucco Thomas E. Anderson Susan L. Graham Presenter: Christopher Head

2 Approaches to Isolation
Address Spaces Control read/write sharing by shm, mmap, chmod No procedure calls Heavy-weight IPC Zero overhead for pure execution Software Isolation Control read/write sharing by userspace data structures Intra-process procedure calls Trivial IPC Small but nonzero overhead for pure execution

3 Address Classification
High Low Data or Code Address Variable, offset into isolated module Fixed for this module Different in all other modules Module cannot change this! Code: direct transfers statically validated; indirect transfers must go through dedicated register whose top bits are forced Data: direct loads/stores statically validated; indirect loads/stores must go through dedicated register; guard regions Stack: stack pointer is considered dedicated; sets checked rather than usages

4 Inter-Domain Control Transfers
Untrusted modules can only transfer control to addresses in a jump table which contains secured entry points published by other modules Jumps between untrusted modules go through trusted stubs which copy call parameters from caller data segment to callee data segment

5 System Calls Untrusted modules cannot make system calls
Untrusted modules access resources by calling into trusted modules to request access Trusted module checks whether access is permitted and arbitrates access to resources

6 Shared Memory Untrusted modules can share memory with each other:
Publisher and subscriber make inter-domain call into trusted module Trusted module issues mmap call to alias physical RAM into application virtual address space Domain 1 Data Segment Domain 2 Data Segment Physical RAM

7 Implementations Compiler Modification
Modify compiler to output machine code with recognizable instruction sequences Loader proves module obeys rules Compiler optimization possible Binary Patching Loader patches in trusted instruction sequences Portable to any language or closed-source modules Difficult to deal with dedicated registers

8 Performance Basic sandboxing: 4.3% overhead
Writes, control transfers restricted Memory reads unrestricted Full sandboxing: 21.8% / 17.6% overhead Memory reads also restricted Performance loss from register restriction: 0.4% Growth of instruction stream size: 10.5%

9 Conclusion System was developed and applied to a real-life example (PostgreSQL extensions) Small overhead occurs in performance, but overhead is much lower than overhead of using multiple processes for isolation and small enough to be acceptable especially for typical everyday applications

10 Questions Does this require two versions of GCC to be maintained? Yes
Not very hard; already done for developing for multiple platforms or embedded systems Eating 4 out of 32 registers doesn't sound very nice! Performance analysis says 0.4% overhead 32 is a lot of registers

11 Questions Has this been done on X86? Similar: Google Native Client
Easier: X86 allows immediates encoded in instructions No dedicated regs needed Harder: X86 instructions are variable length. How can static analysis prove anything if you can jump into the middle of an instruction?

12 Questions Binary patching is mainstream now; VMWare does it for the entire operating system. Which approach (patching-vs-compiler) makes more sense from a performance POV? VMWare is slow unless you have VT, in which case it doesn't use binary patching anyway Compiler can never lose: Apply the binary patch to its own output to break even. Anything better is a win.

13 Questions Is it secure? Yes:
Module is proven to only transfer control inside itself or to a jump table entry, and to write only to its own data memory. All potentially-dangerous operations guarded by sequences of instructions carefully written to eliminate any danger even if only a suffix of the instructions are executed (e.g. by a malicious jump).

14 Questions Can't we solve this at a higher level with a well- defined RPC API? No: defining an API doesn't guarantee untrusted modules will obey it. Do we need to modify the OS? How large is a segment? Will we run out of segments? Not hardware segments Defined entirely in userspace at any power-of-two size

15 Questions Parameters passed might be wrong. If callee doesn't sanity-check, could corrupt whole system? Yes. Trusted modules must treat published entry points like kernel system calls: everything must be checked

16 Questions If two modules running in parallel wish to communicate by only passing pointers to objects back and forth, can they? Shared memory In memory-bound program, will cache issues cause overhead? Data layout is identical to native Code size grows by ~10.5%

17 Questions What happens if there is a hardware fault? OS sees fault
Application receives signal Put signal handler in trusted module What is the purpose of the stubs? Untrusted modules can't write to each other's data segments Trusted stubs copy arguments between segments

Download ppt "Efficient Software-Based Fault Isolation"

Similar presentations

Memory Protection: Kernel and User Address Spaces  Background  Address binding  How memory protection is achieved.

Memory Protection: Kernel and User Address Spaces  Background  Address binding  How memory protection is achieved.
Lightweight Remote Procedure Call Brian N. Bershad, Thomas E. Anderson, Edward D. Lazowska, and Henry M. Levy Presented by Alana Sweat.

Lightweight Remote Procedure Call Brian N. Bershad, Thomas E. Anderson, Edward D. Lazowska, and Henry M. Levy Presented by Alana Sweat.
“Efficient Software-Based Fault Isolation” (1993) by: Robert Wahbe, Steven Lucco, Thomas E. Anderson, Susan L. Graham PRESENTED BY DAVID KENNEDY.

“Efficient Software-Based Fault Isolation” (1993) by: Robert Wahbe, Steven Lucco, Thomas E. Anderson, Susan L. Graham PRESENTED BY DAVID KENNEDY.
1 Storage Registers vs. memory Access to registers is much faster than access to memory Goal: store as much data as possible in registers Limitations/considerations:

1 Storage Registers vs. memory Access to registers is much faster than access to memory Goal: store as much data as possible in registers Limitations/considerations:
Honors Compilers Addressing of Local Variables Mar 19 th, 2002.

Honors Compilers Addressing of Local Variables Mar 19 th, 2002.
Run time vs. Compile time

Run time vs. Compile time
Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access memory.

Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access memory.
Efficient Software-Based Fault Isolation—sandboxing Presented by Carl Yao.

Efficient Software-Based Fault Isolation—sandboxing Presented by Carl Yao.
CSE 451: Operating Systems Autumn 2013 Module 6 Review of Processes, Kernel Threads, User-Level Threads Ed Lazowska 570 Allen.

CSE 451: Operating Systems Autumn 2013 Module 6 Review of Processes, Kernel Threads, User-Level Threads Ed Lazowska 570 Allen.
Protection and the Kernel: Mode, Space, and Context.

Protection and the Kernel: Mode, Space, and Context.
Operating System Support for Virtual Machines Samuel T. King, George W. Dunlap,Peter M.Chen Presented By, Rajesh 1 References [1] Virtual Machines: Supporting.

Operating System Support for Virtual Machines Samuel T. King, George W. Dunlap,Peter M.Chen Presented By, Rajesh 1 References [1] Virtual Machines: Supporting.
CS 153 Design of Operating Systems Spring 2015 Lecture 17: Paging.

CS 153 Design of Operating Systems Spring 2015 Lecture 17: Paging.
Native Client: A Sandbox for Portable, Untrusted x86 Native Code

Native Client: A Sandbox for Portable, Untrusted x86 Native Code
CS533 Concepts of Operating Systems Jonathan Walpole.

CS533 Concepts of Operating Systems Jonathan Walpole.
1 Chapter 3.2 : Virtual Memory What is virtual memory? What is virtual memory? Virtual memory management schemes Virtual memory management schemes Paging.

1 Chapter 3.2 : Virtual Memory What is virtual memory? What is virtual memory? Virtual memory management schemes Virtual memory management schemes Paging.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 2: Operating-System Structures.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 2: Operating-System Structures.
By Teacher Asma Aleisa Year 1433 H.   Goals of memory management  To provide a convenient abstraction for programming  To allocate scarce memory resources.

By Teacher Asma Aleisa Year 1433 H.   Goals of memory management  To provide a convenient abstraction for programming  To allocate scarce memory resources.
1 File Systems: Consistency Issues. 2 File Systems: Consistency Issues File systems maintains many data structures  Free list/bit vector  Directories.

1 File Systems: Consistency Issues. 2 File Systems: Consistency Issues File systems maintains many data structures  Free list/bit vector  Directories.
11 World-Leading Research with Real-World Impact! ZeroVM Backgroud Prosunjit Biswas Institute for Cyber Security University of Texas at San Antonio April.

11 World-Leading Research with Real-World Impact! ZeroVM Backgroud Prosunjit Biswas Institute for Cyber Security University of Texas at San Antonio April.
G53SEC 1 Reference Monitors Enforcement of Access Control.

G53SEC 1 Reference Monitors Enforcement of Access Control.

Similar presentations

Ads by Google