Presentation is loading. Please wait.

Presentation is loading. Please wait.

Ik-Soon Kim December 18, 2010 Embedded Software Platform Team

Published byBlake Henderson Modified over 6 years ago

Similar presentations

Presentation on theme: "Ik-Soon Kim December 18, 2010 Embedded Software Platform Team"— Presentation transcript:

1 Ik-Soon Kim December 18, 2010 Embedded Software Platform Team
Safe system software Ik-Soon Kim December 18, 2010 Embedded Software Platform Team

2 Software bugs Software bug
Means an error, failure or fault in a program or system Causes a program or system to behave in unintended ways Mostly arises from mistakes and errors made by people We hope to remove software bugs automatically Based on our approach, I implemented a prototype system by modifying the Linux kernel on IA thirty two. The prototype system provides two important facilities. The first facility is to execute user programs in kernel mode. And the second facility is to invoke system calls from kernel mode. I’ll explain how I implemented these two facilities briefly.

3 Case 1: The European Ariane5 (June 4, 1996)
Explodes 40s into its maiden flight due to a software bug Development period : about 10 years Development cost : $7 billon Cargo value : $500 million

4 Case 2: In the Mars Mars Rover loses contact in 1997
Mars Climate Orbiter is lost in 1999 Mars Polar Lander is lost in 1999 Mars Rover freezes in 2004

5 Case 3: Malaysia Airlines jetliner (August 2005)
Suddenly zoomed upward and was jerked into a steep dive A defective software program had provided incorrect data about the aircraft’s speed and acceleration, confusing flight computers

6 Goal Guaranteeing a Linux kernel module is secure Our strategy:
Checks the C programs statically Based on formal program analysis Reports the analysis results Warns of all suspicious locations If no warning messages, no bugs A warning message does not always mean a bug Inserts the guard code at reported suspicious locations Suspicious locations are checked at runtime

7 System software Modern operating systems support two execution modes:
User mode: Most applications on OS run in user mode Some dangerous operations are forbidden in user mode Restricted, slow, but safe mode Kernel mode: OS itself and its modules run in kernel mode Any operations are permitted in kernel mode Almighty, fast, but dangerous mode OS kernel is getting bigger More functions are added to OS kernel System software tends to evolve into kernel software for speedup Network module in linux, Commercial web server in redhat

8 Expensive system calls
System calls are slow Data copies between user and kernel spaces Context switches between user and kernel modes Interrruptions Slow ! Context switch Data Copy Program Service System call One of the problems of traditional operating systems is that system calls are slow. In traditional operating systems, user programs and an operating system kernel are totally separated by the privilege level facility of CPU. User programs are in user mode and a kernel is in kernel mode. So, to invoke system calls, we need very inefficient operations such as context switches or software interruptions. Interruption User mode Kernel mode

9 Executing arbitrary programs in kernel mode
In kernel mode, programs can Access arbitrary memory Execute arbitrary code Dangerous ! Bad program Crash hard disk execute Attack other programs It’s very dangerous to execute arbitrary user programs in kernel mode. In kernel mode, programs can access arbitrary memory and execute arbitrary code. So, if a bad program is executed in kernel mode, it may crash our hard disk or attack other programs. Kernel mode

10 Eliminating the overhead of system calls
Execute programs in kernel mode directly System calls become mere function calls Fast ! Program Service System call The most naïve solution for this problem is to execute user programs in kernel mode. Then we can invoke system calls very fast because system calls become merely function calls. We need neither heavy context switches nor software interruptions. But, off course, we cannot take this solution easily, because… Kernel mode

11 Safe ! Our goal (2/2) Safely execute programs in kernel mode
Prevent illegal memory access Prevent illegal control changes Safe ! Bad program Crash hard disk execute Attack other programs So, our goal is to safely execute user programs in kernel mode. We ensure the safety by preventing illegal memory access and code execution with type system. For this goal, we use Typed Assembly Language. Kernel mode

12 Our goal (1/2) Our goal is to guarantee that our kernel module is secure: Memory safety Our module never reads and writes in a forbidden area Control flow safety Our module never jumps into a permitted code area We’d like to guarantee that Our module always changes the execution control within the safe area Our module always uses the memory safely in the permitted area We can’t avoid restricting something above in reality: setjmp, longjmp, computed goto, inlined assembly code

13 Static analyzer in (1/3) Detects buffer overrun errors and stack vulnerability in C programs Based on abstract interpretation and constraint solving: Reporting false errors Doing “sound” static analysis : Finding all existent bugs (sound) Not executing target programs for analysis (static) C programs : ANSI C + a portion of GCC GCC supports too many extensions (ex. nested functions) GCC is changing rapidly Our frontend should be rapidly updated too

14 Static analyzer in 2009 (2/3) i = 3 i  [3,3] if(…) i = 7 i  [7,7]
Range analysis Computes the range of possible values for variables if(…) i = 3 i = 7 a[i] = 0 i  [3,3] i  [7,7] i  [3,7] true “Array subscript analysis”? poss values of Index variables

15 Static analyzer in 2009 (3/3) i = 3; if(...){ i  [3,3] i = 7; }
Range analysis: Can eliminate unnecessary bounds checks Can detect potential out-of-bounds errors char a[12]; int i; i = 3; if(...){ i = 7; } a[i] = 0; i  [3,3] i  [7,7] i  [3,7] (in bounds)

16 Code rewriter Inserts guard code at suspicious locations:
Analyzer can report suspicious points which can be bugs or not A module is guaranteed to be safe if no bugs are found The module can be safe or dangerous if some suspicious positions are found Insert dynamic check code at the suspicious positions Guard code can cause the runtime overhead Code rewriter tries to insert the least guard code for performance If some software is developed from scratch using a good static analyzer, code rewriter would be unnecessary

17 Constraint Extraction
Verification Process Bug Platform Source Code Secure source code Syntax Analysis (GCC 구문 확장) Semantic Analysis (GCC 확장, 포인터 분석) Dead Code Elimination (GCC 확장) Analysis Language Constraint Extraction Constraint Solver Insert Guard code Pointer analysis Checks whether a null pointer is dereferenced Checks whether a pointer address is in safe range

18 Progress We are building Extending C parser Static analyzer
Conforms to C99 standard Supports many GNU C extensions Static analyzer Range analysis (implemented in 2009) Pointer analysis Code rewriter Inserts dynamic check code at suspicious locations Will be expanded to support pointer analysis and extended C parser

19 Conclusion Safe Linux kernel modules never execute the dangerous operations Safe and efficient system software Efficient kernel mode software Speedup is achievable by running system software in kernel mode Safe system software By using formal verification, we can guarantee our system software won’t do harm to the overall system Our system software never causes the system crash

Download ppt "Ik-Soon Kim December 18, 2010 Embedded Software Platform Team"

Similar presentations

The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko.

The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Attacking Malicious Code: A Report to the Infosec Research Council Kim Sung-Moo.

Attacking Malicious Code: A Report to the Infosec Research Council Kim Sung-Moo.
Type-Safe Programming in C George Necula EECS Department University of California, Berkeley.

Type-Safe Programming in C George Necula EECS Department University of California, Berkeley.
Extensibility, Safety and Performance in the SPIN Operating System Bershad et al Presentation by norm Slides shamelessly “borrowed” from Stefan Savage’s.

Extensibility, Safety and Performance in the SPIN Operating System Bershad et al Presentation by norm Slides shamelessly “borrowed” from Stefan Savage’s.
1 Last Class: Introduction Operating system = interface between user & architecture Importance of OS OS history: Change is only constant User-level Applications.

1 Last Class: Introduction Operating system = interface between user & architecture Importance of OS OS history: Change is only constant User-level Applications.
1 OS & Computer Architecture Modern OS Functionality (brief review) Architecture Basics Hardware Support for OS Features.

1 OS & Computer Architecture Modern OS Functionality (brief review) Architecture Basics Hardware Support for OS Features.
Stack Management Each process/thread has two stacks  Kernel stack  User stack Stack pointer changes when exiting/entering the kernel Q: Why is this necessary?

Stack Management Each process/thread has two stacks  Kernel stack  User stack Stack pointer changes when exiting/entering the kernel Q: Why is this necessary?
Language Evaluation Criteria

Language Evaluation Criteria
Safety in the C programming Language Peter Wihl May 26 th, 2005 CS 297 Security and Programming Languages.

Safety in the C programming Language Peter Wihl May 26 th, 2005 CS 297 Security and Programming Languages.
1 CS503: Operating Systems Part 1: OS Interface Dongyan Xu Department of Computer Science Purdue University.

1 CS503: Operating Systems Part 1: OS Interface Dongyan Xu Department of Computer Science Purdue University.
Secure Virtual Architecture John Criswell, Arushi Aggarwal, Andrew Lenharth, Dinakar Dhurjati, and Vikram Adve University of Illinois at Urbana-Champaign.

Secure Virtual Architecture John Criswell, Arushi Aggarwal, Andrew Lenharth, Dinakar Dhurjati, and Vikram Adve University of Illinois at Urbana-Champaign.
G53SEC 1 Reference Monitors Enforcement of Access Control.

G53SEC 1 Reference Monitors Enforcement of Access Control.
15-740/18-740 Oct. 17, 2012 Stefan Muller.  Problem: Software is buggy!  More specific problem: Want to make sure software doesn’t have bad property.

15-740/ Oct. 17, 2012 Stefan Muller.  Problem: Software is buggy!  More specific problem: Want to make sure software doesn’t have bad property.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Three fundamental concepts in computer security: Reference Monitors: An access control concept that refers to an abstract machine that mediates all accesses.

Three fundamental concepts in computer security: Reference Monitors: An access control concept that refers to an abstract machine that mediates all accesses.
CHAPTER 2: COMPUTER-SYSTEM STRUCTURES Computer system operation Computer system operation I/O structure I/O structure Storage structure Storage structure.

CHAPTER 2: COMPUTER-SYSTEM STRUCTURES Computer system operation Computer system operation I/O structure I/O structure Storage structure Storage structure.
Buffer Overflow Detection Stuart Pickard CSCI 297 June 14, 2005.

Buffer Overflow Detection Stuart Pickard CSCI 297 June 14, 2005.
Native Client: A Sandbox for Portable, Untrusted x86 Native Code

Native Client: A Sandbox for Portable, Untrusted x86 Native Code
CS533 Concepts of Operating Systems Jonathan Walpole.

CS533 Concepts of Operating Systems Jonathan Walpole.

Similar presentations

Ads by Google