Lightweight Capability Domains - TU Dortmund · 2015-10-28 · Decades of work to make kernels more...
Slide 1
Lightweight Capability Domains: Towards Decomposing the Linux Kernel
Charles Jacobsen, Sarah Spall, Scott Bauer, Muktesh Khole, Anton Burtsev
Slide 2
Decades of work to make kernels more secure
Decompose and isolate subsystems
Formal verification/static analysis
Stack guards
Address space layout randomization
NX, SMEP protection
Control flow integrity
Software fault isolation
Safe languages
Slide 3
[Figure: Linux Kernel Vulnerabilities by Year, 2009–2014 (y-axis 0–300)]
Slide 4
Example
Remote exploit in Linux network firewall: arbitrary code execution
Linux kernel v3.0 (June 2011) – v3.13.6 (March 2014)
CVE-2014-2523

    static bool dccp_new(...)
    {
        struct dccp_header _dh, *dh;
    -   skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);   /* stack smash */
    +   skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);  /* correct */
    };
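As an added illustration of the defect class on this slide (this is not code from the slides or from the Linux kernel), the following C program models the header-copy idiom with a hypothetical helper, header_pointer(), that differs from the kernel's skb_header_pointer() in one way: it is also told the destination buffer's capacity. The header layout and the packet bytes are constructed for the example. With the capacity check, the mistaken call that passes the address of the pointer variable fails closed instead of writing a 12-byte header into a pointer-sized stack slot.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified transport header standing in for struct dccp_header. */
struct hdr {
    uint16_t sport;
    uint16_t dport;
    uint8_t  doff;
    uint8_t  type;
    uint8_t  pad[6];
};                                          /* 12 bytes */

/* Hypothetical stand-in for skb_header_pointer(): copies `len` bytes at offset
 * `off` of the packet into `buf`. Unlike the kernel helper it is also given the
 * destination capacity, so a buffer too small for the header is rejected
 * rather than overflowed. */
static const void *header_pointer(const uint8_t *pkt, size_t pkt_len,
                                  size_t off, size_t len,
                                  void *buf, size_t buf_len)
{
    if (len > buf_len)                          /* destination smaller than header */
        return NULL;
    if (off > pkt_len || len > pkt_len - off)   /* header runs past the packet   */
        return NULL;
    memcpy(buf, pkt + off, len);
    return buf;
}

static int dport_of(const struct hdr *h)
{
    const uint8_t *b = (const uint8_t *)&h->dport;
    return (b[0] << 8) | b[1];                  /* network byte order, portable */
}

/* Correct shape: the header buffer itself is the destination. */
int parse_dport_correct(const uint8_t *pkt, size_t pkt_len, size_t off)
{
    struct hdr _dh;
    const struct hdr *dh = header_pointer(pkt, pkt_len, off, sizeof(_dh),
                                          &_dh, sizeof(_dh));
    return dh ? dport_of(dh) : -1;
}

/* The CVE-2014-2523 shape: the address of the pointer variable is passed as
 * the destination, so a sizeof(_dh) copy would land in a pointer-sized slot.
 * With the capacity check the call fails closed instead. */
int parse_dport_mistaken(const uint8_t *pkt, size_t pkt_len, size_t off)
{
    struct hdr _dh, *dh = NULL;
    const void *p = header_pointer(pkt, pkt_len, off, sizeof(_dh),
                                   &dh, sizeof(dh));
    (void)_dh;
    return p ? dport_of((const struct hdr *)p) : -1;
}

/* Constructed sample: 20 zero bytes of outer header, then our header at offset 20
 * with sport 0x1234 and dport 80 in network byte order. */
const uint8_t sample_pkt[32] = { [20] = 0x12, 0x34, 0x00, 0x50, 0x03, 0x00 };
const size_t  sample_pkt_len = sizeof sample_pkt;

int main(void)
{
    printf("correct:   %d\n", parse_dport_correct(sample_pkt, sample_pkt_len, 20));
    printf("mistaken:  %d\n", parse_dport_mistaken(sample_pkt, sample_pkt_len, 20));
    printf("truncated: %d\n", parse_dport_correct(sample_pkt, 28, 20));
    return 0;
}
```

The point of the explicit capacity argument is that the size mismatch between `sizeof(_dh)` and the destination becomes a checkable condition at the call site, rather than a silent stack write; the same shape also catches a packet shorter than the header it claims to carry.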
Slide 5
Why haven’t things changed?
1. Attackers circumvent runtime security mechanisms: stack guards, ASLR, NX, SMEP
2. Kernels are big, complex, evolving organisms: formal verification, safe languages, decompose and isolate
3. Other techniques introduce too much overhead: decompose and isolate, SFI, strong CFI
Slide 6
Linus: “Any time you try to make things be about just security, you’re missing some other part of the equation.”
Boy Genius Report, September 2015
Slide 7
Reconsidering decomposition
Modular kernel opens up new design possibilities
Strong isolation more realistic on current hardware
More rigorous formal verification and testing become possible
Slide 8
End goals
1. Performance and capabilities that beat the current kernel
2. Strong isolation of code and resources
3. Explicit resource access control
Slide 9
History
Sawmill
  Abandoned, details not fully published
Nooks
  Handwritten wrappers and object tracker code
  IPC overhead significant for some benchmarks
User-level device drivers
  Automation, code reuse
virtuOS
  Coarse “vertical” slicing of system stacks
These focus on security and reliability.
Slide 10
Lessons learned
1. It’s got to be incremental
2. We must start with unmodified code
3. Decomposition must be automated
4. The resulting system must be fast
Slide 11
Outline
Lightweight Capability Domains
Breaking the code apart
Automating Decomposition
Making it fast
Slide 12
Lightweight Capability Domains
Slide 13
Isolate unmodified code
Slide 14
Benefits
Trusted, non-isolated code runs as before
No de-privileging of isolated code; it still runs at supervisor level
Isolated address spaces, memory, and devices
Slide 15
Breaking the code apart
Slide 16
Function calls become IPC
Small library kernel for common functions like memcpy and malloc
Slide 17
Shared data
Use private copies, like Nooks
Synchronized during cross-domain invocations
Slide 18
Decentralize object tracking
Domains are “microkernels” for their resources
Cross-domain references are capabilities
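The slide's two points, domains acting as microkernels for their own resources and cross-domain references being capabilities, can be made concrete with a small per-domain capability-space model. This is an added example, not LCD's cspace implementation; the slot layout, rights bits and object kinds are assumptions chosen for illustration. A cptr is only meaningful in the table of the domain that holds it, rights can be narrowed on grant but never widened, and revocation by the owning domain invalidates every copy.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model: a cross-domain reference is an index (cptr) into the
 * holder's own capability table, never a raw pointer into another domain. */
#define CSPACE_SLOTS 8
#define RIGHT_READ   1u
#define RIGHT_WRITE  2u

enum obj_kind { OBJ_NONE = 0, OBJ_SUPER_BLOCK, OBJ_BLOCK_DEVICE };

struct object   { enum obj_kind kind; int payload; };
struct cap_slot { struct object *obj; unsigned rights; };
struct domain   { const char *name; struct cap_slot cspace[CSPACE_SLOTS]; };

typedef int cptr_t;                       /* valid slot index, or -1 */

static int slot_ok(const struct domain *d, cptr_t c)
{
    return c >= 0 && c < CSPACE_SLOTS && d->cspace[c].obj != NULL;
}

/* Mint: the domain that owns an object places it in its own cspace. */
cptr_t cap_mint(struct domain *d, struct object *o, unsigned rights)
{
    for (int i = 0; i < CSPACE_SLOTS; i++) {
        if (d->cspace[i].obj == NULL) {
            d->cspace[i].obj = o;
            d->cspace[i].rights = rights;
            return i;
        }
    }
    return -1;                            /* cspace full */
}

/* Grant: copy a capability into another domain's cspace; rights may only shrink. */
cptr_t cap_grant(const struct domain *from, cptr_t c,
                 struct domain *to, unsigned rights)
{
    if (!slot_ok(from, c)) return -1;
    if (rights & ~from->cspace[c].rights) return -1;   /* no amplification */
    return cap_mint(to, from->cspace[c].obj, rights);
}

/* Lookup: resolve a cptr against the holder's own table, checking type and rights. */
struct object *cap_lookup(const struct domain *d, cptr_t c,
                          enum obj_kind kind, unsigned need)
{
    if (!slot_ok(d, c)) return NULL;
    const struct cap_slot *s = &d->cspace[c];
    if (s->obj->kind != kind) return NULL;
    if ((s->rights & need) != need) return NULL;
    return s->obj;
}

/* Revoke: drop every capability to `o` held by the listed domains. */
int cap_revoke(struct object *o, struct domain **doms, int ndoms)
{
    int removed = 0;
    for (int i = 0; i < ndoms; i++)
        for (int j = 0; j < CSPACE_SLOTS; j++)
            if (doms[i]->cspace[j].obj == o) {
                doms[i]->cspace[j].obj = NULL;
                doms[i]->cspace[j].rights = 0;
                removed++;
            }
    return removed;
}

int main(void)
{
    struct object sb = { OBJ_SUPER_BLOCK, 42 };
    struct domain fs = { .name = "fs" }, user = { .name = "user" };
    cptr_t fs_c = cap_mint(&fs, &sb, RIGHT_READ | RIGHT_WRITE);
    cptr_t u_c  = cap_grant(&fs, fs_c, &user, RIGHT_READ);
    printf("user read:  %s\n", cap_lookup(&user, u_c, OBJ_SUPER_BLOCK, RIGHT_READ)  ? "ok" : "denied");
    printf("user write: %s\n", cap_lookup(&user, u_c, OBJ_SUPER_BLOCK, RIGHT_WRITE) ? "ok" : "denied");
    struct domain *all[] = { &fs, &user };
    printf("revoked %d slots\n", cap_revoke(&sb, all, 2));
    return 0;
}
```

The lookup is where the "microkernel for its resources" idea lives: the fs domain hands out a reference to its super block, but what the user domain holds is an index that the user domain's own glue resolves, so a stale, forged or wrong-type cptr is refused at the boundary rather than dereferenced.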
Slide 19
Projections
Some domains only use a subset of fields
Use the same struct for backward compatibility, but glue code only synchronizes the fields in the projection
Revisit this in IDL
Slide 20
Automating Decomposition
Slide 21
Scalar functions

    interface {
        rpc int scalar_func(int a, int b);
    }

Nothing new here
Slide 22
Example
User module invokes functions in the filesystem module to mount a filesystem
Slide 23
The original interface

    struct super_block {
        char *name;
        type1 field1;
        type2 field2;
        type3 field3;
        struct block_device *bdev;
    };

    struct block_device {
        type1 field1;
        type2 field2;
    };

    // Mount a filesystem
    int mount(struct super_block *sb);

    // Look up a mount instance
    struct super_block *lookup(char *name);
Slide 24
Complexities
Shared objects
Stateful interaction: the user expects a pointer to the same struct it invoked mount with when it later invokes lookup
Object hierarchy
Slide 25
Projections, revisited

IDL:

    projection super_block <struct super_block> {
        [in] char *name;
        [in,out] type1 field1;
        [in] type2 field2;
        projection block_device <struct block_device> *bdev;
    };

    projection block_device <struct block_device> {
        [in] type1 field1;
        [out] type2 field2;
    };

Original:

    struct super_block {
        char *name;
        type1 field1;
        type2 field2;
        type3 field3;
        struct block_device *bdev;
    };

    struct block_device {
        type1 field1;
        type2 field2;
    };
Slide 26
Declare mount

    interface {
        rpc int mount(projection super_block<struct super_block> *sb);
    }

Uses the super block projection
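To show what the glue generated from these projections actually does for the mount and lookup interface of slides 22 to 26 (and the private copies of slide 17), here is an added C model; it is not output of LCD's IDL compiler. The placeholder types type1..type3 are taken as int, the fs domain's mount and lookup bodies are constructed, and the callee-side private copy is allocated by the glue itself (the slides' alloc annotation is not modelled). Only the fields in the projection cross the boundary, in the declared direction, and a remote-reference table lets lookup hand back the same caller pointer that was passed to mount.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* The slide's structs with the placeholder types made concrete (assumption). */
struct block_device { int field1; int field2; };
struct super_block  { char *name; int field1; int field2; int field3;
                      struct block_device *bdev; };

static char *dup_str(const char *s)
{
    char *d = malloc(strlen(s) + 1);
    if (d) strcpy(d, s);
    return d;
}

/* ---- glue: one callee-side private copy per caller-side struct (constructed table) ---- */
#define MAX_SB 4
static struct { struct super_block *caller, *callee; } sb_map[MAX_SB];
static int sb_count;

static struct super_block *callee_copy_for(struct super_block *caller)
{
    for (int i = 0; i < sb_count; i++)
        if (sb_map[i].caller == caller) return sb_map[i].callee;
    if (sb_count == MAX_SB) return NULL;
    struct super_block *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    c->bdev = calloc(1, sizeof *c->bdev);
    if (!c->bdev) { free(c); return NULL; }
    sb_map[sb_count].caller = caller;
    sb_map[sb_count].callee = c;
    sb_count++;
    return c;
}

static struct super_block *caller_ref_for(const struct super_block *callee)
{
    for (int i = 0; i < sb_count; i++)
        if (sb_map[i].callee == callee) return sb_map[i].caller;
    return NULL;
}

/* Direction-aware synchronisation: only projected fields move, and only their way. */
static void sync_in(const struct super_block *src, struct super_block *dst)
{
    free(dst->name);
    dst->name = dup_str(src->name);            /* [in]     char *name    */
    dst->field1 = src->field1;                 /* [in,out] type1 field1  */
    dst->field2 = src->field2;                 /* [in]     type2 field2  */
    dst->bdev->field1 = src->bdev->field1;     /* [in]     bdev->field1  */
    /* field3 and bdev->field2 are not [in]: never copied in this direction */
}

static void sync_out(const struct super_block *src, struct super_block *dst)
{
    dst->field1 = src->field1;                 /* [in,out] type1 field1  */
    dst->bdev->field2 = src->bdev->field2;     /* [out]    bdev->field2  */
}

/* ---- filesystem domain: unmodified-looking code with constructed bodies ---- */
static struct super_block *fs_mounted[MAX_SB];
static int fs_mounted_count;

static int fs_mount(struct super_block *sb)
{
    sb->field1 += 100;                         /* reaches the caller ([in,out]) */
    sb->field3 = 999;                          /* private to fs (not projected) */
    sb->bdev->field2 = sb->bdev->field1 * 2;   /* reaches the caller ([out])    */
    if (fs_mounted_count == MAX_SB) return -1;
    fs_mounted[fs_mounted_count++] = sb;
    return 0;
}

static struct super_block *fs_lookup(const char *name)
{
    for (int i = 0; i < fs_mounted_count; i++)
        if (strcmp(fs_mounted[i]->name, name) == 0) return fs_mounted[i];
    return NULL;
}

/* ---- caller-side stubs an IDL compiler would generate for mount and lookup ---- */
int mount_rpc(struct super_block *sb)
{
    struct super_block *copy = callee_copy_for(sb);
    if (!copy) return -1;
    sync_in(sb, copy);
    int ret = fs_mount(copy);                  /* in LCD this is an IPC into the fs domain */
    sync_out(copy, sb);
    return ret;
}

struct super_block *lookup_rpc(const char *name)
{
    struct super_block *copy = fs_lookup(name);
    struct super_block *orig = copy ? caller_ref_for(copy) : NULL;
    if (orig) sync_out(copy, orig);
    return orig;                               /* the very pointer the caller gave to mount */
}
```

After mount_rpc, the caller observes the [in,out] and [out] fields updated and field3 untouched; lookup_rpc consults the fs domain's own list, then maps the callee copy back to the caller's original pointer, which is the stateful expectation from slide 24.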
Slide 27
Private copy lifetimes

IDL:

    projection super_block <struct super_block> {
        ...
        [alloc(caller)] projection block_device <struct block_device> *bdev;
    };

    rpc int mount([alloc(caller)] projection super_block<struct super_block> *sb);
Slide 28
Future IDL work
Data structure analysis for assisting with IDL writing
Security policies?
Locks
  Some locking internal to subsystems
  Other locking is cross-domain
Object-oriented interfaces nearly complete
Slide 29
Making it fast
Slide 30
Assign subsystems to cores
Uninterrupted access to the CPU
Improve memory locality
Passive code becomes active code
Slide 31
Fast, cross-core async IPC
Bare-metal pipelines
Minimizes synchronization of threads across domains
Decentralizes communication
Slide 32
Making async feasible
Unmodified code is not designed for asynchronous function invocations
Want to minimize the number of threads (stacks, etc.) that service a domain
Use the AC language from Barrelfish
Cooperative, event-driven execution
No stack ripping
Slide 33
AC Example

Code:

    do {
        async write();
        async read();
    } finish();

Runtime: (diagram)
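An added, constructed model of the do/finish pattern above, written in C with ucontext coroutines to show why this style needs no stack ripping; it is not Barrelfish's AC runtime or compiler output and assumes a glibc-style ucontext implementation. Each async call runs on its own stack, a call that would block on IPC yields to the runtime, and finish() resumes the pending calls until all have returned, so a local variable in op_write survives across the blocking point without being hoisted into a continuation struct.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ucontext.h>

/* Constructed runtime for  do { async f(); async g(); } finish();  */
#define MAX_ASYNC 8
#define STACK_SZ  (64 * 1024)

typedef void (*async_fn)(void);

struct task { ucontext_t ctx; char *stack; async_fn fn; int done; };

static ucontext_t runtime_ctx;          /* the thread that entered finish() */
static struct task tasks[MAX_ASYNC];
static int ntasks;
static struct task *current;

/* Observation point for the example: order in which the bodies progressed. */
static char trace[64];
static void record(const char *s) { strcat(trace, s); }

/* Called by an async body where it would wait for an IPC reply. */
static void block_on_ipc(void)
{
    swapcontext(&current->ctx, &runtime_ctx);
}

static void trampoline(int i)
{
    tasks[i].fn();
    tasks[i].done = 1;                  /* returning resumes runtime_ctx via uc_link */
}

/* async f(): give f its own stack; it first runs when finish() schedules it. */
static int async_call(async_fn fn)
{
    if (ntasks == MAX_ASYNC) return -1;
    struct task *t = &tasks[ntasks];
    t->fn = fn;
    t->done = 0;
    t->stack = malloc(STACK_SZ);
    if (!t->stack) return -1;
    getcontext(&t->ctx);
    t->ctx.uc_stack.ss_sp = t->stack;
    t->ctx.uc_stack.ss_size = STACK_SZ;
    t->ctx.uc_link = &runtime_ctx;
    makecontext(&t->ctx, (void (*)(void))trampoline, 1, ntasks);
    return ntasks++;
}

/* finish(): cooperatively run every pending async call until all have returned. */
static void finish(void)
{
    int pending;
    do {
        pending = 0;
        for (int i = 0; i < ntasks; i++) {
            if (tasks[i].done) continue;
            pending = 1;
            current = &tasks[i];
            swapcontext(&runtime_ctx, &tasks[i].ctx);
        }
    } while (pending);
    for (int i = 0; i < ntasks; i++) free(tasks[i].stack);
    ntasks = 0;
}

/* The slide's two calls, each blocking once mid-way (constructed bodies).
 * `seq` lives on op_write's own stack and is intact after the block point. */
static void op_write(void)
{
    int seq = 1;
    record("W1");
    block_on_ipc();
    seq++;
    record(seq == 2 ? "W2" : "W?");
}

static void op_read(void)
{
    record("R1");
    block_on_ipc();
    record("R2");
}

/* do { async write(); async read(); } finish();  returns the observed order. */
const char *run_example(void)
{
    trace[0] = '\0';
    async_call(op_write);
    async_call(op_read);
    finish();
    return trace;
}

int main(void)
{
    printf("%s\n", run_example());     /* W1R1W2R2 */
    return 0;
}
```

The interleaving W1, R1, W2, R2 is the point: while write waits for its reply, read makes progress on the same thread, and neither body had to be split into callbacks, which is what lets unmodified kernel code sit behind an asynchronous cross-domain call.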
Slide 34
Conclusions
It’s time to try again!
Current trends in hardware
Abstract and automate decomposition
Design may not be feasible for embedded systems, but may facilitate re-writing the kernel in a safe language
Result: secure, scalable, modular kernel