Efficient Software Based Fault IsolationEfficient Software Based Fault Isolation

Author: Robert Wahobe,Steven Lucco,Thomas E Anderson, Susan L Author: Robert Wahobe,Steven Lucco,Thomas E Anderson, Susan L GrahamGraham

Presenter: Maitree kanungoPresenter: Maitree kanungoDate:02/17/2010Date:02/17/2010

OverviewOverview BackgroundBackground Software Fault IsolationSoftware Fault Isolation

Efficient software encapsulationEfficient software encapsulation Fast communication across fault domainsFast communication across fault domains

Performance Result AnalysisPerformance Result Analysis

Why Software fault isolation:Why Software fault isolation:

Hardware-based Fault Isolation Run modules in separate address spaces

Communicate via Remote Procedure Call Switch to kernel mode Copy arguments Save/Restore registers Switch address spaces Return to user mode

Context switches are expensive

Software Fault IsolationSoftware Fault Isolation

Virtual address segmentsVirtual address segments Each segment share a unique upper bits called Each segment share a unique upper bits called

segment identifiersegment identifier

Distrusted module can jump to or write to the Distrusted module can jump to or write to the same upper bit pattern (segment identifier)same upper bit pattern (segment identifier)

Techniques of Fault IsolationTechniques of Fault Isolation

22 techniques for software based fault-isolation.techniques for software based fault-isolation.

Segment matchingSegment matching SandboxingSandboxing

Techniques of Fault IsolationTechniques of Fault Isolation

This technique involves modifying the software This technique involves modifying the software binary to prevent stores or jumps from leaving a binary to prevent stores or jumps from leaving a certain range of addresses.certain range of addresses.

All addresses used in store or jump locations are All addresses used in store or jump locations are either checked or modified to enforce this.either checked or modified to enforce this.

Straight modification without checking (i.e., by bit Straight modification without checking (i.e., by bit substitution) is "sandboxing", substitution) is "sandboxing",

checking and error reporting is "segment matching"checking and error reporting is "segment matching"

Fault DomainFault Domain

990---

991---

992---

…

991---

992---

…

993---

…

Segment (code) Segment (data)

Fault Domain

Each segment has Each segment has unique pattern of unique pattern of upper bits called“ upper bits called“

segment identifier”segment identifier”

What is Segment MatchingWhat is Segment Matching

Static verification: Target address is known at compiling timeStatic verification: Target address is known at compiling time

Unsafe instruction: Jumps & stores instruction which cannot Unsafe instruction: Jumps & stores instruction which cannot be statically verified to be correct segment until at runtime. It be statically verified to be correct segment until at runtime. It could corrupt permanent data. could corrupt permanent data.

Segment matchingSegment matching Insert checking code before every unsafe instruction. The Insert checking code before every unsafe instruction. The

checking code determines whether the unsafe checking code determines whether the unsafe instruction’s target address has the correct segment instruction’s target address has the correct segment identifier.identifier.

Example of segment matchingExample of segment matching Say an unsafe instruction is located in segment 101, but wants to write to

segment 100. Initially, target address=10001111; segment-reg=101; shift-reg=5 (or 101);

dedicated-reg = 10001111dedicated-reg = 10001111

dedicated-reg>>shift-reg = 100,dedicated-reg>>shift-reg = 100,so scratch-reg = 100 so scratch-reg = 100

segment-reg=101; scratch-reg=100; not segment-reg=101; scratch-reg=100; not equal! A trap is generated to trigger a equal! A trap is generated to trigger a system error routine outside the system error routine outside the distrusted module’s fault domain.distrusted module’s fault domain.

If they match, then we know the target If they match, then we know the target address is indeed inside the same address is indeed inside the same segment, so we can run:segment, so we can run:

store value, dedicated-regstore value, dedicated-reg

Segment MatchingSegment Matching

Requires 4 dedicated registers to hold:Requires 4 dedicated registers to hold: address in data segmentaddress in data segment address in code segmentaddress in code segment segment shift amount segment shift amount segment identifiersegment identifier

Address SandboxingAddress Sandboxing

Segment matching can pinpoint the offending instruction.Segment matching can pinpoint the offending instruction.

Sandboxing reduces runtime overhead further, at the cost of Sandboxing reduces runtime overhead further, at the cost of providing no info about the source of faults. providing no info about the source of faults.

Before each unsafe instruction we simply insert code that Before each unsafe instruction we simply insert code that sets the upper bits of the target address to the correct sets the upper bits of the target address to the correct segment ID.segment ID.

Pseudo code for Address SandboxingPseudo code for Address SandboxingAgain say an unsafe instruction is located in segment 101, but wants to write to segment 100. Initially, target-reg=10001111; segment-reg=101; and-mask-reg=00011111;

target-reg&and-mask-reg = 00001111target-reg&and-mask-reg = 00001111so dedicated-reg=00001111so dedicated-reg=00001111

segment-reg | dedicated-reg = 10101111.segment-reg | dedicated-reg = 10101111.so dedicated-reg = 10101111.so dedicated-reg = 10101111.

store value, dedicated-regstore value, dedicated-regNow instead of writing to the intended unsafe location 10001111, sandboxing changed the target address to Now instead of writing to the intended unsafe location 10001111, sandboxing changed the target address to

10101111, which is in the same fault domain of the writing instruction. In this case may be this fault domain 10101111, which is in the same fault domain of the writing instruction. In this case may be this fault domain will be corrupt, but it does not affect other fault domains.will be corrupt, but it does not affect other fault domains.

..

Guard Zone OptimizationGuard Zone Optimization

RISC architectures include a RISC architectures include a register-plus-offset instruction register-plus-offset instruction mode. mode.

Take instruction “store value, Take instruction “store value, offset(reg)”. offset(reg)”.

To avoid calculating reg+offset, To avoid calculating reg+offset,

we directly sandbox the reg, at the we directly sandbox the reg, at the expense of creating guard zones at expense of creating guard zones at the top and bottom of each the top and bottom of each segment.segment.

Avoid sandboxing the use of stack Avoid sandboxing the use of stack pointer by sandboxing the pointer by sandboxing the dedicated register which dedicated register which significantly improves performance.significantly improves performance.

Cross Fault Domain CommunicationCross Fault Domain Communication Control escapes a distrusted fault Control escapes a distrusted fault

domain only via a domain only via a jump tablejump table (to stub (to stub instruction). instruction).

A call-stub and a return-stub are A call-stub and a return-stub are created for each pair of fault domains.created for each pair of fault domains.

The stub is also responsible for The stub is also responsible for managing machine states and managing machine states and registers. registers.

Fatal errors are handled by UNIX signal Fatal errors are handled by UNIX signal facility. Trusted modules may use a facility. Trusted modules may use a timer facility to interrupt execution or timer facility to interrupt execution or determinate a call.determinate a call.

Jump TableJump Table

Allows a fault domain to safely call Allows a fault domain to safely call the a trusted stub routine outside the a trusted stub routine outside its domain; that stub then safely its domain; that stub then safely calls into the destination domaincalls into the destination domain..

Each jump table entry is a control Each jump table entry is a control transfer instruction whose target transfer instruction whose target address is a legal entry point address is a legal entry point outside the domain. outside the domain.

Because the table is kept in the Because the table is kept in the (read-only) code segment in the (read-only) code segment in the fault domain, it can only be fault domain, it can only be modified by a trusted module.modified by a trusted module.

Performance resultPerformance result

Performance resultPerformance result

Performance resultPerformance result

Performance resultPerformance result

ConclusionConclusion Despite of the 4% overhead in sandboxing technique in executing Despite of the 4% overhead in sandboxing technique in executing

distrusted code, this method yields best application performance.distrusted code, this method yields best application performance.

whole approach does not enforce the privacy aspect of security, since whole approach does not enforce the privacy aspect of security, since addresses used in load instructions are not checked or sandboxed, addresses used in load instructions are not checked or sandboxed, because to do so would be prohibitively expensive.because to do so would be prohibitively expensive.

ReferencesReferences

Tom Burkleaux ‘ s Slides for Fault domain and cross fault domain communication Tom Burkleaux ‘ s Slides for Fault domain and cross fault domain communication (figs) on Efficient software based isolation(figs) on Efficient software based isolationCarl Yao’s slides for Examples of segment matching and address sandboxing Slides Carl Yao’s slides for Examples of segment matching and address sandboxing Slides on efficient software based isolation-Sandboxingon efficient software based isolation-SandboxingSFI-Risc .pdfSFI-Risc .pdf