Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
Policies and Mechanisms for
Operating System Security
Vinod Ganapathy
Associate Professor of Computer Science
Rutgers, The State University of New Jersey
Layered computer system design
Modern computer systems are built using
layers of abstraction
2
Memory I/O devicesCPU
Hardware
Vinod Ganapathy - Policies and Mechanisms for OS Security
Layered computer system design
Modern computer systems are built using
layers of abstraction
3
Memory I/O devicesCPU
Hardware
Operating
System
SyscallsProcess
List
Kernel
Code
IDT
…
Vinod Ganapathy - Policies and Mechanisms for OS Security
Layered computer system design
Modern computer systems are built using
layers of abstraction
4
Memory I/O devicesCPU
Hardware
Operating
System
SyscallsProcess
List
Kernel
Code
IDT
…
Utilities &
Librariesls, ps, &
bash utilitieslibc gcc …
Vinod Ganapathy - Policies and Mechanisms for OS Security
Layered computer system design
Modern computer systems are built using
layers of abstraction
5
User
app
Memory I/O devicesCPU
Hardware
Operating
System
SyscallsProcess
List
Kernel
Code
IDT
…
User
app
Utilities &
Librariesls, ps, &
bash utilitieslibc gcc …
…
Vinod Ganapathy - Policies and Mechanisms for OS Security
Fundamental principle in security
6
User
app
Memory I/O devicesCPU
Hardware
Operating
System
SyscallsProcess
List
Kernel
Code
IDT
…
User
app
Utilities &
Librariesls, ps, &
bash utilitieslibc gcc …
…
The lower you go, the more control you have
Least control
Most control
Vinod Ganapathy - Policies and Mechanisms for OS Security
7
User
app
Hardware
Operating
System
Utilities &
Libraries
Example: Malware detection
Vinod Ganapathy - Policies and Mechanisms for OS Security
8
User
app
Hardware
Operating
System
Malware
detector
Utilities &
Libraries
Example: Malware detection
Vinod Ganapathy - Policies and Mechanisms for OS Security
9
User
app
Hardware
Operating
System
Malware
detector
Utilities &
Libraries
Example: Malware detection
cat ps ls …TCB
Trusted
Layer
Vinod Ganapathy - Policies and Mechanisms for OS Security
10
User
app
Hardware
Operating
System
Malware
detector
Utilities &
Libraries
But utilities may be compromised!
cat ps ls
Vinod Ganapathy - Policies and Mechanisms for OS Security
11
User
app
Hardware
Operating
System
Malware
detector
Utilities &
Libraries
But utilities may be compromised!
cat ps ls
1
1 Show me
file contents
Vinod Ganapathy - Policies and Mechanisms for OS Security
12
User
app
Hardware
Operating
System
Malware
detector
Utilities &
Libraries
But utilities may be compromised!
cat ps ls
2
1 Show me
file contents
2 Fake, benign
content
Vinod Ganapathy - Policies and Mechanisms for OS Security
13
User
app
Hardware
Operating
System
Malware
detector
Utilities &
Libraries
Solution: Query the OS
System call API
1
1
Query with syscall
TCB
Vinod Ganapathy - Policies and Mechanisms for OS Security
14
User
app
Hardware
Operating
System
Malware
detector
Utilities &
Libraries
Solution: Query the OS
System call API
1
2
Query with syscall
OS reads file
2
TCB
Vinod Ganapathy - Policies and Mechanisms for OS Security
15
User
app
Hardware
Operating
System
Malware
detector
Utilities &
Libraries
Solution: Query the OS
System call API
1
2
3
Query with syscall
OS reads file
Returns true
file content
3
TCB
Vinod Ganapathy - Policies and Mechanisms for OS Security
16
User
app
Hardware
Operating
System
Malware
detector
Utilities &
Libraries
OS detects malicious utilities too
System call API
A
B
cat
cat file
Read file
A Bdiff vs ?
A
B
TCB
Vinod Ganapathy - Policies and Mechanisms for OS Security
17
User
app
Hardware
Operating
System
Malware
detector
Utilities &
Libraries
What if the OS is malicious?
System call API
Vinod Ganapathy - Policies and Mechanisms for OS Security
18
Hardware
Operating
System
Malware
detector
Utilities &
Libraries
Rootkit = Malware that infects OS
System call API
Rootkits hide malware from detectors Long-term stealth
…
Vinod Ganapathy - Policies and Mechanisms for OS Security
How does an OS get infected?
• Exploits of kernel vulnerabilities:
– Injecting malicious code by exploiting a memory
error in the kernel
• Privilege escalation attacks:
– Exploit a root process and use resulting
administrative privileges to update the kernel
• Social engineering attacks:
– Trick user into installing fake kernel updates
• Defeated via signature verification of kernel updates
• Trivial to perform prior to the Windows Vista OS
Vinod Ganapathy - Policies and Mechanisms for OS Security 19
How prevalent are rootkits?
• 2010 Microsoft report: 7% of all infections
from client machines due to rootkits[1]
• 2016 HummingBad Android rootkit:[2]
– Up to 85 million Android devices infected?
– Earns malware authors $300,000 each week
through fraudulent mobile advertisements
• Used in many high-profile incidents:
– Torpig and Storm botnets
– Sony BMG (2005), Greek wiretapping (2004/5)
20
[1] Microsoft Malware Protection Center, “Some Observations on Rootkits,” January 2010,
https://blogs.technet.microsoft.com/mmpc/2010/01/07/some-observations-on-rootkits
[2] CheckPoint Software, “From HummingBad to Worse,” July 2016,
http://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report_FINAL-62916.pdf
21
User
app
Hardware
Operating
System
Malware
detector
Utilities &
Libraries
How can we detect rootkits?
System call API
Hypervisor (a.k.a. Virtual Machine Monitor)
Ask for help from the layers below
TCB
Vinod Ganapathy - Policies and Mechanisms for OS Security
22
User
app
Hardware
Operating
System
Malware
detector
Utilities &
Libraries
How low can we go?
Hypervisor [Bluepill, Subvert]
TCB
Vinod Ganapathy - Policies and Mechanisms for OS Security
23
User
app
Operating
System
Malware
detector
Utilities &
Libraries
How low can we go?
Hardware[Stuxnet, Trojaned ICs]???
TCBVinod Ganapathy - Policies and Mechanisms for OS Security
Today’s talk
• Detecting OS-level rootkit
infections (with some help
from the hardware)
• In two parts:
1. Policies: How do we know
that the OS is infected?
2. Mechanisms: How can the
hardware help us?
24
User
apps
Utilities &
Libraries
Operating
System
HardwareTCB
Vinod Ganapathy - Policies and Mechanisms for OS Security
My contributions to OS security
Vinod Ganapathy - Policies and Mechanisms for OS Security 25
2008 ---- Detecting rootkits using data structure invariants [ACSAC’08]
2008 ---- Re-architecting device drivers for better isolation [ASPLOS’08]
2009 ---- Securing OSes from malicious device drivers [ACSAC’09]
2010 ---- Exploring rootkits on smartphones [HotMobile’10]
2011 ---- Security/energy tradeoffs in rootkit detection [ACM MobiSys’11]
2012 ---- Rootkit detection on cloud platforms [ACM CCS’12]
2013 ---- Adapting multicore hardware for rootkit detection [TIFS’13]
2016 ---- Rootkit detection with ARM TrustZone [ACM MobiSys’16]
2016 ---- Rootkit detection using 3D-stacked hardware [Submitted]
Covered in today’s talk
Vinod Ganapathy - Policies and Mechanisms for OS Security 26
2008 ---- Detecting rootkits using data structure invariants [ACSAC’08]
2008 ---- Re-architecting device drivers for better isolation [ASPLOS’08]
2009 ---- Securing OSes from malicious device drivers [ACSAC’09]
2010 ---- Exploring rootkits on smartphones [HotMobile’10]
2011 ---- Security/energy tradeoffs in rootkit detection [ACM MobiSys’11]
2012 ---- Rootkit detection on cloud platforms [ACM CCS’12]
2013 ---- Adapting multicore hardware for rootkit detection [TIFS’13]
2016 ---- Rootkit detection with ARM TrustZone [ACM MobiSys’16]
2016 ---- Rootkit detection using 3D-stacked hardware [Submitted]
Modus operandi
Vinod Ganapathy - Policies and Mechanisms for OS Security 27
Analysis of memory snapshots obtained from target machine
User app
Physical Memory
Hardware
Operating
System
SyscallProcess
List
Kernel
Code
User app
Utilities &
Libraries
…
Target machinePotentially rootkit infected
TCB
Modus operandi
Vinod Ganapathy - Policies and Mechanisms for OS Security 28
Analysis of memory snapshots obtained from target machine
User app
Physical Memory
Hardware
Operating
System
SyscallProcess
List
Kernel
Code
User app
Utilities &
Libraries
…
Target machinePotentially rootkit infected
Analysis machineTrusted
TCB
Modus operandi
Vinod Ganapathy - Policies and Mechanisms for OS Security 29
Analysis of memory snapshots obtained from target machine
User app
Physical Memory
Hardware
Operating
System
SyscallProcess
List
Kernel
Code
User app
Utilities &
Libraries
…
Target machinePotentially rootkit infected
Analysis machineTrusted
TCB
Snapshot of
memory pages
…
Research questions
• RQ1: What algorithm should we use for memory snapshot analysis?
– Concerns our security policy
– Answer: Formulate rootkit detection problem as one of detecting invariant violations
• RQ2: How can we fetch memory pages without involving the target’s OS?
– Concerns our mechanism
– Answer: Leverage hardware advances
Vinod Ganapathy - Policies and Mechanisms for OS Security 30
Research questions
• RQ1: What algorithm should we use for memory snapshot analysis?
– Concerns our security policy
– Answer: Formulate rootkit detection problem as one of detecting invariant violations
• RQ2: How can we fetch memory pages without involving the target’s OS?
– Concerns our mechanism
– Answer: Leverage hardware advances
Vinod Ganapathy - Policies and Mechanisms for OS Security 31
Example 1: Linux Adore rootkit
int main()
{
open(…)
...
return(0)
}
sys_open(...)
{
...
}
sys_open
System call table
32
OS kernelUser app
Vinod Ganapathy - Policies and Mechanisms for OS Security
Example 1: Linux Adore rootkit
int main()
{
open(…)
...
return(0)
}
sys_open(...)
{
...
}
evil_open(...)
{
malicious();
sys_open(...)
}
evil_open
System call table
33
OS kernelUser app
Vinod Ganapathy - Policies and Mechanisms for OS Security
Example 1: Linux Adore rootkit
int main()
{
open(…)
...
return(0)
}
sys_open(...)
{
...
}
evil_open(...)
{
malicious();
sys_open(...)
}
evil_open
System call table
34
OS kernelUser app
Vinod Ganapathy - Policies and Mechanisms for OS Security
Violated: Function pointer values in
system call table should not change
Example 2: Windows Fu rootkit
run_list
next_task
run_list
next_task
run_list
next_task
all-tasks: Used for process accounting
run-list: Used by the scheduler to select processes for execution
Process A Process B Process C
35Vinod Ganapathy - Policies and Mechanisms for OS Security
Example 2: Windows Fu rootkit
run_list
next_task
run_list
next_task
run_list
next_task
run_list
next_task
all-tasks: Used for process accounting
run-list: Used by the scheduler to select processes for execution
Hidden processProcess A Process B Process C
36Vinod Ganapathy - Policies and Mechanisms for OS Security
Example 2: Windows Fu rootkit
run_list
next_task
run_list
next_task
run_list
next_task
run_list
next_task
all-tasks: Used for process accounting
run-list: Used by the scheduler to select processes for execution
Hidden processProcess A Process B Process C
37Vinod Ganapathy - Policies and Mechanisms for OS Security
Violated: run-list ⊆ all-tasks
38
Urandom
Entropy Pool
(128 bytes)
Secondary
Entropy Pool
(128 bytes)Primary
Entropy Pool
(512 bytes)
/dev/random
/dev/urandom
External Entropy
Sources
Vinod Ganapathy - Policies and Mechanisms for OS Security
Example 3: Kernel PRNG corruptor
39
Urandom
Entropy Pool
(128 bytes)
Secondary
Entropy Pool
(128 bytes)Primary
Entropy Pool
(512 bytes)
/dev/random
/dev/urandom
External Entropy
Sources
Vinod Ganapathy - Policies and Mechanisms for OS Security
Example 3: Kernel PRNG corruptor
Attack: Modify coefficients of polynomials used to stir the entropy pools. Weaken quality of random numbers
40
Urandom
Entropy Pool
(128 bytes)
Secondary
Entropy Pool
(128 bytes)Primary
Entropy Pool
(512 bytes)
/dev/random
/dev/urandom
External Entropy
Sources
Vinod Ganapathy - Policies and Mechanisms for OS Security
Example 3: Kernel PRNG corruptorViolated:
• poolinfo.tap1 ∈ {26, 103}
• poolinfo.tap2 ∈ {20, 76}
• poolinfo.tap3 ∈ {14, 51}
• poolinfo.tap4 ∈ {7, 25}
• poolinfo.tap5 == 1
Key technical challenges
• Vast attack surface:
– The kernel has thousands of data structures
• Specifying correctness properties:
– Infeasible to supply properties manually
Vinod Ganapathy - Policies and Mechanisms for OS Security 41
Key technical challenges
• Vast attack surface:
– The kernel has thousands of data structures
– Solution: Use memory snapshots to analyze all
kernel data structures
• Specifying correctness properties:
– Infeasible to supply properties manually
– Solution: Infer invariants by adapting methods
from dynamic program analysis
Vinod Ganapathy - Policies and Mechanisms for OS Security 42
Offline training phase
Vinod Ganapathy - Policies and Mechanisms for OS Security 43
User app
Physical Memory
Hardware
Operating
System
SyscallProcess
List
Kernel
Code
User app
Utilities &
Libraries
…
Clean reference machine Not rootkit infected
Analysis machine
TCB
Snapshot of
memory pages
…
Offline training phase
Vinod Ganapathy - Policies and Mechanisms for OS Security 44
User app
Physical Memory
Hardware
Operating
System
SyscallProcess
List
Kernel
Code
User app
Utilities &
Libraries
…
Clean reference machine Not rootkit infected
Analysis machine
TCB
Snapshot of
memory pages
…
Inference
Invariant DB
Online enforcement phase
Vinod Ganapathy - Policies and Mechanisms for OS Security 45
User app
Physical Memory
Hardware
Operating
System
SyscallProcess
List
Kernel
Code
User app
Utilities &
Libraries
…
Target machine Potentially rootkit infected
Analysis machine
TCB
Snapshot of
memory pages
…
Inference
Invariant DB
Compare
Prior work on inferring invariants
• Daikon: Dynamic program analysis tool to
infer data invariants [Ernst et al., 2000]
T1, T2, … , Tn = Traces from execution of a target
program, recording variable values
Values/properties invariant in in T1, T2, … , Tn
(e.g., foo == 5, foo ≤ bar + baz)
Vinod Ganapathy - Policies and Mechanisms for OS Security 46
Adapting to memory snapshots
S1, S2, … Sn = Snapshots from reference machine
for (i ∈ [1 .. n]) {
Di = Reconstruct kernel data structures in Si
}
D1, D2, … , Dn
Vinod Ganapathy - Policies and Mechanisms for OS Security 47
Data Structure Invariants
• sys_open == 0x3ee210fb
• run-list ⊆ all-tasks
• poolinfo.tap1 ∈ {26, 103}
• poolinfo.tap2 ∈ {20, 76}
• …
Reconstructing data structures
Vinod Ganapathy - Policies and Mechanisms for OS Security 48
(3) Snapshot of
memory pages
…
(2) Entry-points into the kernel(1) Kernel data structure
type definitionsffffe400 init_task
ffffe410 phys_base
ffffe420 loops_per_jiffy
...
struct task_struct {...}
struct list_head {...}
struct siginfo {...}
...
Reconstructing data structures
Vinod Ganapathy - Policies and Mechanisms for OS Security 49
(3) Snapshot of
memory pages
…
(2) Entry-points into the kernel(1) Kernel data structure
type definitionsffffe400 init_task
ffffe410 phys_base
ffffe420 loops_per_jiffy
...
struct task_struct {...}
struct list_head {...}
struct siginfo {...}
...
struct task_struct {
int state;
int counter;
struct task_struct *next;
...
}
00000001
0034ea23
ac3456bc
...
Data at 0xffffe400Definition of task_struct
init_task.state = 1init_task.counter = 0x34ea23
init_task.next = 0xac3456bc
Reconstructing data structures
Vinod Ganapathy - Policies and Mechanisms for OS Security 50
(3) Snapshot of
memory pages
…
(2) Entry-points into the kernel(1) Kernel data structure
type definitionsffffe400 init_task
ffffe410 phys_base
ffffe420 loops_per_jiffy
...
struct task_struct {...}
struct list_head {...}
struct siginfo {...}
...
struct task_struct {
int state;
int counter;
struct task_struct *next;
...
}
Data at 0xac3456bcDefinition of task_struct
init_task.next.state = 0init_task.next.counter = 0x56ae71
init_task.next.next = 0xbf6723ae
00000000
0056ae71
bf6723ae
...
Experimental evaluation
① How effective is our approach at detecting
rootkits? i.e., what is the false negative rate?
②What is the quality of automatically-
generated invariants? i.e., what is the false
positive rate?
Target machine ran Linux 2.4.20. Used same
machine as reference machine as well.
Vinod Ganapathy - Policies and Mechanisms for OS Security 51
Training phase
• Ran LMBench on reference machine:
– Collected 15 complete memory snapshots
(including reboots): took 25 minutes
– Inferred invariants using Daikon in 31 minutes
• Inferred 236,444 invariants across the
memory snapshots
Vinod Ganapathy - Policies and Mechanisms for OS Security 52
False negative evaluation
• Conducted experiments with 23 Linux
rootkits:
– 14 rootkits from PacketStorm
– 9 advanced rootkits, discussed in the literature
• Installed rootkits one at a time on the target
machine and tested effectiveness of our
approach at detecting the infection
Vinod Ganapathy - Policies and Mechanisms for OS Security 53
54November 30, 2009
Rootkit name Data structures affected Detected?
1. Adore-0.42 System call table (from PacketStorm)
2. All-root System call table (from PacketStorm)
3. Kbd System call table (from PacketStorm)
4. Kis-0.9 System call table (from PacketStorm)
5. Linspy2 System call table (from PacketStorm)
6. Modhide System call table (from PacketStorm)
7. Phide System call table (from PacketStorm)
8. Rial System call table (from PacketStorm)
9. Rkit-1.01 System call table (from PacketStorm)
10. Shtroj2 System call table (from PacketStorm)
11. Synapsys-0.4 System call table (from PacketStorm)
12. THC Backdoor System call table (from PacketStorm)
13. Adore-ng VFS hooks/UDP recvmsg (from PacketStorm)
14. Knark-2.4.3 System call table, proc hooks (from PacketStorm)
15. Disable Firewall Netfilter hooks (Baliga et al., 2007)
16. Disable PRNG VFS hooks (Baliga et al., 2007)
17. Altering RTC VFS hooks (Baliga et al., 2007)
18. Defeat signature scans VFS hooks (Baliga et al., 2007)
19. Entropy pool struct poolinfo (Baliga et al., 2007)
20. Hidden process Process lists (Petroni et al., 2006)
21. Linux Binfmt Shellcode.com
22. Resource waste struct zone_struct (Baliga et al., 2007)
23. Intrinsic DOS int max_threads (Baliga et al., 2007)
False positive evaluation
• Ran a benign workload for 42 minutes
– Copying Linux kernel source code
– Editing a text document
– Compiling the Linux kernel
– Downloading eight videos from Internet
– Perform file system operations using the IOZone
benchmark
• Only 82 out of 236,444 invariants spuriously
violated during execution
– Can be improved with more training
Vinod Ganapathy - Policies and Mechanisms for OS Security 55
Current status of this approach
• Adopted widely in community for memory
snapshot-based rootkit detection
• Has led to numerous follow-on projects by
other research groups (200+ citations)
– More accurate data structure reconstruction
– Better ways to express invariants
– Improving accuracy of inferred invariants
Vinod Ganapathy - Policies and Mechanisms for OS Security 56
Research questions
• RQ1: What algorithm should we use for memory snapshot analysis?
– Concerns our security policy
– Answer: Formulate rootkit detection problem as one of detecting invariant violations
• RQ2: How can we fetch memory pages without involving the target’s OS?
– Concerns our mechanism
– Answer: Leverage hardware advances
Vinod Ganapathy - Policies and Mechanisms for OS Security 57
Tamper
resistance
Performance
isolation
Snapshot
consistency
Vinod Ganapathy - Policies and Mechanisms for OS Security 58
Snapshot acquisition mechanism
1 2 3
Tamper
resistance
Performance
isolation
Snapshot
consistency
Vinod Ganapathy - Policies and Mechanisms for OS Security 59
Tamper resistance
Target should not interfere with snapshot acquisition
Tamper
resistance
Performance
isolation
Snapshot
consistency
Virtualization
Vinod Ganapathy - Policies and Mechanisms for OS Security 60
Tamper resistance
Target should not interfere with snapshot acquisition
Physical Memory
Virtual Hardware
Operating
System
Hypervisor
• Hypervisor can fetch memory
from virtual machine without
OS involvement
Tamper
resistance
Performance
isolation
Snapshot
consistency
Virtualization
Co-processor
Vinod Ganapathy - Policies and Mechanisms for OS Security 61
Tamper resistance
Target should not interfere with snapshot acquisition
Physical Memory
Hardware
Operating
System• Co-processor uses DMA
• OS on target involved in
DMA setup
• Malicious OS can hide
portions of memory with
malicious content
Tamper
resistance
Performance
isolation
Snapshot
consistency
Virtualization
Co-processor
Vinod Ganapathy - Policies and Mechanisms for OS Security 62
Performance isolation
Do not halt the target during snapshot acquisition
• Necessary for situations where continuous
snapshot acquisition is necessary
• Hypervisor-based acquisition requires pausing
the virtual machine
• Co-processor can operate in concert with target
Tamper
resistance
Performance
isolation
Snapshot
consistency
Virtualization
Co-processor
Vinod Ganapathy - Policies and Mechanisms for OS Security 63
Snapshot consistency
Snapshot should faithfully represent target’s state at a given instant in time
Physical Memory
Hardware
Operating
System F1 F2…T
F1 F2…T + δ
NULL
CONSISTENT
CONSISTENT
Tamper
resistance
Performance
isolation
Snapshot
consistency
Virtualization
Co-processor
Vinod Ganapathy - Policies and Mechanisms for OS Security 64
Snapshot consistency
Snapshot should faithfully represent target’s state at a given instant in time
Physical Memory
Hardware
Operating
System F1 F2…
T T + δ
Co-processor cannot pause target.
Snapshot may contain pages
obtained at different instants in time
INCONSISTENT
Tamper
resistance
Performance
isolation
Snapshot
consistency
Virtualization
Co-processor
3D-stacking
Vinod Ganapathy - Policies and Mechanisms for OS Security 65
Our contribution
• Based on 3D-stacked technology:
– New hardware manufacturing technology that
“stacks” memory/processing logic atop the chip
– Early versions of 3D-stacked hardware already
on market, e.g., AMD Radeon series
3D-stacked chip
Vinod Ganapathy - Policies and Mechanisms for OS Security 66
Picture courtesy of AMD
CPU and
Memory controller
On-chip memory
(high-speed)
3D-stacked chip
Vinod Ganapathy - Policies and Mechanisms for OS Security 67
Picture courtesy of AMD
CPU and
Memory controller
On-chip memory
(high-speed)
Memory bus
Traditional (off-chip)
DRAM memory
Our use of 3D-stacking
• On-chip DRAM treated as a page-granularity
cache of off-chip DRAM memory
– Every address accessed by the CPU will result in
the page frame being fetched to on-chip DRAM
Vinod Ganapathy - Policies and Mechanisms for OS Security 68
Cache of off-chip
DRAM memoryOff-chip DRAM
On-chip DRAM
Memory controller
Crypto logic
CPU
Memory bus
Triggering snapshot acquisition
Vinod Ganapathy - Policies and Mechanisms for OS Security 69
On-chip DRAM
Memory controller
Crypto logic
CPU
Trigger = Device that communicates to the
CPU to enter snapshot acquisition mode: Physical device attached to South/NorthBridge
that sends a non-maskable interrupt
NIC with Wake-on-LAN-like feature
Off-chip DRAM
Memory bus
Snapshot acquisition mode
Vinod Ganapathy - Policies and Mechanisms for OS Security 70
Memory controller
Crypto logic
CPU
• Memory controller splits on-chip DRAM into
two parts: Cache of off-chip DRAM memory
Copy-on-Write (CoW) area
CacheCoW
1
Off-chip DRAM
Memory bus
Snapshot acquisition mode
Vinod Ganapathy - Policies and Mechanisms for OS Security 71
Memory controller
Crypto logic
CPU
• Hardware brings one page frame of off-chip
DRAM at a time to on-chip DRAM cache
CacheCoWFiFi
2
Off-chip DRAM
Memory bus
Snapshot acquisition mode
Vinod Ganapathy - Policies and Mechanisms for OS Security 72
Memory controller
Crypto logic
CPU
• Crypto logic digitally signs contents of page: Random nonce used to prevent replay attacks
Same nonce used for all pages in snapshot
CacheCoW
+ Page#
+ Rand#Fi
3
Off-chip DRAM
Memory bus
Snapshot acquisition mode
Vinod Ganapathy - Policies and Mechanisms for OS Security 73
Memory controller
Crypto logic
CPU
• Hardware instructs OS to write signed page
to external medium: Even if OS is infected, it cannot cheat, since
integrity of page is protected by the hardware
CacheCoW
Disk
4
+ Page#
+ Rand#Fi
Off-chip DRAM
Memory bus
• CPU continues to execute concurrently: If it writes to page Fj that has not yet been
copied Memory controller makes a copy of the
original page in the Copy-on-Write area
When hardware ready to snapshot Fj, copy
created from Copy-on-Write area
Snapshot acquisition mode
Vinod Ganapathy - Policies and Mechanisms for OS Security 74
Memory controller
Crypto logic
CPU
Memory bus
CacheCoW
5
Fj
Off-chip DRAM
Fj
At conclusion of acquisition
• Consistent snapshot of off-chip memory at
instant when acquisition was initiated
• Snapshot is tamper-resistant even to a
corrupted OS
• Obtained without pausing target machine
Vinod Ganapathy - Policies and Mechanisms for OS Security 75
+ 0
+ RF0
+ 1
+ RF1
+ N
+ RFN
…
Security analysis
Malicious OS cannot:
Corrupt pages in snapshot: Integrity
Hide pages from snapshot: Completeness
Replay old snapshot: Freshness
“Clean” itself during snapshot acquisition
because Copy-on-Write stores original page:
External control
Vinod Ganapathy - Policies and Mechanisms for OS Security 76
+ 0
+ RF0
+ 1
+ RF1
+ N
+ RFN
…
Evaluation
• Atop 3D-stacked hardware emulator
• Evaluated:
– Impact of 3D-stacked memory available
– Effectiveness of performance-isolation claim
• Used canneal, memcached, graph500, mcf
– Time to procure full snapshot of memory:
• ~10-100 seconds, depending on external medium
– Complexity of hardware modifications:
• Evaluated using CACTI and Aladdin
• Negligible area/energy overheads
Vinod Ganapathy - Policies and Mechanisms for OS Security 77
Evidence of performance isolation
Vinod Ganapathy - Policies and Mechanisms for OS Security 78
Applications make progress as long as space available
in on-chip CoW area. Space in CoW area dependent on
speed of external medium that stores snapshot
Other research projects…
• Improving cloud platform security [ACSAC’08, RAID’10, CCS’12a, SOCC’14]
• Security for mobile devices (and other IoT devices)[MobiSys’11, TIFS’13, MobiSys’16]
• Hardware support for software and system security [CCS’08, ECOOP’12a, TIFS’13, MobiSys’16, RU-DCS-TR724]
• Web application and Web browser security [ACSAC’08, ACSAC’09, ECOOP’12a, ECOOP’12b, ECOOP’14, FSE’14]
• Tools for cross-platform mobile app development [ICSE’13, ASE’15]
• Retrofitting legacy software for security [CCS’05, Oakland’06, ASPLOS’06, ICSE’07, CCS’08, CCS’12b]
• Proofs of security for retrofitting transformations[Work in progress]
79
Generic theme: Computer Systems Security
Vinod Ganapathy - Policies and Mechanisms for OS Security
A big thank you to my students
80
Graduated PhDs
• Dr. Mohan Dhawan (IBM Research India)
• Dr. Saman Zarandioon (Amazon.com)
• Dr. Shakeel Butt (NVidia now at Google)
• Dr. Liu Yang (HP Labs now at Baidu)
• Dr. Rezwana Karim (Samsung Research America)
• Dr. Amruta Gokhale (Teradata)
Former Postdocs
• Dr. Arati Baliga (AT&T Security Labs)
Graduated MS students
• Jeffrey Bickford (AT&T Research)
• Yogesh Padmanaban (Microsoft)
Current PhD students
• Jay P. Lim, Hai Nguyen, Daeyoung Kim.
Vinod Ganapathy - Policies and Mechanisms for OS Security
URL: http://www.cs.rutgers.edu/~vinodg
Email: [email protected]