Secure web browsers, malicious hardware, and hardware support for binary translation
Sam King
Browser motivation
• Browsers most commonly used application today
• Browsers are an application platform
– Email, banking, investing, shopping, television, and more!
• Browsers are plagued with vulnerabilities
– Internet Explorer: 57 vulnerabilities
– Mozilla/Firefox: 122 vulnerabilities
– Safari + Opera: 66 vulnerabilities
• Studies from Microsoft, Google, and University of Washington show the web browser is an attacker target
The OP Browser
• Goal: build a secure web browser
• Provide an architecture for secure web browsing
– Maintain security guarantees even when compromised
• Driven by OS and formal methods design principles
OP design
• Decompose into browser subsystems
– Web page instance further divided
• Use message passing
– All messages through browser kernel
• Dedicated subsystems for OS operations
• Host OS sandboxing
Design enables security
• Partitioning and constrained communication enable new security mechanisms
– Clean separation of browser functionality and security
• Policy
– Plugin security policies, XSS
• Formal methods
– SOP + URL address bar invariant
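As an added illustration of the two points on this slide (all messages routed through a browser kernel that labels page instances, and the SOP plus URL address bar invariant), the following Python model is not code from the OP browser; the subsystem names, message layout and the toy policy are assumptions made for the example.

```python
"""Toy model of OP-style browser-kernel message passing.

Every subsystem message goes through the kernel, which labels each web
page instance with the origin of its URL and enforces a same-origin
policy on page-to-page messages. Added illustration, not OP's own code:
subsystem names, message layout and the policy are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

Origin = tuple  # (scheme, host, port)


def origin_of(url: str) -> Origin:
    """Origin label the kernel attaches to a page instance."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return (p.scheme, (p.hostname or "").lower(), port)


@dataclass
class Subsystem:
    name: str
    url: Optional[str] = None          # set for web page instances only
    origin: Optional[Origin] = None    # None: shared service (storage, network, UI)
    inbox: list = field(default_factory=list)


class BrowserKernel:
    """Sole channel between subsystems; they never communicate directly."""

    def __init__(self) -> None:
        self.subsystems: dict[str, Subsystem] = {}
        self.audit: list[tuple] = []
        self.displayed: Optional[str] = None   # page instance currently shown
        self.address_bar: Optional[str] = None

    def register(self, sub: Subsystem) -> None:
        self.subsystems[sub.name] = sub

    def new_page_instance(self, url: str) -> str:
        """Create a fresh, separately labelled instance for a navigation."""
        name = f"page:{url}"
        self.register(Subsystem(name, url=url, origin=origin_of(url)))
        return name

    def send(self, src: str, dst: str, payload: dict) -> bool:
        """Deliver a message if policy allows; record the decision either way."""
        s, d = self.subsystems[src], self.subsystems[dst]
        # Same-origin policy: two page instances may talk only if origins match
        if s.origin is not None and d.origin is not None and s.origin != d.origin:
            self.audit.append(("deny", src, dst, payload.get("type")))
            return False
        # The kernel, not the sender, stamps the origin the receiver sees
        d.inbox.append({"from": src, "origin": s.origin, **payload})
        self.audit.append(("allow", src, dst, payload.get("type")))
        return True

    def display(self, page: str) -> None:
        """Address bar is derived from the kernel's own record of the page."""
        self.displayed = page
        self.address_bar = self.subsystems[page].url

    def address_bar_invariant_holds(self) -> bool:
        """Displayed content's origin equals the origin of the address-bar URL."""
        if self.displayed is None:
            return True
        return self.subsystems[self.displayed].origin == origin_of(self.address_bar)


def demo() -> dict:
    k = BrowserKernel()
    k.register(Subsystem("storage"))                    # shared service, no origin
    bank = k.new_page_instance("https://bank.example/accounts")
    bank2 = k.new_page_instance("https://bank.example/transfer")
    other = k.new_page_instance("https://other.example/")
    k.display(bank)
    return {
        "cross_origin": k.send(other, bank, {"type": "dom-read"}),
        "same_origin": k.send(bank, bank2, {"type": "dom-read"}),
        "to_storage": k.send(other, "storage", {"type": "cookie-get"}),
        "storage_sees": k.subsystems["storage"].inbox[0]["origin"],
        "invariant": k.address_bar_invariant_holds(),
        "denied": [a for a in k.audit if a[0] == "deny"],
    }
```

Because page instances never hold a reference to each other, the policy check sits in one place and the address bar can only ever show a URL the kernel itself recorded for the displayed instance; that is what makes the invariant something you can state and check rather than hope for.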
Research questions
• OP: a more secure browser can be practical
– Hopefully no longer the weakest link in the computing stack
• Can you operate with a malicious OS?
– What portions of the OS does the browser kernel replicate?
– What portions of the OS does the browser kernel rely on?
Replicate portions of the OS
• Extracts parts of the OS needed for web client security
– Custom labeling and access control system
– RPC / message passing layer
– Window manager (limited extent)
Assumptions about OS
• Process-level isolation (easy)
– Memory protection
– Well-known IPC mechanisms
• System-level sandboxing (moderate)
– Isolate processes from system resources
– Restrict system call capabilities
• Resource management (hard)
– Create processes, message forwarding and naming
– Network, disk, screen
• Possible techniques for enforcing assumptions
– Bottom up: SVA, binary translation, hardware isolation primitives
– Top down: simple web client, not a full browser
Untrusted computing base: defending against malicious hardware
Building secure systems
• We make assumptions when designing secure systems
• Break a secure system, break its assumptions
– E.g., look for crypto keys in memory
• People assume hardware is correct
• What if we break this assumption?
Malicious hardware
• Is it possible to modify design of processors?
• Implementing hardware is difficult
• Implementing HW-based attacks is easy!
– Small hardware-level footholds
– Execute high-level, high-value attacks WITHOUT exploiting any software bugs
Defenses
• Based on insights from foothold development
• Analyze circuit at design time
• Highlight potentially malicious circuits
• Closely related to operating systems
– Both have symbolic representation, compiled
– 3rd-party tools and libraries
– Principles learned from exercise could apply to OS
• Fundamentally an issue of untrusted lower layers
Hardware support for dynamic binary translation
H/W for dynamic bin. trans.
• Problem: instrumenting individual instructions is slow
– Especially true for security applications
• Goal: amortize the cost across multiple instructions
– Fast path for common case, efficient check for correctness
• E.g., don't read tainted memory
– Slow path for correct (fully instrumented) case
• Solution: hardware support
– HW signatures (e.g., Bloom filter) to summarize
• E.g., addresses for load / store instructions
– Apply known tricks to security case
• Extra registers, parallel optimization, atomic regions, etc.
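The fast-path / slow-path split on this slide, as an added Python model rather than the talk's own hardware design: a Bloom-filter "signature" summarizes the tainted addresses, a second signature summarizes the load addresses of a translated region, and a single AND of the two decides whether per-instruction taint checks can be skipped. The 64-bit register width, the two bit-slice hash functions, and the sample addresses are assumptions constructed for the example.

```python
"""Toy model of a Bloom-filter 'HW signature' used to skip per-instruction
taint checks for a whole translated region.

Added illustration, not the talk's design. Assumptions: a 64-bit
signature register, two cheap hash functions that are bit fields of the
address, and 8-byte aligned loads (so bits 0-2 carry no information).
"""
from __future__ import annotations

SIG_BITS = 64   # assumed width of the hardware signature register


def sig_positions(addr: int) -> tuple[int, int]:
    """Two 'hash functions' as hardware might compute them: address bits 3-8 and 9-14."""
    return ((addr >> 3) & (SIG_BITS - 1), (addr >> 9) & (SIG_BITS - 1))


def signature_of(addrs) -> int:
    """Bloom-filter summary of a set of addresses packed into one word."""
    word = 0
    for a in addrs:
        for p in sig_positions(a):
            word |= 1 << p
    return word


def run_region(region, taint_set, taint_sig):
    """Run one translated region under a 'do not read tainted memory' policy.

    region: list of (op, addr); addr is None for non-memory ops.
    Returns (path, violations, checks): which path ran, the tainted load
    addresses found, and how many checks were spent on the region.
    """
    loads = [addr for op, addr in region if op == "load"]
    region_sig = signature_of(loads)
    # Fast path: disjoint signatures prove no load address is in the taint set,
    # because every member sets all of its bits in both filters.
    if region_sig & taint_sig == 0:
        return "fast", [], 1
    # Slow path: fully instrumented, one exact check per load. In hardware the
    # region would re-execute under instrumentation inside an atomic region.
    violations = [a for a in loads if a in taint_set]
    return "slow", violations, 1 + len(loads)


def demo() -> dict:
    taint = {0x4000, 0x4008}   # constructed: addresses marked tainted earlier
    taint_sig = signature_of(taint)
    clean = [("load", 0x1010), ("add", None), ("load", 0x2020), ("load", 0x3030)]
    dirty = [("load", 0x1010), ("load", 0x4008), ("store", 0x5000)]
    aliased = [("load", 0x4010)]   # not tainted, but shares signature bit 32 with 0x4000
    return {
        "clean": run_region(clean, taint, taint_sig),
        "dirty": run_region(dirty, taint, taint_sig),
        "aliased": run_region(aliased, taint, taint_sig),
    }
```

The `aliased` region is the filter's false positive: the signature check cannot rule the region out, so it pays the slow path and finds nothing, which is the safe direction. A false negative is impossible by construction, which is what lets the fast path skip instrumentation without weakening the policy.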
Questions?
Performance
• Load latencies do not impact usability
[Figure: load time in seconds]