![Page 1: Zeldovich et al. (both papers) Reading Group by Theo](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f155503460f94c2a0a4/html5/thumbnails/1.jpg)
Zeldovich et al. (both papers)Reading Group by Theo
![Page 2: Zeldovich et al. (both papers) Reading Group by Theo](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f155503460f94c2a0a4/html5/thumbnails/2.jpg)
Part 1/2Slides based on Zeldovich’s talk
2
![Page 3: Zeldovich et al. (both papers) Reading Group by Theo](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f155503460f94c2a0a4/html5/thumbnails/3.jpg)
Untrustworthy code everywhere◦Legitimate programs are vulnerable Even antivirus scanners…
◦Users authorize malicious software
Not getting any better◦Software becomes more complex
Can the O/S guarantee security?◦Probably not…
3
![Page 4: Zeldovich et al. (both papers) Reading Group by Theo](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f155503460f94c2a0a4/html5/thumbnails/4.jpg)
Virus Scanner
Virus Scanner
Live Update
Live Update
Internet
Internet
Private User Files
Private User Files
/tmp/tmp Virus Database
Virus Database
Acceptable flow
Private files should not leak to the internet!Private files should not leak to the internet!4
![Page 5: Zeldovich et al. (both papers) Reading Group by Theo](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f155503460f94c2a0a4/html5/thumbnails/5.jpg)
Virus Scanner
Virus Scanner
Live Update
Live Update
Internet
Internet
Private User Files
Private User Files
/tmp/tmp Virus Database
Virus Database
O/S
5
![Page 6: Zeldovich et al. (both papers) Reading Group by Theo](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f155503460f94c2a0a4/html5/thumbnails/6.jpg)
Virus Scanner
Virus Scanner
Live Update
Live Update
Internet
Internet
Private User Files
Private User Files
/tmp/tmp Virus Database
Virus Database
O/S
6
![Page 7: Zeldovich et al. (both papers) Reading Group by Theo](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f155503460f94c2a0a4/html5/thumbnails/7.jpg)
Virus Scanner
Virus Scanner
Live Update
Live Update
Internet
Internet
Private User Files
Private User Files
/tmp/tmp Virus Database
Virus DatabaseOr: Create file
SecretBitIs1.txtOr: Create file
SecretBitIs1.txt
2 malicious apps cooperating hard to detect!2 malicious apps cooperating hard to detect!
Covert Channel: Lock virus DB
Covert Channel: Lock virus DB
7
![Page 8: Zeldovich et al. (both papers) Reading Group by Theo](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f155503460f94c2a0a4/html5/thumbnails/8.jpg)
Existing O/S are too complex◦Too many protection
mechanisms File descriptors, user ids
Doesn’t help with security
Unix
P3P3P2P2P1P1
Unix Kernel(TCB)
Unix Kernel(TCB)
H/WH/W
Complex Objects
8
![Page 9: Zeldovich et al. (both papers) Reading Group by Theo](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f155503460f94c2a0a4/html5/thumbnails/9.jpg)
Unix HiStar
Unix Lib
P3P3P2P2P1P1
Unix Kernel(TCB)
Unix Kernel(TCB)
H/WH/W
P2P2P1P1
U1U1
P3P3
U3U3U2U2
HiStar Kernel(TCB)
HiStar Kernel(TCB)H/WH/W
Simple Objects9
![Page 10: Zeldovich et al. (both papers) Reading Group by Theo](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f155503460f94c2a0a4/html5/thumbnails/10.jpg)
Most Unix implemented as user-level libraries◦Narrow, easily controlled interface
All kernel objects have the same, flat namespace◦Files, users, processes, address spaces are kernel
objects
All information flow is made explicit
10
![Page 11: Zeldovich et al. (both papers) Reading Group by Theo](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f155503460f94c2a0a4/html5/thumbnails/11.jpg)
High DataHigh Data
High Process
High Process
Low DataLow Data
Low Process
Low Process
e.g.: credit card processing
Web ServerGlobally visible, read-only confi-
guration file
e.g.: Untrusted user process
‘High’ information should never modify ‘low’! Information only flows upwards
‘High’ information should never modify ‘low’! Information only flows upwards11
![Page 12: Zeldovich et al. (both papers) Reading Group by Theo](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f155503460f94c2a0a4/html5/thumbnails/12.jpg)
Each kernel object has a label◦Files, users, programs, etc
Each label is a set of categories For each category, each object has a level E.g. ‘unmodifiable’, ‘secret’ file of user X
12
![Page 13: Zeldovich et al. (both papers) Reading Group by Theo](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f155503460f94c2a0a4/html5/thumbnails/13.jpg)
Level Meaning0 Unmodifiable (read-only)1 Default Level2 Cannot be exported from PC3 Inaccessible (no read)⋆ Super access (can R/W
anything, change tags)
Fully trusted
Top Secret
Process can read less secret data (lower level), can write less trusted data (higher level)
Process can read less secret data (lower level), can write less trusted data (higher level)
Objects can have multiple labels (top secret & unmodifiable)
13
![Page 14: Zeldovich et al. (both papers) Reading Group by Theo](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f155503460f94c2a0a4/html5/thumbnails/14.jpg)
Bob’sFilesBob’sFiles
Bob’s ProcessBob’s
ProcessBob’s ShellBob’s Shell
Internet
Internet
Alice’sFiles
Alice’sFiles
Alice’s ProcessAlice’s
ProcessAlice’s Shell
Alice’s Shell
Color Mismatch
14
![Page 15: Zeldovich et al. (both papers) Reading Group by Theo](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f155503460f94c2a0a4/html5/thumbnails/15.jpg)
Bob’sSecret Files
Bob’sSecret Files
Bob’s FilesBob’s Files
Bob’s ShellBob’s Shell
Alice’sFiles
Alice’sFiles
Alice’s Shell
Alice’s Shell
Root shellRoot shell
15
![Page 16: Zeldovich et al. (both papers) Reading Group by Theo](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f155503460f94c2a0a4/html5/thumbnails/16.jpg)
S/W only implementation 11,600 TCB kernel code◦Hmmm. Can we do better? (LoStar)◦1,300 extra bootstrapping code
HiStar ensures that you have enough rights to execute, read, write data
Malicious web app can leak data only of the users that called it.
Does not protect against DoS
16
![Page 17: Zeldovich et al. (both papers) Reading Group by Theo](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f155503460f94c2a0a4/html5/thumbnails/17.jpg)
17
![Page 18: Zeldovich et al. (both papers) Reading Group by Theo](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f155503460f94c2a0a4/html5/thumbnails/18.jpg)
Part 2/2
18
![Page 19: Zeldovich et al. (both papers) Reading Group by Theo](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f155503460f94c2a0a4/html5/thumbnails/19.jpg)
HiStar has few kernel objects◦Process, files, address space, etc
Each object has a label◦‘Colored’ objects ◦Access allowed only when I have enough
credentials for that label
Let’s color the physical RAM!◦Using Raksha-like H/W
19
![Page 20: Zeldovich et al. (both papers) Reading Group by Theo](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f155503460f94c2a0a4/html5/thumbnails/20.jpg)
Unix HiStar
P2P2P1P1
U1U1
P3P3
U3U3U2U2
HiStar Kernel(TCB)
HiStar Kernel(TCB)
DRAMDRAM
Unix Lib
P3P3P2P2P1P1
Unix Kernel(TCB)
Unix Kernel(TCB)
DRAMDRAM
LoStar
P1P1
U1U1
P2P2
KernelKernel
P3P3
U3U3U2U2
KernelKernel
KernelKernel
(TCB)Security Monitor
(TCB)Security Monitor
DD RR AA MM
Super-Visor
Moni-torPhysical RAM
Authorized Colors
Protection Domain
20
![Page 21: Zeldovich et al. (both papers) Reading Group by Theo](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f155503460f94c2a0a4/html5/thumbnails/21.jpg)
Each 32-bit word has a 32-bit color Every memory reference (I and D) will retrieve
the associated color The security monitor checks the HiStar label
for that color and the current thread’s rights Check will be cached for future reuse
21
![Page 22: Zeldovich et al. (both papers) Reading Group by Theo](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f155503460f94c2a0a4/html5/thumbnails/22.jpg)
TagsTags TagsTags
L1-IL1-IPCPC De-
codeDe-
codeReg. FileReg. File
Permission Checks
Permission Checks
EXCEXC WBWBALU
Preexisting
Loki Logic
Loki Tags
L1-DL1-D
Execute P-CacheExecute P-Cache R/W
P-CacheR/W
P-Cache
Memory ControllerMemory
Controller
MemoryMemory TagsTags
Tag HandlingTag Handling
22
![Page 23: Zeldovich et al. (both papers) Reading Group by Theo](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f155503460f94c2a0a4/html5/thumbnails/23.jpg)
Color: 32-bit physical address of HiStar’s label◦1 color per page Indirect entry for multi-colored pages (color/word)
Colors stored in RAM◦Physical address space reserved Virtual memory manager not in the TCB
Colors associated with physical addresses◦No aliasing problem
23
![Page 24: Zeldovich et al. (both papers) Reading Group by Theo](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f155503460f94c2a0a4/html5/thumbnails/24.jpg)
A cache of recently checked labels◦32-bit color tag and 3 bit permissions (RWX)
32-entry 2-way set associative Can be thought as TLB◦Permission Lookaside Buffer◦Normal TLB tricks apply Eg P-Cache-I and P-Cache-D
Saved on context switch
24
![Page 25: Zeldovich et al. (both papers) Reading Group by Theo](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f155503460f94c2a0a4/html5/thumbnails/25.jpg)
Security exception calls LoStar’s monitor◦Not the kernel (HiStar) of the active thread
Security monitor in TCB◦No checks performed◦No physical – virtual translation◦‘Trusted’ mode above the H/W supervisor move
25
![Page 26: Zeldovich et al. (both papers) Reading Group by Theo](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f155503460f94c2a0a4/html5/thumbnails/26.jpg)
HiStar calls LoStar for new labels◦LoStar will write-protect the new label
LoStar protects critical global HiStar structures◦E.g., kernel object hash table◦HiStar kernels do not have to trust each other So virtual memory manager not in the TCB
LoStar does not guarantee liveness
26
![Page 27: Zeldovich et al. (both papers) Reading Group by Theo](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f155503460f94c2a0a4/html5/thumbnails/27.jpg)
Pipeline Depth 7 L1-I 16 KB, 2-way SARegister Windows 8 L1-D 32 KB, 2-way SA
Memory 512 MB I-TLB 8-entry, fully assoc.Bus width 64 bits D-TLB 8-entry, fully assoc.
Frequency 65 MHz I-Tag Cache 8-entry, fully assoc.*D-Tag Cache 8-entry, fully assoc.*
P-Cache 32-entry 2-way SA*Store page granularity tags.Multicolored pages store tags in ‘modified’(?) caches
27
![Page 28: Zeldovich et al. (both papers) Reading Group by Theo](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f155503460f94c2a0a4/html5/thumbnails/28.jpg)
Hardware Overhead
Trusted Code Base
Component Block RAMs 4-input LUTsBase Leon 43 14,502Loki Logic 2 2,756
% increase 5 19
Lines of code HiStar LoStarKernel code 11,600 12,700
Bootstrapping code 1,300 1,300Security monitor - 5,200
TCB size 11,600 5,20028
![Page 29: Zeldovich et al. (both papers) Reading Group by Theo](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f155503460f94c2a0a4/html5/thumbnails/29.jpg)
29
![Page 30: Zeldovich et al. (both papers) Reading Group by Theo](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f155503460f94c2a0a4/html5/thumbnails/30.jpg)
30
![Page 31: Zeldovich et al. (both papers) Reading Group by Theo](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f155503460f94c2a0a4/html5/thumbnails/31.jpg)
HiStarLoStar
LoStar without page tags1.4
1.6
1.0
1.2
0.6
0.8
0.2
0.4
0.0
Aver
age
Slow
dow
n
primes syscall IPC fork/exec small-file large-file wget gzip
Benchmarks
31
![Page 32: Zeldovich et al. (both papers) Reading Group by Theo](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f155503460f94c2a0a4/html5/thumbnails/32.jpg)
HiStar is an O/S with strict information flow◦Most O/S implemented as user library◦~11,000 TCB◦Achieves good performance
LoStar is a hardware-assisted HiStar◦~5,000 TCB◦Similar performance to HiStar
Unclear whether the benefit of reduced TCB outweighs the cost of extra H/W
32
![Page 33: Zeldovich et al. (both papers) Reading Group by Theo](https://reader035.vdocument.in/reader035/viewer/2022062314/56649f155503460f94c2a0a4/html5/thumbnails/33.jpg)
Questions?
33