Efficient Software Based Fault IsolationEfficient Software Based Fault Isolation

Author: Robert Wahobe,Steven Lucco,Thomas E Anderson, Susan L Author: Robert Wahobe,Steven Lucco,Thomas E Anderson, Susan L

GrahamGrahamGrahamGraham

Presenter: Maitree kanungoPresenter: Maitree kanungoDate:02/17/2010Date:02/17/2010

OverviewOverview

�� BackgroundBackground

�� Software Fault IsolationSoftware Fault Isolation

�� Efficient software encapsulationEfficient software encapsulation

�� Fast communication across fault domainsFast communication across fault domains

�� Performance Result AnalysisPerformance Result Analysis�� Performance Result AnalysisPerformance Result Analysis

Why Software fault isolation:Why Software fault isolation:

� Hardware-based Fault Isolation

� Run modules in separate address spaces� Communicate via Remote Procedure Call

� Switch to kernel mode

� Copy arguments

� Save/Restore registers

� Switch address spaces

� Return to user mode

� Context switches are expensive

Software Fault IsolationSoftware Fault Isolation

Virtual address segmentsVirtual address segments

�� Each segment share a unique upper bits called Each segment share a unique upper bits called

segment identifiersegment identifier

�� Distrusted module can jump to or write to the Distrusted module can jump to or write to the

same upper bit pattern (segment identifier)same upper bit pattern (segment identifier)

Techniques of Fault IsolationTechniques of Fault Isolation

22 techniques for software based faulttechniques for software based fault--isolation.isolation.

�� Segment matchingSegment matching

�� SandboxingSandboxing�� SandboxingSandboxing

Techniques of Fault IsolationTechniques of Fault Isolation

�� This technique involves modifying the software This technique involves modifying the software binary to prevent stores or jumps from leaving a binary to prevent stores or jumps from leaving a certain range of addresses.certain range of addresses.

�� All addresses used in store or jump locations are All addresses used in store or jump locations are �� All addresses used in store or jump locations are All addresses used in store or jump locations are either checked or modified to enforce this.either checked or modified to enforce this.

�� Straight modification without checking (i.e., by bit Straight modification without checking (i.e., by bit substitution) is "sandboxing", substitution) is "sandboxing",

�� checking and error reporting is "segment matching"checking and error reporting is "segment matching"

Fault DomainFault Domain

990---

991---

992---

…

991---

992---

…

993---

…

Segment (code) Segment (data)

Fault Domain

Each segment has Each segment has

unique pattern of unique pattern of

upper bits called“ upper bits called“

segment identifier”segment identifier”

What is Segment MatchingWhat is Segment Matching

�� Static verification: Target address is known at compiling timeStatic verification: Target address is known at compiling time

�� Unsafe instruction: Jumps & stores instruction which cannot Unsafe instruction: Jumps & stores instruction which cannot be statically verified to be correct segment until at runtime. It be statically verified to be correct segment until at runtime. It could corrupt permanent data. could corrupt permanent data.

�� Segment matchingSegment matching

�� Insert checking code before every unsafe instruction. The Insert checking code before every unsafe instruction. The checking code determines whether the unsafe checking code determines whether the unsafe instruction’s target address has the correct segment instruction’s target address has the correct segment identifier.identifier.

Example of segment matchingExample of segment matching

� Say an unsafe instruction is located in segment 101, but wants to write to segment 100. Initially, target address=10001111;

� segment-reg=101; shift-reg=5 (or 101);

dedicateddedicated--reg = 10001111reg = 10001111

dedicateddedicated--reg>>shiftreg>>shift--reg = 100,reg = 100,

so scratchso scratch--reg = 100 reg = 100

segmentsegment--reg=101; scratchreg=101; scratch--reg=100; not reg=100; not

equal! A trap is generated to trigger equal! A trap is generated to trigger

a system error routine outside the a system error routine outside the

distrusted module’s fault domain.distrusted module’s fault domain.

If they match, then we know the target If they match, then we know the target

address is indeed inside the same address is indeed inside the same

segment, so we can run:segment, so we can run:

store value, dedicatedstore value, dedicated--regreg

Segment MatchingSegment Matching

�� Requires 4 dedicated registers to hold:Requires 4 dedicated registers to hold:

�� address in data segmentaddress in data segment

�� address in code segmentaddress in code segment

�� segment shift amount segment shift amount �� segment shift amount segment shift amount

�� segment identifiersegment identifier

Address SandboxingAddress Sandboxing

�� Segment matching can pinpoint the offending instruction.Segment matching can pinpoint the offending instruction.

�� Sandboxing reduces runtime overhead further, at the cost of Sandboxing reduces runtime overhead further, at the cost of

providing no info about the source of faults. providing no info about the source of faults.

�� Before each unsafe instruction we simply insert code that Before each unsafe instruction we simply insert code that

sets the upper bits of the target address to the correct sets the upper bits of the target address to the correct

segment ID.segment ID.

Pseudo code for Address SandboxingPseudo code for Address SandboxingAgain say an unsafe instruction is

located in segment 101, but wants

to write to segment 100. Initially,

target-reg=10001111;

segment-reg=101; and-mask-

reg=00011111;

targettarget--reg&andreg&and--maskmask--reg = 00001111reg = 00001111

so dedicatedso dedicated--reg=00001111reg=00001111

segmentsegment--reg | dedicatedreg | dedicated--reg = 10101111.reg = 10101111.

so dedicatedso dedicated--reg = 10101111.reg = 10101111.

store value, dedicatedstore value, dedicated--regreg

Now instead of writing to the intended unsafe location 10001111, sandboxing changed the Now instead of writing to the intended unsafe location 10001111, sandboxing changed the target address to 10101111, which is in the same fault domain of the writing instruction. In target address to 10101111, which is in the same fault domain of the writing instruction. In this case may be this fault domain will be corrupt, but it does not affect other fault this case may be this fault domain will be corrupt, but it does not affect other fault domains.domains.

..

Guard Zone OptimizationGuard Zone Optimization

�� RISC architectures include a RISC architectures include a registerregister--plusplus--offset instruction offset instruction mode. mode.

�� Take instruction “store value, Take instruction “store value, offset(reg)”. offset(reg)”.

�� To avoid calculating reg+offset, To avoid calculating reg+offset, �� To avoid calculating reg+offset, To avoid calculating reg+offset,

�� we directly sandbox the reg, at we directly sandbox the reg, at the expense of creating guard the expense of creating guard zones at the top and bottom of zones at the top and bottom of each segment.each segment.

�� Avoid sandboxing the use of Avoid sandboxing the use of stack pointer by sandboxing the stack pointer by sandboxing the dedicated register which dedicated register which significantly improves significantly improves performance.performance.

Cross Fault Domain CommunicationCross Fault Domain Communication

�� Control escapes a distrusted fault Control escapes a distrusted fault

domain only via a domain only via a jump tablejump table (to stub (to stub

instruction). instruction).

�� A callA call--stub and a returnstub and a return--stub are stub are

created for each pair of fault domains.created for each pair of fault domains.

�� The stub is also responsible for The stub is also responsible for �� The stub is also responsible for The stub is also responsible for managing machine states and registers. managing machine states and registers.

�� Fatal errors are handled by UNIX signal Fatal errors are handled by UNIX signal facility. Trusted modules may use a facility. Trusted modules may use a timer facility to interrupt execution or timer facility to interrupt execution or determinate a call.determinate a call.

Jump TableJump Table�� Allows a fault domain to safely call Allows a fault domain to safely call

the a trusted stub routine outside the a trusted stub routine outside

its domain; that stub then safely its domain; that stub then safely

calls into the destination domaincalls into the destination domain..

�� Each jump table entry is a control Each jump table entry is a control transfer instruction whose target transfer instruction whose target address is a legal entry point address is a legal entry point address is a legal entry point address is a legal entry point outside the domain. outside the domain.

�� Because the table is kept in the Because the table is kept in the (read(read--only) code segment in the only) code segment in the fault domain, it can only be fault domain, it can only be modified by a trusted module.modified by a trusted module.

Performance resultPerformance result

Performance resultPerformance result

Performance resultPerformance result

Performance resultPerformance result

ConclusionConclusion

�� Despite of the 4% overhead in sandboxing technique in executing Despite of the 4% overhead in sandboxing technique in executing

distrusted code, this method yields best application performance.distrusted code, this method yields best application performance.

�� whole approach does not enforce the privacy aspect of security, since whole approach does not enforce the privacy aspect of security, since

addresses used in load instructions are not checked or sandboxed, addresses used in load instructions are not checked or sandboxed,

because to do so would be prohibitively expensive.because to do so would be prohibitively expensive.because to do so would be prohibitively expensive.because to do so would be prohibitively expensive.

ReferencesReferences

Tom Burkleaux ‘ s Slides for Fault domain and cross fault domain communication Tom Burkleaux ‘ s Slides for Fault domain and cross fault domain communication

(figs) on Efficient software based isolation(figs) on Efficient software based isolation

Carl Yao’s slides for Examples of segment matching and address sandboxing Slides Carl Yao’s slides for Examples of segment matching and address sandboxing Slides

on efficient software based isolationon efficient software based isolation--SandboxingSandboxing

SFISFI--Risc .pdfRisc .pdf