Reference monitors - Columbia University (suman/secure_sw_devel/ref_monitor.pdf · 2017. 9. 11.)
TRANSCRIPT
Reference monitors
Suman Jana
*Original slides from Vitaly Shmatikov
Reference Monitor
• Observes execution of the program/process
  – At what level? Possibilities: hardware, OS, network
• Halts or confines execution if the program is about to violate the security policy
  – What's a "security policy"?
  – Which system events are relevant to the policy?
    • Instructions, memory accesses, system calls, network packets…
• Cannot be circumvented by the monitored process
Enforceable Security Policies
• Reference monitors can only enforce safety policies [Schneider '98]
  – Execution of a process is a sequence of states
  – Safety policy is a predicate on a prefix of the sequence
    • Policy must depend only on the past of a particular execution; once it becomes false, it's always false
  – Not policies that require knowledge of the future
    • "If this server accepts a SYN packet, it will eventually send a response" (a liveness property; no finite prefix ever refutes it)
  – Not policies that deal with all possible executions
    • "This program should never reveal a secret" (non-interference is a property of the set of all executions, not of the single run the monitor observes)
Reference Monitor Implementation
Three placements of the reference monitor (diagram):
  – Kernelized: Program | RM inside the Kernel
  – Wrapper: Program | RM as a wrapper between program and Kernel
  – Modified program: RM inside the Program | Kernel
• Integrate reference monitor into program code during compilation or via binary rewriting
  – Policies can depend on application semantics
  – Enforcement doesn't require context switches in the kernel
  – Lower performance overhead
What Makes a Process Safe?
• Memory safety: all memory accesses are "correct"
  – Respect array bounds, don't stomp on another process's memory, don't execute data as if it were code
• Control-flow safety: all control transfers are envisioned by the original program
  – No arbitrary jumps, no calls to library routines that the original program did not call
• Type safety: all function calls and operations have arguments of correct type
OS as a Reference Monitor
• Collection of running processes and files
  – Processes are associated with users
  – Files have access control lists (ACLs) saying which users can read/write/execute them
• OS enforces a variety of safety policies
  – File accesses are checked against the file's ACL
  – Process cannot write into memory of another process
  – Some operations require superuser privileges
    • But may need to switch back and forth (e.g., setuid in Unix)
  – Enforce CPU sharing, disk quotas, etc.
• Same policy for all processes of the same user
Hardware Mechanisms: TLB
• TLB: Translation Lookaside Buffer
  – Maps virtual to physical addresses
  – Located next to the cache
  – Only supervisor-mode code can manipulate the TLB
    • But if the OS is compromised, malicious code can abuse the TLB to make itself invisible in virtual memory (Shadow Walker)
• TLB miss raises a page fault exception (on a software-managed TLB; on x86 the hardware walks the page tables first, and only a missing or invalid page-table entry faults)
  – Control is transferred to the OS (in supervisor mode)
  – OS brings the missing page into memory
  – This is an expensive context switch
Steps in a System Call [Morrisett]
(Diagram: time flows downward; left column = User Process, right column = Kernel)
1. User process calls f = fopen("foo")
2. Library executes "break" (trap into the kernel)
3. Kernel: saves context, flushes TLB, etc.; checks UID against the ACL; sets up I/O buffers & file context; pushes a pointer to the context on the user's stack, etc.; restores context, clears supervisor bit
4. User process calls fread(f, n, &buf)
5. Library executes "break"
6. Kernel: saves context, flushes TLB, etc.; checks that f is a valid file context; does disk access into a local buffer; copies results into the user's buffer, etc.; restores context, clears supervisor bit
Midterm grades
Modern Hardware Meets Security
• Modern hardware: large number of registers, big memory pages
• Isolation ⇒ each process should live in its own hardware address space
• …but the performance cost of inter-process communication is increasing
  – Context switches are very expensive
  – Trapping into the OS kernel requires flushing the TLB and cache (less so with tagged TLBs/PCIDs, but still costly), computing the jump destination, copying memory
• Conflict: isolation vs. cheap communication
Software Fault Isolation (SFI)
• Processes live in the same hardware address space; a software reference monitor isolates them
  – Each process is assigned a logical "fault domain"
  – Check all memory references and jumps to ensure they don't leave the process's domain
• Tradeoff: checking vs. communication
  – Pay the cost of executing checks for each memory write and control transfer to save the cost of context switching when trapping into the kernel
[Wahbe et al. SOSP '93]
Fault Domains
• Process's code and data in one memory segment
  – Identified by a unique pattern of upper bits
  – Code is separate from data (heap, stack, etc.)
  – Think of a fault domain as a "sandbox"
• Binary modified so that it cannot escape the domain
  – Addresses are masked so that all memory writes are to addresses within the segment
    • Coarse-grained memory safety (vs. array bounds checking)
  – Code is inserted before each jump to ensure that the destination is within the segment
• Does this help much against buffer overflows? (No: an overflow that stays inside the domain still corrupts the domain's own data and control state; SFI only keeps it from reaching other domains)
Verifying Jumps and Stores
• If the target address can be determined statically, mask it with the segment's upper bits
  – Crash, but won't stomp on another process's memory
• If the address is unknown until runtime, insert checking code before the instruction
• Ensure that code can't jump around the checks
  – Target address held in a dedicated register
  – Its value is changed only by inserted code, atomically, and only with a value from the data segment
Simple SFI Example
• Fault domain = from 0x1200 to 0x12FF
• Original code:
    write x
• Naïve SFI:
    x := x & 00FF
    x := x | 1200
    write x          (what if the code jumps right here, with x unmasked?)
• Better SFI:
    tmp := x & 00FF  (convert x into an address that lies within the fault domain)
    tmp := tmp | 1200
    write tmp        (tmp is the dedicated register: only the inserted code writes it, so it always holds an in-domain address even if control lands on the write)
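The masking arithmetic from the slide above, worked through on a simulated flat memory. This is an added example, not code from the lecture or from the Wahbe et al. paper; the 0x2000-byte memory, the code-segment base 0x1000, the function names and the overflow trace are all constructed for illustration. It shows the naive and the dedicated-register sequence side by side, that every sandboxed store lands in 0x1200..0x12FF whatever the original pointer was, how the same mask confines an indirect jump, and why SFI does not answer the buffer-overflow question on the "Fault Domains" slide: an overflow wraps around inside the domain and smashes the domain's own data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simulated flat memory (constructed for this example). The fault domain
   (sandbox) is 0x1200..0x12FF: the addresses whose upper bits are 0x12.
   Everything else belongs to other domains and must never be written. */
#define MEM_SIZE    0x2000
#define DOMAIN_BASE 0x1200u  /* upper-bit pattern that identifies the domain */
#define DOMAIN_MASK 0x00FFu  /* the low bits a write may choose freely       */

static uint8_t mem[MEM_SIZE];

/* Read back a byte so callers can inspect the effect of a write. */
uint8_t mem_read(uint32_t addr) { return mem[addr]; }

/* Naive SFI from the slide: mask the register holding x in place, then
   write. Correct for this one write, but x is destroyed for later use,
   and an attacker who jumps straight to the write with an unmasked x
   bypasses the mask entirely. Returns the address actually written. */
uint32_t sfi_write_naive(uint32_t *x, uint8_t val)
{
    *x &= DOMAIN_MASK;
    *x |= DOMAIN_BASE;
    mem[*x] = val;
    return *x;
}

/* Better SFI: the sandboxed address is built in a dedicated scratch
   register (tmp) that only this inserted sequence ever writes, so it
   holds an in-domain address even if control lands on the write.
   x is left untouched. Returns the address actually written. */
uint32_t sfi_write(uint32_t x, uint8_t val)
{
    uint32_t tmp = x & DOMAIN_MASK;
    tmp |= DOMAIN_BASE;
    mem[tmp] = val;
    return tmp;
}

/* Same masking for an indirect jump: the target is forced into the
   domain's code segment (assumed here to be 0x1000..0x10FF). A wrong
   target becomes a wrong in-domain target, never another domain's code. */
#define CODE_BASE 0x1000u
uint32_t sfi_jump_target(uint32_t target)
{
    return (target & DOMAIN_MASK) | CODE_BASE;
}

/* Is addr inside the data domain? */
int in_domain(uint32_t addr)
{
    return addr >= DOMAIN_BASE && addr <= (DOMAIN_BASE | DOMAIN_MASK);
}

/* A buffer overflow inside the sandbox: n bytes from addr, each store
   sandboxed. The overflow cannot leave the domain, but it wraps around
   and overwrites the domain's own data, so SFI alone does nothing for
   the sandboxed program's internal memory safety. */
void sfi_memset(uint32_t addr, uint8_t val, size_t n)
{
    for (size_t i = 0; i < n; i++)
        sfi_write(addr + (uint32_t)i, val);
}

int main(void)
{
    uint32_t x = 0x1F34;                      /* points outside the domain */
    uint32_t w = sfi_write(x, 0xAA);
    printf("sfi_write(0x%X) -> 0x%X, x still 0x%X\n", 0x1F34, w, x);
    sfi_write_naive(&x, 0xBB);
    printf("after naive SFI x = 0x%X\n", x);
    printf("jump to 0x1F44 lands at 0x%X\n", sfi_jump_target(0x1F44));
    sfi_memset(0x12F0, 0xCC, 32);             /* 16 bytes past the end */
    printf("mem[0x1300] = 0x%02X (untouched), mem[0x1200] = 0x%02X (wrapped)\n",
           mem_read(0x1300), mem_read(0x1200));
    return 0;
}
```

The masks are the whole mechanism: there is no comparison and no branch, which is why SFI's per-store cost is a few ALU instructions rather than a trap. In the real rewriter the mask would be applied to the address register of every store and every indirect jump, with the verifier confirming that no other instruction writes the dedicated register.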
Inline Reference Monitor
• Generalize SFI to more general safety policies than just memory safety
  – Policy specified in some formal language
  – Policy deals with application-level concepts: access to system resources, network events, etc.
    • "No process should send to the network after reading a file", "No process should open more than 3 windows", …
• Policy checks are integrated into the binary code
  – Via binary rewriting or when compiling
• Inserted checks should be uncircumventable
  – Rely on SFI for basic memory safety
Policy Specification in SASI
SASI policies are finite-state automata
• Can express any safety policy
• Easy to analyze, emulate, compile
• Written in the SAL language (textual version of the diagrams)
Diagram 1, "No division by zero": a single state with a self-loop labelled ¬(op = "div" ∧ arg2 = 0)
Diagram 2, "No network send after file read": two states; the initial state loops on ¬read and moves on read to a second state, which loops on ¬send (and has no transition for send)
[Cornell project]
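The two SASI automata above, and the safety-policy definition from the "Enforceable Security Policies" slide, as a runnable inline monitor. This is an added example written for this page, not SASI or SAL code from the Cornell project; the event representation (an operation name plus one integer argument), the transition-table encoding and the sample trace are constructed for illustration. Each policy is a table of (state, predicate, next state) rows; the monitor steps every automaton before an event is allowed to happen and halts at the first event for which no transition exists.

```c
#include <stdio.h>
#include <string.h>

/* A policy-level event the monitor sees (representation constructed
   for this example): an operation name and one integer argument. */
typedef struct { const char *op; int arg2; } Event;

/* A transition fires when its predicate holds for the event; the
   automaton then moves from state `from` to state `to`. */
typedef int (*Pred)(const Event *);
typedef struct { int from; Pred pred; int to; } Transition;

typedef struct {
    const char       *name;
    int               state;   /* current state; 0 is the initial state */
    const Transition *trans;
    int               ntrans;
} Automaton;

/* Step the automaton: the first transition out of the current state
   whose predicate holds is taken. Returns 1 if the event is accepted,
   0 if no transition exists, i.e. the event would extend the execution
   into a prefix the policy rejects. Only the past is consulted, which
   is exactly what makes this a safety policy: a rejected prefix stays
   rejected no matter what follows. */
int automaton_step(Automaton *a, const Event *ev)
{
    for (int i = 0; i < a->ntrans; i++) {
        const Transition *t = &a->trans[i];
        if (t->from == a->state && t->pred(ev)) {
            a->state = t->to;
            return 1;
        }
    }
    return 0;
}

/* Policy 1: no division by zero. One state with a self-loop labelled
   ¬(op = "div" ∧ arg2 = 0). */
static int not_div_by_zero(const Event *e)
{
    return !(strcmp(e->op, "div") == 0 && e->arg2 == 0);
}
static const Transition div_trans[] = { { 0, not_div_by_zero, 0 } };

/* Policy 2: no network send after file read. State 0 (nothing read yet)
   loops on ¬read; a read moves to state 1, which loops on ¬send and has
   no transition for send. */
static int is_read(const Event *e)  { return strcmp(e->op, "read") == 0; }
static int not_read(const Event *e) { return !is_read(e); }
static int not_send(const Event *e) { return strcmp(e->op, "send") != 0; }
static const Transition send_trans[] = {
    { 0, not_read, 0 },
    { 0, is_read,  1 },
    { 1, not_send, 1 },
};

Automaton make_no_div_by_zero(void)
{
    Automaton a = { "no division by zero", 0, div_trans, 1 };
    return a;
}
Automaton make_no_send_after_read(void)
{
    Automaton a = { "no network send after file read", 0, send_trans, 3 };
    return a;
}

/* The inline monitor: before each event is allowed to happen, step every
   policy automaton. Returns the number of events executed before the
   first violation (n if the whole trace is accepted) and names the
   violated policy in *violated (NULL if none). */
int monitor_run(const Event *trace, int n, Automaton *pol, int npol,
                const char **violated)
{
    *violated = NULL;
    for (int i = 0; i < n; i++)
        for (int p = 0; p < npol; p++)
            if (!automaton_step(&pol[p], &trace[i])) {
                *violated = pol[p].name;
                return i;           /* halt: event i never executes */
            }
    return n;
}

int main(void)
{
    /* Constructed trace: arithmetic, a file read, a write, then a send. */
    Event trace[] = { {"div", 2}, {"read", 0}, {"write", 0}, {"send", 0}, {"read", 0} };
    Automaton pols[2] = { make_no_div_by_zero(), make_no_send_after_read() };
    const char *why;
    int done = monitor_run(trace, 5, pols, 2, &why);
    printf("executed %d events, halted by: %s\n", done, why ? why : "(none)");
    return 0;
}
```

Note what the monitor cannot express in this shape: "every read is eventually followed by a close" has no rejecting prefix, so no table of transitions can encode it, which is the liveness exclusion from the earlier slide. The "Policy Enforcement" slide's optimisation corresponds to only calling `automaton_step` for the div policy at DIV instructions, since `not_div_by_zero` is trivially true everywhere else.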
Policy Enforcement
• Checking before every instruction is overkill
  – Check "No division by zero" only before DIV
• SASI uses partial evaluation
  – Insert policy checks before every instruction, then rely on static analysis to eliminate unnecessary checks
• There is a "semantic gap" between individual instructions and policy-level events
  – Applications use abstractions such as strings, types, files, function calls, etc.
  – Reference monitor must synthesize these abstractions from low-level assembly code
M. Abadi, M. Budiu, Ú. Erlingsson, J. Ligatti
Control-Flow Integrity: Principles, Implementations, and Applications
(CCS 2005)
CFI: Control-Flow Integrity [Abadi et al.]
• Main idea: pre-determine the control flow graph (CFG) of an application
  – Static analysis of source code
  – Static binary analysis ← CFI
  – Execution profiling
  – Explicit specification of security policy
• Execution must follow the pre-determined control flow graph
CFI: Binary Instrumentation
• Use binary rewriting to instrument code with runtime checks (similar to SFI)
• Inserted checks ensure that the execution always stays within the statically determined CFG
  – Whenever an instruction transfers control, the destination must be valid according to the CFG
• Goal: prevent injection of arbitrary code and invalid control transfers (e.g., return-oriented programming)
  – Secure even if the attacker has complete control over the thread's data memory (code itself must remain non-writable; see "Preventing Circumvention")
CFG Example (figure)
CFI: Control Flow Enforcement
• For each control transfer, determine statically its possible destination(s)
• Insert a unique bit pattern at every destination
  – Two destinations are equivalent if the CFG contains edges to each from the same source
    • This is imprecise (why?)
  – Use the same bit pattern for equivalent destinations
• Insert binary code that at runtime will check whether the bit pattern of the target instruction matches the pattern of possible destinations
CFI: Example of Instrumentation
Original code vs. instrumented code (figure)
  – Abuse an x86 assembly instruction (in the paper, a prefetchnta with the tag as its immediate operand, which executes as a no-op) to insert the "12345678" tag into the binary at the destination
  – Jump to the destination only if the tag found there is equal to "12345678"
CFI: Preventing Circumvention
• Unique IDs
  – Bit patterns chosen as destination IDs must not appear anywhere else in the code memory except ID checks
• Non-writable code
  – Program should not modify code memory at runtime
    • What about run-time code generation and self-modification?
• Non-executable data
  – Program should not execute data as if it were code
• Enforcement: hardware support + prohibit system calls that change protection state + verification at load-time
Improving CFI Precision
• Suppose a call from A goes to C, and a call from B goes to either C or D (when can this happen? e.g., B calls through a function pointer that may hold either C or D)
  – CFI will use the same tag for C and D, but this allows an "invalid" call from A to D
  – Possible solution: duplicate code or inline
  – Possible solution: multiple tags
• Function F is called first from A, then from B; what's a valid destination for its return?
  – CFI will use the same tag for both call sites, but this allows F to return to B after being called from A
  – Solution: shadow call stack
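The tag check from the "Control Flow Enforcement" and "Example of Instrumentation" slides, together with both imprecision cases above and the shadow-call-stack fix, as a small model in C. This is an added example, not code from the Abadi et al. paper or from the lecture: destinations are modelled as structs whose first word is the tag (standing in for the prefetchnta-embedded bit pattern), the tag values, the return-site addresses RA/RB and the function names are all constructed, and "control transfer" is modelled as a function that returns whether the transfer would be allowed rather than a real jump. XFI's scoped stack, later on the page, applies the same save-out-of-reach idea to return addresses and non-escaping locals.

```c
#include <stdint.h>
#include <stdio.h>

/* Every valid indirect-branch destination begins with a tag word, the
   bit pattern the rewriter embeds there (model of the prefetchnta
   operand in the paper). Names are constructed for this example. */
typedef struct {
    uint32_t    tag;
    const char *name;
} Target;

/* B calls through a pointer that may reach C or D, so C and D form one
   equivalence class and receive the same tag. E is in another class. */
#define TAG_CD 0x12345678u
#define TAG_E  0x0ABCDEF1u
const Target dest_C = { TAG_CD, "C" };
const Target dest_D = { TAG_CD, "D" };
const Target dest_E = { TAG_E,  "E" };

/* Forward-edge check inserted before every indirect call/jump: compare
   the tag at the destination with the tag this call site expects.
   Returns 1 if the transfer is allowed, 0 if it must be diverted to the
   error handler instead. */
int cfi_transfer(uint32_t expected_tag, const Target *dst)
{
    return dst->tag == expected_tag;
}

/* Shadow call stack for returns: return addresses are copied to a
   region the program's own stores cannot reach (modelled as a separate
   array the sandboxed code never addresses), and a ret is allowed only
   to the address on top of that copy. */
#define SHADOW_MAX 64
static uint32_t shadow[SHADOW_MAX];
static int      shadow_top = 0;

void shadow_reset(void) { shadow_top = 0; }

/* Executed at every call: save the return site. Returns 0 on overflow. */
int shadow_push(uint32_t ret_site)
{
    if (shadow_top == SHADOW_MAX) return 0;
    shadow[shadow_top++] = ret_site;
    return 1;
}

/* Executed at every ret: the address found on the ordinary, attacker-
   writable stack must equal the one saved at call time. */
int shadow_check_ret(uint32_t ret_site_on_stack)
{
    if (shadow_top == 0) return 0;
    return shadow[--shadow_top] == ret_site_on_stack;
}

/* F is called from A and from B, so the two return sites RA and RB
   share one tag. Simulate a call from A after which the attacker has
   overwritten the saved return address with RB: the tag check alone
   accepts it, the shadow stack does not. Returns 1 if the forged return
   passed the tag check but was blocked by the shadow stack. */
#define RA      0x401000u
#define RB      0x402000u
#define TAG_RET 0x5A5A5A5Au
int forged_return_blocked(void)
{
    Target rb = { TAG_RET, "return site in B" };
    shadow_reset();
    shadow_push(RA);                                 /* F called from A   */
    int tag_ok    = cfi_transfer(TAG_RET, &rb);      /* RB carries the tag */
    int shadow_ok = shadow_check_ret(RB);            /* but top is RA      */
    return tag_ok && !shadow_ok;
}

int main(void)
{
    printf("A -> C allowed: %d\n", cfi_transfer(TAG_CD, &dest_C));
    printf("A -> D allowed (imprecision): %d\n", cfi_transfer(TAG_CD, &dest_D));
    printf("A -> E allowed: %d\n", cfi_transfer(TAG_CD, &dest_E));
    printf("forged return blocked by shadow stack: %d\n", forged_return_blocked());
    return 0;
}
```

The "A → D allowed" line is the first imprecision case: since A's call site expects TAG_CD and D carries it, nothing in the tag scheme distinguishes D from C. The shadow stack resolves the second case because it records which call actually happened rather than which returns are statically possible.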
CFI: Security Guarantees
• Effective against attacks based on illegitimate control-flow transfer
  – Stack-based buffer overflow, return-to-libc exploits, pointer subterfuge
• Does not protect against attacks that do not violate the program's original CFG
  – Incorrect arguments to system calls
  – Substitution of file names
  – Other data-only attacks
Possible Execution of Memory [Erlingsson] (figure)
Next Step: XFI
• Inline reference monitor added via binary rewriting
  – Can be applied to some legacy code
• CFI to prevent circumvention
• Fine-grained access control policies for memory regions
  – More than simple memory safety (cf. SFI)
• Relies in part on load-time verification
  – Similar to "proof-carrying code"
[Erlingsson et al. OSDI '06]
Two Stacks
• XFI maintains a separate "scoped stack" with return addresses and some local variables
  – Keeps track of function calls, returns and exceptions
  – Secure storage area for function-local information
    • Cannot be overflown, accessed via a computed reference or pointer, etc.
  – Stack integrity ensured by software guards
    • Presence of guards is determined by static verification when the program is loaded
• Separate "allocation stack" for arrays and local variables whose address can be passed around
XFI: Memory Access Control
• Module has access to its own memory
  – With restrictions (e.g., shouldn't be able to corrupt its own scoped stack)
• Host can also grant access to other contiguous memory regions
  – Fine-grained: can restrict access to a single byte
  – Access to constant addresses and the scoped stack is verified statically
  – Inline memory guards verify other accesses at runtime
    • Fast inline verification for a certain address range; if it fails, call special routines that check the access control data structures
XFI: Preventing Circumvention
• Integrity of the XFI protection environment
  – Basic control-flow integrity
  – "Scoped stack" prevents out-of-order execution paths even if they match the control-flow graph
  – Dangerous instructions are never executed or their execution is restricted
    • For example, privileged instructions that change protection state, modify x86 flags, etc.
• Therefore, XFI modules can even run in the kernel