345 research outputs found
CHERI: A hybrid capability-system architecture for scalable software compartmentalization
CHERI extends a conventional RISC Instruction-
Set Architecture, compiler, and operating system to support
fine-grained, capability-based memory protection to mitigate
memory-related vulnerabilities in C-language TCBs. We describe
how CHERI capabilities can also underpin a hardware-software
object-capability model for application compartmentalization
that can mitigate broader classes of attack. Prototyped as an
extension to the open-source 64-bit BERI RISC FPGA softcore
processor, FreeBSD operating system, and LLVM compiler,
we demonstrate multiple orders-of-magnitude improvement in
scalability, simplified programmability, and resulting tangible
security benefits as compared to compartmentalization based on
pure Memory-Management Unit (MMU) designs. We evaluate
incrementally deployable CHERI-based compartmentalization
using several real-world UNIX libraries and applications.We thank our colleagues Ross Anderson, Ruslan Bukin,
Gregory Chadwick, Steve Hand, Alexandre Joannou, Chris
Kitching, Wojciech Koszek, Bob Laddaga, Patrick Lincoln,
Ilias Marinos, A Theodore Markettos, Ed Maste, Andrew W.
Moore, Alan Mujumdar, Prashanth Mundkur, Colin Rothwell,
Philip Paeps, Jeunese Payne, Hassen Saidi, Howie Shrobe, and
Bjoern Zeeb, our anonymous reviewers, and shepherd Frank
Piessens, for their feedback and assistance. This work is part of
the CTSRD and MRC2 projects sponsored by the Defense Advanced
Research Projects Agency (DARPA) and the Air Force
Research Laboratory (AFRL), under contracts FA8750-10-C-
0237 and FA8750-11-C-0249. The views, opinions, and/or
findings contained in this paper are those of the authors and
should not be interpreted as representing the official views
or policies, either expressed or implied, of the Department
of Defense or the U.S. Government. We acknowledge the EPSRC
REMS Programme Grant [EP/K008528/1], Isaac Newton
Trust, UK Higher Education Innovation Fund (HEIF), Thales
E-Security, and Google, Inc.This is the author accepted manuscript. The final version is available at http://dx.doi.org/10.1109/SP.2015.
Master of Science
thesisMany of the operating system kernels we use today are monolithic. They consist of numerous file systems, device drivers, and other subsystems interacting with no isolation and full trust. As a result, a vulnerability or bug in one part of a kernel can compromise an entire machine. Our work is motivated by the following observations: (1) introducing some form of isolation into the kernel can help confine the effects of faulty code, and (2) modern hardware platforms are better suited for a decomposed kernel than platforms of the past. Platforms today consist of numerous cores, large nonuniform memories, and processor interconnects that resemble a miniature distributed system. We argue that kernels and hypervisors must eventually evolve beyond their current symmetric mulitprocessing (SMP) design toward a corresponding distributed design. But the path to this goal is not easy. Building such a kernel from scratch that has the same capabilities as an equivalent monolithic kernel could take years of effort. In this work, we explored the feasibility of incrementally isolating subsystems in the Linux kernel as a path toward a distributed kernel. We developed a design and techniques for moving kernel modules into strongly isolated domains in a way that is transparent to existing code, and we report on the feasibility of our approach
Fast Protection-Domain Crossing in the CHERI Capability-System Architecture
Capability Hardware Enhanced RISC Instructions (CHERI) supplement the conventional memory management unit (MMU) with instruction-set architecture (ISA) extensions that implement a capability system model in the address space. CHERI can also underpin a hardware-software object-capability model for scalable application compartmentalization that can mitigate broader classes of attack. This article describes ISA additions to CHERI that support fast protection-domain switching, not only in terms of low cycle count, but also efficient memory sharing with mutual distrust. The authors propose ISA support for sealed capabilities, hardware-assisted checking during protection-domain switching, a lightweight capability flow-control model, and fast register clearing, while retaining the flexibility of a software-defined protection-domain transition model. They validate this approach through a full-system experimental design, including ISA extensions, a field-programmable gate array prototype (implemented in Bluespec SystemVerilog), and a software stack including an OS (based on FreeBSD), compiler (based on LLVM), software compartmentalization model, and open-source applications.This work is part of the CTSRD and MRC2 projects sponsored by the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL), under contracts FA8750-10-C-0237 and FA8750-11-C-0249. We also acknowledge the Engineering and Physical Sciences Research Council (EPSRC) REMS Programme Grant [EP/K008528/1], the EPSRC Impact Acceleration Account [EP/K503757/1], EPSRC/ARM iCASE studentship [13220009], Microsoft studentship [MRS2011-031], the Isaac Newton Trust, the UK Higher Education Innovation Fund (HEIF), Thales E-Security, and Google, Inc.This is the author accepted manuscript. The final version of the article can be found at: http://ieeexplore.ieee.org/document/7723791
Secure and efficient application monitoring and replication
Memory corruption vulnerabilities remain a grave threat to systems software written in C/C++. Current best practices dictate compiling programs with exploit mitigations such as stack canaries, address space layout randomization, and control-flow integrity. However, adversaries quickly find ways to circumvent such mitigations, sometimes even before these mitigations are widely deployed. In this paper, we focus on an "orthogonal" defense that amplifies the effectiveness of traditional exploit mitigations. The key idea is to create multiple diversified replicas of a vulnerable program and then execute these replicas in lockstep on identical inputs while simultaneously monitoring their behavior. A malicious input that causes the diversified replicas to diverge in their behavior will be detected by the monitor; this allows discovery of previously unknown attacks such as zero-day exploits. So far, such multi-variant execution environments (MVEEs) have been held back by substantial runtime overheads. This paper presents a new design, ReMon, that is non-intrusive, secure, and highly efficient. Whereas previous schemes either monitor every system call or none at all, our system enforces cross-checking only for security critical system calls while supporting more relaxed monitoring policies for system calls that are not security critical. We achieve this by splitting the monitoring and replication logic into an in-process component and a cross-process component. Our evaluation shows that ReMon offers same level of security as conservative MVEEs and run realistic server benchmarks at near-native speeds
Vetting undesirable behaviors in android apps with permission use analysis
Android platform adopts permissions to protect sensitive resources from untrusted apps. However, after permissions are granted by users at install time, apps could use these permissions (sensitive resources) with no further restrictions. Thus, recent years have witnessed the explosion of undesirable behaviors in Android apps. An important part in the defense is the accurate analysis of Android apps. However, traditional syscall-based analysis techniques are not well-suited for Android, because they could not capture critical interactions between the application and the Android system. This paper presents VetDroid, a dynamic analysis platform for reconstructing sensitive behaviors in Android apps from a novel permission use perspective. VetDroid features a systematic frame-work to effectively construct permission use behaviors, i.e., how applications use permissions to access (sensitive) system resources, and how these acquired permission-sensitive resources are further utilized by the application. With permission use behaviors, security analysts can easily examine the internal sensitive behaviors of an app. Using real-world Android malware, we show that VetDroid can clearly reconstruct fine-grained malicious behaviors to ease malware analysis. We further apply VetDroid to 1,249 top free apps in Google Play. VetDroid can assist in finding more information leaks than TaintDroid [24], a state-of-the-art technique. In addition, we show howwe can use VetDroid to analyze fine-grained causes of information leaks that TaintDroid cannot reveal. Finally, we show that VetDroid can help identify subtle vulnerabilities in some (top free) applications otherwise hard to detect
Hardware IPC for a TrustZone-assisted Hypervisor
Dissertação de mestrado em Engenharia Eletrónica Industrial e ComputadoresIn this modern era ruled by technology and the IoT (Internet of Things),
embedded systems have an ubiquitous presence in our daily lives. Although they
do differ from each other in their functionalities and end-purpose, they all share the
same basic requirements: safety and security. Whether in a non-critical system
such as a smartphone, or a critical one, like an electronic control unit of any
modern vehicle, these requirements must always be fulfilled in order to accomplish
a reliable and trust-worthy system.
One well-established technology to address this problem is virtualization. It
provides isolation by encapsulating each subsystem in separate Virtual-Machines
(VMs), while also enabling the sharing of hardware resources. However, these
isolated subsystems may still need to communicate with each other. Inter-Process
Communication is present in most OSes’ stacks, representing a crucial part of
it, which allows, through a myriad of different mechanisms, communication be-
tween tasks. In a virtualized system, Inter-Partition Communication mechanisms
implement the communication between the different subsystems referenced above.
TrustZone technology has been in the forefront of hardware-assisted security
and it has been explored for virtualization purposes, since natively it provides sep-
aration between two execution worlds while enforcing, by design, different privi-
lege to these execution worlds. LTZVisor, an open-source lightweight TrustZone-
assisted hypervisor, emerged as a way of providing a platform for exploring how
TrustZone can be exploited to assist virtualization. Its IPC mechanism, TZ-
VirtIO, constitutes a standard virtual I/O approach for achieving communication
between the OSes, but some overhead is caused by the introduction of the mech-
anism. Hardware-based solutions are yet to be explored with this solution, which
could bring performance and security benefits while diminishing overhead.
Attending the reasons mentioned above, hTZ-VirtIO was developed as a way
to explore the offloading of the software-based communication mechanism of the
LTZVisor to hardware-based mechanisms.Atualmente, onde a tecnologia e a Internet das Coisas (IoT) dominam a so-
ciedade, os sistemas embebidos são omnipresentes no nosso dia-a-dia, e embora
possam diferir entre as funcionalidades e objetivos finais, todos partilham os mes-
mos requisitos básicos. Seja um sistema não crítico, como um smartphone, ou
um sistema crítico, como uma unidade de controlo de um veículo moderno, estes
requisitos devem ser cumpridos de maneira a se obter um sistema confiável.
Uma tecnologia bem estabelecida para resolver este problema é a virtualiza-
ção. Esta abordagem providencia isolamento através do encapsulamento de sub-
sistemas em máquinas virtuais separadas, além de permitir a partilha de recursos
de hardware. No entanto, estes subsistemas isolados podem ter a necessidade de
comunicar entre si. Comunicação entre tarefas está presente na maioria das pilhas
de software de qualquer sistema e representa uma parte crucial dos mesmos. Num
sistema virtualizado, os mecanismos de comunicação entre-partições implementam
a comunicação entre os diferentes subsistemas mencionados acima.
A tecnologia TrustZone tem estado na vanguarda da segurança assistida por
hardware, e tem sido explorada na implementação de sistemas virtualizados, visto
que permite nativamente a separação entre dois mundos de execução, e impondo
ao mesmo tempo, por design, privilégios diferentes a esses mundos de execução. O
LTZVisor, um hypervisor em código-aberto de baixo overhead assistido por Trust-
Zone, surgiu como uma forma de fornecer uma plataforma que permite a explo-
ração da TrustZone como tecnologia de assistência a virtualização. O TZ-VirtIO,
mecanismo de comunicação do LTZVisor, constitui uma abordagem padrão de
E/S virtuais, para permitir comunicação entre os sistemas operativos. No entanto,
a introdução deste mecanismo provoca sobrecarga sobre o hypervisor. Soluções
baseadas em hardware para o TZ-VirtIO ainda não foram exploradas, e podem
trazer benefícios de desempenho e segurança, e diminuir a sobrecarga.
Atendendo às razões mencionadas acima, o hTZ-VirtIO foi desenvolvido como
uma maneira de explorar a migração do mecanismo de comunicação baseado em
software do LTZVisor para mecanismos baseados em hardware
Costs of Security in the PFS File System
Various principles have been proposed for the design of trustworthy systems. But there is little data about their impact on system performance. A filesystem that pervasively instantiates a number of well-known security principles was implemented and the performance impact of various design choices was analyzed. The overall performance of this filesystem was also compared to a Linux filesystem that largely ignores the security principles.Supported in part by NICECAP cooperative agreement FA8750-07-2-0037 administered by AFRL, AFOSR grant F9550-06-0019, National Science Foundation grants 0430161, 0964409, and CCF-0424422 (TRUST), ONR grants N00014-01-1-0968 and N00014-09-1-0652, and grants from Microsoft
- …