[go: up one dir, main page]
More Web Proxy on the site http://driver.im/ skip to main content
research-article
Open access

Rethinking Memory Permissions for Protection Against Cross-Layer Attacks

Published: 08 December 2015 Publication History

Abstract

The inclusive permissions structure (e.g., the Intel ring model) of modern commodity CPUs provides privileged system software layers with arbitrary permissions to access and modify client processes, allowing them to manage these clients and the system resources efficiently. Unfortunately, these inclusive permissions allow a compromised high-privileged software layer to perform arbitrary malicious activities. In this article, our goal is to prevent attacks that cross system layers while maintaining the abilities of system software to manage the system and allocate resources. In particular, we present a hardware-supported page permission framework for physical pages that is based on the concept of noninclusive sets of memory permissions for different layers of system software (such as hypervisors, operating systems, and user-level applications). Instead of viewing privilege levels as an ordered hierarchy with each successive level being more privileged, we view them as distinct levels each with its own set of permissions. In order to enable system software to manage client processes, we define a set of legal permission transitions that support resource allocation but preserve security. We show that the model prevents a range of recent attacks. We also show that it can be implemented with negligible performance overhead (both at load time and at runtime), low hardware complexity, and minimal changes to the commodity OS and hypervisor code.

References

[1]
I. Anati, S. Gueron, S. Johnson, and V. Scarlata. 2013. Innovative technology for CPU based attestation and sealing. In Proceedings of the Workshop on Hardware and Architectural Support for Security and Privacy, with ISCA ’13.
[2]
A. Azab, P. Ning, E. Sezer, and X. Zhang. 2009. HIMA: A hypervisor-based integrity measurement agent. In Proceedings of the Annual Computer Security Applications Conference (ACSAC’09). 461--470.
[3]
A. Baumann, M. Peinado, and G. Hunt. 2014. Shielding applications from an untrusted cloud with haven. In Proceedings of the Symposium on Operating Systems Design and Implementation.
[4]
R. Boivie. 2012. SecureBlue++: CPU Support for Secure Execution. (2012).
[5]
J. Cappaert, N. Kisserli, D. Schellekens, and B. Preneel. 2006. Self-encrypting code to protect against analysis and tampering. In 1st Benelux Workshop on Information Systems Security.
[6]
N. P. Carter, S. W. Keckler, and W. J. Dally. 1994. Hardware support for fast capability-based addressing. In ACM SIGPLAN Notices 29. ACM, 319--327.
[7]
D. Champagne and R. Lee. 2010. Scalable architectural support for trusted software. In Proceedings of the International Symposium on High Performance Computer Architecture.
[8]
S. Chen, J. Xu, E. C. Sezer, P. Gauriar, and R. K. Iyer. 2005. Non-control-data attacks are realistic threats. In Proceedings of the 14th Conference on USENIX Security Symposium. USENIX Association, Berkeley, CA.
[9]
X. Chen, T. Garfinkel, E. Lewis, P. Subrahmanyam, D. Boneh, J. Dwoskin Dan, and R. Ports. 2008. Overshadow: A virtualization-based approach to retrofitting protection in commodity operating systems. In Proceedings of the International Conference on Architectural Support for Programming Languages and Operating Systems.
[10]
S. Chhabra, B. Rogers, Y. Solihin, and M. Prvulovic. 2011. SecureME: A hardware-software approach to full system security. In Proceedings of the International Conference on Supercomputing (ICS’11).
[11]
CVE-2009-1897 2009. CVE-2009-1897: NULL dereference and mmap of /dev/net/tun in Linux kernel allows privilege escalation. Retrieved from http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3527.
[12]
CVE-2009-3527 2009. CVE-2009-3527: Race condition in Pipe (IPC) close in FreeBSD allows privilege escalation. (2009). Available online: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1897.
[13]
CVE-2010-4258 2010. CVE-2010-4258: do_exit does not properly handle a KERNEL_DS value allowing privilege escalation. Retrieved from http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4258.
[14]
CVE-2012-5513 2012. CVE-2012-5513: XENMEM_exchange handler does not properly check the memory address allowing privilege escalation. Retrieved from http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5513.
[15]
CVE Details 2015. CVE Details: The ultimate security vulnerability datasource. Retrieved from http://www.cvedetails.com/.
[16]
R. de C Valle. 2009. Linux sock_sendpage() NULL pointer dereference. Retrieved from http://packetstormsecurity.com/files/81212/Linux-sock_sendpage-NULL-Po inter-Dereference.html.
[17]
DOD 1985. Trusted Computer System Evaluation Criteria. Technical Report 5200.28-STD. US Department of Defense. Retrieved from http://csrc.nist.gov/publications/history/dod85.pdf.
[18]
L. Domnitser, A. Jaleel, J. Loew, N. Abu-Ghazaleh, and D. Ponomarev. 2012. Non-monopolizable caches: Low-complexity mitigation of cache side channel attacks. ACM Transactions on Architecture and Code Optimization 8, 4 (Jan. 2012), Article Number 35.
[19]
J. Dwoskin and R. Lee. 2007. Hardware-rooted trust for secure key management and transient trust. In Proceedings of the ACM Conference on Computer and Communications Security.
[20]
edb1 2009. EDB-9477: sock_sendpage() local root exploit in Linux. (2009). Available online: http://www.exploit-db.com/exploits/9477/.
[21]
edb2 2011. EDB-17391: DEC Alpha Linux <= 3.0 local root exploit. (2011). Available online: http://www.exploit-db.com/exploits/17391/.
[22]
J. Elwell, R. Riley, N. Abu-Ghazaleh, and D. Ponomarev. 2014. A non-inclusive memory permissions architecture for protecting against cross-layer attacks. In Proceedings of the International Symposium on High Performamce Computer Architecture (HPCA’14).
[23]
D. Evtyushkin, J. Elwell, M. Ozsoy, D. Ponomarev, N. Abu-Ghazaleh, and R. Riley. 2014. Iso-X: A flexible architecture for hardware-managed isolated execution. In Proceedings of the International Symposium on Microarchitecture (MICRO).
[24]
R. S. Fabry. 1974. Capability-based addressing. Communications of the ACM 17, 7 (1974), 403--412.
[25]
H. Fang, Y. Zhao, H. Zang, H. Huang, Y. Song, Y. Sun, and Z. Liu. 2010. VMGuard: An integrity monitoring system for management virtual machines. In Proceedings of the of International Conference on Parallel and Distributed Systems (ICPADS’10).
[26]
T. Garfinkel and M. Rosenblum. 2003. A virtual machine introspection based architecture for intrusion detection. In Proceedings of the Network and Distributed Systems Security Symposium. 191--206.
[27]
M. Hoekstra, R. Lal, P. Pappachan, C. Rozas, and V. Phegade. 2013. Using innovative instructions to create trustworthy software solutions. In Workshop on Hardware and Architectural Support for Security and Privacy, with ISCA’13.
[28]
O. Hofmann, S. Kim, A. Dunn, M. Lee, and E. Witchel. 2013. InkTag: Secure applications on an untrusted operating system. In Proceedings of the International Conference on Architectural Support for Programming Languages and Operating Systems.
[29]
Intel. 2014. Intel 64 and IA32 architectures software developer’s manual. (2014). Retrieved from http://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-manual-325462.pdf.
[30]
X. Jiang and X. Wang. 2007. Out-of-the-box monitoring of VM-based high-interaction honeypots. In Recent Advances in Intrusion Detection (RAID’07). 198--218.
[31]
X. Jiang, X. Wang, and D. Xu. 2007. Stealthy malware detection through VMM-based out-of-the-box semantic view reconstruction. In Proceedings of the ACM Conference on Computer and Communications Security (CCS’07).
[32]
V. P. Kemerlis, G. Portokalidis, and A. D. Keromytis. 2012. kGuard: Lightweight kernel protection against return-to-user attacks. In Proceedings of the 21st USENIX Conference on Security Symposium. USENIX Association, 39--39.
[33]
G. Klein, K. Elphinstone, G. Heiser, J. Andronick, D. Cock, P. Derrin, D. Elkaduwe, K. Engelhardt, R. Kolanski, M. Norrish, T. Sewell, H. Tuch, and S. Winwood. 2009. seL4: Formal verification of an OS kernel. In Proceedings of the ACM SIGOPS 22nd Symposium on Operating Systems Principles (SOSP’09). ACM, New York, NY, 207--220.
[34]
R. B. Lee, P. C. S. Kwan, J. P. McGregor, J. Dwoskin, and Z. Wang. 2005. Architecture for protecting critical secrets in microprocessors. In Proceedings of the 32nd International Symposium on Computer Architecture, 2005 (ISCA’05). IEEE, 2--13.
[35]
D. Lie, M. Thekkath, M. Mitchell, P. Lincoln, D. Boneh, J. Mitchell, and M. Horowitz. 2000. Architectural support for copy and tamper resistant software. In Proceedings of the International Conference on Architectural Support for Programming Languages and Operating Systems.
[36]
L. Litty, H. Lagar-Cavilla, and D. Lie. 2008. Hypervisor support for identifying covertly executing binaries. In Proceedings of the 17th Usenix Security Symposium.
[37]
MARSS. 2013. MARSSx86: Micro-ARchitectural and System Simulator for x86-based systems. Retrieved from http://marss86.org. Simulator source code and documentation.
[38]
F. McKeen, I. Alexandrovich, A. Berenzon, C.Rozas, H. Shafi, V. Shanbhogue, and U. Savagaonkar. 2013. Innovative instructions and software model for isolated execution. In Proceedings of the Workshop on Hardware and Architectural Support for Security and Privacy, with ISCA’13.
[39]
E. Owusu, J. Guajardo, J. McCune, J. Newsome, A. Perrig, and A. Vadudevan. 2013. OASIS: On achieving a sanctuary for integrity and secrecy on untrusted platforms. In Proceedings of the ACM Conference on Computer and Communications Security.
[40]
M. Payer, T. Hartmann, and T. R. Gross. 2012. Safe loading-a foundation for secure execution of untrusted programs. In Proceedings of the 2012 IEEE Symposium on Security and Privacy (SP’12). IEEE, 18--32.
[41]
B. Payne, M. Carbone, and W. Lee. 2007. Secure and flexible monitoring of virtual machines. In Proceedings of the Annual Computer Security Applications Conference.
[42]
B. Payne, M. Carbone, M. Sharif, and W. Lee. 2008. Lares: An architecture for secure active monitoring using virtualization. In Proceedings of the IEEE Symposium on Security and Privacy.
[43]
R. Riley, X. Jiang, and D. Xu. 2008. Guest-transparent prevention of kernel rootkits with VMM-based memory shadowing. In Recent Advances in Intrusion Detection (RAID’08). 1--20.
[44]
R. Sailer, X. Zhang, T. Jaeger, and L. van Doorn. 2004. Design and implementation of a TCG-based integrity measurement architecture. In Proceedings of the 13th Usenix Security Symposium.
[45]
Security Focus. 2009. BID-36939: Microsoft windows kernel NULL pointer dereference local privilege escalation vulnerability. (2009). Available online: http://www.securityfocus.com/bid/36939.
[46]
A. Seshadri, M. Luk, N. Qu, and A. Perrig. 2007. SecVisor: A tiny hypervisor to provide lifetime kernel code integrity for commodity OSes. In Proceedings of 21st ACM SIGOPS Symposium on Operating Systems Principles (SOSP’07). ACM, New York, NY, 335--350.
[47]
M. Sharif, W. Lee, W. Cui, and A. Lanzi. 2009. Secure In-VM monitoring using hardware virtualization. In Proceedings of the ACM Conference on Computer and Communications Security (CCS’09).
[48]
S. Jin, J. Ahn, S. Cha, and J. Huh. 2011. Architectural support for secure virtualization under a vulnerable hypervisor. In Proceedings of the International Symposium on Microarchitecture.
[49]
G. Suh, D. Clarke, B. Gassend, M. van Dijk, and S. Devadas. 2003. AEGIS: Architecture for tamper-evident and tamper-resistant processing. In Proceedings of the International Conference on Supercomputing.
[50]
J. Szefer, E. Keller, R. Lee, and J. Rexford. 2011. Eliminating the hypervisor attack surface for a more secure cloud. In Proceedings of the ACM Conference on Computer and Communications Security.
[51]
J. Szefer and R. Lee. 2012. Architectural support for hypervisor-secure virtualization. In Proceedings of the International Conference on Architectural Support for Programming Languages and Operating Systems.
[52]
TPM. 2013. TPM main specification. Retrieved from http://www.trustedcomputinggroup.org/resources/tpm_main_specification.
[53]
Z. Wang and R. Lee. 2007. New cache designs for thwarting software cache-based side channel attacks. In Proceedings of the International Symposium on Computer Architecture (ISCA’07).
[54]
Z. Wang and R. Lee. 2008. A novel cache architecture with enhanced performance and security. In Proceedings of the International Symposium on Microarchitecture (MICRO’08).
[55]
E. Witchel, J. Cates, and K. Asanović. 2002. Mondrian memory protection. In Proceedings of the 10th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS X). ACM, 304--316.
[56]
J. Woodruff, R. N. M. Watson, D. Chisnall, S. W. Moore, J. Anderson, B. Davis, B. Laurie, P. G. Neumann, R. Norton, and M. Roe. 2014. The CHERI capability model: Revisiting RISC in an age of risk. In Proceeding of the 41st Annual International Symposium on Computer Architecuture. IEEE Press, 457--468.
[57]
Y. Xia, Y. Lin, and H. Chen. 2013. Architecture support for guest-transparent VM protection from untrusted hypervisor and physical attacks. In Proceedings of the International Symposium on High Performance Computer Architecture.
[58]
Xilinx. 2013. Xilinx 7 Series FPGAs overview. Retrieved from http://www.xilinx.com/support/documentation/data_sheets/ds180_7Series_O verview.pdf.
[59]
F. Zhang, J. Chen, H. Chen, and B. Zang. 2011. Cloudvisor: Retrofitting protection of virtual machines in multi-tenant cloud with nested virtualization. In Proceedings of the ACM Symposium on Operating Systems Principles.

Cited By

View all
  • (2017)Hardening extended memory access control schemes with self-verified address spacesProceedings of the 36th International Conference on Computer-Aided Design10.5555/3199700.3199752(392-399)Online publication date: 13-Nov-2017
  • (2017)Hardening extended memory access control schemes with self-verified address spaces2017 IEEE/ACM International Conference on Computer-Aided Design (ICCAD)10.1109/ICCAD.2017.8203804(392-399)Online publication date: Nov-2017
  • (2016)Understanding and Mitigating Covert Channels Through Branch PredictorsACM Transactions on Architecture and Code Optimization10.1145/287063613:1(1-23)Online publication date: 7-Mar-2016

Recommendations

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Transactions on Architecture and Code Optimization
ACM Transactions on Architecture and Code Optimization  Volume 12, Issue 4
January 2016
848 pages
ISSN:1544-3566
EISSN:1544-3973
DOI:10.1145/2836331
Issue’s Table of Contents
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 08 December 2015
Accepted: 01 November 2015
Revised: 01 October 2015
Received: 01 April 2014
Published in TACO Volume 12, Issue 4

Permissions

Request permissions for this article.

Check for updates

Author Tags

  1. Architecture
  2. security
  3. system software

Qualifiers

  • Research-article
  • Research
  • Refereed

Funding Sources

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)74
  • Downloads (Last 6 weeks)7
Reflects downloads up to 26 Dec 2024

Other Metrics

Citations

Cited By

View all
  • (2017)Hardening extended memory access control schemes with self-verified address spacesProceedings of the 36th International Conference on Computer-Aided Design10.5555/3199700.3199752(392-399)Online publication date: 13-Nov-2017
  • (2017)Hardening extended memory access control schemes with self-verified address spaces2017 IEEE/ACM International Conference on Computer-Aided Design (ICCAD)10.1109/ICCAD.2017.8203804(392-399)Online publication date: Nov-2017
  • (2016)Understanding and Mitigating Covert Channels Through Branch PredictorsACM Transactions on Architecture and Code Optimization10.1145/287063613:1(1-23)Online publication date: 7-Mar-2016

View Options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Login options

Full Access

Media

Figures

Other

Tables

Share

Share

Share this Publication link

Share on social media