Isolating functions at the hardware limit with virtines

Wanninger, Nicholas C.; Bowden, Joshua J.; Shetty, Kirtankumar; Garg, Ayush; Hale, Kyle C.

doi:10.1145/3492321.3519553

Cited by 12 publications

(5 citation statements)

References 28 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In recent years, many works have looked at implementing various forms of compartmentalization [5-10, 12-16, 18, 22, 25, 27, 28, 32-34, 36-38, 44]. Many of these approaches have focused on library isolation [5, 6, 15, 22, 25, 28, 32-34, 37, 44], while others approach isolation in a much more fine-grained way, including function level isolation [13,14,36,38]. Isolation in single-address-space OSes such as Library OSes has also been explored [22,33,36], although using other mechanisms such as memory protection keys.…”

Section: Related Workmentioning

confidence: 99%

“…Contrary to many other protection techniques, compartmentalization allows defending against yet unknown/future vulnerabilities in existing code bases [41]. Many approaches have been proposed in recent years, utilizing different hardware and software isolation mechanisms to compartmentalize libraries [5, 6, 15, 22, 25, 28, 32-34, 37, 44] as well as smaller pieces of code such as functions [3,14,36,38].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Software Compartmentalization Trade-Offs with Hardware Capabilities

Kressel,

Lefeuvre,

Olivier

2023

Proceedings of the 12th Workshop on Programming Languages and Operating Systems

View full text Add to dashboard Cite

Compartmentalization is a form of defensive software design in which an application is broken down into isolated but communicating components. Retrofitting compartmentalization into existing applications is often thought to be expensive from the engineering effort and performance overhead points of view. Still, recent years have seen proposals of compartmentalization methods with promises of low engineering efforts and reduced performance impact. ARM Morello combines a modern ARM processor with an implementation of Capability Hardware Enhanced RISC Instructions (CHERI) aiming to provide efficient and secure compartmentalization. Past works exploring CHERI-based compartmentalization were restricted to emulated/FPGA prototypes.In this paper, we explore possible compartmentalization schemes with CHERI on the Morello chip. We propose two approaches representing different trade-offs in terms of engineering effort, security, scalability, and performance impact. We describe and implement these approaches on a prototype OS running bare metal on the Morello chip, compartmentalize two popular applications, and investigate the performance overheads. Furthermore, we show that compartmentalization can be achieved with an engineering cost that can be quite low if one is willing to trade off on scalability and security, and that performance overheads are similar to other intra-address space isolation mechanisms.CCS Concepts: • Security and privacy → Security in hardware; Operating systems security; Software and application security.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Software Compartmentalization Trade-Offs with Hardware Capabilities

Kressel,

Lefeuvre,

Olivier

2023

Proceedings of the 12th Workshop on Programming Languages and Operating Systems

View full text Add to dashboard Cite

show abstract

“…Isolation Units Communication Mechanism Hardware Features Used Dune [6] Dune processes In-VM system calls Intel VT-x SeCage [20] Secret compartments VMFUNC Intel VT-x & Intel VMFUNC LwC [19] Lightweight contexts Memory mappings switching -Scone [4] Secure containers Shields & asynchronous syscalls Intel SGX Skybridge [21] Client/server processes EPTP switching VM function Intel VMFUNC & Intel EPT Donky [26] Security Domains Domain calls Intel MPK cubicleOS [25] Cubicles Cross-component function call Intel MPK cVM (cap-vm) [24] cap VMs Capability-based function call CHERI Virtines [28] Virtines Hypercalls 1 Intel VT-x, AMD SVM orbit [15] Orbit tasks PTEs copying 2 space in the case of single-threaded processes). This rigidity of processes and threads has been regularly challenged for being unsuitable or insufficient, especially for new EF and isolation scenarios [15], which seek extensibility (e.g., user-defined functions, web browser extensions, kernel extensions, etc.…”

Section: Namementioning

confidence: 99%

“…The current version of the toolchain imposes some constraints on the source code organization (e.g., the main routine for each EF must be implemented in its own file). In the next version, we intend to lift these restrictions and introduce support for additional types of isolation mechanisms (virtual machines, containers, and virtines [28]).…”

Section: Preliminary Prototypementioning

confidence: 99%

xOS

Tchana,

Goepp,

Bitchebe

et al. 2023

Proceedings of the 14th ACM SIGOPS Asia-Pacific Workshop on Systems

View full text Add to dashboard Cite

HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers. L'archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d'enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.

show abstract

“…Recent years have seen the appearance of an increasingly large number of new isolation mechanisms [10], [4], [3], [65], [53], [45] that enable fine-grained compartmentalization. This resulted in compartmentalization works targeting finer and finer granularities, such as libraries [67], [60], [19], [42], [53], [35], [5], [51], [29], [2], modules [22], [2], [52], files [2], and even functions/blocks of code [16], [64], [57], [1]. In that context, major attention was dedicated to compartmentalizing existing code, since rewriting software from scratch to work in a compartmentalized manner is costly and complex [16].…”

Section: Introductionmentioning

confidence: 99%

Assessing the Impact of Interface Vulnerabilities in Compartmentalized Software

Lefeuvre¹,

Bădoiu²,

Chien³

et al. 2023

Proceedings 2023 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Least-privilege separation decomposes applications into compartments limited to accessing only what they need. When compartmentalizing existing software, many approaches neglect securing the new inter-compartment interfaces, although what used to be a function call from/to a trusted component is now potentially a targeted attack from a malicious compartment. This results in an entire class of security bugs: Compartment Interface Vulnerabilities (CIVs).This paper provides an in-depth study of CIVs. We taxonomize these issues and show that they affect all known compartmentalization approaches. We propose ConfFuzz, an inmemory fuzzer specialized to detect CIVs at possible compartment boundaries. We apply ConfFuzz to a set of 25 popular applications and 36 possible compartment APIs, to uncover a wide data-set of 629 vulnerabilities. We systematically study these issues, and extract numerous insights on the prevalence of CIVs, their causes, impact, and the complexity to address them. We stress the critical importance of CIVs in compartmentalization approaches, demonstrating an attack to extract isolated keys in OpenSSL and uncovering a decade-old vulnerability in sudo. We show, among others, that not all interfaces are affected in the same way, that API size is uncorrelated with CIV prevalence, and that addressing interface vulnerabilities goes beyond writing simple checks. We conclude the paper with guidelines for CIV-aware compartment interface design, and appeal for more research towards systematic CIV detection and mitigation.

show abstract

Isolating functions at the hardware limit with virtines

Cited by 12 publications

References 28 publications

Software Compartmentalization Trade-Offs with Hardware Capabilities

Software Compartmentalization Trade-Offs with Hardware Capabilities

xOS

Assessing the Impact of Interface Vulnerabilities in Compartmentalized Software

Contact Info

Product

Resources

About