ppt
advertisement
Efficient Software-Based Fault Isolation Authors: Robert Wahbe Steven Lucco Thomas E. Anderson Susan L. Graham Presenter: Gregory Netland The Big Picture • Two Main things: – Loading the distrusted code into its own fault domain • Only mistrusted • Cheaper RPC for cross fault domains – Modify object code so it doesn’t jump to an area it is not supposed to Introduction – More Big Picture Definitions and such • 1993 - what was happening…133mhz, WTC, microkernels • Sandboxing – only slightly increases execution time • Modifying Object Code • Fault Domains – a logically separate portion of the applications address space, and has a uniques identifier which is used to control its access Examples of Programs that could cause problems • PostGres – queries with extension code can play with data not its own or just mess with database in general • BSD (three areas) • Microsoft’s Object Linking • As more things are moved to the user level, more third party code can mess with kernel operations - ? Other Examples • Unix vnode interface – easy to add file system • I/O / Active Messages – compiled into kernel for reasonable performance • Quark Xpress – extension modules can currupt its data structures What does this show significant portion of time being spent in operating system context switch code only a small amount of code is distrusted Why us software and not Hardware • Does not scale with processor integer performance • High Cost for address switching – RPC example: requires at least • • • • • • • A trap into the operating system kernel Copying each argument from the caller to callee Saving and restoring registers Switching hardware address spaces Possibly flushing the TLB A trap back to user level Rinse and repeat Software Enforced Fault Isolation • Going back to the big picture, we have to locate were faults occur in a software module and then we can look at Sandboxing • Cut up the virtual address space into separate chunks Segment Identifier • Divide an applications virtual address space into segments • All virtual addresses share pattern of upper bits • Fault domain has two segments – One for distrusted module’s code – Other for heap, stack, and static data Software Encapsulation • Distrusted code can only jump within its segment, as well as write to its segment, due to the segment identifiers • All legal jumps have same bit pattern • This doesn’t solve all problems, the os will still need to catch illegal things, such as unmapped pages • We have two techniques for this……. Segment matching • Insert Checking code before any unsafe instruction (unsafe means not statically verifiable…jumps through registers procedure returns, or stores in registers for target address are considered unsafe) • Is it in the correct segment? • If not, trap to system error • Uses 4 registers, but not a problem based on their tests • can pinpoint the offending instruction, there for better for development • Or can skip the pinpointing for efficiency Or Sandboxing • This sets the upper bits to the correct segment identifier • This doesn’t catch, it stops • Verifiable • Takes 5 registers instead of 4 Optimizations • Register + offset and guardzones –this avoids uneeded math to compute target addresses. They sandbox reg and not reg + offset to save an instruction. • MIPS stack pointer as a dedicated register and the stack pointer is only sandboxed when set • Transformation tool to remove sandboxing from loops Process Resources • Need to stop multiple fault domains that share the same virtual address space from corrupting per-address-space resources – Let the operating system know – Cross fault domain RPC Data Sharing • Cant work the same way hardware implementation does because hw solution manipulates page table entries in a different way. • Read only is not a problem because fault domains can read any memory within the address space • Read-write through lazy pointer swizzling – Modify hardware page tables to map the shared memory region into every address space segment that needs access – Automatically translates into own segment through sandboxing • Another option is shared segment matching, dedicated registers to hold bitmap that tells which segments the fault domain can access Implementation and Verification • Unsafe regions are areas of code that modify jump dedicated register • Is the dedicated register valid upon exiting the region • Disadvantages – Most modified compilers only support one language – Compiler and verifier must be synchronized – Binary patching can fix these things, however not robust enough Binary patching • System can encapsulate the module by directly modifying object code • Unfornately, a good technique for this does not exist yet • Jump table is legal address outside the fault domain • Kept in read only, so only modified by trusted code • Stubs are unprotected and responsible for copying cross domain arguments Fast communication between fault domains • Calling a trusted stub outside of your domain – Jump table – only modified by trusted code, and legal entry point outside domain • Arguments are passed between fault domains – Because they are trusted, we can copy directly to target domain*** • Fault isolation – In a cross domain call the registers used by the caller and possibly modified by the callee are protected – Switch execution stack – Validate registers – Establish register context for encapsulation • Errors – Addressing violation, loops, etc… Results • How much overhead? • How fast is cross domain fault? Related Work • At this time it was typical to buld micro-kernel operating systems with separate address spaces – This meant heavy ipc with untrusted domains – Performance problems • Some people loaded modules into kernel address space (co-location) – Which means performance over protection • So, this paper is trying to get performance and protection.
