system call interposition - peopledawnsong/...more recently: google native client •goal: make a...
TRANSCRIPT
![Page 1: System Call Interposition - Peopledawnsong/...More recently: Google Native Client •Goal: make a web browser plugins as safe as JavaScript –But with the speed of machine code •Uses](https://reader033.vdocuments.site/reader033/viewer/2022052101/603b0197546f4e4b360b5c7f/html5/thumbnails/1.jpg)
System Call Interposition
Computer Security Course. Dawn Song
Slides credit: Dan Boneh
![Page 2: System Call Interposition - Peopledawnsong/...More recently: Google Native Client •Goal: make a web browser plugins as safe as JavaScript –But with the speed of machine code •Uses](https://reader033.vdocuments.site/reader033/viewer/2022052101/603b0197546f4e4b360b5c7f/html5/thumbnails/2.jpg)
Administrative Issues
• Optional reading
• Practice questions for midterm
• Study guide for midterm
• Class survey
![Page 3: System Call Interposition - Peopledawnsong/...More recently: Google Native Client •Goal: make a web browser plugins as safe as JavaScript –But with the speed of machine code •Uses](https://reader033.vdocuments.site/reader033/viewer/2022052101/603b0197546f4e4b360b5c7f/html5/thumbnails/3.jpg)
Alternate design: systrace [P’02]
• systrace only forwards monitored sys-calls to monitor (efficiency)
• systrace resolves sym-links and replaces sys-call path arguments by full path to target
• When app calls execve, monitor loads new policy file
user space
open(“etc/passwd”, “r”)
monitor
permit/deny
policy file for app
monitored application (browser)
sys-call gateway
systrace
![Page 4: System Call Interposition - Peopledawnsong/...More recently: Google Native Client •Goal: make a web browser plugins as safe as JavaScript –But with the speed of machine code •Uses](https://reader033.vdocuments.site/reader033/viewer/2022052101/603b0197546f4e4b360b5c7f/html5/thumbnails/4.jpg)
Filtering Architecture Application
process
System Call Entry
resu
lt
Open(“foo”)
resu
lt
Kernel Proper
tracing interface Open(“foo”)
result
Deny
Monitor
Allo
w/D
eny
Open(“foo”)
User space
Kernel space
process
process
![Page 5: System Call Interposition - Peopledawnsong/...More recently: Google Native Client •Goal: make a web browser plugins as safe as JavaScript –But with the speed of machine code •Uses](https://reader033.vdocuments.site/reader033/viewer/2022052101/603b0197546f4e4b360b5c7f/html5/thumbnails/5.jpg)
Issues with Filtering Architecture
• Filter examines sys-calls and decides whether to block
• Difficulty with syncing state between app and monitor (CWD, UID, ..)
– Incorrect syncing results in security vulnerabilities (e.g. disallowed file opened)
![Page 6: System Call Interposition - Peopledawnsong/...More recently: Google Native Client •Goal: make a web browser plugins as safe as JavaScript –But with the speed of machine code •Uses](https://reader033.vdocuments.site/reader033/viewer/2022052101/603b0197546f4e4b360b5c7f/html5/thumbnails/6.jpg)
Ostia: a Delegation Architecture [GBR04]
Process Emulation library
Process Emulation library
agent
agent
result
result
request
request
Restricted interface
User space
Kernel space
Application
![Page 7: System Call Interposition - Peopledawnsong/...More recently: Google Native Client •Goal: make a web browser plugins as safe as JavaScript –But with the speed of machine code •Uses](https://reader033.vdocuments.site/reader033/viewer/2022052101/603b0197546f4e4b360b5c7f/html5/thumbnails/7.jpg)
Ostia: a delegation architecture [GPR’04]
• Monitored app disallowed from making monitored sys calls – Minimal kernel change (… but app can call close() itself )
• Sys-call delegated to an agent that decides if call is allowed
– Can be done without changing app
(requires an emulation layer in monitored process)
• Incorrect state syncing will not result in policy violation
• What should agent do when app calls execve?
– Process can make the call directly. Agent loads new policy file.
![Page 8: System Call Interposition - Peopledawnsong/...More recently: Google Native Client •Goal: make a web browser plugins as safe as JavaScript –But with the speed of machine code •Uses](https://reader033.vdocuments.site/reader033/viewer/2022052101/603b0197546f4e4b360b5c7f/html5/thumbnails/8.jpg)
Policy Sample policy file:
path allow /tmp/* path deny /etc/passwd network deny all
Manually specifying policy for an app can be difficult:
– Systrace can auto-generate policy by learning how app behaves on “good” inputs
– If policy does not cover a specific sys-call, ask user
… but user has no way to decide
Difficulty with choosing policy for specific apps (e.g. browser) is the main reason this approach is not widely used
![Page 9: System Call Interposition - Peopledawnsong/...More recently: Google Native Client •Goal: make a web browser plugins as safe as JavaScript –But with the speed of machine code •Uses](https://reader033.vdocuments.site/reader033/viewer/2022052101/603b0197546f4e4b360b5c7f/html5/thumbnails/9.jpg)
Virtual Machine Monitor
Computer Security Course. Dawn Song
Slides credit: Dan Boneh
![Page 10: System Call Interposition - Peopledawnsong/...More recently: Google Native Client •Goal: make a web browser plugins as safe as JavaScript –But with the speed of machine code •Uses](https://reader033.vdocuments.site/reader033/viewer/2022052101/603b0197546f4e4b360b5c7f/html5/thumbnails/10.jpg)
Virtualization
Hypervisor
VMM VMM VMM
Base Functionality (eg. Scheduling)
Enhanced Functionality
Application
Operating System
Application
Operating System
Application
Operating System
![Page 11: System Call Interposition - Peopledawnsong/...More recently: Google Native Client •Goal: make a web browser plugins as safe as JavaScript –But with the speed of machine code •Uses](https://reader033.vdocuments.site/reader033/viewer/2022052101/603b0197546f4e4b360b5c7f/html5/thumbnails/11.jpg)
Intrusion Detection / Anti-virus Runs as part of OS kernel and user space process
– Kernel root kit can shutdown protection system
– Common practice for modern malware
Standard solution: run IDS system in the network
– Problem: insufficient visibility into user’s machine
Better: run IDS as part of VMM (protected from malware)
– VMM can monitor virtual hardware for anomalies
– VMI: Virtual Machine Introspection
• Allows VMM to check Guest OS internals
![Page 12: System Call Interposition - Peopledawnsong/...More recently: Google Native Client •Goal: make a web browser plugins as safe as JavaScript –But with the speed of machine code •Uses](https://reader033.vdocuments.site/reader033/viewer/2022052101/603b0197546f4e4b360b5c7f/html5/thumbnails/12.jpg)
Infected VM malw
are
VMM
Guest OS
Hardware
IDS
VMM-based IDS
![Page 13: System Call Interposition - Peopledawnsong/...More recently: Google Native Client •Goal: make a web browser plugins as safe as JavaScript –But with the speed of machine code •Uses](https://reader033.vdocuments.site/reader033/viewer/2022052101/603b0197546f4e4b360b5c7f/html5/thumbnails/13.jpg)
Sample checks Stealth root-kit malware:
– Creates processes that are invisible to “ps”
– Opens sockets that are invisible to “netstat”
1. Lie detector check
– Goal: detect stealth malware that hides processes and network activity
– Method:
• VMM lists processes running in GuestOS
• VMM requests GuestOS to list processes (e.g. ps)
• If mismatch: kill VM
![Page 14: System Call Interposition - Peopledawnsong/...More recently: Google Native Client •Goal: make a web browser plugins as safe as JavaScript –But with the speed of machine code •Uses](https://reader033.vdocuments.site/reader033/viewer/2022052101/603b0197546f4e4b360b5c7f/html5/thumbnails/14.jpg)
Sample checks 2. Application code integrity detector
– VMM computes hash of user app code running in VM
– Compare to whitelist of hashes
• Kills VM if unknown program appears
3. Ensure GuestOS kernel integrity
– example: detect changes to sys_call_table
4. Virus signature detector
– Run virus signature detector on GuestOS memory
![Page 15: System Call Interposition - Peopledawnsong/...More recently: Google Native Client •Goal: make a web browser plugins as safe as JavaScript –But with the speed of machine code •Uses](https://reader033.vdocuments.site/reader033/viewer/2022052101/603b0197546f4e4b360b5c7f/html5/thumbnails/15.jpg)
VM-based Malware: Subvirt [King et al. 2006]
Virus idea:
– Once on victim machine, install a malicious VMM
– Virus hides in VMM
– Invisible to virus detector running inside VM
HW OS
HW
OS VMM and virus
anti-v
irus
anti-v
irus
![Page 16: System Call Interposition - Peopledawnsong/...More recently: Google Native Client •Goal: make a web browser plugins as safe as JavaScript –But with the speed of machine code •Uses](https://reader033.vdocuments.site/reader033/viewer/2022052101/603b0197546f4e4b360b5c7f/html5/thumbnails/16.jpg)
Software Fault Isolation
Computer Security Course. Dawn Song
Slides credit: Dan Boneh, Stephen McCamant
![Page 17: System Call Interposition - Peopledawnsong/...More recently: Google Native Client •Goal: make a web browser plugins as safe as JavaScript –But with the speed of machine code •Uses](https://reader033.vdocuments.site/reader033/viewer/2022052101/603b0197546f4e4b360b5c7f/html5/thumbnails/17.jpg)
• Protect app from untrusted code it has to interact with
– E.g., 3rd party libraries, modules, extensions, device drivers
App
Untrusted code
(lib/extensions)
Goal
![Page 18: System Call Interposition - Peopledawnsong/...More recently: Google Native Client •Goal: make a web browser plugins as safe as JavaScript –But with the speed of machine code •Uses](https://reader033.vdocuments.site/reader033/viewer/2022052101/603b0197546f4e4b360b5c7f/html5/thumbnails/18.jpg)
Solution I: Process Isolation • Running in different processes
• Communicate with inter-process communication
App Untrusted code
Operating system
process process
machine
![Page 19: System Call Interposition - Peopledawnsong/...More recently: Google Native Client •Goal: make a web browser plugins as safe as JavaScript –But with the speed of machine code •Uses](https://reader033.vdocuments.site/reader033/viewer/2022052101/603b0197546f4e4b360b5c7f/html5/thumbnails/19.jpg)
Issues with Process Isolation
• Inefficient for frequent IPC
App Untrusted code
Operating system
process process
machine
![Page 20: System Call Interposition - Peopledawnsong/...More recently: Google Native Client •Goal: make a web browser plugins as safe as JavaScript –But with the speed of machine code •Uses](https://reader033.vdocuments.site/reader033/viewer/2022052101/603b0197546f4e4b360b5c7f/html5/thumbnails/20.jpg)
• App & untrusted code runs in same process
• Security enforcement: untrusted code can only read and write untrusted data segment
• [Wahbe et al. SOSP’93]
Solution II: Software Fault Isolation
App code segment
Untrusted code segment
process
Untrusted data segment
App data segment
Untrusted code can read/write untrusted data
0x1a000000
0x1affffff
0x1effffff
0xda000000
0xdaffffff
0x1e000000
0x1cffffff
0x1c000000
![Page 21: System Call Interposition - Peopledawnsong/...More recently: Google Native Client •Goal: make a web browser plugins as safe as JavaScript –But with the speed of machine code •Uses](https://reader033.vdocuments.site/reader033/viewer/2022052101/603b0197546f4e4b360b5c7f/html5/thumbnails/21.jpg)
SFI: basic idea f00: nop
f04: nop
f08: nop
f0c: nop
f10: nop
f14: sw $t3, 0($t4)
f18: nop
![Page 22: System Call Interposition - Peopledawnsong/...More recently: Google Native Client •Goal: make a web browser plugins as safe as JavaScript –But with the speed of machine code •Uses](https://reader033.vdocuments.site/reader033/viewer/2022052101/603b0197546f4e4b360b5c7f/html5/thumbnails/22.jpg)
SFI: basic idea f00: nop
f04: nop
f08: nop
f0c: nop
f10: sandbox $t4
f14: sw $t3, 0($t4)
f18: nop
![Page 23: System Call Interposition - Peopledawnsong/...More recently: Google Native Client •Goal: make a web browser plugins as safe as JavaScript –But with the speed of machine code •Uses](https://reader033.vdocuments.site/reader033/viewer/2022052101/603b0197546f4e4b360b5c7f/html5/thumbnails/23.jpg)
SFI: basic idea f00: nop
f04: nop
f08: nop
f0c: and $t4, $t4, 0x00ffffff
f10: or $t4, $t4, 0xda000000
f14: sw $t3, 0($t4)
f18: nop
![Page 24: System Call Interposition - Peopledawnsong/...More recently: Google Native Client •Goal: make a web browser plugins as safe as JavaScript –But with the speed of machine code •Uses](https://reader033.vdocuments.site/reader033/viewer/2022052101/603b0197546f4e4b360b5c7f/html5/thumbnails/24.jpg)
SFI: basic idea f00: nop
f04: jr $t5
f08: nop
f0c: and $t4, $t4, 0x00ffffff
f10: or $t4, $t4, 0xda000000
f14: sw $t3, 0($t4)
f18: nop
![Page 25: System Call Interposition - Peopledawnsong/...More recently: Google Native Client •Goal: make a web browser plugins as safe as JavaScript –But with the speed of machine code •Uses](https://reader033.vdocuments.site/reader033/viewer/2022052101/603b0197546f4e4b360b5c7f/html5/thumbnails/25.jpg)
SFI: basic idea f00: nop
f04: jr $t5
f08: nop
f0c: and $s4, $t4, $s1
f10: or $s4, $s4, $s2
f14: sw $t3, 0($s4)
f18: nop
Invariants: $s1 = 0x00ffffff
$s2 = 0xda000000
$s4 = 0xda******
![Page 26: System Call Interposition - Peopledawnsong/...More recently: Google Native Client •Goal: make a web browser plugins as safe as JavaScript –But with the speed of machine code •Uses](https://reader033.vdocuments.site/reader033/viewer/2022052101/603b0197546f4e4b360b5c7f/html5/thumbnails/26.jpg)
Cross domain calls caller
domain callee
domain
call draw draw: return
call stub
br addr br addr br addr
ret stub
• Only stubs allowed to make cross-domain jumps
• Jump table contains allowed exit points
– Addresses are hard coded, read-only segment
br addr br addr br addr
![Page 27: System Call Interposition - Peopledawnsong/...More recently: Google Native Client •Goal: make a web browser plugins as safe as JavaScript –But with the speed of machine code •Uses](https://reader033.vdocuments.site/reader033/viewer/2022052101/603b0197546f4e4b360b5c7f/html5/thumbnails/27.jpg)
SFI and CISC
• The classic SFI approach only works for RISC-style aligned instructions
• Inapplicable to important CISC architectures like x86(-64)
![Page 28: System Call Interposition - Peopledawnsong/...More recently: Google Native Client •Goal: make a web browser plugins as safe as JavaScript –But with the speed of machine code •Uses](https://reader033.vdocuments.site/reader033/viewer/2022052101/603b0197546f4e4b360b5c7f/html5/thumbnails/28.jpg)
CISC challenge: overlapping instructions
• Processor can jump to any byte
![Page 29: System Call Interposition - Peopledawnsong/...More recently: Google Native Client •Goal: make a web browser plugins as safe as JavaScript –But with the speed of machine code •Uses](https://reader033.vdocuments.site/reader033/viewer/2022052101/603b0197546f4e4b360b5c7f/html5/thumbnails/29.jpg)
CISC challenge: overlapping instructions
![Page 30: System Call Interposition - Peopledawnsong/...More recently: Google Native Client •Goal: make a web browser plugins as safe as JavaScript –But with the speed of machine code •Uses](https://reader033.vdocuments.site/reader033/viewer/2022052101/603b0197546f4e4b360b5c7f/html5/thumbnails/30.jpg)
CISC challenge: overlapping instructions
![Page 31: System Call Interposition - Peopledawnsong/...More recently: Google Native Client •Goal: make a web browser plugins as safe as JavaScript –But with the speed of machine code •Uses](https://reader033.vdocuments.site/reader033/viewer/2022052101/603b0197546f4e4b360b5c7f/html5/thumbnails/31.jpg)
More recently: Google Native Client
• Goal: make a web browser plugins as safe as JavaScript
– But with the speed of machine code
• Uses SFI alignment approach
– With variations for x86, ARM, x86-64
• Shipped in Google Chrome browser
![Page 32: System Call Interposition - Peopledawnsong/...More recently: Google Native Client •Goal: make a web browser plugins as safe as JavaScript –But with the speed of machine code •Uses](https://reader033.vdocuments.site/reader033/viewer/2022052101/603b0197546f4e4b360b5c7f/html5/thumbnails/32.jpg)
NaCl: a modern day example
• game: untrusted x86 code
• Two sandboxes:
– outer sandbox: restricts capabilities using system call interposition
– Inner sandbox: uses x86 memory segmentation to isolate application memory among apps
Browser
HTML JavaScript
NPAPI
NaCl runtime
game
![Page 33: System Call Interposition - Peopledawnsong/...More recently: Google Native Client •Goal: make a web browser plugins as safe as JavaScript –But with the speed of machine code •Uses](https://reader033.vdocuments.site/reader033/viewer/2022052101/603b0197546f4e4b360b5c7f/html5/thumbnails/33.jpg)
Isolation: summary • Many sandboxing techniques:
Physical air gap, Virtual air gap (VMMs),
System call interposition, Software Fault isolation
Application specific (e.g. Javascript in browser)
• Often complete isolation is inappropriate
– Apps need to communicate through regulated interfaces
• Hardest aspects of sandboxing:
– Specifying policy: what can apps do and not do
– Preventing covert channels