ABSTRACT
Compartmentalization decomposes a program into separate parts whose interactions are mediated through compartment interfaces, hiding information that would otherwise be accessible from a compromised component. Unfortunately, most code was not developed with its interfaces treated as trust boundaries. Left unchecked, these interfaces expose confused deputy attacks, in which data flowing from malicious inputs can coerce a compartment into accessing previously hidden information on behalf of the untrusted caller.
We introduce a novel program analysis that models data flows through compartment interfaces to automatically and comprehensively find and measure the attack surface created by compartment-bypassing data flows. Using this analysis we examine the Linux kernel along diverse compartment boundaries and characterize the degree of vulnerability. We find many compartment-bypassing paths (395 of 4394 driver interfaces expose 22741 such paths), far too many to correct by hand. We introduce CIVSCOPE as a comprehensive and sound approach to analyze and uncover the lower-bound and potential upper-bound risks associated with the memory operations in compartment boundary interfaces.
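To make the confused-deputy flow described above concrete, the following is an added C example; it is not code from the paper or from CIVSCOPE. It simulates two in-process compartments (a trusted core and an untrusted driver) sharing one address space, the way MPK- or SFI-style isolation would, and exposes an interface that copies bytes from a caller-supplied pointer into a driver-readable log. The compartment names, the region table, the `owned_by` check and the `core_log_*` functions are assumptions of this example, not the paper's model or a real kernel interface.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Two simulated compartments in one address space. Everything below is a
 * constructed example; names and layout are assumptions, not CIVSCOPE's model. */
enum compartment { CORE = 0, DRIVER = 1 };

/* Hidden state: only CORE is supposed to be able to read this. */
static char core_secret[32] = "core-private-key-material";

/* DRIVER-owned memory: the untrusted caller's own buffer. */
static char driver_buf[64] = "ordinary driver message";

/* Log buffer written by CORE but readable by DRIVER (e.g. a shared ring). */
static char shared_log[128];

/* Ownership table the hardened interface consults before dereferencing. */
struct region { const void *base; size_t len; enum compartment owner; };
static const struct region regions[] = {
    { core_secret, sizeof core_secret, CORE },
    { driver_buf,  sizeof driver_buf,  DRIVER },
    { shared_log,  sizeof shared_log,  DRIVER },
};

/* Overflow-safe check that [p, p+n) lies entirely inside a region owned by `who`. */
static int owned_by(enum compartment who, const void *p, size_t n)
{
    uintptr_t lo = (uintptr_t)p;
    if (UINTPTR_MAX - lo < n) return 0;          /* p + n would wrap */
    uintptr_t hi = lo + n;
    for (size_t i = 0; i < sizeof regions / sizeof regions[0]; i++) {
        uintptr_t rlo = (uintptr_t)regions[i].base;
        uintptr_t rhi = rlo + regions[i].len;
        if (regions[i].owner == who && lo >= rlo && hi <= rhi)
            return 1;
    }
    return 0;
}

/* Interface as most legacy code writes it: the pointer that crossed the
 * boundary is trusted. The copy runs with CORE's privileges, so `src` may
 * point at anything CORE can read, including its own hidden state. */
int core_log_unchecked(const char *src, size_t n)
{
    if (n >= sizeof shared_log) return -1;
    memcpy(shared_log, src, n);
    shared_log[n] = '\0';
    return 0;
}

/* Hardened interface: the pointer is interface data from an untrusted caller
 * and is validated against that caller's ownership before any dereference. */
int core_log_checked(enum compartment caller, const char *src, size_t n)
{
    if (n >= sizeof shared_log) return -1;
    if (!owned_by(caller, src, n)) return -2;    /* compartment-bypassing flow rejected */
    memcpy(shared_log, src, n);
    shared_log[n] = '\0';
    return 0;
}

/* Untrusted DRIVER acting as the confused deputy's caller: it cannot read
 * core_secret itself, so it points the interface at it and reads the result
 * back out of the shared log. Returns 1 if the secret leaked, 0 otherwise. */
int driver_attack(int use_checked)
{
    memset(shared_log, 0, sizeof shared_log);
    if (use_checked)
        core_log_checked(DRIVER, core_secret, sizeof core_secret);
    else
        core_log_unchecked(core_secret, sizeof core_secret);
    return memcmp(shared_log, core_secret, sizeof core_secret) == 0;
}

int main(void)
{
    printf("unchecked interface leaks secret: %d\n", driver_attack(0));
    printf("checked interface leaks secret:   %d\n", driver_attack(1));
    printf("checked interface, legitimate driver buffer: rc=%d\n",
           core_log_checked(DRIVER, driver_buf, strlen(driver_buf)));
    return 0;
}
```

The unchecked variant is exactly a compartment-bypassing path in the abstract's sense: no memory-safety bug is needed, the core simply performs a read on behalf of a caller that was never entitled to it. The check has to sit at every interface dereference of caller-derived data, and an interface may reach such a dereference through many paths, which is why the paper argues that finding them by hand does not scale.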