Process-Shared and Persistent Code Caches Derek Bruening and Vladimir Kiriansky VEE 2008.
-
Upload
austen-reed -
Category
Documents
-
view
222 -
download
1
Transcript of Process-Shared and Persistent Code Caches Derek Bruening and Vladimir Kiriansky VEE 2008.
Copyright © 2008 VMware, Inc. All rights reserved. 2
Software Code Caches
Performance boost for runtime systems
Virtual machines, interpreters, dynamic translators
Dynamic compilers (JIT, etc.) and optimizers
Simulators and emulators
Indirection of runtime code manipulation
Avoid transparency and granularity limitations of directly modifying application code
Dynamic tools: profiling, security, optimization, auditing, introspection, analysis, ...
Copyright © 2008 VMware, Inc. All rights reserved. 3
Performance Limitations
As code caches mature, their uses are moving beyond single-application research instances
Deploy on production systems
Apply to many processes simultaneously
Problem: memory usage!
Scalability noticeably more limited than native
Problem: cold code performance!
Desktop application start-up feels sluggish
Copyright © 2008 VMware, Inc. All rights reserved. 4
Contributions
Code cache design that supports both inter-process sharing and inter-execution persistence
Adaptive-level-of-granularity code cache
Evaluation in DynamoRIO industrial-strength system
Base for Determina’s Memory Firewall host intrusion prevention technology
Focus on security:
Scheme that avoids privilege escalation while allowing high-to-low and peer-to-peer sharing
Read-only code caches and data structures in steady state
Copyright © 2008 VMware, Inc. All rights reserved. 5
Outline
Introduction
Sharing
Security
Consistency
Implementation
Evaluation
Copyright © 2008 VMware, Inc. All rights reserved. 6
Shared Libraries Undone
D.dll
A.dll
B.dll
C.dll
X.exe
code cache:executed parts ofA, B, C
Y.exe X.exe
code cache: executed parts ofA, C, D
code cache: executed parts ofA, B, C
Copyright © 2008 VMware, Inc. All rights reserved. 7
Granularity of Sharing
Mirror native code organization
Code caches contain native code translations
Align code cache shareability, removal, and versioning with the units of code that the application loads, unloads, and are updated
Larger units have more limited shareability
Other instances of the same application
Do not share dynamically-generated code
Unlikely to be identical in every process
Copyright © 2008 VMware, Inc. All rights reserved. 8
Process-Shared Code Caches
D.dll
A.dll
B.dll
C.dll
X.exe Y.exe X.exe
D code cache
A code cache
B code cache
C code cache
Copyright © 2008 VMware, Inc. All rights reserved. 9
Mechanism of Sharing
Live versus frozen code caches
Frozen are much simpler, especially for security
File-based versus memory-only
File-based have more security concerns but enable inter-execution sharing (persistence)
Inter-process and inter-execution sharing share many challenges
Copyright © 2008 VMware, Inc. All rights reserved. 10
Outline
Introduction
Sharing
Security
Consistency
Implementation
Evaluation
Copyright © 2008 VMware, Inc. All rights reserved. 11
Code Cache Security
Avoid opening up new vulnerability vectors that do not exist natively:
Privilege escalation
Any input from low to high is a potential vector
Code modifiability
Application executable and library files
ftp server should not let user write ftp.exe code cache
In-memory caches
Copyright © 2008 VMware, Inc. All rights reserved. 12
Prevent Privilege Escalation
Privilege escalation unacceptable
Cannot rely on building bulletproof verifier
No sharing from low to high!
Identify Trusted Computing Base (TCB)
Share only from TCB to everyone, or among peers
Copyright © 2008 VMware, Inc. All rights reserved. 13
Two-Level Hierarchy
NT AUTHORITY\System (S-1-5-18)
NT AUTHORITY\LocalService (S-1-5-19)
NT AUTHORITY\NetworkService (S-1-5-20)
Regular users (S-1-5-21-RID)
Trusted Computing Base
All other users, isolated from each other
Copyright © 2008 VMware, Inc. All rights reserved. 14
Two-Level Hierarchy
Trusted Computing
Base
services.exe
lsass.exe
RpcSs
SvcHost.exe NetSvcs
NetworkService
explorer.exe
firefox.exe
excel.exe
explorer.exe
iexplore.exe
winword.exe
All Other Users
Copyright © 2008 VMware, Inc. All rights reserved. 15
Limit Code Modifiability
Use protected directories
All code cache files kept in directories writable only by the TCB
Users create and merge new caches in user-writable directories
Limited-privilege TCB-launched process verifies user-written files and publishes official files
TCB service watches for new user-written files
Agent that verifies and publishes is not full TCB: only input is new user file, only output is inherited file handle for published file target
Copyright © 2008 VMware, Inc. All rights reserved. 16
Outline
Introduction
Sharing
Security
Consistency
Implementation
Evaluation
Copyright © 2008 VMware, Inc. All rights reserved. 17
Code Cache Consistency
Original libraries are not unchanging
Application updates
Local tools (rebasing, etc.)
Code cache file must be invalidated if its source application file has changed
Cache filename based on module version for initial check, and to support multiple simultaneous versions
Copyright © 2008 VMware, Inc. All rights reserved. 18
Consistency Checks
Offline byte-by-byte prior to publishing
Avoid code modifiability vectors
Online checksum comparisons
Support legitimate application changes
Detect disk corruption
In our threat model, attackers with write access to TCB-owned files are cause for far more worry than modification of code cache files
Copyright © 2008 VMware, Inc. All rights reserved. 20
Outline
Introduction
Sharing
Security
Consistency
Implementation
Evaluation
Copyright © 2008 VMware, Inc. All rights reserved. 21
Re-Design Code Cache
Read-only cache
For file-based sharing and security
Position-independence of cache and data structures
Eliminate and/or combine data structures to remove pointers
Platform and execution dependencies
Micro-architectural dependencies: cache line, etc.
TLS offsets
Copyright © 2008 VMware, Inc. All rights reserved. 22
Data Structures
Existing code cache has fine-grained control
Individual code fragment unlink and removal
Separate data structure per code fragment and each of its exits, memory regions spanned, and incoming links; plus, backpointer from its cache slot
Many separate, writable, variable-sized, inter-linked structures: complex to persist!
Copyright © 2008 VMware, Inc. All rights reserved. 23
Reduce Code Cache Granularity
Switch to coarse-grain scheme
Give up individual code fragment control
Permanent intra-cache links
No per-fragment data structures at all
Treat entire cache as a unit for consistency
Side benefit: reduce single-application memory usage
Copyright © 2008 VMware, Inc. All rights reserved. 24
Persisted File Layout
code cache
exit/lookup indirection pads
R(W)X
relocation data
inter-module link stubs
R
RX
hashtable of entry points
checksums
header
R(W)X
Copyright © 2008 VMware, Inc. All rights reserved. 25
Support Dynamism
Relocation
Use application library relocation tables
Add reloc entries for our own code changes that are not easily made position-independent
Becomes more important with VISTA ASLR
Application code modifications
Invalidate persisted cache; switch to incremental coarse-grain + fine-grain combination
Copyright © 2008 VMware, Inc. All rights reserved. 26
Adaptive Level of Granularity
Start with coarse-grain caches + sharing/persistence
Switch to fine-grain for individual modules or sub-regions of modules after significant consistency events, to avoid expensive entire-module flushes
Support simultaneous fine-grain fragments within coarse-grain regions for corner cases
Match amount of bookkeeping to amount of code change
Majority of application code does not need fine-grain
Copyright © 2008 VMware, Inc. All rights reserved. 27
Support Instrumentation
Preserve instrumentation when persisting
Tools provide relocation info, or produce PIC
Dynamically-varying tools specify do-not-persist
Add tool name to file header and namespace
Only load file that matches current tool
Typical tool deployment is the same tool system-wide, rather than a disparate set of simultaneous tools
Copyright © 2008 VMware, Inc. All rights reserved. 28
Outline
Introduction
Sharing
Security
Consistency
Implementation
Evaluation
Copyright © 2008 VMware, Inc. All rights reserved. 29
System-wide Deployment
Windows XP desktop: boot + auto-logon
Peak committed memory usage once idle
27 processes executed under 4 different users
Copyright © 2008 VMware, Inc. All rights reserved. 33
Related Work: One or the Other
Process Sharing
Czajkowski 02: Inter-JVM sharing
Transitive: translations not persisted due to security concerns
Bungale 07 (PinOS): below OS, so can share at machine page level, but virtual address differences require expensive checks
Persistence
Static instrumentation tools (ATOM, Etch, EEL, etc.)
Hazelwood 03: persistence study
Li 05: persistence across module unloads
Reddi 05, 07: inter-execution persistence in Pin
Copyright © 2008 VMware, Inc. All rights reserved. 34
Related Work: Both
FX!32: per-module persistent translations
Central service translates offline using profile info
.NET NGEN pre-compiler
Shares only cryptographically signed code; if not installed centrally, performs expensive runtime verification
Background service that tracks dependencies and re-compiles as needed, to support inlining
Copyright © 2008 VMware, Inc. All rights reserved. 35
Summary: Improved Scalability
Design for inter-process sharing of code caches that also supports inter-execution persistence
Scheme for sharing without risk of privilege escalation and with read-only code caches and data structures
Evaluation in DynamoRIO where we achieved a two-thirds reduction in both memory usage ( scalability) and startup time