SOFTWARE-BASED FAULT ISOLATION (lecture slides, os.inf.tu-dresden.de/Studium/IOS/SS2018/04-SFI.pdf)
MICHAEL ROITZSCH
Faculty of Computer Science Institute of Systems Architecture, Operating Systems Group
SOFTWARE-BASED FAULT ISOLATION
TU Dresden Software-Based Fault Isolation
OVERVIEW
● Motivation
● The Idea
● Concepts
● Evaluation
● Ideas for Enhancements
● XFI: Enhancing SFI
● XFI: Evaluation
● NaCl Excursion
● Summary
CREDITS
This first part is based on the paper "Efficient Software-Based Fault Isolation" by Robert Wahbe, Steven Lucco, Thomas E. Anderson and Susan L. Graham, which appeared at the Symposium on Operating System Principles in 1993.
MOTIVATION
● Hardware-based isolation
● Applications with extensible interfaces (plugins, codecs, query code)
● HFI is slow (tens of thousands of cycles @ 40 MHz DECstation) → often not used (Postgres)
● RPC in one address space = dozens of cycles @ 40 MHz DEC!
● But a single address space provides no fault isolation :(
MOTIVATION
● DECstation 5000/240, MIPS R3400 @ 40 MHz
● Integer performance comparable to a 486DX4/100
● Source: http://john.ccac.rwth-aachen.de:8000/alf/ds5000_240/ (Alfred Arnold)
THE IDEA
● Do not use hardware isolation (paging); map plugins and the like into the same address space → fast RPC (dozens of cycles)
● Price: stability
● Example: QuarkXPress desktop publishing
● Plugins crash the main system (overwrite/corrupt the state of the main program); the crashiness is attributed to Quark → bad for reputation
THE IDEA (IMPROVED)
● Provide the guarantees of HFI without the costs
● Use a custom compiler that enables the sandboxing of the software
● A verifier checks whether the binary is correctly sandboxed
● The approach is especially beneficial for systems with high amounts of communication
CONCEPTS
● Segment Matching
● Address Sandboxing
● Resource Access
● Data Sharing
● Verification
● RPC
SEGMENT MATCHING
How to ensure stores only to “own” memory?
```
dedicated-reg <= target address                 # Move target address into dedicated register
scratch-reg   <= (dedicated-reg >> shift-reg)   # Right-shift address to get segment identifier
                                                # scratch-reg is not a dedicated register;
                                                # shift-reg is a dedicated register
compare scratch-reg and segment-reg             # segment-reg is a dedicated register
trap if not equal                               # Trap if store address is outside of segment
store instruction uses dedicated-reg
```
ADDRESS SANDBOXING
● Is there a simpler way? Do we need those guarantees?
```
dedicated-reg <= target-reg & and-mask-reg      # Use dedicated register and-mask-reg to clear segment identifier bits
dedicated-reg <= dedicated-reg | segment-reg    # Use dedicated register segment-reg to set segment identifier bits
store instruction uses dedicated-reg
```
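As an added example (not code from the slides or from the Wahbe et al. paper), the following Python model runs both store checks side by side: segment matching traps on a store outside the own segment, address sandboxing silently redirects it. The 20-bit shift (1 MiB segments, matching the segment addresses in the data-sharing figure of this deck) and a segment register holding the bare segment id are assumptions of this example.

```python
# Added example, not the slides' or the paper's code: a model of the two
# SFI store checks. Assumed layout: 32-bit addresses, segment id = top 12
# bits (shift-reg = 20), i.e. 1 MiB segments; segment-reg holds the id.
SHIFT = 20                        # shift-reg: address bits below are the offset
MASK = (1 << SHIFT) - 1           # and-mask-reg: keeps only the offset bits
WORD = 0xFFFFFFFF


class SegmentFault(Exception):
    """Where the MIPS code does 'trap if not equal'."""


def segment_id(addr):
    return (addr & WORD) >> SHIFT


def segment_matching_store(mem, segment_reg, target, value):
    """Segment matching: derive the target's segment id and compare it with
    the dedicated segment register; trap on mismatch, otherwise store."""
    scratch = segment_id(target)              # scratch-reg <= dedicated-reg >> shift-reg
    if scratch != segment_reg:                # compare scratch-reg and segment-reg
        raise SegmentFault(hex(target))       # trap if not equal
    mem[target & WORD] = value                # store through the dedicated register


def address_sandboxing_store(mem, segment_reg, target, value):
    """Address sandboxing: overwrite the segment id bits instead of checking
    them. Two ALU ops and no branch, but an out-of-segment target is silently
    redirected to the same offset inside the own segment."""
    dedicated = target & MASK                 # dedicated-reg <= target-reg & and-mask-reg
    dedicated |= segment_reg << SHIFT         # dedicated-reg <= dedicated-reg | segment-reg
    mem[dedicated] = value
    return dedicated                          # the address the store actually hit


def demo():
    """Plugin segment at 0x4000 0000 (as in the data-sharing figure): one
    store inside it, one aimed at the main program's segment at 0x8000 0000."""
    own = segment_id(0x40000000)
    mem_match, mem_box = {}, {}
    inside, outside = 0x40000010, 0x80000010
    segment_matching_store(mem_match, own, inside, 1)
    try:
        segment_matching_store(mem_match, own, outside, 2)
        trapped = False
    except SegmentFault:
        trapped = True
    address_sandboxing_store(mem_box, own, inside, 1)
    landed = address_sandboxing_store(mem_box, own, outside, 2)
    # segment matching trapped; sandboxing quietly clobbered 0x4000 0010 instead
    return trapped, landed, mem_match, mem_box
```

The trade-off is exactly the slide's question: sandboxing drops the trap, so a faulty address is no longer reported, and only the guarantee that no store leaves the segment remains.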
OPTIMIZATION
● Do we really need to verify all accesses? This is expensive!
● We lose some address arithmetic features: reg <= mem[EAX+/-off]
● Solution: guard zones!
RESOURCE ACCESS
● Shared resources in one address space
● Arbitration in the kernel
● … or by restricting resource access to trusted arbitration code
DATA SHARING
● Reading is trivial
● R/W through shared (aliased) pages
[Figure: RAM layout with two segments, 0x4000 0000–0x4010 0000 and 0x8000 0000–0x8010 0000]
```
struct node { … struct node *next; }
node *a = 0x4000 0000
a->next = 0x4000 0010
a->next->next = null_ptr
```
RPC
How do segments communicate?
● One stub pair per caller/callee pair
● Stubs are trusted
● Signals for fault isolation
VERIFICATION
● Simplified by the dedicated jump register
● Scan the code segment (fixed-width opcodes :))
● Verify static calls / accesses / jumps
● Check the others for use of the dedicated register
EVALUATION
[Figures only on slides 16–18: evaluation results of the SFI paper]
IDEAS FOR ENHANCEMENTS
● Compiler support is a problem
● Can we do without the compiler? Binary rewriting!
● Can this be applied to CISC architectures (verification is more difficult!)?
● Is the limitation to one specific segment feasible?
● Can we allow more fine-granular access?
CREDITS
This second part is based on the paper "XFI: Software Guards for System Address Spaces" by Ulfar Erlingsson, Martin Abadi, Michael Vrable, Mihai Budiu and George C. Necula, which appeared at the Symposium on Operating System Design and Implementation in 2006.
XFI – ENHANCING SFI
Challenges addressed by XFI
● Make SFI work in systems software (drivers)
● Remove the single-segment limit
● Prevent attacks through ROP techniques
● Protect individual system instructions
GENERAL CONCEPT
[Figure only]
ENFORCED PROPERTIES
● P1: Memory-access constraints
● P2: Interface restrictions
● P3: Scoped stack integrity
● P4: Simplified instruction semantics
● P5: System-environment integrity
● P6: Control-flow integrity
● P7: Program-data integrity
CONTROL FLOW INTEGRITY
```
EAX := 0x12345677                    # Identifier - 1
EAX := EAX + 1
if Mem[EBX - 4] ≠ EAX, goto CFIERR
call EBX
...
0x12345678                           # Target identifier
L: push EBP                          # Callee code
```
MEMORY RANGE GUARDS
```
# mrguard(EAX, L, H) ::=
   if EAX < A + L, goto S
   if B - H < EAX, goto S
M: Mem[EAX] := 42           # Two writes
   Mem[EAX - L] := 7        # both allowed
   ...
S: push EAX                 # Arguments for
   push L, H                # slower guard
   call SlowpathGuard
   jump M                   # Allow writes
```
ACCESS CONTROL
● Slowpath guards enable byte-granularity permissions
● System level
● For individual instructions the "unsafe region" can be specified
● This enables the protection of outside code
REQUIRED RUNTIME SUPPORT
● Slowpath permission tables
● Allocation-stack manager
● Software call gates (changed stack model!)
● Exception handling support (Windows SEH)
ARCHITECTURE SUPPORT
● Guards may be implemented in hardware
● Can be simulated as NOP guards
● Required instructions:
  − cfilabel instruction
  − variants of jump/call/return instructions
  − mrguard instruction
● Implemented in an Alpha architecture simulator
REGISTER PRESSURE
● Do not use dedicated registers (esp. on x86)
● Verification is more difficult
● Needs verification state
● Must check all paths
VERIFICATION
```
Code                                       Verification State
                                           {origSSP = SSP+8, valid[SSP,SSP+8)}
                                           {retaddr = Mem[SSP+4]}
                                           {origASP = Mem[SSP], valid[ASP-32,ASP)}
mrguard(EAX,0,8)
                                           {valid[EAX-0,EAX+8)}
EDX := Mem[EAX]
Mem[EAX+4] := EDX
EAX := Mem[ASP-4]
POP ASP   # ASP := Mem[SSP]; SSP := SSP+4
                                           {origASP = ASP, valid[SSP,SSP+4)}
                                           {origSSP = SSP+4, retaddr = Mem[SSP]}
RET       # SSP := SSP+4; jump Mem[SSP-4]
```
XFI – EVALUATION
[Figure only]
CONCLUSION
● SFI is also feasible on x86
● Verification becomes more complex
● The mechanisms also enable other restrictions
● SFI is feasible for kernel code
● Separate allocation and scoped stacks reduce exploitability
SFI IN THE WILD
This third part is based on the paper "Native Client: A Sandbox for Portable, Untrusted x86 Native Code" by Bennet Yee, David Sehr, Gregory Dardyk, J. Bradley Chen, Robert Muth, Tavis Ormandy, Shiki Okasaka, Neha Narula and Nicholas Fullagar, which appeared at the Symposium on Security and Privacy in 2009.
APPLICATIONS
● Implemented as "Pepper" in Chrome
● Used for
  − Flash
  − PDF viewer
  − Quake
  − Doom
  − Lara Croft and the Guardian of Light
● Uses LLVM IR bytecode for platform independence
METHODOLOGY
● x86-32 segmentation for memory isolation
● SFI for ARM / AMD64
● CFI through restriction of indirect jumps
  − must target 32-byte aligned basic blocks
  − no opcode may cross this boundary
● Requires recompilation
PERFORMANCE RESULTS
SIZE OVERHEAD
GAMING PERFORMANCE
The Catch: Software rendering ;)
SUMMARY
● Software-based fault isolation
● … can be done on CISC and RISC architectures
● … enables finer-grained access controls and enforcement
● … at a (quite high) performance price
● … but this is mitigated for applications with high communication frequency by the reduced context-switching overhead
● … can be used to enforce other policies than only memory protection
● … is actively used by Google Chrome