DOI: 10.1145/3243734.3243772
research-article
Public Access

Milkomeda: Safeguarding the Mobile GPU Interface Using WebGL Security Checks

Published: 15 October 2018

Abstract

GPU-accelerated graphics is commonly used in mobile applications. Unfortunately, the graphics interface exposes a large amount of potentially vulnerable kernel code (i.e., the GPU device driver) to untrusted applications. This broad attack surface has resulted in numerous reported vulnerabilities that are exploitable from unprivileged mobile apps. We observe that web browsers have faced and addressed the exact same problem in WebGL, a framework used by web apps for graphics acceleration. Web browser vendors have developed and deployed a plethora of security checks for the WebGL interface. We introduce Milkomeda, a system solution for automatically repurposing WebGL security checks to safeguard the mobile graphics interface. We show that these checks can be used with minimal modifications (which we have automated using a tool called CheckGen), significantly reducing the engineering effort. Moreover, we demonstrate an in-process shield space for deploying these checks for mobile applications. Compared to the multi-process architecture used by web browsers to protect the integrity of the security checks, our solution improves the graphics performance by eliminating the need for Inter-Process Communication and shared memory data transfer, while providing integrity guarantees for the evaluation of security checks. Our evaluation shows that Milkomeda achieves close-to-native GPU performance at reasonably increased CPU utilization.

Supplementary Material

MP4 File (p1455-yao.mp4)

      Published In

      CCS '18: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security
      October 2018
      2359 pages
      ISBN:9781450356930
      DOI:10.1145/3243734
      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Author Tags

      1. WebGL security
      2. mobile graphics security

      Qualifiers

      • Research-article

      Conference

      CCS '18

      Acceptance Rates

      CCS '18 Paper Acceptance Rate 134 of 809 submissions, 17%;
      Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

      Article Metrics

      • Downloads (Last 12 months): 144
      • Downloads (Last 6 weeks): 37
      Reflects downloads up to 10 Feb 2025

      Citations

      Cited By

      • (2024) FusionRender: Harnessing WebGPU's Power for Enhanced Graphics Performance on Web Browsers. Proceedings of the ACM Web Conference 2024. DOI: 10.1145/3589334.3645395 (pp. 2890-2901). Online publication date: 13-May-2024
      • (2023) GLeeFuzz. Proceedings of the 32nd USENIX Conference on Security Symposium. DOI: 10.5555/3620237.3620343 (pp. 1883-1899). Online publication date: 9-Aug-2023
      • (2022) Microarchitectural Attacks in Heterogeneous Systems: A Survey. ACM Computing Surveys 55:7. DOI: 10.1145/3544102 (pp. 1-40). Online publication date: 15-Jun-2022
      • (2019) Rendered private. Proceedings of the 28th USENIX Conference on Security Symposium. DOI: 10.5555/3361338.3361453 (pp. 1645-1660). Online publication date: 14-Aug-2019
