research-article
Open access

Rethinking Memory Permissions for Protection Against Cross-Layer Attacks

Published: 08 December 2015

Abstract

The inclusive permissions structure (e.g., the Intel ring model) of modern commodity CPUs provides privileged system software layers with arbitrary permissions to access and modify client processes, allowing them to manage these clients and the system resources efficiently. Unfortunately, these inclusive permissions allow a compromised high-privileged software layer to perform arbitrary malicious activities. In this article, our goal is to prevent attacks that cross system layers while maintaining the abilities of system software to manage the system and allocate resources. In particular, we present a hardware-supported page permission framework for physical pages that is based on the concept of noninclusive sets of memory permissions for different layers of system software (such as hypervisors, operating systems, and user-level applications). Instead of viewing privilege levels as an ordered hierarchy with each successive level being more privileged, we view them as distinct levels each with its own set of permissions. In order to enable system software to manage client processes, we define a set of legal permission transitions that support resource allocation but preserve security. We show that the model prevents a range of recent attacks. We also show that it can be implemented with negligible performance overhead (both at load time and at runtime), low hardware complexity, and minimal changes to the commodity OS and hypervisor code.

Cited By

  • (2017) Hardening extended memory access control schemes with self-verified address spaces. Proceedings of the 36th International Conference on Computer-Aided Design, 392-399. DOI: 10.5555/3199700.3199752. Online publication date: 13-Nov-2017
  • (2017) Hardening extended memory access control schemes with self-verified address spaces. 2017 IEEE/ACM International Conference on Computer-Aided Design (ICCAD), 392-399. DOI: 10.1109/ICCAD.2017.8203804. Online publication date: Nov-2017
  • (2016) Understanding and Mitigating Covert Channels Through Branch Predictors. ACM Transactions on Architecture and Code Optimization 13:1, 1-23. DOI: 10.1145/2870636. Online publication date: 7-Mar-2016

Published In

ACM Transactions on Architecture and Code Optimization  Volume 12, Issue 4
January 2016
848 pages
ISSN:1544-3566
EISSN:1544-3973
DOI:10.1145/2836331

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 08 December 2015
Accepted: 01 November 2015
Revised: 01 October 2015
Received: 01 April 2014
Published in TACO Volume 12, Issue 4

Author Tags

  1. Architecture
  2. security
  3. system software

Qualifiers

  • Research-article
  • Research
  • Refereed
