Secure and efficient in-process monitor (and library) protection with Intel MPK

The process reference monitor is a common technique to enforce security policies for application execution. Reference monitors can be used to detect attacks, enforce access control, check program integrity and even transform program state. Deciding where the monitor resides involves a trade-off between strong monitor isolation and low switching overheads. Running the monitor in the same address space as the protected/traced application (in-process monitors) allows for low overhead but raises isolation concerns. Thus, existing work place monitors in a separate address space, which leads to expensive monitor invocation latencies. We present MonGuard, a system in which a high-performance in-process monitor is efficiently isolated from the rest of the application. To that aim, we leverage the Intel Memory Protection Key (MPK) technology to enforce execute-only memory, combined with code randomization to protect and hide the monitor. MonGuard instruments around sensitive instructions to further prevent possible code reuse attacks. The carefully constructed monitor call gate switches the monitor memory permission in a context-sensitive way. We have built a prototype of MonGuard mostly as a loader extension and implemented a multi-variant execution (MVX) monitor. The evaluation shows MonGuard performs faster than the out-of-process monitor approach.

[1]  David Lie,et al.  Using VMM-based sensors to monitor honeypots , 2006, VEE '06.

[2]  Peter Druschel,et al.  Light-Weight Contexts: An OS Abstraction for Safety and Performance , 2016, OSDI.

[3]  Junfeng Yang,et al.  Shuffler: Fast and Deployable Continuous Code Re-Randomization , 2016, OSDI.

[4]  Yue Chen,et al.  ARMlock: Hardware-based Fault Isolation for ARM , 2014, CCS.

[5]  Angelos D. Keromytis,et al.  ret2dir: Rethinking Kernel Isolation , 2014, USENIX Security Symposium.

[6]  Bennet S. Yee,et al.  Native Client: A Sandbox for Portable, Untrusted x86 Native Code , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[7]  Vern Paxson,et al.  The Matter of Heartbleed , 2014, Internet Measurement Conference.

[8]  Michael Franz,et al.  Orchestra: intrusion detection using parallel execution and monitoring of program variants in user-space , 2009, EuroSys '09.

[9]  Binoy Ravindran,et al.  A binary-compatible unikernel , 2019, VEE.

[10]  Christoforos E. Kozyrakis,et al.  Usenix Association 10th Usenix Symposium on Operating Systems Design and Implementation (osdi '12) 335 Dune: Safe User-level Access to Privileged Cpu Features , 2022 .

[11]  Koen Koning,et al.  Secure and Efficient Multi-Variant Execution Using Hardware-Assisted Process Virtualization , 2016, 2016 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN).

[12]  Ahmad-Reza Sadeghi,et al.  Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization , 2013, 2013 IEEE Symposium on Security and Privacy.

[13]  Wenke Lee,et al.  Secure in-VM monitoring using hardware virtualization , 2009, CCS.

[14]  Dan Boneh,et al.  Hacking Blind , 2014, 2014 IEEE Symposium on Security and Privacy.

[15]  Per Larsen,et al.  Secure and Efficient Application Monitoring and Replication , 2016, USENIX Annual Technical Conference.

[16]  Peter Druschel,et al.  ERIM: Secure, Efficient In-process Isolation with Protection Keys (MPK) , 2019, USENIX Security Symposium.

[17]  David Evans,et al.  N-Variant Systems: A Secretless Framework for Security through Diversity , 2006, USENIX Security Symposium.

[18]  Xi Chen,et al.  No Need to Hide: Protecting Safe Regions on Commodity Hardware , 2017, EuroSys.

[19]  Bart Coppens,et al.  Cloning Your Gadgets: Complete ROP Attack Immunity with Multi-Variant Execution , 2016, IEEE Transactions on Dependable and Secure Computing.

[20]  Soyeon Park,et al.  libmpk: Software Abstraction for Intel Memory Protection Keys (Intel MPK) , 2019, USENIX Annual Technical Conference.

[21]  George Candea,et al.  Code-pointer integrity , 2014, OSDI.

[22]  Mihai Budiu,et al.  Control-flow integrity principles, implementations, and applications , 2009, TSEC.

[23]  Yue Chen,et al.  Design and Implementation of SecPod, A Framework for Virtualization-Based Security Systems , 2015, IEEE Transactions on Dependable and Secure Computing.

[24]  Yutao Liu,et al.  Thwarting Memory Disclosure with Efficient Hypervisor-enforced Intra-domain Isolation , 2015, CCS.

[25]  Brent Byunghoon Kang,et al.  Lord of the x86 Rings: A Portable User Mode Privilege Separation Architecture on x86 , 2018, CCS.

[26]  Michael L. Scott,et al.  Hodor: Intra-Process Isolation for High-Throughput Data Plane Libraries , 2019, USENIX Annual Technical Conference.

[27]  Michael Backes,et al.  You Can Run but You Can't Read: Preventing Disclosure Exploits in Executable Code , 2014, CCS.