Exploiting Segmentation Mechanism for Protecting against Malicious Mobile Code

This paper describes a mechanism for protecting against malicious mobile code. Because mobile code is linked with a hosting application and executed in the same process, a fine-grained protection domain providing intra-process protection is required to prevent malicious mobile code from making unauthorized accesses. This paper introduces a multi-protection page table: a virtual-memory mechanism that enables fine-grained protection domains to be supported at the kernel level. A fine-grained protection domain (1) confines the memory accesses of mobile code to authorized areas, (2) restricts the system calls issued by mobile code, and (3) enables efficient cross-domain calls among mobile code and a hosting application. The efficiency of cross-domain calls encourages the use of fine-grained protection domains. This paper demonstrates that a multi-protection page table can be implemented efficiently on the most widely used architecture, the Intel x86 family. The presented implementation achieves reasonable performance for practical use: one round-trip cross-domain call requires 226 to 608 cycles. Experimental results show that the protection overhead is only 6.1% to 15.8% in a real application.

Technical report, Department of Information Science, Faculty of Science, University of Tokyo, 7-3-1 Hongo, Bunkyo-ku, Tokyo 113, Japan. Report date: May 17, 2000. 16 pages, 15 references, written in English. Submitted for publication. Distribution statement: this technical report is available only through http://www.is.s.u-tokyo.ac.jp/techreports/FILES.html.

Takahiro Shinagawa†, Kenji Kono††,†††, Takashi Masuda††
†Department of Information Science, Graduate School of Science, University of Tokyo, 7-3-1 Hongo, Bunkyo-ku, Tokyo 113-0033, Japan. Email: shina@is.s.u-tokyo.ac.jp
††Department of Computer Science, University of Electro-Communications, 1-5-1 Chofugaoka, Chofu-shi, Tokyo 182-8585, Japan. Email: {kono, masuda}@cs.uec.ac.jp
†††Japan Science and Technology Corporation
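As an added illustration (not the paper's implementation), the toy C model below encodes a 32-bit x86 data-segment descriptor for one protection domain's authorized region and applies the processor's segment-limit check to simulated accesses, showing how segmentation confines mobile code to that region; the base, limit and DPL values are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model (constructed for illustration): each protection domain gets one
 * 32-bit x86 data-segment descriptor; its authorized region is
 * [base, base + limit]. Layout follows the GDT descriptor format. */

/* Build an 8-byte descriptor. If the limit exceeds 0xFFFFF the granularity
 * bit is set and the limit field counts 4 KiB pages (low 12 bits dropped). */
uint64_t make_data_descriptor(uint32_t base, uint32_t limit_bytes, unsigned dpl) {
    unsigned g = limit_bytes > 0xFFFFF;
    uint32_t limit = g ? limit_bytes >> 12 : limit_bytes;
    uint64_t d = 0;
    d |= (uint64_t)(limit & 0xFFFF);                 /* limit 15:0  */
    d |= (uint64_t)(base & 0xFFFFFF) << 16;          /* base 23:0   */
    d |= (uint64_t)0x92 << 40;                       /* P=1 S=1 type=data, read/write */
    d |= (uint64_t)(dpl & 3) << 45;                  /* DPL */
    d |= (uint64_t)((limit >> 16) & 0xF) << 48;      /* limit 19:16 */
    d |= (uint64_t)(0x4 | (g << 3)) << 52;           /* D/B=1, G */
    d |= (uint64_t)((base >> 24) & 0xFF) << 56;      /* base 31:24 */
    return d;
}

/* Recover base and byte limit the way the processor interprets them. */
void decode_descriptor(uint64_t d, uint32_t *base, uint32_t *limit_bytes) {
    uint32_t limit = (uint32_t)(d & 0xFFFF) | ((uint32_t)((d >> 48) & 0xF) << 16);
    *base = (uint32_t)((d >> 16) & 0xFFFFFF) | ((uint32_t)((d >> 56) & 0xFF) << 24);
    *limit_bytes = ((d >> 55) & 1) ? (limit << 12) | 0xFFF : limit;
}

/* Model of the segment-limit check: an access of `size` bytes at segment
 * `offset` is allowed only if it lies entirely within [0, limit]; anything
 * else would raise #GP, so the domain cannot reach memory outside its region. */
bool access_permitted(uint64_t d, uint32_t offset, uint32_t size) {
    uint32_t base, limit;
    decode_descriptor(d, &base, &limit);
    (void)base;
    return size != 0 && (uint64_t)offset + size - 1 <= limit;
}

int main(void) {
    /* constructed domain: 64 KiB region at 0x10000000, user privilege (DPL 3) */
    uint64_t dom = make_data_descriptor(0x10000000, 0xFFFF, 3);
    printf("descriptor %016llx\n", (unsigned long long)dom);
    printf("4-byte access at 0xFFFC: %s\n", access_permitted(dom, 0xFFFC, 4) ? "ok" : "fault");
    printf("4-byte access at 0xFFFD: %s\n", access_permitted(dom, 0xFFFD, 4) ? "ok" : "fault");
    return 0;
}
```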
