Memory Safety for Low-Level Software/Hardware Interactions

Systems that enforce memory safety for today's operating system kernels and other system software do not account for the behavior of low-level software/hardware interactions such as memory-mapped I/O, MMU configuration, and context switching. Bugs in such low-level interactions can lead to violations of the memory safety guarantees provided by a safe execution environment and can lead to exploitable vulnerabilities in system software. In this work, we present a set of program analysis and run-time instrumentation techniques that ensure that errors in these low-level operations do not violate the assumptions made by a safety checking system. Our design introduces a small set of abstractions and interfaces for manipulating processor state, kernel stacks, memory-mapped I/O objects, MMU mappings, and self-modifying code to achieve this goal, without moving resource allocation and management decisions out of the kernel. We have added these techniques to a compiler-based virtual machine called Secure Virtual Architecture (SVA), to which the standard Linux kernel has been ported previously. Our design changes to SVA required changing only an additional 100 lines of code in this kernel. Our experimental results show that our techniques prevent reported memory safety violations due to low-level Linux operations and that these violations are not prevented by SVA without our techniques. Moreover, the new techniques in this paper introduce very little overhead over and above the existing overheads of SVA. Taken together, these results indicate that it is clearly worthwhile to add these techniques to an existing memory safety system.
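The abstract names checked interfaces for MMU mappings and memory-mapped I/O objects as the way low-level operations are kept from undermining a safety checker's assumptions. The C sketch below is an added illustration of that idea and is not code from the paper or from SVA: the frame layout, the `checked_map` and `io_read32` interfaces, and the `demo_*` helpers are all hypothetical and constructed for this example. It models a kernel that never edits page tables or touches device registers directly; it asks a checked layer, which refuses page-table updates that would make code, page-table or checker-metadata frames writable, and rejects I/O accesses outside a registered object.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PHYS_FRAMES 64u        /* toy physical memory: 64 page frames (constructed) */
#define PTES_PER_TABLE 512u
#define PTE_WRITABLE 0x2u

/* Ownership of each physical frame. A memory-safety checker's guarantees depend
 * on CODE, PAGETABLE and CHECKER_META frames never becoming writable through an
 * ordinary kernel mapping. Hypothetical bookkeeping, not SVA's own design. */
enum frame_kind { FRAME_FREE, FRAME_DATA, FRAME_CODE, FRAME_PAGETABLE, FRAME_CHECKER_META };

static enum frame_kind frame_kind[PHYS_FRAMES];
static uint64_t page_tables[PHYS_FRAMES][PTES_PER_TABLE]; /* PT storage, indexed by frame */

enum map_result { MAP_OK, MAP_BAD_ARGUMENT, MAP_NOT_A_PAGETABLE, MAP_WRITABLE_PROTECTED };

/* Constructed layout: frames 0-3 code, 4 page table, 5 checker metadata, rest data.
 * Returns the number of frames initialised. */
unsigned setup_demo_frames(void) {
    for (unsigned f = 0; f < PHYS_FRAMES; f++) {
        if (f < 4)       frame_kind[f] = FRAME_CODE;
        else if (f == 4) frame_kind[f] = FRAME_PAGETABLE;
        else if (f == 5) frame_kind[f] = FRAME_CHECKER_META;
        else             frame_kind[f] = FRAME_DATA;
    }
    return PHYS_FRAMES;
}

static bool frame_is_protected(unsigned frame) {
    enum frame_kind k = frame_kind[frame];
    return k == FRAME_CODE || k == FRAME_PAGETABLE || k == FRAME_CHECKER_META;
}

/* Checked MMU interface (hypothetical): the kernel never writes a page-table
 * entry itself; it asks this routine, which refuses any update that would let
 * kernel code overwrite frames the checker relies on. */
enum map_result checked_map(unsigned pt_frame, size_t index,
                            unsigned target_frame, unsigned flags) {
    if (pt_frame >= PHYS_FRAMES || target_frame >= PHYS_FRAMES || index >= PTES_PER_TABLE)
        return MAP_BAD_ARGUMENT;
    if (frame_kind[pt_frame] != FRAME_PAGETABLE)
        return MAP_NOT_A_PAGETABLE;      /* only registered page tables may be edited */
    if ((flags & PTE_WRITABLE) && frame_is_protected(target_frame))
        return MAP_WRITABLE_PROTECTED;   /* read-only aliases are fine; writable ones are not */
    page_tables[pt_frame][index] = ((uint64_t)target_frame << 12) | flags;
    return MAP_OK;
}

/* Memory-mapped I/O object (hypothetical): device registers are reachable only
 * through accessors that check the access against the registered extent. */
struct io_object { volatile uint32_t *regs; size_t length; };

static uint32_t demo_device_regs[4] = { 0xDEADBEEFu, 0x1u, 0x2u, 0x3u }; /* constructed device */

struct io_object demo_io_object(void) {
    struct io_object obj = { demo_device_regs, sizeof demo_device_regs };
    return obj;
}

/* Returns false (and leaves *out untouched) for misaligned or out-of-range reads. */
bool io_read32(const struct io_object *obj, size_t offset, uint32_t *out) {
    if (offset % 4 != 0 || obj->length < 4 || offset > obj->length - 4)
        return false;
    *out = obj->regs[offset / 4];
    return true;
}

/* Convenience wrapper: the register value, or -1 if the checked accessor rejected the read. */
int64_t io_demo_read(size_t offset) {
    struct io_object dev = demo_io_object();
    uint32_t v;
    return io_read32(&dev, offset, &v) ? (int64_t)v : -1;
}

int main(void) {
    setup_demo_frames();
    printf("map data frame writable:     %d (0 = MAP_OK)\n", checked_map(4, 0, 10, PTE_WRITABLE));
    printf("map code frame writable:     %d (3 = MAP_WRITABLE_PROTECTED)\n", checked_map(4, 1, 2, PTE_WRITABLE));
    printf("map code frame read-only:    %d\n", checked_map(4, 1, 2, 0));
    printf("edit a non-page-table frame: %d (2 = MAP_NOT_A_PAGETABLE)\n", checked_map(9, 0, 10, PTE_WRITABLE));
    printf("io read @0:  %lld\n", (long long)io_demo_read(0));
    printf("io read @16: %lld (rejected: past end of object)\n", (long long)io_demo_read(16));
    return 0;
}
```

The two checks are deliberately simple: the page-table update only consults a frame-ownership table, and the I/O accessor only compares an offset against a length. What matters for the abstract's argument is where the checks sit: because the kernel has no other route to the page tables or the device registers, a bug in the kernel's own MMU or driver code cannot silently create the writable alias or stray access that would invalidate what the memory-safety checker assumes.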
