Enforcing Least Privilege Memory Views for Multithreaded Applications

Failing to properly isolate components in the same address space has resulted in a substantial amount of vulnerabilities. Enforcing the least privilege principle for memory accesses can selectively isolate software components to restrict attack surface and prevent unintended cross-component memory corruption. However, the boundaries and interactions between software components are hard to reason about and existing approaches have failed to stop attackers from exploiting vulnerabilities caused by poor isolation. We present the secure memory views (SMV) model: a practical and efficient model for secure and selective memory isolation in monolithic multithreaded applications. SMV is a third generation privilege separation technique that offers explicit access control of memory and allows concurrent threads within the same process to partially share or fully isolate their memory space in a controlled and parallel manner following application requirements. An evaluation of our prototype in the Linux kernel (TCB < 1,800 LOC) shows negligible runtime performance overhead in real-world applications including Cherokee web server (< 0.69%), Apache httpd web server (< 0.93%), and Mozilla Firefox web browser (< 1.89%) with at most 12 LOC changes.

[1]  Ciarán Bryce,et al.  An approach to safe object sharing , 2000, OOPSLA '00.

[2]  Christoforos E. Kozyrakis,et al.  Hardware Enforcement of Application Security Policies Using Tagged Memory , 2008, OSDI.

[3]  Juan del Cuvillo,et al.  Using innovative instructions to create trustworthy software solutions , 2013, HASP '13.

[4]  Jun Wang,et al.  Between Mutual Trust and Mutual Distrust: Practical Fine-grained Privilege Separation in Multithreaded Applications , 2013, USENIX Annual Technical Conference.

[5]  Dawn Xiaodong Song,et al.  SoK: Eternal War in Memory , 2013, 2013 IEEE Symposium on Security and Privacy.

[6]  Jerome H. Saltzer,et al.  The protection of information in computer systems , 1975, Proc. IEEE.

[7]  Cristiano Giuffrida,et al.  Enhanced Operating System Security Through Efficient and Fine-grained Address Space Randomization , 2012, USENIX Security Symposium.

[8]  Bennet S. Yee,et al.  Native Client: A Sandbox for Portable, Untrusted x86 Native Code , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[9]  Adrian Perrig,et al.  TrustVisor: Efficient TCB Reduction and Attestation , 2010, 2010 IEEE Symposium on Security and Privacy.

[10]  Kathryn S. McKinley,et al.  Hoard: a scalable memory allocator for multithreaded applications , 2000, SIGP.

[11]  Frank Piessens,et al.  Fides: selectively hardening software application components against kernel-level or process-level malware , 2012, CCS '12.

[12]  Winnie Cheng,et al.  Abstractions for Usable Information Flow Control in Aeolus , 2012, USENIX Annual Technical Conference.

[13]  Robert Wahbe,et al.  Efficient software-based fault isolation , 1994, SOSP '93.

[14]  Christoforos E. Kozyrakis,et al.  Usenix Association 10th Usenix Symposium on Operating Systems Design and Implementation (osdi '12) 335 Dune: Safe User-level Access to Privileged Cpu Features , 2022 .

[15]  Peter G. Neumann,et al.  The CHERI capability model: Revisiting RISC in an age of risk , 2014, 2014 ACM/IEEE 41st International Symposium on Computer Architecture (ISCA).

[16]  Anil Kurmus,et al.  A Tale of Two Kernels: Towards Ending Kernel Hardening Wars with Split Kernel , 2014, CCS.

[17]  Chris Fallin,et al.  Flipping bits in memory without accessing them: An experimental study of DRAM disturbance errors , 2014, 2014 ACM/IEEE 41st International Symposium on Computer Architecture (ISCA).

[18]  Eddie Kohler,et al.  Information flow control for standard OS abstractions , 2007, SOSP.

[19]  Michael K. Reiter,et al.  Flicker: an execution infrastructure for tcb minimization , 2008, Eurosys '08.

[20]  Kai Li,et al.  The PARSEC benchmark suite: Characterization and architectural implications , 2008, 2008 International Conference on Parallel Architectures and Compilation Techniques (PACT).

[21]  Robert N. M. Watson,et al.  Capsicum: Practical Capabilities for UNIX , 2010, USENIX Security Symposium.

[22]  Donald E. Porter,et al.  Laminar: practical fine-grained decentralized information flow control , 2009, PLDI '09.

[23]  Eddie Kohler,et al.  Making information flow explicit in HiStar , 2006, OSDI '06.

[24]  Toshio Nakatani,et al.  Cloneable JVM: a new approach to start isolated java applications faster , 2007, VEE '07.

[25]  Martín Abadi,et al.  Control-flow integrity , 2005, CCS '05.

[26]  Muli Ben-Yehuda,et al.  CODOMs: Protecting software with Code-centric memory Domains , 2014, 2014 ACM/IEEE 41st International Symposium on Computer Architecture (ISCA).

[27]  Andrew C. Myers,et al.  JFlow: practical mostly-static information flow control , 1999, POPL '99.

[28]  Patrick Th. Eugster,et al.  Ribbons: a partially shared memory programming model , 2011, OOPSLA '11.

[29]  Stephen McCamant,et al.  Evaluating SFI for a CISC Architecture , 2006, USENIX Security Symposium.

[30]  Frank Piessens,et al.  Salus: Kernel Support for Secure Process Compartments , 2015, EAI Endorsed Trans. Security Safety.

[31]  Milo M. K. Martin,et al.  Everything You Want to Know About Pointer-Based Checking , 2015, SNAPL.

[32]  Will Dietz,et al.  Nested Kernel: An Operating System Architecture for Intra-Kernel Privilege Separation , 2015, ASPLOS.

[33]  David A. Wagner,et al.  Joe-E: A Security-Oriented Subset of Java , 2010, NDSS.

[34]  Niels Provos,et al.  Preventing Privilege Escalation , 2003, USENIX Security Symposium.

[35]  Mark Handley,et al.  Wedge: Splitting Applications into Reduced-Privilege Compartments , 2008, NSDI.

[36]  David Brumley,et al.  Privtrans: Automatically Partitioning Programs for Privilege Separation , 2004, USENIX Security Symposium.

[37]  Úlfar Erlingsson,et al.  Language-independent sandboxing of just-in-time compilation and self-modifying code , 2011, PLDI '11.

[38]  Zhenkai Liang,et al.  Automatic Generation of Data-Oriented Exploits , 2015, USENIX Security Symposium.

[39]  Ittai Anati,et al.  Innovative Technology for CPU Based Attestation and Sealing , 2013 .

[40]  Michael Franz,et al.  Compartmental memory management in a modern web browser , 2011, ISMM '11.

[41]  Carlos V. Rozas,et al.  Innovative instructions and software model for isolated execution , 2013, HASP '13.

[42]  Jerome H. Saltzer,et al.  Protection and the control of information sharing in multics , 1974, CACM.