Lord of the X86 Rings: A Portable User Mode
Privilege Separation Architecture on X86
Memory Defense Paper Sharing (I), CCS 2018
Hojoon Lee, Chihyun Song, Brent Byunghoon Kang
Presented by Xingman Chen
2018-10-09
In-Process Isolation
● Most attacks target
○ Control flow
■ Control-flow hijacking/bending
○ Data flow
■ Non-control-data attacks
● Sensitive data in memory
○ Cryptographic keys
○ Function tables
○ Control-flow integrity mitigation metadata
○ (Un)trusted libraries
● All of these need to be protected from the rest of the process
Motivations
● Heartbleed vulnerability
○ An unchecked memcpy(bp, pl, payload) in OpenSSL's heartbeat handling, with an attacker-controlled payload length, leaked process memory and nearly brought down HTTPS
○ Sensitive data: private key
Motivations
● Metadata protection
○ Shadow stack
■ Keeps a backup copy of return addresses to defeat ret-based control-flow hijacking
■ Sensitive data: the backup return addresses
○ Code Pointer Integrity
■ Moves code pointers and pointers to code pointers (indirect) into a safe region
■ Sensitive data: the safe region
Motivations
● Untrusted library
○ Black Hat '17, Chaitin: Many Birds, One Stone: Exploiting a Single SQLite Vulnerability Across Multiple Software
○ CVE-2015-7036
■ SQLite fts3_tokenizer untrusted pointer remote code execution vulnerability
[Figure: an application split into Sen-Code (sensitive-data-related code), non-sensitive code, sensitive memory and non-sensitive memory]
In-Process Isolation: Approaches
● Software based
○ Randomization based
■ e.g. ASLR
○ Instrument non-sensitive code with bounds checks before indirect memory accesses
■ e.g. Software Fault Isolation (SFI)
● OS/hardware based
○ OS-feature based: paging- or segmentation-based approaches
○ Hardware-feature based
■ e.g. Intel MPX (CFIXX), SGX, CET, MPK; ARM memory domains (Shreds)
Lord of the x86 Rings: A Portable User Mode Privilege Separation Architecture on x86
● Presents LOTRx86, a new approach that establishes an additional user-mode privilege layer (PrivUser) safeguarding access to sensitive data, achieving in-process privilege separation
● OS-feature based
● Features
○ No extra hardware feature needed
○ Fast: average of 30.40% overhead on Intel processors
Motivation
● Randomization based: weak
● SFI: high overhead
● Hardware-feature based: not portable
● LOTRx86: a trade-off
○ Portable approach based on the segmentation and paging features
○ Harnesses the underused x86 intermediate rings (Ring 1 and Ring 2)
Preliminaries: Addressing in x86
● Segmentation in x86 (IA-32, since the 386)
○ DPL (Descriptor Privilege Level): stored in the segment descriptor in the GDT/LDT
○ CPL (Current Privilege Level): the low 2 bits of the CS (and SS) segment selector
○ RPL (Requested Privilege Level): the low 2 bits of the selector used for an access
Preliminaries: Addressing in x86
● Paging in x86
○ 2-level page table (32-bit, non-PAE)
■ User/Supervisor (U/S) bit: the privilege required to access the page; when clear, the page is a supervisor page, any CPL 3 access faults, and CPL 0–2 may access it
Preliminaries: Addressing in x64
● x64 (x86_64, AMD64 / IA-32e, EM64T): weakened segmentation
○ Treats the segment bases of CS, DS, ES and SS as zero, so the offset is directly the linear address
○ Segmentation is used only for memory protection, not for addressing
○ CPL remains
■ DPL: still checked for code segment descriptors, ignored for data segment descriptors
Preliminaries: Call Gate
● Call gate: privilege escalation and de-escalation
○ Call gate descriptor defined in the GDT/LDT
○ DPLg: minimum privilege needed to use the gate (both CPL and RPL must be numerically <= DPLg)
○ Stack switch after escalation/de-escalation (the new stack pointer comes from the TSS)
Preliminaries: Inter-bitness Control Transfer
● Bitness (32/64) is defined by the currently active code segment descriptor
○ L bit of the code segment descriptor
○ In long mode (64-bit), a call gate cannot target a 32-bit code segment
Threat Model & Target
● Threat model
○ Attacker with arbitrary code execution in user mode (Ring 3)
● Security guarantee
○ User mode cannot directly access a protected region
Design
● Establishing the PrivUser memory space
○ M-SR1. User mode must not be able to access PrivUser memory
■ Mark PrivUser pages as supervisor pages (S-pages) by clearing the U/S bit in their PTEs: Ring 3 accesses fault, Ring 1/2 accesses succeed
○ M-SR2. PrivUser mode must not be able to access kernel memory space
■ Run PrivUser code in a 32-bit code segment with segmentation enabled
● 32-bit code under a special code segment (CS) can only form 32-bit linear addresses bounded by the segment limit, so the 64-bit kernel's address space is unreachable
Design
● Challenges
○ Hardware constraint: a 32-bit call gate is not available in long mode, so a 64-bit call gate has to be introduced
○ Potential risk: any non-Ring-3 64-bit code can access kernel memory
■ If PrivUser jumps into the 64-bit call gate target code instead of entering through the gate, it can access kernel memory
● Solution: inescapable segmentation enforcement
○ A Ring 1 64-bit call gate whose target code immediately switches into the 32-bit PrivUser code segment with a far return (lret)
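The privilege rules from the preliminaries slides and the two design requirements (M-SR1, M-SR2) can be checked against a small model. The following C program is an added example, not code from the paper or its artifact; the PrivUser region address, the segment limits and the kernel-half base are illustrative assumptions. It encodes the checks the CPU performs (U/S bit, data segment DPL, compatibility-mode limit and 32-bit linear address, direct far call, call-gate DPL and the 64-bit target requirement in IA-32e mode) and shows why Ring 3 cannot touch the S-pages, why Ring 1 32-bit code cannot form a kernel address, and why the entry gate must land in 64-bit code before the lret into the 32-bit segment.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Fault codes mirror the x86 exception vectors the CPU would raise. */
#define OK        0
#define FAULT_GP 13   /* #GP: a segment or gate check failed */
#define FAULT_PF 14   /* #PF: a paging check failed */

/* Assumed, illustrative: start of the canonical upper half used by 64-bit kernels. */
#define KERNEL_HALF_BASE 0xFFFF800000000000ULL

typedef enum { RING0 = 0, RING1, RING2, RING3 } ring_t;

/* A mapped range with the one PTE attribute that matters here: U/S.
 * user == false marks a supervisor page (an S-page in LOTRx86 terms). */
typedef struct { uint64_t base, size; bool user; } page_t;

/* Segment descriptor reduced to base, limit, DPL, code/data and the L bit. */
typedef struct { uint32_t base, limit; ring_t dpl; bool code, long_mode; } seg_t;

/* Call-gate descriptor: its own DPL (DPLg) plus the target code segment. */
typedef struct { ring_t dpl; const seg_t *target; } gate_t;

/* Paging (M-SR1): a supervisor page faults only for CPL 3. The paging unit
 * treats CPL 0-2 uniformly as supervisor, so Ring 1/2 reach S-pages while
 * Ring 3 cannot. (SMAP/SMEP and CR0.WP are left out of this model.) */
int page_check(ring_t cpl, const page_t *pg, uint64_t linear) {
    if (linear < pg->base || linear >= pg->base + pg->size) return FAULT_PF;
    if (!pg->user && cpl == RING3) return FAULT_PF;
    return OK;
}

/* Compatibility-mode addressing (M-SR2): the offset must lie within the
 * segment limit, and linear = base + offset is computed in 32 bits. */
int compat_limit_check(const seg_t *seg, uint32_t offset) {
    return offset <= seg->limit ? OK : FAULT_GP;
}

uint64_t compat_linear(const seg_t *seg, uint32_t offset) {
    return (uint32_t)(seg->base + offset);   /* wraps at 4 GiB */
}

/* Highest linear address the segment can ever form: always below 4 GiB. */
uint64_t compat_max_linear(const seg_t *seg) {
    return compat_linear(seg, seg->limit);
}

/* Loading a data segment selector: max(CPL, RPL) must be <= DPL. */
int data_seg_load(ring_t cpl, ring_t rpl, const seg_t *seg) {
    ring_t eff = cpl > rpl ? cpl : rpl;
    return eff <= seg->dpl ? OK : FAULT_GP;
}

/* Direct far CALL into a non-conforming code segment needs CPL == DPL,
 * so Ring 3 cannot simply jump into Ring 1 PrivUser code. */
int far_call_direct(ring_t cpl, const seg_t *code) {
    return (code->code && cpl == code->dpl) ? OK : FAULT_GP;
}

/* CALL through a call gate: CPL <= DPLg and RPL <= DPLg; the target's DPL
 * must be <= CPL and becomes the new CPL. In IA-32e mode the target must be
 * a 64-bit code segment: the constraint that forces LOTRx86 to land in
 * 64-bit Ring 1 code before switching to the 32-bit PrivUser segment. */
int call_gate_check(ring_t cpl, ring_t rpl, const gate_t *g, bool ia32e) {
    if (cpl > g->dpl || rpl > g->dpl) return FAULT_GP;
    if (!g->target->code || g->target->dpl > cpl) return FAULT_GP;
    if (ia32e && !g->target->long_mode) return FAULT_GP;
    return OK;
}

ring_t call_gate_new_cpl(const gate_t *g) { return g->target->dpl; }

/* Assumed layout for the demonstration (not the paper's addresses). */
static const page_t privuser_spage  = { 0x20000000ULL, 0x01000000ULL, false };
static const page_t app_upage       = { 0x00400000ULL, 0x00100000ULL, true  };
static const seg_t  privuser_ds     = { 0x20000000u, 0x00FFFFFFu, RING1, false, false };
static const seg_t  privuser_cs32   = { 0x20000000u, 0x00FFFFFFu, RING1, true,  false };
static const seg_t  trampoline_cs64 = { 0u, 0xFFFFFFFFu, RING1, true, true };
static const gate_t lotr_gate       = { RING3, &trampoline_cs64 };  /* usable from Ring 3 */
static const gate_t bad_gate        = { RING3, &privuser_cs32 };    /* 32-bit target */

static const char *verdict(int rc) { return rc == OK ? "OK" : rc == FAULT_GP ? "#GP" : "#PF"; }

int main(void) {
    printf("Ring 3 reads S-page      : %s\n", verdict(page_check(RING3, &privuser_spage, 0x20001000ULL)));
    printf("Ring 1 reads S-page      : %s\n", verdict(page_check(RING1, &privuser_spage, 0x20001000ULL)));
    printf("Ring 3 far-calls PrivUser: %s\n", verdict(far_call_direct(RING3, &privuser_cs32)));
    printf("Ring 3 via 64-bit gate   : %s -> CPL %d\n",
           verdict(call_gate_check(RING3, RING3, &lotr_gate, true)), (int)call_gate_new_cpl(&lotr_gate));
    printf("Ring 3 via 32-bit gate   : %s\n", verdict(call_gate_check(RING3, RING3, &bad_gate, true)));
    printf("PrivUser max linear 0x%llx below kernel half 0x%llx: %s\n",
           (unsigned long long)compat_max_linear(&privuser_ds), (unsigned long long)KERNEL_HALF_BASE,
           compat_max_linear(&privuser_ds) < KERNEL_HALF_BASE ? "yes" : "no");
    return 0;
}
```

The model deliberately leaves out SMAP/SMEP and CR0.WP; on hardware that has them they also treat CPL 0–2 as supervisor, which is a consideration for any Ring 1/2 design but not something these slides cover.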
Implementation
● Components
○ lotr-kmod: builds the PrivUser space
■ Space size is fixed
■ Generates the LDT, initializes the S-page PTEs, sets up Ring 1 and Ring 2
○ liblotr: utility functions for initializing the PrivUser space, entering it, etc.
○ lotr-libc: a private libc for PrivUser code; not scalable
○ lotr-build: produces the 32-bit machine code for PrivUser
○ Kernel modification: mmap/mprotect on the PrivUser range are made to bail out and return an error
Evaluation
● Micro-benchmark
○ Compares a call into PrivUser against a normal function call
○ Presenter's question: why do the Intel and AMD results differ?
[Figure: micro-benchmark results; variants labelled "no cache" and "opt"]
Evaluation
● LOTRx86-enabled web server
○ Latency: response time
Discussion
● Portable but not scalable
○ e.g. fixed space size, private libc, argument passing
● Low automation
● High overhead: 35%
Thanks!

More Related Content

What's hot

CCNA : Intro to Cisco IOS - Part 1
CCNA :  Intro to Cisco IOS - Part 1CCNA :  Intro to Cisco IOS - Part 1
CCNA : Intro to Cisco IOS - Part 1
GLC Networks
 
MPLS on Router OS V7 - Part 1
MPLS on Router OS V7 - Part 1MPLS on Router OS V7 - Part 1
MPLS on Router OS V7 - Part 1
GLC Networks
 
MTCNA : Intro to RouterOS - Part 1
MTCNA : Intro to RouterOS - Part 1MTCNA : Intro to RouterOS - Part 1
MTCNA : Intro to RouterOS - Part 1
GLC Networks
 
Zabbix for Monitoring
Zabbix for MonitoringZabbix for Monitoring
Zabbix for Monitoring
GLC Networks
 
BUD17-416: Benchmark and profiling in OP-TEE
BUD17-416: Benchmark and profiling in OP-TEE BUD17-416: Benchmark and profiling in OP-TEE
BUD17-416: Benchmark and profiling in OP-TEE
Linaro
 
Using Zettabyte Filesystem (ZFS)
Using Zettabyte Filesystem (ZFS)Using Zettabyte Filesystem (ZFS)
Using Zettabyte Filesystem (ZFS)
GLC Networks
 
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
Leszek Mi?
 
Layer 7 Firewall on Mikrotik
Layer 7 Firewall on MikrotikLayer 7 Firewall on Mikrotik
Layer 7 Firewall on Mikrotik
GLC Networks
 
LAS16-504: Secure Storage updates in OP-TEE
LAS16-504: Secure Storage updates in OP-TEELAS16-504: Secure Storage updates in OP-TEE
LAS16-504: Secure Storage updates in OP-TEE
Linaro
 
Best Current Practice (BCP) 38 Ingress Filtering for Security
Best Current Practice (BCP) 38 Ingress Filtering for SecurityBest Current Practice (BCP) 38 Ingress Filtering for Security
Best Current Practice (BCP) 38 Ingress Filtering for Security
GLC Networks
 
BUD17-302: LLVM Internals #2
BUD17-302: LLVM Internals #2 BUD17-302: LLVM Internals #2
BUD17-302: LLVM Internals #2
Linaro
 
Troubleshooting Layer 2 Ethernet Problem: Loop, Broadcast, Security
Troubleshooting Layer 2 Ethernet Problem: Loop, Broadcast, Security Troubleshooting Layer 2 Ethernet Problem: Loop, Broadcast, Security
Troubleshooting Layer 2 Ethernet Problem: Loop, Broadcast, Security
GLC Networks
 
BGP on RouterOS7 -Part 1
BGP on RouterOS7 -Part 1BGP on RouterOS7 -Part 1
BGP on RouterOS7 -Part 1
GLC Networks
 
CCNA : Intro to Cisco IOS - Part 2
CCNA : Intro to Cisco IOS - Part 2CCNA : Intro to Cisco IOS - Part 2
CCNA : Intro to Cisco IOS - Part 2
GLC Networks
 
MTCNA Intro to routerOS
MTCNA Intro to routerOSMTCNA Intro to routerOS
MTCNA Intro to routerOS
GLC Networks
 
Up and Running SSH Service - Part 1
Up and Running SSH Service - Part 1Up and Running SSH Service - Part 1
Up and Running SSH Service - Part 1
GLC Networks
 
Internet Protocol Deep-Dive
Internet Protocol Deep-DiveInternet Protocol Deep-Dive
Internet Protocol Deep-Dive
GLC Networks
 
Automatic Backup via FTP - Part 1
Automatic Backup via FTP - Part 1Automatic Backup via FTP - Part 1
Automatic Backup via FTP - Part 1
GLC Networks
 
CNIT 1417. Keyed Hashing
CNIT 1417. Keyed HashingCNIT 1417. Keyed Hashing
CNIT 1417. Keyed Hashing
Sam Bowne
 
Telecommunication Evolution
Telecommunication EvolutionTelecommunication Evolution
Telecommunication Evolution
GLC Networks
 

What's hot (20)

CCNA : Intro to Cisco IOS - Part 1
CCNA :  Intro to Cisco IOS - Part 1CCNA :  Intro to Cisco IOS - Part 1
CCNA : Intro to Cisco IOS - Part 1
 
MPLS on Router OS V7 - Part 1
MPLS on Router OS V7 - Part 1MPLS on Router OS V7 - Part 1
MPLS on Router OS V7 - Part 1
 
MTCNA : Intro to RouterOS - Part 1
MTCNA : Intro to RouterOS - Part 1MTCNA : Intro to RouterOS - Part 1
MTCNA : Intro to RouterOS - Part 1
 
Zabbix for Monitoring
Zabbix for MonitoringZabbix for Monitoring
Zabbix for Monitoring
 
BUD17-416: Benchmark and profiling in OP-TEE
BUD17-416: Benchmark and profiling in OP-TEE BUD17-416: Benchmark and profiling in OP-TEE
BUD17-416: Benchmark and profiling in OP-TEE
 
Using Zettabyte Filesystem (ZFS)
Using Zettabyte Filesystem (ZFS)Using Zettabyte Filesystem (ZFS)
Using Zettabyte Filesystem (ZFS)
 
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
 
Layer 7 Firewall on Mikrotik
Layer 7 Firewall on MikrotikLayer 7 Firewall on Mikrotik
Layer 7 Firewall on Mikrotik
 
LAS16-504: Secure Storage updates in OP-TEE
LAS16-504: Secure Storage updates in OP-TEELAS16-504: Secure Storage updates in OP-TEE
LAS16-504: Secure Storage updates in OP-TEE
 
Best Current Practice (BCP) 38 Ingress Filtering for Security
Best Current Practice (BCP) 38 Ingress Filtering for SecurityBest Current Practice (BCP) 38 Ingress Filtering for Security
Best Current Practice (BCP) 38 Ingress Filtering for Security
 
BUD17-302: LLVM Internals #2
BUD17-302: LLVM Internals #2 BUD17-302: LLVM Internals #2
BUD17-302: LLVM Internals #2
 
Troubleshooting Layer 2 Ethernet Problem: Loop, Broadcast, Security
Troubleshooting Layer 2 Ethernet Problem: Loop, Broadcast, Security Troubleshooting Layer 2 Ethernet Problem: Loop, Broadcast, Security
Troubleshooting Layer 2 Ethernet Problem: Loop, Broadcast, Security
 
BGP on RouterOS7 -Part 1
BGP on RouterOS7 -Part 1BGP on RouterOS7 -Part 1
BGP on RouterOS7 -Part 1
 
CCNA : Intro to Cisco IOS - Part 2
CCNA : Intro to Cisco IOS - Part 2CCNA : Intro to Cisco IOS - Part 2
CCNA : Intro to Cisco IOS - Part 2
 
MTCNA Intro to routerOS
MTCNA Intro to routerOSMTCNA Intro to routerOS
MTCNA Intro to routerOS
 
Up and Running SSH Service - Part 1
Up and Running SSH Service - Part 1Up and Running SSH Service - Part 1
Up and Running SSH Service - Part 1
 
Internet Protocol Deep-Dive
Internet Protocol Deep-DiveInternet Protocol Deep-Dive
Internet Protocol Deep-Dive
 
Automatic Backup via FTP - Part 1
Automatic Backup via FTP - Part 1Automatic Backup via FTP - Part 1
Automatic Backup via FTP - Part 1
 
CNIT 1417. Keyed Hashing
CNIT 1417. Keyed HashingCNIT 1417. Keyed Hashing
CNIT 1417. Keyed Hashing
 
Telecommunication Evolution
Telecommunication EvolutionTelecommunication Evolution
Telecommunication Evolution
 

Similar to Lord of the X86 Rings: A Portable User Mode Privilege Separation Architecture on X86 (CCS'18)

Dfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshopDfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshop
Tamas K Lengyel
 
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
DefCamp
 
Mirko Damiani - An Embedded soft real time distributed system in Go
Mirko Damiani - An Embedded soft real time distributed system in GoMirko Damiani - An Embedded soft real time distributed system in Go
Mirko Damiani - An Embedded soft real time distributed system in Go
linuxlab_conf
 
Linux Stammtisch Munich: Ceph - Overview, Experiences and Outlook
Linux Stammtisch Munich: Ceph - Overview, Experiences and OutlookLinux Stammtisch Munich: Ceph - Overview, Experiences and Outlook
Linux Stammtisch Munich: Ceph - Overview, Experiences and Outlook
Danny Al-Gaaf
 
A Journey into Hexagon: Dissecting Qualcomm Basebands
A Journey into Hexagon: Dissecting Qualcomm BasebandsA Journey into Hexagon: Dissecting Qualcomm Basebands
A Journey into Hexagon: Dissecting Qualcomm Basebands
Priyanka Aash
 
Advanced MySql Data-at-Rest Encryption in Percona Server
Advanced MySql Data-at-Rest Encryption in Percona ServerAdvanced MySql Data-at-Rest Encryption in Percona Server
Advanced MySql Data-at-Rest Encryption in Percona Server
Severalnines
 
cachegrand: A Take on High Performance Caching
cachegrand: A Take on High Performance Cachingcachegrand: A Take on High Performance Caching
cachegrand: A Take on High Performance Caching
ScyllaDB
 
Security issues in FPGA based systems.
Security issues in FPGA based systems.Security issues in FPGA based systems.
Security issues in FPGA based systems.
Rajeev Verma
 
Advanced microprocessor
Advanced microprocessorAdvanced microprocessor
Advanced microprocessor
Shehrevar Davierwala
 
One Stone, Three Birds_ Finer-Grained Encryption with Apache Parquet @ Large ...
One Stone, Three Birds_ Finer-Grained Encryption with Apache Parquet @ Large ...One Stone, Three Birds_ Finer-Grained Encryption with Apache Parquet @ Large ...
One Stone, Three Birds_ Finer-Grained Encryption with Apache Parquet @ Large ...
XinliShang1
 
An Introduction to Apache Cassandra
An Introduction to Apache CassandraAn Introduction to Apache Cassandra
An Introduction to Apache Cassandra
Saeid Zebardast
 
Improving Scalability of Xen: The 3,000 Domains Experiment
Improving Scalability of Xen: The 3,000 Domains ExperimentImproving Scalability of Xen: The 3,000 Domains Experiment
Improving Scalability of Xen: The 3,000 Domains Experiment
The Linux Foundation
 
Operation Unthinkable – Software Defined Storage @ Booking.com (Peter Buschman)
Operation Unthinkable – Software Defined Storage @ Booking.com (Peter Buschman)Operation Unthinkable – Software Defined Storage @ Booking.com (Peter Buschman)
Operation Unthinkable – Software Defined Storage @ Booking.com (Peter Buschman)
data://disrupted®
 
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Anne Nicolas
 
Do you know what your digital pins are "really" saying
Do you know what your digital pins are "really" sayingDo you know what your digital pins are "really" saying
Do you know what your digital pins are "really" saying
Leroy Levin
 
Bluetooth Low Energy - A Case Study
Bluetooth Low Energy - A Case StudyBluetooth Low Energy - A Case Study
Bluetooth Low Energy - A Case Study
FReeze FRancis
 
Study on 32-bit Cortex - M3 Powered MCU: STM32F101
Study on 32-bit Cortex - M3 Powered MCU: STM32F101Study on 32-bit Cortex - M3 Powered MCU: STM32F101
Study on 32-bit Cortex - M3 Powered MCU: STM32F101
Premier Farnell
 
Kubernetes from scratch at veepee sysadmins days 2019
Kubernetes from scratch at veepee   sysadmins days 2019Kubernetes from scratch at veepee   sysadmins days 2019
Kubernetes from scratch at veepee sysadmins days 2019
🔧 Loïc BLOT
 
module01.ppt
module01.pptmodule01.ppt
module01.ppt
Subhasis Dash
 
Lect 1 Into.pptx
Lect 1 Into.pptxLect 1 Into.pptx
Lect 1 Into.pptx
SangeetaTripathi8
 

Similar to Lord of the X86 Rings: A Portable User Mode Privilege Separation Architecture on X86 (CCS'18) (20)

Dfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshopDfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshop
 
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
 
Mirko Damiani - An Embedded soft real time distributed system in Go
Mirko Damiani - An Embedded soft real time distributed system in GoMirko Damiani - An Embedded soft real time distributed system in Go
Mirko Damiani - An Embedded soft real time distributed system in Go
 
Linux Stammtisch Munich: Ceph - Overview, Experiences and Outlook
Linux Stammtisch Munich: Ceph - Overview, Experiences and OutlookLinux Stammtisch Munich: Ceph - Overview, Experiences and Outlook
Linux Stammtisch Munich: Ceph - Overview, Experiences and Outlook
 
A Journey into Hexagon: Dissecting Qualcomm Basebands
A Journey into Hexagon: Dissecting Qualcomm BasebandsA Journey into Hexagon: Dissecting Qualcomm Basebands
A Journey into Hexagon: Dissecting Qualcomm Basebands
 
Advanced MySql Data-at-Rest Encryption in Percona Server
Advanced MySql Data-at-Rest Encryption in Percona ServerAdvanced MySql Data-at-Rest Encryption in Percona Server
Advanced MySql Data-at-Rest Encryption in Percona Server
 
cachegrand: A Take on High Performance Caching
cachegrand: A Take on High Performance Cachingcachegrand: A Take on High Performance Caching
cachegrand: A Take on High Performance Caching
 
Security issues in FPGA based systems.
Security issues in FPGA based systems.Security issues in FPGA based systems.
Security issues in FPGA based systems.
 
Advanced microprocessor
Advanced microprocessorAdvanced microprocessor
Advanced microprocessor
 
One Stone, Three Birds_ Finer-Grained Encryption with Apache Parquet @ Large ...
One Stone, Three Birds_ Finer-Grained Encryption with Apache Parquet @ Large ...One Stone, Three Birds_ Finer-Grained Encryption with Apache Parquet @ Large ...
One Stone, Three Birds_ Finer-Grained Encryption with Apache Parquet @ Large ...
 
An Introduction to Apache Cassandra
An Introduction to Apache CassandraAn Introduction to Apache Cassandra
An Introduction to Apache Cassandra
 
Improving Scalability of Xen: The 3,000 Domains Experiment
Improving Scalability of Xen: The 3,000 Domains ExperimentImproving Scalability of Xen: The 3,000 Domains Experiment
Improving Scalability of Xen: The 3,000 Domains Experiment
 
Operation Unthinkable – Software Defined Storage @ Booking.com (Peter Buschman)
Operation Unthinkable – Software Defined Storage @ Booking.com (Peter Buschman)Operation Unthinkable – Software Defined Storage @ Booking.com (Peter Buschman)
Operation Unthinkable – Software Defined Storage @ Booking.com (Peter Buschman)
 
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
 
Do you know what your digital pins are "really" saying
Do you know what your digital pins are "really" sayingDo you know what your digital pins are "really" saying
Do you know what your digital pins are "really" saying
 
Bluetooth Low Energy - A Case Study
Bluetooth Low Energy - A Case StudyBluetooth Low Energy - A Case Study
Bluetooth Low Energy - A Case Study
 
Study on 32-bit Cortex - M3 Powered MCU: STM32F101
Study on 32-bit Cortex - M3 Powered MCU: STM32F101Study on 32-bit Cortex - M3 Powered MCU: STM32F101
Study on 32-bit Cortex - M3 Powered MCU: STM32F101
 
Kubernetes from scratch at veepee sysadmins days 2019
Kubernetes from scratch at veepee   sysadmins days 2019Kubernetes from scratch at veepee   sysadmins days 2019
Kubernetes from scratch at veepee sysadmins days 2019
 
module01.ppt
module01.pptmodule01.ppt
module01.ppt
 
Lect 1 Into.pptx
Lect 1 Into.pptxLect 1 Into.pptx
Lect 1 Into.pptx
 

Recently uploaded

[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
Jason Yip
 
Day 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio FundamentalsDay 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio Fundamentals
UiPathCommunity
 
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeckPoznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
FilipTomaszewski5
 
"What does it really mean for your system to be available, or how to define w...
"What does it really mean for your system to be available, or how to define w..."What does it really mean for your system to be available, or how to define w...
"What does it really mean for your system to be available, or how to define w...
Fwdays
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
Ajin Abraham
 
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving
 
Christine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptxChristine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptx
christinelarrosa
 
ScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking ReplicationScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking Replication
ScyllaDB
 
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
"Scaling RAG Applications to serve millions of users",  Kevin Goedecke"Scaling RAG Applications to serve millions of users",  Kevin Goedecke
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
Fwdays
 
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid ResearchHarnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Neo4j
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
Antonios Katsarakis
 
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
Edge AI and Vision Alliance
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
Hiroshi SHIBATA
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
DianaGray10
 
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving
 
Principle of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptxPrinciple of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptx
BibashShahi
 
QA or the Highway - Component Testing: Bridging the gap between frontend appl...
QA or the Highway - Component Testing: Bridging the gap between frontend appl...QA or the Highway - Component Testing: Bridging the gap between frontend appl...
QA or the Highway - Component Testing: Bridging the gap between frontend appl...
zjhamm304
 
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyFreshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
ScyllaDB
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
Alex Pruden
 
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
DanBrown980551
 

Recently uploaded (20)

[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
 
Day 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio FundamentalsDay 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio Fundamentals
 
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeckPoznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
 
"What does it really mean for your system to be available, or how to define w...
"What does it really mean for your system to be available, or how to define w..."What does it really mean for your system to be available, or how to define w...
"What does it really mean for your system to be available, or how to define w...
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
 
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024
 
Christine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptxChristine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptx
 
ScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking ReplicationScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking Replication
 
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
"Scaling RAG Applications to serve millions of users",  Kevin Goedecke"Scaling RAG Applications to serve millions of users",  Kevin Goedecke
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
 
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid ResearchHarnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
 
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...

Lord of the X86 Rings: A Portable User Mode Privilege Separation Architecture on X86 (CCS'18)

  • 1. Lord of the X86 Rings: A Portable User Mode Privilege Separation Architecture on X86. Memory Defense Paper Sharing (I), CCS 2018. Hojoon Lee, Chihyun Song, Brent Byunghoon Kang. Presented by Xingman Chen, 2018-10-09
  • 2-3. In-Process Isolation
    ● Most attacks target
      ○ Control flow
        ■ Control flow hijack/bending
      ○ Data flow
        ■ Non-control data attack
    ● Sensitive data in memory
      ○ Cryptographic keys
      ○ Function tables
      ○ Control flow integrity mitigation metadata
      ○ (Un)trusted libs
    ● Need to be protected
  • 4. Motivations
    ● Heartbleed vulnerability
      ○ A malicious memcpy(bp,pl,payload) in OpenSSL nearly brought down HTTPS
      ○ Sensitive data: private key
  • 5-6. Motivations
    ● Metadata protection
      ○ Shadow stack
        ■ Back up return addresses to prevent ret-based control flow hijack
        ■ Sensitive data: backed-up return addresses
      ○ Code Pointer Integrity
        ■ Move code pointers and indirect code pointers to a safe region
        ■ Sensitive data: safe region
  • 7. Motivations
    ● Untrusted library
      ○ Black Hat '17 by Chaitin: Many Birds, One Stone: Exploiting a Single SQLite Vulnerability Across Multiple Software
      ○ CVE-2015-7036
        ■ SQLite fts3_tokenizer Untrusted Pointer Remote Code Execution Vulnerability
  • 8-9. In-Process Isolation: Approaches
    ● Software based
      ○ Randomization based
        ■ e.g. ASLR
      ○ Instrument non-sensitive code with bounds checks prior to indirect memory accesses
        ■ e.g. Software Fault Isolation (SFI)
    ● OS/hardware based
      ○ OS feature based: paging or segmentation based approaches
      ○ Hardware feature based
        ■ e.g. Intel MPX (CFIXX), SGX, CET, MPK; ARM memory domains (Shred)
    [Figure: an Application split into Sen-Code (Sensitive Data Related Code) and Non Sen Code, with Sen Memory and Non Sen Memory]
  • 10. Lord of the x86 Rings: A Portable User Mode Privilege Separation Architecture on x86
    ● Presents LOTRx86, a novel approach that establishes a new user privilege layer which safeguards access to sensitive data, achieving in-process privilege separation
    ● OS feature based
    ● Features
      ○ No extra hardware feature needed
      ○ Fast: average of 30.40% overhead on Intel processors
  • 11. Motivation
    ● Randomization based: weak
    ● SFI: high overhead
    ● Hardware feature based: not portable
    ● LOTRx86: trade-off
      ○ Portable approach based on segmentation & paging features
      ○ Harnesses the underused x86 intermediate rings (Ring 1 and Ring 2)
  • 12. Preliminaries: Addressing in x86
    ● Segmentation in x86 (IA-32, 386)
      ○ DPL (Descriptor Privilege Level): in the GDT/LDT
      ○ CPL (Current Privilege Level): 2 bits in the segment register (cs)
      ○ RPL (Requested Privilege Level)
  • 13. Preliminaries: Addressing in x86
    ● Paging in x86
      ○ 2-level page table
        ■ User/Supervisor bit: privilege required for accessing this page
  • 14-15. Preliminaries: Addressing in x64
    ● x64 (x86_64, amd64 / IA-32e, EM64T): weakened segmentation
      ○ Treats the segment base of CS, DS, ES, SS as zero, creating a linear address
      ○ Used only for memory protection
      ○ CPL remains
        ■ DPL: valid for code segment descriptors, ignored for data segment descriptors
  • 16. Preliminaries: Call gate
    ● Call gate: privilege escalation & de-escalation
      ○ Call gate descriptor defined in the GDT/LDT
      ○ DPLg: minimum privilege requirement
      ○ Stack pivot after escalation/de-escalation
  • 17. Preliminaries: Inter-bitness control transfer
    ● Bitness (32/64): defined by the currently active code segment descriptor
      ○ L bit
      ○ A call gate cannot target a 32-bit code segment in long mode (64-bit)
  • 18. Threat Model & Target
    ● Threat model
      ○ Arbitrary code execution
    ● Security guarantee
      ○ User mode cannot directly access a protected region
    [Figure: an Application split into Sen-Code (Sensitive Data Related Code) and Non Sen Code, with Sen Memory and Non Sen Memory]
  • 19-20. Design
    ● Establishing the PrivUser memory space
      ○ M-SR1. User mode must not be able to access PrivUser memory
        ■ Set the S-bit (supervisor) in the PTEs of S-pages
      ○ M-SR2. PrivUser mode must not be able to access kernel memory space
        ■ Set the PrivUser code page as a 32-bit, segmentation-enabled code segment
          ● Run 32-bit code with a special segment (cs)
  • 21-23. Design
    ● Challenges
      ○ Hardware constraint: 32-bit call gates are disabled, so a 64-bit call gate has to be introduced
      ○ Potential risk: any non-ring-3 64-bit code can access kernel memory
        ■ If PrivUser jumps into the 64-bit call gate area instead of the call gate entry, it can access kernel memory
    ● Solution: inescapable segmentation enforcement
      ○ A ring-1 call gate (x64) with lret
  • 24. Implementation
    ● Components
      ○ lotr-kmod: builds the PrivUser space
        ■ Space size is fixed
        ■ Generates the LDT, initializes S-page PTEs, initializes ring 1 / ring 2
      ○ liblotr: utility functions for initializing the PrivUser space, entering it, etc.
      ○ lotr-libc: private libc, not scalable
      ○ Kernel modification: make mmap/mprotect bypass it and return an error
  • 25. Implementation
    ● Components
      ○ lotr-build: creates 32-bit machine code
  • 26. Evaluation
    ● Micro-benchmark
      ○ Compared with a normal function call
        ■ But why does Intel differ from AMD? (no cache opt)
  • 28. Evaluation
    ● LOTRx86-enabled web server
      ○ Latency: response time
  • 29. Discussion
    ● Portable but not scalable
      ○ e.g. size, libc, argument passing
    ● Low automation
    ● High overhead: 35%
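The slides state the x86 protection rules (slides 12-17) and the two LOTRx86 requirements built on them (M-SR1 and M-SR2 on slides 19-20) without showing how they compose. The following is an added example written for this page, not code from the LOTRx86 paper or its lotr-* components: a small C model of the DPL/CPL/RPL checks for data segment loads and call gates, of linear-address formation in 32-bit versus 64-bit code segments, of the PTE User/Supervisor check, and finally of which of the three domains (user ring 3, PrivUser ring 1 in a 32-bit segment, kernel ring 0) can reach which kind of page. The kernel address 0xffff800000001000, the S-page address 0x10000000 and the user page address 0x7f0000001000 are constructed sample values, and conforming code segments, SMAP/SMEP and NX are deliberately left out of the model.

```c
/* Added example, not code from the LOTRx86 paper or these slides: a model of
 * the x86 protection rules the slides summarize (slides 12-17) and of how
 * LOTRx86 composes them (slides 18-20). Assumed simplifications: conforming
 * code segments, SMAP/SMEP and NX are ignored; kernel memory is modelled as
 * the higher half starting at 0xffff800000000000 (a constructed value). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Ring numbers: lower is more privileged. The effective privilege of a
 * request is the weaker of CPL and RPL, so RPL can only lower a request. */
static unsigned effective_pl(unsigned cpl, unsigned rpl)
{
    return cpl > rpl ? cpl : rpl;
}

/* Loading a data segment selector (mov ds, sel): allowed iff
 * max(CPL, RPL) <= DPL of the descriptor. */
bool can_load_data_segment(unsigned cpl, unsigned rpl, unsigned dpl)
{
    return effective_pl(cpl, rpl) <= dpl;
}

/* CALL through a call gate: the caller must satisfy the gate's DPL (DPLg),
 * and a gate may only raise privilege, never lower it (the way back down is
 * a far return, which is why slide 22 pairs the ring-1 gate with lret). */
bool can_call_gate(unsigned cpl, unsigned rpl, unsigned dplg, unsigned target_dpl)
{
    return effective_pl(cpl, rpl) <= dplg && target_dpl <= cpl;
}

/* Linear-address formation (slides 14-15): a 32-bit code segment applies base
 * and limit, so it can never name an address above 4 GiB; a 64-bit segment is
 * flat with base 0 and no limit. Returns false on a limit violation (#GP). */
bool form_linear(bool code_64bit, uint32_t base, uint32_t limit,
                 uint64_t offset, uint64_t *linear)
{
    if (code_64bit) {
        *linear = offset;
        return true;
    }
    if (offset > limit)
        return false;
    *linear = (uint32_t)(base + (uint32_t)offset); /* wraps within 4 GiB */
    return true;
}

/* Paging U/S check (slide 13): a supervisor page (U/S bit clear, the
 * "S-page" of slide 19) is reachable only from CPL 0..2. */
bool paging_allows(unsigned cpl, bool pte_user)
{
    return pte_user || cpl < 3;
}

/* The three execution domains as the slides describe them: user mode is
 * ring 3 in a 64-bit segment, PrivUser is ring 1 in a 32-bit segment (M-SR2),
 * the kernel is ring 0 in a 64-bit segment. */
typedef enum { DOM_USER = 0, DOM_PRIVUSER = 1, DOM_KERNEL = 2 } domain_t;

static const struct { unsigned cpl; bool code_64bit; } domains[] = {
    [DOM_USER]     = { 3, true  },
    [DOM_PRIVUSER] = { 1, false },
    [DOM_KERNEL]   = { 0, true  },
};

/* A page is described by its linear address and its PTE U/S bit. */
typedef struct { uint64_t addr; bool pte_user; } page_t;

/* Can `dom` touch `pg`? The code segment must be able to name the address
 * (flat 32-bit segment with limit 4 GiB - 1 assumed for PrivUser) and the
 * PTE must admit the domain's CPL. */
bool domain_can_access(domain_t dom, page_t pg)
{
    uint64_t linear;
    if (!form_linear(domains[dom].code_64bit, 0, UINT32_MAX, pg.addr, &linear))
        return false;                /* beyond a 32-bit segment's reach */
    return paging_allows(domains[dom].cpl, pg.pte_user);
}

int main(void)
{
    /* Constructed sample pages: ordinary user memory, an S-page holding
     * sensitive data (U/S bit cleared per M-SR1), and kernel memory. */
    const page_t user_page   = { 0x00007f0000001000ull, true  };
    const page_t s_page      = { 0x0000000010000000ull, false };
    const page_t kernel_page = { 0xffff800000001000ull, false };
    const char *names[] = { "user", "privuser", "kernel" };
    for (int d = DOM_USER; d <= DOM_KERNEL; d++)
        printf("%-8s user-page=%d s-page=%d kernel-page=%d\n", names[d],
               domain_can_access(d, user_page), domain_can_access(d, s_page),
               domain_can_access(d, kernel_page));
    return 0;
}
```

The access matrix the model prints is the security argument of slides 18-20 in miniature: ring 3 fails the U/S check on the S-page (M-SR1), and PrivUser, although it passes the U/S check as a supervisor-level ring, cannot even form a linear address for the kernel page because its 32-bit segment stops at 4 GiB (M-SR2). The same limit is why PrivUser cannot reach the constructed user page above 4 GiB, which is the argument-passing limitation slide 29 lists.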