<html> <head> <title>XFI</title> </head> <body> <h1>XFI</h1> <p>Required reading: XFI: software guards for system address spaces. <h2>Introduction</h2> <p>Problem: how to use untrusted code (an "extension") in a trusted program? <ul> <li>Use untrusted jpeg codec in Web browser <li>Use an untrusted driver in the kernel </ul> <p>What are the dangers? <ul> <li>No fault isolations: extension modifies trusted code unintentionally <li>No protection: extension causes a security hole <ul> <li>Extension has a buffer overrun problem <li>Extension calls trusted program's functions <li>Extensions calls a trusted program's functions that is allowed to call, but supplies "bad" arguments <li>Extensions calls privileged hardware instructions (when extending kernel) <li>Extensions reads data out of trusted program it shouldn't. </ul> </ul> <p>Possible solutions approaches: <ul> <li>Run extension in its own address space with minimal privileges. Rely on hardware and operating system protection mechanism. <li>Restrict the language in which the extension is written: <ul> <li>Packet filter language. Language is limited in its capabilities, and it easy to guarantee "safe" execution. <li>Type-safe language. Language runtime and compiler guarantee "safe" execution. </ul> <li>Software-based sandboxing. </ul> <h2>Software-based sandboxing</h2> <p>Sandboxer. A compiler or binary-rewriter sandboxes all unsafe instructions in an extension by inserting additional instructions. For example, every indirect store is preceded by a few instructions that compute and check the target of the store at runtime. <p>Verifier. When the extension is loaded in the trusted program, the verifier checks if the extension is appropriately sandboxed (e.g., are all indirect stores sandboxed? does it call any privileged instructions?). If not, the extension is rejected. If yes, the extension is loaded, and can run. If the extension runs, the instruction that sandbox unsafe instructions check if the unsafe instruction is used in a safe way. <p>The verifier must be trusted, but the sandboxer doesn't. We can do without the verifier, if the trusted program can establish that the extension has been sandboxed by a trusted sandboxer. <p>The paper refers to this setup as instance of proof-carrying code. <h2>Software fault isolation</h2> <p><a href="http://citeseer.ist.psu.edu/wahbe93efficient.html">SFI</a> by Wahbe et al. explored out to use sandboxing for fault isolation extensions; that is, use sandboxing to control that stores and jump stay within a specified memory range (i.e., they don't overwrite and jump into addresses in the trusted program unchecked). They implemented SFI for a RISC processor, which simplify things since memory can be written only by store instructions (other instructions modify registers). In addition, they assumed that there were plenty of registers, so that they can dedicate a few for sandboxing code. <p>The extension is loaded into a specific range (called a segment) within the trusted application's address space. The segment is identified by the upper bits of the addresses in the segment. Separate code and data segments are necessary to prevent an extension overwriting its code. <p>An unsafe instruction on the MIPS is an instruction that jumps or stores to an address that cannot be statically verified to be within the correct segment. Most control transfer operations, such program-counter relative can be statically verified. Stores to static variables often use an immediate addressing mode and can be statically verified. Indirect jumps and indirect stores are unsafe. <p>To sandbox those instructions the sandboxer could generate the following code for each unsafe instruction: <pre> DR0 <- target address R0 <- DR0 >> shift-register; // load in R0 segment id of target CMP R0, segment-register; // compare to segment id to segment's ID BNE fault-isolation-error // if not equal, branch to trusted error code STORE using DR0 </pre> In this code, DR0, shift-register, and segment register are <i>dedicated</i>: they cannot be used by the extension code. The verifier must check if the extension doesn't use they registers. R0 is a scratch register, but doesn't have to be dedicated. The dedicated registers are necessary, because otherwise extension could load DR0 and jump to the STORE instruction directly, skipping the check. <p>This implementation costs 4 registers, and 4 additional instructions for each unsafe instruction. One could do better, however: <pre> DR0 <- target address & and-mask-register // mask segment ID from target DR0 <- DR0 | segment register // insert this segment's ID STORE using DR0 </pre> This code just sets the write segment ID bits. It doesn't catch illegal addresses; it just ensures that illegal addresses are within the segment, harming the extension but no other code. Even if the extension jumps to the second instruction of this sandbox sequence, nothing bad will happen (because DR0 will already contain the correct segment ID). <p>Optimizations include: <ul> <li>use guard zones for <i>store value, offset(reg)</i> <li>treat SP as dedicated register (sandbox code that initializes it) <li>etc. </ul> <h2>XFI</h2> <p>XFI extends SFI in several ways: <ul> <li>Handles fault isolation and protection <li>Uses control-folow integrity (CFI) to get good performance <li>Doesn't use dedicated registers <li>Use two stacks (a scoped stack and an allocation stack) and only allocation stack can be corrupted by buffer-overrun attacks. The scoped stack cannot via computed memory references. <li>Uses a binary rewriter. <li>Works for the x86 </ul> <p>x86 is challenging, because limited registers and variable length of instructions. SFI technique won't work with x86 instruction set. For example if the binary contains: <pre> 25 CD 80 00 00 # AND eax, 0x80CD </pre> and an adversary can arrange to jump to the second byte, then the adversary calls system call on Linux, which has binary the binary representation CD 80. Thus, XFI must control execution flow. <p>XFI policy goals: <ul> <li>Memory-access constraints (like SFI) <li>Interface restrictions (extension has fixed entry and exit points) <li>Scoped-stack integrity (calling stack is well formed) <li>Simplified instructions semantics (remove dangerous instructions) <li>System-environment integrity (ensure certain machine model invariants, such as x86 flags register cannot be modified) <li>Control-flow integrity: execution must follow a static, expected control-flow graph. (enter at beginning of basic blocks) <li>Program-data integrity (certain global variables in extension cannot be accessed via computed memory addresses) </ul> <p>The binary rewriter inserts guards to ensure these properties. The verifier check if the appropriate guards in place. The primary mechanisms used are: <ul> <li>CFI guards on computed control-flow transfers (see figure 2) <li>Two stacks <li>Guards on computer memory accesses (see figure 3) <li>Module header has a section that contain access permissions for region <li>Binary rewriter, which performs intra-procedure analysis, and generates guards, code for stack use, and verification hints <li>Verifier checks specific conditions per basic block. hints specify the verification state for the entry to each basic block, and at exit of basic block the verifier checks that the final state implies the verification state at entry to all possible successor basic blocks. (see figure 4) </ul> <p>Can XFI protect against the attack discussed in last lecture? <pre> unsigned int j; p=(unsigned char *)s->init_buf->data; j= *(p++); s->session->session_id_length=j; memcpy(s->session->session_id,p,j); </pre> Where will <i>j</i> be located? <p>How about the following one from the paper <a href="http://research.microsoft.com/users/jpincus/beyond-stack-smashing.pdf"><i>Beyond stack smashing: recent advances in exploiting buffer overruns</i></a>? <pre> void f2b(void * arg, size_t len) { char buf[100]; long val = ..; long *ptr = ..; extern void (*f)(); memcopy(buff, arg, len); *ptr = val; f(); ... return; } </pre> What code can <i>(*f)()</i> call? Code that the attacker inserted? Code in libc? <p>How about an attack that use <i>ptr</i> in the above code to overwrite a method's address in a class's dispatch table with an address of support function? <p>How about <a href="http://research.microsoft.com/~shuochen/papers/usenix05data_attack.pdf">data-only attacks</a>? For example, attacker overwrites <i>pw_uid</i> in the heap with 0 before the following code executes (when downloading /etc/passwd and then uploading it with a modified entry). <pre> FILE *getdatasock( ... ) { seteuid(0); setsockeope ( ...); ... seteuid(pw->pw_uid); ... } </pre> <p>How much does XFI slow down applications? How many more instructions are executed? (see Tables 1-4) </body>