SCALPEL: Exploring the Limits of Tag-enforced Compartmentalization
Article No.: 2, Pages 1 - 28
Abstract
We present Secure Compartments Automatically Learned and Protected by Execution using Lightweight metadata (SCALPEL), a tool for automatically deriving compartmentalization policies and lowering them to a tagged architecture for hardware-accelerated enforcement. SCALPEL allows a designer to explore high-quality points in the privilege-reduction vs. performance overhead tradeoff space using analysis tools and a detailed knowledge of the target architecture to make best use of the available hardware. SCALPEL automatically implements hundreds of compartmentalization strategies across the privilege-performance tradeoff space, all without manual tagging or code restructuring. SCALPEL uses two novel optimizations for achieving highly performant policies: the first is an algorithm for packing policies into working sets of rules for favorable rule cache characteristics, and the second is a rule prefetching system that allows it to exploit the highly predictable nature of compartmentalization rules. To create policies, SCALPEL introduces a quantitative privilege metric (the Overprivilege Ratio) that is used to drive its algorithmic compartment generation. We implement SCALPEL on a FreeRTOS stack and target a tag-extended RISC-V core. Our results show that SCALPEL-created policies can reduce overprivilege by orders of magnitude with hundreds of logical compartments while imposing low overheads (<5%).
References
[1]
Ali Abbasi, Jos Wetzels, Thorsten Holz, and Sandro Etalle. 2019. Challenges in designing exploit mitigations for deeply embedded systems. In IEEE European Symposium on Security and Privacy (EuroS&P’19). IEEE, 31–46.
[2]
Daniel Aloise, Amit Deshpande, Pierre Hansen, and Preyas Popat. 2009. NP-hardness of Euclidean sum-of-squares clustering. Mach. Learn. 75, 2 (01 May 2009), 245–248.
[3]
Anmibe. 2010. CPU Features: Non-Executable Memory. Retrieved from https://wiki.ubuntu.com/Security/CPUFeatures.
[4]
ARM. 2016. TrustZone technology for ARM v8-M Architecture. Retrieved from https://developer.arm.com/documentation/100690/latest/.
[5]
Arthur Azevedo de Amorim. 2017. A Methodology for Micro-policies. Ph.D. Dissertation. University of Pennsylvania. Retrieved from http://www.seas.upenn.edu/ aarthur/thesis.pdf.
[6]
Arthur Azevedo de Amorim, Maxime Dénès, Nick Giannarakis, Cătălin Hriţcu, Benjamin C. Pierce, Antal Spector-Zabusky, and Andrew Tolmach. 2015. Micro-policies: Formally verified, tag-based security monitors. In 36th IEEE Symposium on Security and Privacy (Oakland S&P’15). IEEE Computer Society, 813–830.
[7]
Ian Beer. [n.d.]. An iOS zero-click radio proximity exploit odyssey. Retrieved from https://googleprojectzero.blogspot.com/2020/12/an-ios-zero-click-radio-proximity.html.
[8]
Ian Beer. 2019. In-the-wild iOS Exploit Chain 1. Retrieved from https://googleprojectzero.blogspot.com/2019/08/in-wild-ios-exploit-chain-1.html.
[9]
Andrea Bittau, Petr Marchenko, Mark Handley, and Brad Karp. 2008. Wedge: Splitting applications into reduced-privilege compartments. In 5th USENIX Symposium on Networked Systems Design and Implementation (NSDI’08). USENIX Association, Berkeley, CA, 309–322.
[10]
Shimin Chen, Michael Kozuch, Theodoros Strigkos, Babak Falsafi, Phillip B. Gibbons, Todd C. Mowry, Vijaya Ramachandran, Olatunji Ruwase, Michael P. Ryan, and Evangelos Vlachos. 2008. Flexible hardware acceleration for instruction-grain program monitoring. In 35th International Symposium on Computer Architecture (ISCA’08). IEEE, 377–388. Retrieved from http://www.cs.cmu.edu/ lba/papers/LBA-isca08.pdf.
[11]
Abraham A. Clements, Naif Saleh Almakhdhub, Saurabh Bagchi, and Mathias Payer. 2018. ACES: Automatic compartments for embedded systems. In 27th USENIX Security Symposium (USENIX Security’18). USENIX Association, 65–82. Retrieved from https://www.usenix.org/conference/usenixsecurity18/presentation/clements.
[12]
The curl project. [n.d.]. curl: command line tool and library. Retrieved 15 Oct, 2020 from https://curl.se/.
[13]
DARPA. [n.d.]. Transparent Computing. Retrieved 1 Oct, 2020 from https://www.darpa.mil/program/transparent-computing.
[14]
Daniel Y. Deng and G. Edward Suh. 2012. High-performance parallel accelerator for flexible and efficient run-time monitoring. In IEEE/IFIP International Conference on Dependable Systems and Networks (DSN’12). IEEE Computer Society, 1–12. Retrieved from http://tsg.ece.cornell.edu/lib/exe/fetch.php?media=pubs:flex-dsn2012.pdf.
[15]
CVE Details. [n.d.]. CVE Details: Libxml2 Vulnerability Statistics. Retrieved 5 Oct, 2020 from https://www.cvedetails.com/product/3311/Xmlsoft-Libxml2.html?vendor_id=1962.
[16]
Udit Dhawan and André DeHon. 2013. Area-efficient near-associative memories on FPGAs. In International Symposium on Field-programmable Gate Arrays. 191–200. Retrieved from http://ic.ese.upenn.edu/abstracts/dmhc_fpga2013.html.
[17]
Udit Dhawan, Cătălin Hriţcu, Rafi Rubin, Nikos Vasilakis, Silviu Chiricescu, Jonathan M. Smith, Thomas F. Knight, Jr., Benjamin C. Pierce, and André DeHon. 2015. Architectural support for software-defined metadata processing. In International Conference on Architectural Support for Programming Languages and Operating Systems. 487–502. Retrieved from http://ic.ese.upenn.edu/abstracts/sdmp_asplos2015.html.
[18]
Xinshu Dong, Hong Hu, Prateek Saxena, and Zhenkai Liang. 2013. A quantitative evaluation of privilege separation in web browser designs. In European Symposium on Research in Computer Security. Springer, 75–93.
[19]
Dovecot. [n.d.]. Dovecot Mail Server. Retrieved 12 Oct, 2020 from https://github.com/dovecot/core.
[20]
Kevin Elphinstone and Gernot Heiser. 2013. From L3 to seL4 what have we learnt in 20 years of L4 microkernels? In Proceedings of the ACM Symposium on Operating Systems Principles (SOSP’13). ACM, New York, NY, 133–150.
[21]
Joseph A. Fisher and Stefan M. Freudenberger. 1992. Predicting conditional branch directions from previous runs of a program. ACM SIGPLAN Not. 27, 9 (1992), 85–95.
[22]
Institute for Informatics Georg-August-Universitat Gottingen. 1999. The MONDIAL Database. Retrieved 25 Oct, 2020 from https://www.dbis.informatik.uni-goettingen.de/Mondial.
[23]
LLVM Foundation. [n.d.]. The LLVM Compiler Infrastructure. Retrieved from 4 Oct, 2020 https://llvm.org/.
[24]
Sotiria Fytraki, Evangelos Vlachos, Yusuf Onur Koçberber, Babak Falsafi, and Boris Grot. 2014. FADE: A programmable filtering accelerator for instruction-grain monitoring. In 20th IEEE International Symposium on High Performance Computer Architecture. 108–119.
[25]
Khilan Gudka, Robert N. M. Watson, Jonathan Anderson, David Chisnall, Brooks Davis, Ben Laurie, Ilias Marinos, Peter G. Neumann, and Alex Richardson. 2015. Clean application compartmentalization with SOAAP. In 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS’15). ACM, New York, NY, 1016–1031.
[26]
Norm Hardy. 1988. The confused deputy (or why capabilities might have been invented). SIGOPS Oper. Syst. Rev. 22, 4 (Oct. 1988), 36–38.
[27]
HEX-Five. 2020. MultiZone Security Reference Manual. HEX-Five. Retrieved on 14 Oct, 2020 from https://github.com/hex-five/multizone-sdk/blob/master/manual.pdf.
[28]
Terry Ching-Hsiang Hsu, Kevin Hoffman, Patrick Eugster, and Mathias Payer. 2016. Enforcing least privilege memory views for multithreaded applications. In ACM Conference on Computer and Communication Security.
[29]
Chung Hwan Kim, Taegyu Kim, Hongjun Choi, Zhongshu Gu, Byoungyoung Lee, Xiangyu Zhang, and Dongyan Xu. 2018. Securing real-time microcontroller systems through customized memory view switching. In Proceedings of the 25th Network and Distributed System Security Symposium (NDSS ’18).
[30]
Draper Laboratory. [n.d.]. Hope-tools Github Repository. Retrieved 1 June, 2019 from https://github.com/draperlaboratory/hope-src.
[31]
Jochen Liedtke. 1995. On micro-kernel construction. In 15th ACM Symposium on Operating Systems Principles. 237–250.
[32]
Arm Limited. 2013. Arm Cortex-A53 Specification. Retrieved 5 Oct, 2020 from https://developer.arm.com/ip-products/processors/cortex-a/cortex-a53.
[33]
Arm Limited. 2016. ARMv8-M Architecture Reference Manual. Retrieved 6 Oct, 2020 from https://developer.arm.com/documentation/ddi0553/ab/.
[34]
Shen Liu, Dongrui Zeng, Yongzhe Huang, Frank Capobianco, Stephen McCamant, Trent Jaeger, and Gang Tan. 2019. Program-mandering: Quantitative privilege separation. In ACM SIGSAC Conference on Computer and Communications Security (CCS’19). ACM, New York, NY.
[35]
Canonical Ltd.[n.d.]. AppArmor. Retrieved 11 Sept, 2020 from https://wiki.ubuntu.com/AppArmor.
[36]
Sparsh Mittal. 2016. A survey of recent prefetching techniques for processor caches. ACM Comput. Surv. 49, 2 (2016), 1–35.
[37]
Oracle. [n.d.]. Introduction to SPARC M7 and Application Data Integrity (ADI). Retrieved 3 Dec, 2019 from https://swisdev.oracle.com/_files/What-Is-ADI.html.
[38]
Gabriel Parmer and Richard West. 2011. Mutable protection domains: Adapting system fault isolation for reliability and efficiency. IEEE Trans. Softw. Eng. 38, 4 (2011), 875–888.
[39]
Marios Pomonis, Theofilos Petsios, Angelos D. Keromytis, Michalis Polychronakis, and Vasileios P. Kemerlis. 2017. kR^X: Comprehensive kernel protection against just-in-time code reuse. In Proceedings of the Twelfth European Conference on Computer Systems. 420–436.
[40]
The GNOME Project. [n.d.]. The XML C Parser and toolkit of Gnome. Retrieved 4 Oct, 2020 from http://www.xmlsoft.org/.
[41]
Richard F. Rashid and George G. Robertson. 1981. Accent: A communication oriented network operating system kernel. In 8th ACM Symposium on Operating Systems Principles (SOSP’81). ACM, New York, NY, 64–75.
[42]
Nick Roessler. 2018. Exploiting LaTeX with CVE-2018-17407. Retrieved from https://nickroessler.com/latex-cve-2018-17407/.
[43]
Nick Roessler and André DeHon. 2018. Protecting the stack with metadata policies and tagged hardware. In IEEE Symposium on Security and Privacy (Oakland S&P’18). IEEE Computer Society.
[44]
Jerry H. Saltzer and Mike D. Schroeder. 1975. The protection of information in computer systems. Proc. IEEE 63, 9 (Sept. 1975), 1278–1308.
[45]
Andreas Sembrant. 2012. Efficient Techniques for Detecting and Exploiting Runtime Phases. Ph.D. Dissertation. Uppsala University.
[46]
NXP Semiconductors. 2018. NXP Selects Dover Microsystems’ State-of-the-Art CoreGuard Cybersecurity Technology for Future Embedded Platforms. Retrieved from https://media.nxp.com/news-releases/news-release-details/nxp-selects-dover-microsystems-state-art-coreguard-cybersecurity.
[47]
Amazon Web Services. [n.d.]. HTTP Web Server Example. Retrieved 30 Sept, 2020 from https://freertos.org/FreeRTOS-Plus/FreeRTOS_Plus_TCP/HTTP_web_Server.html.
[48]
Timothy Sherwood, Erez Perelman, Greg Hamerly, Suleyman Sair, and Brad Calder. 2003. Discovering and exploiting program phases. IEEE Micro 23, 6 (2003), 84–93.
[49]
Jia Song. 2014. Security Tagging for a Real-time Zero-kernel Operating System: Implementation and Verification. Ph.D. Dissertation. University of Idaho.
[50]
Jia Song and Jim Alves-Foss. 2013. Security tagging for a zero-kernel operating system. In 46th Hawaii International Conference on System Sciences (HICSS’13). IEEE, 5049–5058. Retrieved from http://www.computer.org/csdl/proceedings/hicss/2013/4892/00/4892f049.pdf.
[51]
Gregory T. Sullivan, André DeHon, Steven Milburn, Eli Boling, Marco Ciaffi, Jothy Rosenberg, and Andrew Sutherland. 2017. The Dover inherently secure processor. In IEEE International Symposium on Technologies for Homeland Security (HST’17). IEEE, 1–5.
[52]
Stylianos Tsampas, Akram El-Korashy, Marco Patrignani, Dominique Devriese, Deepak Garg, and Frank Piessens. 2017. Towards automatic compartmentalization of C programs on capability machines. In Workshop on Foundations of Computer Security. 1–14.
[53]
R. N. M. Watson, R. M. Norton, J. Woodruff, S. W. Moore, P. G. Neumann, J. Anderson, D. Chisnall, B. Davis, B. Laurie, M. Roe, N. H. Dave, K. Gudka, A. Joannou, A. T. Markettos, E. Maste, S. J. Murdoch, C. Rothwell, S. D. Son, and M. Vadera. 2016. Fast protection-domain crossing in the CHERI capability-system architecture. IEEE Micro 36, 5 (Sept. 2016), 38–49.
[54]
Emmett Witchel, Junghwan Rhee, and Krste Asanović. 2005. Mondrix: Memory isolation for Linux using Mondriaan memory protection. In 20th ACM Symposium on Operating Systems Principles (SOSP’05). ACM, New York, NY, 31–44.
[55]
Jonathan Woodruff, Robert N. M. Watson, David Chisnall, Simon W. Moore, Jonathan Anderson, Brooks Davis, Ben Laurie, Peter G. Neumann, Robert Norton, and Michael Roe. 2014. The CHERI capability model: Revisiting RISC in an age of risk. In International Symposium on Computer Architecture (ISCA’14). 457–468.
Index Terms
- SCALPEL: Exploring the Limits of Tag-enforced Compartmentalization
Recommendations
Dendritic compartmentalization could underlie competition and attentional biasing of simultaneous visual stimuli
NIPS'00: Proceedings of the 14th International Conference on Neural Information Processing SystemsNeurons in area V4 have relatively large receptive fields (RFs), so multiple visual features are simultaneously "seen" by these cells. Recordings from single V4 neurons suggest that simultaneously presented stimuli compete to set the output firing rate, ...
Sentry tag: an efficient filter scheme for low power cache
In this paper, we focus on low power design at the architecture level and propose a new architecture, called sentry tag, for reducing the on-chip cache power consumption in processors. The many unnecessary activities in the conventional cache-access ...
The role of dendritic spine morphology in the compartmentalization and delivery of surface receptors
Since AMPA receptors are major molecular players in both short- and long-term plasticity, it is important to identify the time-scales of and factors affecting the lateral diffusion of AMPARs on the dendrite surface. Using a mathematical model, we study ...
Comments
Information & Contributors
Information
Published In
January 2022
497 pages
Copyright © 2021 Copyright held by the owner/author(s).
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs International 4.0 License.
Publisher
Association for Computing Machinery
New York, NY, United States
Journal Family
Publication History
Published: 29 September 2021
Accepted: 01 April 2021
Revised: 01 March 2021
Received: 01 October 2020
Published in JETC Volume 18, Issue 1
Check for updates
Author Tags
Qualifiers
- Research-article
- Refereed
Funding Sources
- DARPA under the System Security Integrated Through Hardware and Firmware (SSITH) program
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 1,526Total Downloads
- Downloads (Last 12 months)353
- Downloads (Last 6 weeks)44
Reflects downloads up to 05 Mar 2025
Other Metrics
Citations
View Options
View options
View or Download as a PDF file.
PDFeReader
View online with eReader.
eReaderHTML Format
View this article in HTML Format.
HTML FormatLogin options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in