IOSEC - Protection and Memory Safety for Input/Output Security

IOSEC - 输入/输出安全的保护和内存安全

• 批准号: EP/R012458/1
• 负责人: Robert Watson
• 金额: $ 65.23万
• 依托单位: University of Cambridge
• 依托单位国家: 英国
• 项目类别: Research Grant
• 财政年份: 2018
• 资助国家: 英国
• 起止时间: 2018 至 无数据
• 项目状态: 已结题
• 来源: https://gtr.ukri.org/projects?ref=EP%2FR012458%2F1
• 关键词: IOSEC; Protection; Memory; Safety; Input

We wish to re-architect current computer input/output (I/O) systems with security as a first-class design constraint. Existing I/O has evolved organically over the decades and now faces a 'perfect storm' of security vulnerabilities, which we aim to address.Computers today are full of processors: advertised, hidden and even unintentional. Processors, in the form of embedded microcontrollers, are hidden in 'devices' that we name as 'wireless card' or 'system management controller', but fundamentally they form a heterogenous distributed system. The software these processors run is often poorly scrutinised and may be actively malicious. As this field becomes more visible, vulnerabilities are being discovered with increasing frequency.Worse still, the trend is for 'pluggable' devices via interfaces such as USB Type-C and Thunderbolt 3: users are being trained to pick up processors, thinking they are innocuous because theyare shaped like chargers or dongles. For instance, many buildings, aircraft, trains and buses now provide 'USB charging', but, without protection, the Type-C user may be exposing themselves to unexpected threats. Such threats are of substantial and increasing concern to businesses, government and consumers. By redesigning I/O with security at the core, we aim to considerably improve on today's weaknesses. We will investigate the weaknesses of current I/O and propose safer alternatives through three threads of research:1. We will begin by performing a survey of the state-of-the-art of access-control protections in current hardware and software designs, to understand the limits of current pluggable-device security. We will focus in particular on current utilisation of Input/Output Memory Management Units (IOMMUs), which are the primary current defence that prevents devices from having unlimited Direct Memory Access (DMA) - the 'key to the kingdom' of system security that otherwise permits total compromise of firmware, OS, and applications from malicious devices. We will characterise current security-performance tradeoffs to establish a performance baseline. We will systemise new vulnerability classes and develop a corpus of vector-specific attack techniques which future defences must prevent or mitigate.Our existing preliminary results investigating IOMMU use in modern operating systems, and a growing attack literature, suggest substantial security and performance shortcomings. We therefore propose two strands of research to develop and evaluate technical approaches to defend against I/O-based attackers:2. Many I/O devices (e.g., USB and network cards) communicate with the host operating system through messages sent and received via DMA. We will develop new techniques to restructure CPU-to-I/O interconnects to provide a message-based abstraction for untrustworthy devices, rather than depending on DMA, as is current (and highly vulnerable) best practice.3. To address devices for which a memory-oriented semantic is intrinsic (e.g., GPUs and Remote-DMA enabled network cards), we will explore new distributed-memory protection techniques that avoid the granularity and performance limitations of IOMMU-oriented approaches. This will enable greater control of device access to host memory while improving security-performance tradeoffs. For instance we might delegate specific memory access rights to devices, with policy and unforgeability enforced by the interconnect bridges.All research will be performed via hardware-software co-design methodology and FPGA prototyping, with evaluation relative to performance, complexity, compatibility, and security metrics for both hardware and software. We will pursue these goals in close collaboration with ARM Ltd, who provide key insights into industry requirements and a transition path into commercial technologies.

我们希望重新架构当前的计算机输入/输出（I/O）系统的安全性作为一个一流的设计约束。现有的I/O经过几十年的有机发展，现在面临着一场安全漏洞的“完美风暴”，我们的目标是解决这些问题。今天的计算机充满了处理器：广告，隐藏甚至无意的。处理器以嵌入式微控制器的形式隐藏在我们称为“无线卡”或“系统管理器”的“设备”中，但从根本上说，它们形成了一个异构的分布式系统。这些处理器运行的软件通常没有受到严格的审查，并且可能是恶意的。随着这一领域变得越来越明显，漏洞被发现的频率越来越高。更糟糕的是，通过USB Type-C和Thunderbolt 3等接口的“可插拔”设备的趋势：用户正在接受培训，以拿起处理器，认为它们是无害的，因为它们的形状像充电器或加密狗。例如，许多建筑物、飞机、火车和公共汽车现在都提供“USB充电”，但如果没有保护，Type-C用户可能会面临意想不到的威胁。这些威胁是企业、政府和消费者日益关注的重大问题。通过以安全性为核心重新设计I/O，我们的目标是大大改善当今的弱点。我们将通过三个研究线索来调查当前I/O的弱点，并提出更安全的替代方案：1。我们将开始通过执行当前硬件和软件设计中的访问控制保护的最新技术水平的调查，以了解当前可插拔设备安全性的限制。我们将特别关注输入/输出内存管理单元（IOMMU）的当前利用率，这是当前主要的防御措施，可以防止设备具有无限制的直接内存访问（DMA）-系统安全的“王国之钥”，否则会使固件，操作系统和应用程序受到恶意设备的全面危害。我们将描述当前安全性与性能的权衡，以建立性能基线。我们将系统化新的漏洞类别，并开发一个语料库的向量特定的攻击技术，未来的防御必须防止或减轻。我们现有的初步结果调查IOMMU在现代操作系统中的使用，以及越来越多的攻击文献，提出了大量的安全性和性能缺陷。因此，我们提出了两个研究方向来开发和评估防御基于I/O的攻击者的技术方法：2。许多I/O设备（例如，USB和网卡）通过经由DMA发送和接收的消息与主机操作系统通信。我们将开发新的技术来重构CPU到I/O的互连，为不可信的设备提供基于消息的抽象，而不是依赖于DMA，这是当前（也是非常脆弱的）最佳实践。要解决面向内存的语义是固有的设备（例如，GPU和支持远程DMA的网卡），我们将探索新的分布式内存保护技术，以避免面向IOMMU的方法的粒度和性能限制。这将实现对主机内存的设备访问的更好控制，同时改善安全性-性能权衡。例如，我们可以将特定的内存访问权限授予设备，并通过互连桥强制执行策略和不可伪造性。所有研究都将通过软硬件协同设计方法和FPGA原型来执行，并对硬件和软件的性能、复杂性、兼容性和安全性指标进行评估。我们将与ARM公司密切合作，共同实现这些目标，ARM公司提供了对行业需求的关键见解，并提供了向商业技术过渡的途径。

项目成果

Cornucopia: Temporal Safety for CHERI Heaps

• DOI: 10.1109/sp40000.2020.00098
• 发表时间: 2020-05
• 期刊: 2020 IEEE Symposium on Security and Privacy (SP)
• 作者: N. Filardo;B. F. Gutstein;Jonathan Woodruff;S. Ainsworth;Lucian Paul-Trifu;Brooks Davis;Hongyan Xia;E. Napierala;Alexander Richardson;John Baldwin;D. Chisnall;Jessica Clarke;Khilan Gudka;Alexandre Joannou;A. T. Markettos;Alfredo Mazzinghi;Robert M. Norton;M. Roe;Peter Sewell;Stacey D. Son;Timothy M. Jones;S. Moore;P. Neumann;R. Watson

Through computer architecture, darkly

通过计算机体系结构，黑暗

• DOI: 10.1145/3325284
• 发表时间: 2019
• 期刊: Communications of the ACM
• 影响因子: 22.7
• 作者: Markettos A

Thunderclap: Exploring Vulnerabilities in Operating System IOMMU Protection via DMA from Untrustworthy Peripherals

Thunderclap：通过来自不可信外设的 DMA 探索操作系统 IOMMU 保护中的漏洞

• DOI: 10.14722/ndss.2019.23194
• 发表时间: 2019
• 作者: Markettos A

CHERI Concentrate: Practical Compressed Capabilities

CHERI Concentrate：实用的压缩功能

• DOI: 10.1109/tc.2019.2914037
• 发表时间: 2019
• 期刊: IEEE Transactions on Computers
• 影响因子: 3.7
• 作者: Woodruff J

CHERIvoke

奇瑞沃克

• DOI: 10.1145/3352460.3358288
• 发表时间: 2019
• 作者: Xia H