• Corpus ID: 201645310

A Least-Privilege Memory Protection Model for Modern Hardware

  title={A Least-Privilege Memory Protection Model for Modern Hardware},
  author={Reto Achermann and Nora Hossle and Lukas Humbel and Daniel David Schwyn and David A. Cock and Timothy Roscoe},
We present a new least-privilege-based model of addressing on which to base memory management functionality in an OS for modern computers like phones or server-based accelerators. Existing software assumptions do not account for heterogeneous cores with different views of the address space, leading to the related problems of numerous security bugs in memory management code (for example programming IOMMUs), and an inability of mainstream OSes to securely manage the complete set of hardware… 
1 Citation

Figures and Tables from this paper

An I/O Separation Model for Formal Verification of Kernel Implementations

A formal I/O separation model is presented, which defines a separation policy based on authorization of I-O transfers and is hardware agnostic and enables the discovery of heretofore unknown design and implementation vulnerabilities of the original Wimpy kernel.

Authorization, Protection, and Allocation of Memory in a Large System

Barrelfish’s memory system requires no virtualization support, and outperforms VMM-based approaches for all but the smallest working sets, and a set of algorithms which allow Barrelfish to process capability operations when capabilities exist on multiple cores without risking that different cores have different views of the global set of capabilities.

Physical Addressing on Real Hardware in Isabelle/HOL

A formal model in Isabelle/HOL is presented to express this complex addressing hardware that captures the intricacies of different real platforms or Systems-on-Chip (SoCs), and is used to generate correct code at compile time and device configuration at runtime in the Barrelfish research OS.

Popcorn: bridging the programmability gap in heterogeneous-ISA platforms

A new software architecture is proposed that is composed of an operating system and a compiler framework to run ordinary shared memory applications, written for homogeneous machines, on OS-capable heterogeneous-ISA machines, and is shown to be up to 6.2 times faster than an offloading programming model.

A Declarative Language Approach to Device Configuration

It is shown that the merits and drawbacks of a new approach separating hardware configuration logic (algorithms to determine configuration parameter values) from mechanism (programming device registers) are tractable, and can successfully configure a wide range of PCs with competitive runtime cost.

Formalizing Memory Accesses and Interrupts

This work proposes a formal model of address spaces and resources in a system that allows to express and verify invariants of the system's runtime configuration, and illustrates it with several real platforms the authors have encountered in the process of OS implementation.

The multikernel: a new OS architecture for scalable multicore systems

This work investigates a new OS structure, the multikernel, that treats the machine as a network of independent cores, assumes no inter-core sharing at the lowest level, and moves traditional OS functionality to a distributed system of processes that communicate via message-passing.

IOMMU protection against I/O attacks: a vulnerability and a proof of concept

A design weakness that is discovered in the configuration of an IOMMU is discovered and a possible exploitation scenario that would allow a malicious peripheral to bypass the underlying protection mechanism is implemented.

Bypassing IOMMU Protection against I/O Attacks

A design weakness that is discovered in the configuration of an IOMMU by the Intel I OMMU Linux driver is discovered and a possible exploitation scenario that would allow a malicious peripheral to bypass the underlying protection mechanism is implemented.

CBufs: efficient, system-wide memory management and sharing

The CBuf system for the global management of virtual and physical memory, including zero-copy sharing between protection domains is introduced, and it is shown that a CBuf-enabled webserver achieves over a factor of 2.5 throughput speedup while using less processing time than Apache on Linux, and that the system can intentionally control system throughput through intelligent memory allocation.

Do-It-Yourself Virtual Memory Translation

The Do-It-Yourself virtual memory translation architecture is introduced as a flexible complement for current hardware-fixed translation flows and it is shown that different DVMT configurations preserve the native performance, while achieving speedups of 1.2x to 2.0x in virtualized environments.