Secure Popcorn Linux

Abstract

We propose to develop Secure Popcorn Linux, a combination of Linux kernel, ABI, and compiler technologies that enable seamless migration of a running process between non-compatible binary architectures such as x86, ARM, and MIPS, and leverage this migration to substantially mitigate or effectively eliminate the dominant classes of attack techniques: code reuse (such as ROP/JOP, JIT-ROP, and others) and hardware-based side channels (such as Rowhammer, FLUSH+RELOAD, and others). Our approach also mitigates the effects of information leak vulnerabilities, which have become a necessary part of advanced exploitation.

Our proposed architecture establishes security boundaries inside a process, and enforces these intra-process boundaries via the seamless and lightweight migration mechanisms of Popcorn Linux. The boundaries are defined at the natural ABI granularity using the ELF-bac system, and leverage existing features of the Linux runtime binary toolchain and the development toolchain.

In a nutshell, a Linux program protected by a Secure Popcorn policy migrates the execution of its security-sensitive functions or components between binary-incompatible execution environments, additionally transforming and randomizing its state. The points of such migration can be determined either statically or dynamically.

This severely reduces the usefulness to the attacker of any memory leaks, memory grooming techniques, pre-packaged binary exploit payloads that assume that the vulnerable code executes in the same memory space as the payload, and any side channel techniques that depend on sharing of memory space or hardware state between the attacker's actual target and a weak component, breaking the exploit's underlying execution model.

Importantly, the proposed new kinds of security primitives and policies do not require changes to legacy code.

Our key enabling ideas include run-time Instruction-Set-Architecture (ISA) randomization, i.e., run-time randomized migration of executing code across diverse ISAs and ABIs, run-time transformation of program state, and the use of several non-binary-compatible ABIs; they also include physical isolation of sensitive state and the threads handling it from other threads. The code and state rewriting mechanisms are lightweight, and in certain applications may actually improve performance vs. energy consumption trade-offs.

Our proposed system will address the challenges of cloud deployments, by allowing security-sensitive phases of a program's computation to be transparently shifted to dedicated nodes, where usual modes of cloud attacks will not avail the attacker. We envision simple integration of Secure Popcorn policies with app container deployment systems such as Docker.

Document Details

Document Type
DoD Grant Award
Publication Date
Dec 20, 2017
Source ID
N000141812022

Entities

People

  • Binoy Ravindran

Organizations

  • Office of Naval Research
  • United States Navy
  • Virginia Tech

Tags

Fields of Study

  • Computer science
  • Mathematics

Readers

  • Cybersecurity
  • Distributed Systems and Data Platform Development
  • Parallel and Distributed Computing

Technology Areas

  • Space