Secure web browsers, malicious hardware, and hardware support for binary translation - PowerPoint Presentation
Uploaded by debby-jeon on 2016-02-25 (500 views, ID: 230402). Speaker: Sam King.
Presentation Transcript

Slide 1

Secure web browsers, malicious hardware, and hardware support for binary translation

Sam King

Slide 2

Browser motivation

- Browsers: most commonly used application today
- Browsers are an application platform
  - Email, banking, investing, shopping, television, and more!
- Browsers are plagued with vulnerabilities
  - Internet Explorer: 57 vulnerabilities
  - Mozilla/Firefox: 122 vulnerabilities
  - Safari + Opera: 66 vulnerabilities
- Studies from Microsoft, Google, and University of Washington show the web browser is an attacker target

Slide 3

The OP Browser

- Goal: build a secure web browser
  - Provide an architecture for secure web browsing
  - Maintain security guarantees even when compromised
- Driven by OS and formal methods design principles

Slide 4

OP design

- Decompose into browser subsystems
  - Web page instance further divided
- Use message passing
  - All messages through browser kernel
- Dedicated subsystems for OS operations
- Host OS sandboxing

Slide 5

Design enables security

- Partitioning and constrained communication enable new security mechanisms
- Clean separation of browser functionality and security
  - Policy: plugin security policies, XSS
  - Formal methods: SOP + URL address bar invariant

Slide 6

Research questions

- OP: a more secure browser can be practical
  - Hopefully no longer the weakest link in the computing stack
- Can you operate with a malicious OS?
  - What portions of the OS does the browser kernel replicate?
  - What portions of the OS does the browser kernel rely on?

Slide 7

Replicate portions of the OS

- Extracts the parts of the OS needed for web client security
  - Custom labeling and access control system
  - RPC / message passing layer
  - Window manager (limited extent)

Slide 8

Assumptions about OS

- Process-level isolation (easy)
  - Memory protection, well-known IPC mechanisms
- System-level sandboxing (moderate)
  - Isolate processes from system resources
  - Restrict system call capabilities
- Resource management (hard)
  - Create processes, message forwarding and naming
  - Network, disk, screen
- Possible techniques for enforcing assumptions
  - Bottom up: SVA, binary translation, hardware isolation primitives
  - Top down: simple web client, not a full browser

Slide 9

Untrusted computing base: defending against malicious hardware

Slide 10

Building secure systems

- We make assumptions when designing secure systems
  - Break the secure system by breaking its assumptions
  - E.g., look for crypto keys in memory
- People assume hardware is correct
- What if we break this assumption?

Slide 11

Malicious hardware

- Is it possible to modify the design of processors?
- Implementing hardware is difficult
- Implementing HW-based attacks is easy!
  - Small hardware-level footholds
  - Execute high-level, high-value attacks WITHOUT exploiting any software bugs

Slide 12

Defenses

- Based on insights from foothold development
- Analyze the circuit at design time
  - Highlight potentially malicious circuits
- Closely related to operating systems
  - Both have a symbolic representation and are compiled
  - 3rd party tools and libraries
  - Principles learned from the exercise could apply to the OS
- Fundamentally an issue of untrusted lower layers

Slide 13

Hardware support for dynamic binary translation

Slide 14

H/W for dynamic bin. trans.

- Problem: instrumenting individual instructions is slow
  - Especially true for security applications
- Goal: amortize the cost across multiple instructions
  - Fast path for the common case, efficient check for correctness
    - E.g., don't read tainted memory
  - Slow path for the correct (fully instrumented) case
- Solution: hardware support
  - HW signatures (e.g., bloom filter) to summarize
    - E.g., addresses for load / store instructions
  - Apply known tricks to the security case
    - Extra registers, parallel optimization, atomic regions, etc.
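The fast-path / slow-path split on this slide, as an added example that is not from the talk: a constructed C model in which a Bloom-filter "signature" summarizes tainted addresses, a load whose address misses the signature takes the fast path with no instrumentation, and a hit falls to the exact (slow-path) lookup, which is also what absorbs the filter's false positives. The names BloomSig, TaintSet, check_load and count_fast, the hash functions and the sample addresses are this example's own assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
/* Constructed model (not from the talk): a hardware-style signature register,
 * here a Bloom filter, summarising which addresses currently hold tainted data. */
#define SIG_BITS 256            /* signature width, a power of two */
#define MAX_TAINT 64            /* capacity of the exact taint table (slow path) */
typedef struct { uint64_t w[SIG_BITS / 64]; } BloomSig;
typedef struct { uint64_t addr[MAX_TAINT]; int n; } TaintSet;
enum Path { FAST_PATH = 0, SLOW_CLEAN = 1, SLOW_TAINTED = 2 };
/* Two cheap multiplicative hashes into [0, SIG_BITS); stand-ins for a real HW hash. */
static unsigned h1(uint64_t a) { return (unsigned)((a * 0x9E3779B97F4A7C15ULL) >> 56) & (SIG_BITS - 1); }
static unsigned h2(uint64_t a) { return (unsigned)(((a ^ (a >> 29)) * 0xBF58476D1CE4E5B9ULL) >> 56) & (SIG_BITS - 1); }
static void sig_set(BloomSig *s, unsigned i) { s->w[i / 64] |= 1ULL << (i % 64); }
static bool sig_test(const BloomSig *s, unsigned i) { return (s->w[i / 64] >> (i % 64)) & 1; }

/* Tainting an address updates both the signature and the exact table. */
void taint_addr(BloomSig *s, TaintSet *t, uint64_t addr) {
    sig_set(s, h1(addr));
    sig_set(s, h2(addr));
    if (t->n < MAX_TAINT) t->addr[t->n++] = addr;
}
/* A load whose address misses the signature is provably untainted: fast path, no
 * instrumentation. A hit takes the slow path and does the exact lookup, which is
 * also what turns a Bloom-filter false positive back into a clean load. */
enum Path check_load(const BloomSig *s, const TaintSet *t, uint64_t addr) {
    if (!(sig_test(s, h1(addr)) && sig_test(s, h2(addr))))
        return FAST_PATH;
    for (int i = 0; i < t->n; i++)
        if (t->addr[i] == addr) return SLOW_TAINTED;
    return SLOW_CLEAN;
}

/* How many of n consecutive 8-byte loads from base avoid the slow path entirely. */
int count_fast(const BloomSig *s, const TaintSet *t, uint64_t base, int n) {
    int fast = 0;
    for (int i = 0; i < n; i++)
        if (check_load(s, t, base + 8 * (uint64_t)i) == FAST_PATH) fast++;
    return fast;
}

int main(void) {
    BloomSig sig = {{0}};
    TaintSet ts = {{0}, 0};
    taint_addr(&sig, &ts, 0x7ffe1000ULL);  /* constructed: a buffer filled from the network */
    printf("tainted load -> path %d\n", check_load(&sig, &ts, 0x7ffe1000ULL));
    printf("%d of 1000 untainted loads took the fast path\n", count_fast(&sig, &ts, 0x10000ULL, 1000));
    return 0;
}
```

With two tainted addresses the 256-bit signature is nearly empty, so almost every untainted load stays on the fast path; as more addresses are tainted the false-positive rate, and with it the slow-path traffic, grows.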

Slide 15

Questions?

Slide 16

Performance

- Load latencies do not impact usability

[Chart: load time in seconds]