Secure Interface Design Leveraging Hardware/Software Support

Computer systems rely heavily on abstraction to manage the exponential growth of complexity across hardware and software. Due to practical considerations of compatibility between components of these complex systems across generations, developers have favoured stable interfaces at crucial boundaries such as between hardware and software, or between the kernel and userspace. While these interfaces have persisted across more than 20 years, the modern computing environment has evolved significantly in terms of security and performance. Our increasingly connected systems share code components of widely varying provenance and legacy interfaces are unable to counter modern threats while maintaining strict performance objectives. Computing requires new interfaces with stronger security guarantees which can also support high performance applications. First, the kernel-user interface remains one of the primary vectors for inter-application attacks as compromising the kernel gives an attacker total control over the system's resources and to other applications on the same system. Second, the virtual memory interface has newly emerged as another crucial interface enabling attackers to remotely compromise systems as applications increasingly execute third-party code, for example JavaScript scripts downloaded from the internet. In this thesis, therefore, we investigate these two key interfaces to improve their security and performance limits. The kernel-user system call interface suffers from double-fetch bugs for passed-by-reference arguments stored in user memory. Double fetches allow malicious users to compromise the isolation guaranteed at the kernel-user interface to illegally access memory, cause kernel crashes, or to escalate their privileges. The modern multi-user, multiprocessing environment allows the user to change the arguments read by the kernel by modifying the contents of memory from a concurrent thread. Traditional testing techniques cannot eliminate all double-fetch bugs due to the complexity and configurability of the kernel. The extensibility of the kernel further exacerbates the challenge as third-party modules loaded by the kernel may further introduce double-fetches. We present Midas, a systematic mitigation for kernel double-fetches which leverages the kernel's interface to read user memory to guarantee that every kernel read of a user object during a system call will return the same value. Midas's guarantee makes an implicit assumption by kernel developers explicit, protecting the kernel against a class of bugs while incurring merely 3.4% overhead on diverse workloads across the NPB and PTS benchmark suites.Whereas modern systems software runs code from a plethora of sources with varying degrees of trust, the traditional virtual memory abstraction lacks support for isolating untrusted parts of an application within the same virtual address space. Since all code running within a process execute at the same trust level, buggy or malicious third-party code can compromise the process by directly leaking or modifying memory used by other components of the application. We must redesign the virtual memory interface to allow applications to be compartmentalized, essentially implementing the principle of least privilege by isolating untrusted parts of the application within compartments with limited access to the application's resources. We present SecureCells, a novel architectural interface for intra-address space compartmentaliz