A Least-Privilege Memory Protection Model for Modern Hardware


Full description

Saved in:
Bibliographic details
Published in: arXiv.org 2019-08
Main authors: Achermann, Reto, Hossle, Nora, Humbel, Lukas, Schwyn, Daniel, Cock, David, Roscoe, Timothy
Format: Article
Language: eng
Subjects:
Online access: Full text
container_title arXiv.org
creator Achermann, Reto
Hossle, Nora
Humbel, Lukas
Schwyn, Daniel
Cock, David
Roscoe, Timothy
description We present a new least-privilege-based model of addressing on which to base memory management functionality in an OS for modern computers like phones or server-based accelerators. Existing software assumptions do not account for heterogeneous cores with different views of the address space, leading to the related problems of numerous security bugs in memory management code (for example programming IOMMUs), and an inability of mainstream OSes to securely manage the complete set of hardware resources on, say, a phone System-on-Chip. Our new work is based on a recent formal model of address translation hardware which views the machine as a configurable network of address spaces. We refine this to capture existing address translation hardware from modern SoCs and accelerators at a sufficiently fine granularity to model minimal rights both to access memory and configure translation hardware. We then build an executable specification in Haskell, which expresses the model and metadata structures in terms of partitioned capabilities. Finally, we show a fully functional implementation of the model in C created by extending the capability system of the Barrelfish research OS. Our evaluation shows that our unoptimized implementation has comparable (and in some cases better) performance than the Linux virtual memory system, despite both capturing all the functionality of modern hardware addressing and enabling least-privilege, decentralized authority to access physical memory and devices.
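The abstract describes the machine as a configurable network of address spaces and expresses rights to access memory and to configure translation hardware as partitioned capabilities. The following is an added toy model of that idea, written for this page; it is not the paper's Haskell specification or its Barrelfish C implementation. The node names (`ram`, `cpu_mmu`, `iommu`), the two right names, the split/restrict operations and the whole scenario (a kernel handing a driver authority over one DMA buffer and one IOMMU window) are assumptions made for the example.

```python
"""Toy model of least-privilege addressing: added illustration, not the paper's
Haskell specification or Barrelfish code. The machine is a graph of address-space
nodes that translate ranges into other nodes or are leaves (RAM, device registers).
Authority is a capability over a node region; it can be split into disjoint parts
or attenuated, never widened. Programming a translator needs CONFIGURE on its
input range and ACCESS on the target range. Names and the scenario are constructed."""
from dataclasses import dataclass, field

ACCESS, CONFIGURE = "access", "configure"

@dataclass(frozen=True)
class Cap:
    space: str
    base: int
    length: int
    rights: frozenset

    def covers(self, base, length):
        return self.base <= base and base + length <= self.base + self.length

    def split(self, offset):
        """Partition into two disjoint capabilities; total authority is unchanged."""
        if not 0 < offset < self.length:
            raise ValueError("split offset outside region")
        lo = Cap(self.space, self.base, offset, self.rights)
        hi = Cap(self.space, self.base + offset, self.length - offset, self.rights)
        return lo, hi

    def restrict(self, rights):
        """Attenuate: keep only a subset of the rights already held."""
        return Cap(self.space, self.base, self.length, self.rights & frozenset(rights))

@dataclass
class Node:
    name: str
    size: int
    leaf: bool = False  # RAM or device registers: addresses resolve here
    mappings: list = field(default_factory=list)  # (src_base, length, dst_node, dst_base)

class AddressNetwork:
    def __init__(self):
        self.nodes = {}

    def add(self, node):
        self.nodes[node.name] = node

    def install_mapping(self, cfg_cap, dst_cap, src_base, length, dst_base):
        """Program a translator; every authority check runs before any state change."""
        src, dst = self.nodes[cfg_cap.space], self.nodes[dst_cap.space]
        if src.leaf:
            raise PermissionError(f"{src.name} is not a translator")
        if CONFIGURE not in cfg_cap.rights or not cfg_cap.covers(src_base, length):
            raise PermissionError(f"no CONFIGURE right over {src.name}[{src_base:#x}+{length:#x}]")
        if ACCESS not in dst_cap.rights or not dst_cap.covers(dst_base, length):
            raise PermissionError(f"no ACCESS right over {dst.name}[{dst_base:#x}+{length:#x}]")
        if any(b < src_base + length and src_base < b + l for b, l, _, _ in src.mappings):
            raise ValueError("overlaps an existing mapping")
        src.mappings.append((src_base, length, dst.name, dst_base))

    def resolve(self, space, addr, max_hops=8):
        """Follow translations to a leaf; unmapped or out-of-range addresses fault."""
        for _ in range(max_hops):
            node = self.nodes[space]
            if not 0 <= addr < node.size:
                raise LookupError(f"{space}:{addr:#x} outside node")
            if node.leaf:
                return (space, addr)
            for b, l, dst, db in node.mappings:
                if b <= addr < b + l:
                    space, addr = dst, db + (addr - b)
                    break
            else:
                raise LookupError(f"{space}:{addr:#x} unmapped (fault)")
        raise LookupError("translation chain too long")

def demo():
    """Constructed scenario: a CPU core (MMU) and a DMA device (IOMMU) share RAM."""
    net = AddressNetwork()
    for n in (Node("ram", 0x10000, leaf=True), Node("cpu_mmu", 0x10000), Node("iommu", 0x10000)):
        net.add(n)
    ram_all = Cap("ram", 0, 0x10000, frozenset({ACCESS}))       # root authority, kernel-held
    mmu_cfg = Cap("cpu_mmu", 0, 0x10000, frozenset({CONFIGURE}))
    iommu_cfg = Cap("iommu", 0, 0x10000, frozenset({CONFIGURE}))
    kernel_mem, upper = ram_all.split(0x8000)                     # kernel keeps ram[0, 0x8000)
    dma_buf, _ = upper.split(0x1000)                              # driver gets ram[0x8000, 0x9000)
    dev_cfg, _ = iommu_cfg.split(0x1000)[1].split(0x1000)         # driver may program iommu[0x1000, 0x2000)
    out = {}
    net.install_mapping(mmu_cfg, dma_buf, 0x4000, 0x1000, 0x8000)  # CPU view of the buffer
    net.install_mapping(dev_cfg, dma_buf, 0x1000, 0x1000, 0x8000)  # device view of the same RAM
    out["cpu"], out["dma"] = net.resolve("cpu_mmu", 0x4010), net.resolve("iommu", 0x1010)
    attempts = {  # each is refused: cap does not cover kernel RAM / wrong IOMMU window / ACCESS dropped
        "kernel_via_dma_cap": (dev_cfg, dma_buf, 0x1000, 0x1000, 0x0000),
        "wrong_window": (dev_cfg, dma_buf, 0x0000, 0x1000, 0x8000),
        "no_access_right": (dev_cfg, dma_buf.restrict({CONFIGURE}), 0x1800, 0x100, 0x8800),
    }
    for key, args in attempts.items():
        try:
            net.install_mapping(*args)
        except PermissionError:
            out[key] = "PermissionError"
    try:
        net.resolve("iommu", 0x0)  # the device was never given a mapping here
    except LookupError:
        out["unmapped"] = "LookupError"
    out["kernel_mem"] = (kernel_mem.base, kernel_mem.length)
    return out
```

The point of the model is that the driver can program exactly one window of the IOMMU and can only point it at the one RAM region its capability covers; the kernel never has to trust the driver's IOMMU programming code, which is the class of bug the abstract names. `resolve` is also where two cores with different views of memory are visible: the CPU reaches the buffer at `0x4010` through `cpu_mmu` and the device at `0x1010` through `iommu`, and both land on the same physical byte.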
format Article
publisher Ithaca: Cornell University Library, arXiv.org
creationdate 2019-08-23
rights 2019. This work is published under http://arxiv.org/licenses/nonexclusive-distrib/1.0/ (the "License"). Notwithstanding the ProQuest Terms and Conditions, you may use this content in accordance with the terms of the License.
oa free_for_read
fulltext fulltext
identifier EISSN: 2331-8422
ispartof arXiv.org, 2019-08
issn 2331-8422
language eng
recordid cdi_proquest_journals_2280229374
source Free E- Journals
subjects Accelerators
Computer simulation
Hardware
Memory devices
Memory management
System on chip
Virtual memory systems
title A Least-Privilege Memory Protection Model for Modern Hardware
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-02-04T12%3A40%3A56IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest&rft_val_fmt=info:ofi/fmt:kev:mtx:book&rft.genre=document&rft.atitle=A%20Least-Privilege%20Memory%20Protection%20Model%20for%20Modern%20Hardware&rft.jtitle=arXiv.org&rft.au=Achermann,%20Reto&rft.date=2019-08-23&rft.eissn=2331-8422&rft_id=info:doi/&rft_dat=%3Cproquest%3E2280229374%3C/proquest%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=2280229374&rft_id=info:pmid/&rfr_iscdi=true