Slides
Graphical User Interface for Virtualized Mobile Handsets Janis Danisevskis, Michael Peter, Jan Nordholz, Matthias Petschick, Julian Vetter Security in Telecommunications ¨ Berlin Technische Universitat MoST San Jose´ May 21st , 2015 Motivation Secure GUI (Trusted Path) Secure Virtual GPU Evaluation Conclusion Bring You Own Device Business Phone Policy (possibly) Restricted set of apps Restricted internet access (VPN/Firewall) Business Remote provisioning Speaker: Janis Danisevskis Graphical User Interface for Virtualized Mobile Handsets 2/20 Motivation Secure GUI (Trusted Path) Secure Virtual GPU Evaluation Conclusion Bring You Own Device Private Private Phone Policy (likely) This is my phone, so I do whatever I want. And, don’t meddle with my stuff. Speaker: Janis Danisevskis Graphical User Interface for Virtualized Mobile Handsets 3/20 Motivation Secure GUI (Trusted Path) Secure Virtual GPU Evaluation Conclusion Our approach on BYOD Speaker: Janis Danisevskis Graphical User Interface for Virtualized Mobile Handsets 4/20 Motivation Secure GUI (Trusted Path) Secure Virtual GPU Evaluation Conclusion Our approach on BYOD Hypervisor/Microkernel Speaker: Janis Danisevskis Graphical User Interface for Virtualized Mobile Handsets 4/20 Motivation Secure GUI (Trusted Path) Secure Virtual GPU Evaluation Conclusion Our approach on BYOD virtual machine Private Hypervisor/Microkernel Speaker: Janis Danisevskis Graphical User Interface for Virtualized Mobile Handsets 4/20 Motivation Secure GUI (Trusted Path) Secure Virtual GPU Evaluation Conclusion Our approach on BYOD virtual machine Private virtual machine Business Hypervisor/Microkernel Speaker: Janis Danisevskis Graphical User Interface for Virtualized Mobile Handsets 4/20 Motivation Secure GUI (Trusted Path) Secure Virtual GPU Evaluation Conclusion Challenges addressed by this work Corporate Login Threat Model Private side is under the control of an attacker Impersonation attacks Username: Password: Eavesdropping attacks Evasion of isolation Speaker: Janis Danisevskis Graphical User Interface for Virtualized Mobile Handsets 5/20 Motivation Secure GUI (Trusted Path) Secure Virtual GPU Evaluation Conclusion Challenges addressed by this work Corporate Email App Threat Model Private side is under the control of an attacker From: Your Boss Subject: New Aquisition Eavesdropping attacks Transfer $gazillion to account no: xxxevilxxxx Evasion of isolation Your Boss Impersonation attacks Speaker: Janis Danisevskis Graphical User Interface for Virtualized Mobile Handsets 5/20 Motivation Secure GUI (Trusted Path) Secure Virtual GPU Evaluation Conclusion Challenges addressed by this work Threat Model Private side is under the control of an attacker Impersonation attacks Eavesdropping attacks Keylogging/ Logging of touch events Spying on screen output Evasion of isolation Speaker: Janis Danisevskis Graphical User Interface for Virtualized Mobile Handsets 5/20 Motivation Secure GUI (Trusted Path) Secure Virtual GPU Evaluation Conclusion Challenges addressed by this work Threat Model Private side is under the control of an attacker DMA devices can threaten isolation [7] Cloudburst (2009) Eavesdropping attacks [6] Dark Side of the Shader: Mobile GPU-Aided Malware Delivery (2013) Evasion of isolation [3, 5, 4] “Fire in the (root) hole!” (2014) Impersonation attacks Speaker: Janis Danisevskis Graphical User Interface for Virtualized Mobile Handsets 5/20 Motivation Secure GUI (Trusted Path) Secure Virtual GPU Evaluation Conclusion Challenges addressed by this work Threat Model Private side is under the control of an attacker Design Goals High graphics performance Impersonation attacks Low impact on CPU load Eavesdropping attacks Low impact on the TCB Evasion of isolation Speaker: Janis Danisevskis Graphical User Interface for Virtualized Mobile Handsets 5/20 Motivation Secure GUI (Trusted Path) Secure Virtual GPU Evaluation Conclusion Challenges addressed by this work Threat Model Private side is under the control of an attacker Design Goals High graphics performance Impersonation attacks Low impact on CPU load Eavesdropping attacks Low impact on the TCB Evasion of isolation Design and Implementation Secure GUI (Trusted path) Secure Mobile GPU Virtualization Speaker: Janis Danisevskis Graphical User Interface for Virtualized Mobile Handsets 5/20 Motivation Secure GUI (Trusted Path) Secure Virtual GPU Evaluation Conclusion Output label Private Speaker: Janis Danisevskis Business Graphical User Interface for Virtualized Mobile Handsets 6/20 Motivation Secure GUI (Trusted Path) Secure Virtual GPU Evaluation Conclusion label framebuffer 1 framebuffer switch client VM 1 1 client VM 2 2 client framebuffers client region label region Screen is split into label region and client region Speaker: Janis Danisevskis Graphical User Interface for Virtualized Mobile Handsets 7/20 Motivation Secure GUI (Trusted Path) Secure Virtual GPU Evaluation Conclusion label framebuffer 1 framebuffer switch client VM 1 1 client VM 2 2 client framebuffers client region label region Client VMs have private framebuffers Speaker: Janis Danisevskis Graphical User Interface for Virtualized Mobile Handsets 7/20 Motivation Secure GUI (Trusted Path) Secure Virtual GPU Evaluation Conclusion label framebuffer 1 framebuffer switch client VM 1 1 client VM 2 2 client framebuffers client region label region Label controlled by the switcher indicates output routing Speaker: Janis Danisevskis Graphical User Interface for Virtualized Mobile Handsets 7/20 Motivation Secure GUI (Trusted Path) Secure Virtual GPU Evaluation Conclusion label framebuffer 1 framebuffer switch client VM 1 1 client VM 2 2 client framebuffers client region label region Zero copy and composition in hardware Speaker: Janis Danisevskis Graphical User Interface for Virtualized Mobile Handsets 7/20 Motivation Secure GUI (Trusted Path) Secure Virtual GPU Evaluation Conclusion client 2 client 1 guest physical memory label buffer display controller driver client 1 buffer client 2 buffer not visible visible controls physical memory scan-out region 1 control register scan-out region 2 control register display controller Speaker: Janis Danisevskis Graphical User Interface for Virtualized Mobile Handsets 8/20 Motivation Secure GUI (Trusted Path) Secure Virtual GPU Evaluation Conclusion vsync interrupt input events display controller driver input driver framebuffer switch input switch event == ! output data client 1 VM client 2 VM policy master decision maker Speaker: Janis Danisevskis Graphical User Interface for Virtualized Mobile Handsets 9/20 Motivation Secure GUI (Trusted Path) Secure Virtual GPU Evaluation Conclusion Summary: Secure GUI Unforgeable labels → prevents impersonation Private framebuffers and exclusive input routing → prevent eavesdropping Zero copy with hardware overlays → low CPU load and low complexity Speaker: Janis Danisevskis Graphical User Interface for Virtualized Mobile Handsets10/20 Motivation Secure GUI (Trusted Path) Secure Virtual GPU Evaluation Conclusion Mobile GPU Driver Stack User-space driver Application GPU abstraction (OpenGL/EGL) user space GPU driver Provides: OpenGL/EGL abstraction Comprises: shader compiler, linker, . . . Kernel-space driver Schedules rendering tasks Protects memory Kernel GPU driver Hardware MMU GPU Speaker: Janis Danisevskis Graphical User Interface for Virtualized Mobile Handsets11/20 Motivation Secure GUI (Trusted Path) Secure Virtual GPU Evaluation Conclusion Mobile GPU Driver Stack User-space driver Application GPU abstraction (OpenGL/EGL) user space GPU driver Provides: OpenGL/EGL abstraction Comprises: shader compiler, linker, . . . Kernel-space driver Schedules rendering tasks Protects memory Kernel GPU driver Hardware MMU GPU Speaker: Janis Danisevskis Graphical User Interface for Virtualized Mobile Handsets11/20 Motivation Secure GUI (Trusted Path) Secure Virtual GPU Evaluation Conclusion Mobile GPU Driver Stack User-space driver Provides: OpenGL/EGL abstraction Comprises: shader compiler, linker, . . . Application GPU abstraction (OpenGL/EGL) user space GPU driver Kernel-space driver Schedules rendering tasks Protects memory process address space Kernel GPU job GPU driver Hardware GPU address space MMU GPU physical address space Speaker: Janis Danisevskis Graphical User Interface for Virtualized Mobile Handsets11/20 Motivation Secure GUI (Trusted Path) Secure Virtual GPU Evaluation Conclusion Mobile GPU Driver Stack (paravirtualized) User-space driver unmodified virtual machine User-kernel interface unmodified Custom protocol between GPU driver stub and GPU server Application GPU abstraction (OpenGL/EGL) user space GPU driver Guest Kernel GPU driver stub GPU server Hypervisor Hardware MMU GPU Speaker: Janis Danisevskis No forwarding of high bandwidth data, such as textures, attribute lists, or shader programs Forwards job requests to the GPU server (and job completion notifications to the client) Forwards mapping requests to the GPU server Graphical User Interface for Virtualized Mobile Handsets12/20 Motivation Secure GUI (Trusted Path) Secure Virtual GPU Evaluation Conclusion Mobile GPU Driver Stack (paravirtualized) User-space driver unmodified virtual machine User-kernel interface unmodified Custom protocol between GPU driver stub and GPU server Application GPU abstraction (OpenGL/EGL) user space GPU driver Guest Kernel GPU driver stub GPU server Hypervisor Hardware MMU GPU Speaker: Janis Danisevskis No forwarding of high bandwidth data, such as textures, attribute lists, or shader programs Forwards job requests to the GPU server (and job completion notifications to the client) Forwards mapping requests to the GPU server Graphical User Interface for Virtualized Mobile Handsets12/20 Motivation Secure GUI (Trusted Path) Secure Virtual GPU Evaluation Conclusion Mobile GPU Driver Stack (paravirtualized) User-space driver unmodified virtual machine User-kernel interface unmodified Custom protocol between GPU driver stub and GPU server Application GPU abstraction (OpenGL/EGL) user space GPU driver Guest Kernel GPU driver stub GPU server Hypervisor Hardware MMU GPU Speaker: Janis Danisevskis No forwarding of high bandwidth data, such as textures, attribute lists, or shader programs Forwards job requests to the GPU server (and job completion notifications to the client) Forwards mapping requests to the GPU server Graphical User Interface for Virtualized Mobile Handsets12/20 Motivation Secure GUI (Trusted Path) Secure Virtual GPU Evaluation Conclusion Mobile GPU Driver Stack (paravirtualized) virtual machine GPU address space Application GPU job GPU abstraction (OpenGL/EGL) user space GPU driver guest mappings effective shadow mappings Guest Kernel GPU driver stub GPU server guest physical address space Hypervisor Hardware VM1 VM3 VM2 host physical address space MMU GPU Speaker: Janis Danisevskis Graphical User Interface for Virtualized Mobile Handsets12/20 Motivation Secure GUI (Trusted Path) Secure Virtual GPU Evaluation Conclusion Prototype Hardware Samsung Galaxy SIII Exynos4412 SoC 4 × ARM Cortex A9 @ 1.4 GHz ARM Mali 400 MP4 GPU Software Fiasco.OC (based on rev. 38) L4Re (based on rev. 38) L4Linux (based on Linux 3.0.101) Cyanogenmod CM-10.1.3 Speaker: Janis Danisevskis Graphical User Interface for Virtualized Mobile Handsets13/20 Motivation Secure GUI (Trusted Path) Secure Virtual GPU Evaluation Conclusion TCB impact Module GPU-RG2 display driver framebuffer switch input driver input switch total 1 2 SLOC1 2,679 2,382 548 710 539 6,858 Source lines of code measured with David A. Wheeler’s “SLOCCount” GPU-RG: Name of our GPU-server (RG is for resource governor) Speaker: Janis Danisevskis Graphical User Interface for Virtualized Mobile Handsets14/20 Motivation Secure GUI (Trusted Path) Secure Virtual GPU Evaluation Conclusion Performance evaluation — experiments Native Cyanogenmod on Linux on bare metal Pass-through Cyanogenmod on L4Linux on Fiasco.OC GPU driven by the guest kernel GPU-RG Cyanogenmod on L4Linux on Fiasco.OC GPU driven by GPU-RG Speaker: Janis Danisevskis Graphical User Interface for Virtualized Mobile Handsets15/20 Motivation Secure GUI (Trusted Path) Secure Virtual GPU Evaluation Conclusion Performance evaluation — benchmarks 80 native GPU-RG pass-through 70 Frame-rate (fps) 60 50 40 30 20 10 0 Cube Blending Fog Teapot Quake III Benchmark Cube, Blending, Fog, and Teapot are part of the 0xbench [1] benchmark suite. Quake III is the FOUR.DM 68 demo of QuakeIII Arena run with QIII4A [2]. Speaker: Janis Danisevskis Graphical User Interface for Virtualized Mobile Handsets16/20 Motivation Secure GUI (Trusted Path) Secure Virtual GPU Evaluation Conclusion Performance evaluation — benchmarks 500 native GPU-RG pass-through Frame-rate [fps] 400 300 200 100 0 Cube unsynced Benchmark Speaker: Janis Danisevskis Graphical User Interface for Virtualized Mobile Handsets17/20 Motivation Secure GUI (Trusted Path) Secure Virtual GPU Evaluation Conclusion Job Submission and Notification cost experiment native pass-through GPU-RG submit submit notify submit notify [µs] [µs] [µs] [µs] [µs] GP1 15.0 22.1 3.6 47.3 52.8 PP1 25.2 34.9 3.2 67.5 49.7 Takeaway: To meet a job submission rate of 60 Hz, an additional 2.3 % of CPU utilization is incurred on one CPU core. 1 The ARM Mali 400 MP4 GPU has a geometry processor (GP) and 4 pixel presenters (PP) Speaker: Janis Danisevskis Graphical User Interface for Virtualized Mobile Handsets18/20 Motivation Secure GUI (Trusted Path) Secure Virtual GPU Evaluation Conclusion Conclusion Secure GUI (Trusted Path) addresses: Impersonation attacks Eavesdropping attacks Impact on CPU load and TCB Speaker: Janis Danisevskis Secure GPU virtualization addresses: Enforced isolation of GPU jobs Low overhead for GPU jobs Low impact on TCB Graphical User Interface for Virtualized Mobile Handsets19/20 Motivation Secure GUI (Trusted Path) Secure Virtual GPU Evaluation Conclusion Questions? Speaker: Janis Danisevskis Graphical User Interface for Virtualized Mobile Handsets20/20 Motivation Secure GUI (Trusted Path) Secure Virtual GPU Evaluation Conclusion References I [1] 0xbench. https://code.google.com/p/0xbench/. [2] Qiii4a. https://play.google.com/store/apps/details? id=com.n0n3m4.QIII4A&hl=de. [3] Cve-2014-0972. http://cve.mitre.org/cgi-bin/cvename.cgi? name=CVE-2014-0972, 01 1014. Speaker: Janis Danisevskis Graphical User Interface for Virtualized Mobile Handsets21/20 Motivation Secure GUI (Trusted Path) Secure Virtual GPU Evaluation Conclusion References II [4] Rob Clark. Fire in the (root) hole! http://bloggingthemonkey.blogspot.de/2014/ 06/fire-in-root-hole.html. [5] Rob Clark. Kilroy. https://github.com/robclark/kilroy. Speaker: Janis Danisevskis Graphical User Interface for Virtualized Mobile Handsets22/20 Motivation Secure GUI (Trusted Path) Secure Virtual GPU Evaluation Conclusion References III [6] Janis Danisevskis, Marta Piekarska, and Jean-Pierre Seifert. Dark side of the shader: Mobile gpu-aided malware delivery. In Hyang-Sook Lee and Dong-Guk Han, editors, Information Security and Cryptology - ICISC 2013 - 16th International Conference, Seoul, Korea, November 27-29, 2013, Revised Selected Papers, volume 8565 of Lecture Notes in Computer Science, pages 483–495. Springer, 2013. [7] Kostya Kortchinsky. Cloudburst. Black Hat USA June, 2009. Speaker: Janis Danisevskis Graphical User Interface for Virtualized Mobile Handsets23/20
© Copyright 2024