Automatic ISA analysis for Secure Context Switching

Neelu S. Kalani, Thomas Bourgeat, Guerney D. H. Hunt, Wojciech Ozga

TL;DR

Addressing the ABI-layer vulnerability surface in secure contexts, the paper presents Sailor, a tool that converts machine-readable Sail ISA specifications into an actionable list of security-sensitive ISA state for context switching. Sailor uses a three-component pipeline (Scanner, Analyzer, Validator) to automatically identify which ISA state must be swapped and to validate these findings against Isla traces. Evaluation on four open-source confidential computing frameworks reveals three classes of mishandled ISA state and five vulnerability types tied to ISA extensions, demonstrating that automated ISA-state analysis can accelerate secure context-switch correctness and inform ISA design and verification frameworks. The work advocates integrating Sailor into development and verification workflows to strengthen confidentiality across security domains as ISAs continue to evolve.

Abstract

Instruction set architectures are complex, with hundreds of registers and instructions that can modify dozens of them during execution, variably on each instance. Prose-style ISA specifications struggle to capture these intricacies of the ISAs, where often the important details about a single register are spread out across hundreds of pages of documentation. Ensuring that all ISA-state is swapped in context switch implementations of privileged software requires meticulous examination of these pages. This manual process is tedious and error-prone. We propose a tool called Sailor that leverages machine-readable ISA specifications written in Sail to automate this task. Sailor determines the ISA-state necessary to swap during the context switch using the data collected from Sail and a novel algorithm to classify ISA-state as security-sensitive. Using Sailor's output, we identify three different classes of mishandled ISA-state across four open-source confidential computing systems. We further reveal five distinct security vulnerabilities that can be exploited using the mishandled ISA-state. This research exposes an often overlooked attack surface that stems from mishandled ISA-state, enabling unprivileged adversaries to exploit system vulnerabilities.

Paper Structure

This paper contains 27 sections, 6 figures, 2 tables.

Figures (6)

  • Figure 1: Security domains isolated by a privileged software that mediates the context switch between the domains. The security domains access the ISA-state through the Application Binary Interface (ABI). The privileged software must swap all security-sensitive ISA-state to prevent attacks.
  • Figure 2: Sailor Overview
  • Figure 3: RISC-V Sail Model implementation flow block diagram
  • Figure 4: Algorithm to classify architectural state as security-sensitive. Source and Target correspond to privilege modes of the security domains involved in the context switch.
  • Figure 5: Sailor Validator
  • ...and 1 more figure
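As an added illustration in the spirit of the Figure 4 classification (this is not Sailor's algorithm and not code from the paper), a toy classifier that takes a constructed register inventory, each entry giving the lowest privilege mode allowed to read or write it, and flags the state a switch from a Source domain to a Target domain must swap, plus whether the mediating privileged software can actually save and restore it. The register names, the U < S < M inheritance rule and the two-way leak/carry-over criterion are assumptions made for the example.

```python
"""Toy classifier of ISA state that a secure context switch must swap.

Simplification for illustration only (not Sailor's algorithm): each register is
described by the lowest privilege mode that may read or write it, and privilege
is ordered U < S < M so higher modes inherit lower modes' access, as for RISC-V CSRs.
"""
from dataclasses import dataclass
from typing import Optional

MODES = {"U": 0, "S": 1, "M": 2}


@dataclass(frozen=True)
class Reg:
    name: str
    min_read: Optional[str]   # lowest mode that can read the register; None = never readable
    min_write: Optional[str]  # lowest mode that can write it; None = read-only / hardware-managed


def accessible(min_mode: Optional[str], mode: str) -> bool:
    """True if code running at `mode` may perform the access whose floor is `min_mode`."""
    return min_mode is not None and MODES[mode] >= MODES[min_mode]


def classify(regs, source: str, target: str, monitor: str) -> dict:
    """Map register name -> why it is security-sensitive for a switch from a domain at
    `source` to one at `target`, mediated by privileged software running at `monitor`."""
    result = {}
    for r in regs:
        if not accessible(r.min_write, source):
            continue  # the source domain cannot leave a value behind, so nothing carries over
        if accessible(r.min_read, target):
            reason = "leak"        # the target can read what the source wrote
        else:
            reason = "carry-over"  # not directly readable, but the stale value still shapes execution
        if not (accessible(r.min_read, monitor) and accessible(r.min_write, monitor)):
            reason += ";unswappable-by-monitor"  # the mediator lacks the privilege to save/restore it
        result[r.name] = reason
    return result


# Constructed sample inventory (illustrative; not derived from the Sail model).
SAMPLE_REGS = [
    Reg("fcsr", "U", "U"),         # user-accessible FP control/status register
    Reg("sscratch", "S", "S"),     # supervisor scratch register
    Reg("mscratch", "M", "M"),     # machine-mode scratch register, monitor only
    Reg("time", "U", None),        # read-only timer: no domain-written value to carry over
    Reg("hyp_wo_reg", "M", "U"),   # hypothetical write-low/read-high register for the carry-over case
]

if __name__ == "__main__":
    print(classify(SAMPLE_REGS, source="S", target="S", monitor="M"))
```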