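% ----------------------------
\subsubsection{Process Isolation}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Why Process isolation?}
  \begin{itemize}
    \item Embedded Application requires:
    \begin{itemize}
      \item concurrency
      \item data persistence
      \item access to (critical) HW
      \item remote interface (field bus, network)
    \end{itemize}
    \item Problem:
    \begin{itemize}
      \item attacks can compromise Application parts, which handle the remote access
      \item compromised parts influence all other parts
    \end{itemize}
    \item Solution:
    \begin{itemize}
      \item Process isolation
    \end{itemize}
  \end{itemize}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Multithreaded Application}
  % beamer frames do not float; no placement specifier needed
  \begin{figure}
    \centering
    \includegraphics[width=5cm]{images/multithread_norm.png}
  \end{figure}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Multithreaded Application under attack}
  \begin{figure}
    \centering
    \includegraphics[width=5cm]{images/multithread_attack.png}
  \end{figure}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Threads and Processes}
  \begin{itemize}
    \item Process
    \begin{itemize}
      \item one Virtual Address Space (VAS) per Process
      \item 1\dots n Threads
    \end{itemize}
    \item Thread
    \begin{itemize}
      \item separate schedulable entity
      \item concurrent execution
    \end{itemize}
    \item all Threads of a Process share the same VAS!
  \end{itemize}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Multiprocess vs.\ Multithread}
  \begin{itemize}
    \item Problem: if one Thread has been compromised \dots
    \begin{itemize}
      \item all other Threads of the Process are affected
      \item malicious code has full access to VAS
    \end{itemize}
    \item Solution Statement
    \begin{enumerate}
      \item define critical and non-critical tasks in Application
      \item define a communication channel between both parts
      \item isolate critical and non-critical tasks in separate Processes
    \end{enumerate}
    \item Result
    \begin{itemize}
      \item compromised tasks cannot directly access other parts
      \item isolate malware/exploits from critical Application parts
      % The channel is the remaining attack surface between the two
      % processes: the critical side has to validate everything it
      % receives, so this check is not really optional in practice.
      \item optional: plausibility check on communication channel
    \end{itemize}
    % Memory isolation (separate VAS) is not privilege separation: both
    % processes still run with whatever credentials they were started
    % with unless the non-critical one additionally drops privileges.
    \item \textbf{Process isolation is the base for ALL further security actions!}
  \end{itemize}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Multiprocess Application}
  \begin{figure}
    \centering
    \includegraphics[width=8cm]{images/multiproc_norm.png}
  \end{figure}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Multiprocess Application under attack}
  \begin{figure}
    \centering
    \includegraphics[width=8cm]{images/multiproc_attack.png}
  \end{figure}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Multiprocess: Summary}
  \begin{itemize}
    \item Thread: separate scheduling/execution
    \item Process: separate scheduling/execution and memory (VAS)
    \item Communication: use Inter-Process-Communication (IPC) to connect Processes
    \item and all together: \\
      \textbf{Process isolation is the base for ALL further security actions!}
  \end{itemize}
\end{frame}
% ----------------------------
\subsubsection{Memory Management}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Memory Management}
  \begin{itemize}
    % Note: the fork() copy includes everything the parent had mapped at
    % that moment (keys, buffers, open descriptors); the child only gets
    % a clean image once execve() has replaced the context.
    \item \texttt{fork()}: create copy of Process context
    \item IPC: communication mechanisms
    \item \texttt{execve()}: overload Process context and execute it
  \end{itemize}
  \begin{figure}
    \centering
    \includegraphics[width=8cm]{images/proc_isol.png}
  \end{figure}
\end{frame}
% ----------------------------
\subsubsection{Multiprocess Programming}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Multiprocess Programming: Example}
  \begin{columns}[onlytextwidth]
    \begin{column}{0.45\textwidth}
      \begin{beamerboxesrounded}[shadow=true]{Program:}
        \begin{scriptsize}
\begin{verbatim}
[...]
ret = fork();
if (ret < 0)
    /* error handling */;
pid = ret;
if (pid) {
    /* parent processing */
    [...]
    pid = wait(&status);
} else {
    /* child processing */
    execve(argv[0], &argv[0], envp);
    /* execve() only returns on failure:
     * terminate the child here, never
     * fall through into the parent's code */
    _exit(EXIT_FAILURE);
}
[...]
\end{verbatim}
        \end{scriptsize}
      \end{beamerboxesrounded}
    \end{column}
    \begin{column}{0.45\textwidth}
      \begin{beamerboxesrounded}[shadow=true]{Arguments:}
        \begin{scriptsize}
\begin{verbatim}
char *argv[] = {
    "/bin/myappl",
    "--config",
    "/etc/myconfig",
    NULL,
};
\end{verbatim}
        \end{scriptsize}
      \end{beamerboxesrounded}
      \begin{beamerboxesrounded}[shadow=true]{Environment:}
        \begin{scriptsize}
\begin{verbatim}
char *envp[] = {
    "HOME=/myhome",
    "PATH=/bin:/usr/bin",
    "TZ=UTC0",
    NULL,
};
\end{verbatim}
        \end{scriptsize}
      \end{beamerboxesrounded}
    \end{column}
  \end{columns}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{Inter-Process Communication (IPC)}
  \begin{itemize}
    \item Requirements
    \begin{itemize}
      \item communicate between Processes (e.g.\ Child to Parent)
      \item private communication channel
    \end{itemize}
    \item Solution Statement
    \begin{enumerate}
      \item open an anonymous pipe
      \item duplicate process with \texttt{fork()}
      \item Parent and Child choose a communication role
      \begin{itemize}
        \item Sender: close the read-FD and send data to write-FD
        \item Listener: close the write-FD and listen on read-FD
      \end{itemize}
    \end{enumerate}
    \item Note:
    \begin{itemize}
      \item \texttt{pipe} syscall opens two file-descriptors \\
        (one for read from, and one for write to the pipe)
      \item after \texttt{fork} syscall, both processes have access to pipe file-descriptors
      \item pipe communication is unidirectional
    \end{itemize}
    \item Result
    \begin{itemize}
      \item private communication between Parent and Child
      \item decoupled, buffered communication through pipe
    \end{itemize}
    \item other IPC mechanisms (e.g.\ POSIX IPC) are also possible
  \end{itemize}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{IPC: Example with anonymous pipe (child $\to$ parent)}
  \begin{columns}[onlytextwidth]
    \begin{column}{0.45\textwidth}
      \begin{beamerboxesrounded}[shadow=true]{Open Pipe before fork():}
        \begin{scriptsize}
\begin{verbatim}
int fds[2];

/* open pipe file-descriptors */
ret = pipe(fds);
if (ret)
    /* error handling */;

ret = fork();
if (ret < 0)
    /* error handling */;
pid = ret;
/*
 * Both processes, parent and
 * child, have now access to the
 * opened pipe file-descriptors.
 */
\end{verbatim}
        \end{scriptsize}
      \end{beamerboxesrounded}
    \end{column}
    \begin{column}{0.45\textwidth}
      \begin{beamerboxesrounded}[shadow=true]{Parent (Listener):}
        \begin{scriptsize}
\begin{verbatim}
if (pid) {
    /* close pipe-write-fd, so read()
     * reports EOF once the child exits */
    close(fds[1]);
    /* read data from pipe-read-fd */
    while ((ret = read(fds[0], buf, 1)) > 0)
        /* handle read data */;
} else {
    [...]
}
\end{verbatim}
        \end{scriptsize}
      \end{beamerboxesrounded}
      \begin{beamerboxesrounded}[shadow=true]{Child (Sender):}
        \begin{scriptsize}
\begin{verbatim}
if (pid) {
    [...]
} else {
    /* close pipe-read-fd */
    close(fds[0]);
    /* send data to pipe-write-fd */
    write(fds[1], buf, strnlen(buf, BUF_LEN));
}
\end{verbatim}
        \end{scriptsize}
      \end{beamerboxesrounded}
    \end{column}
  \end{columns}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
  \frametitle{IPC: Example with anonymous pipe (parent $\to$ child)}
  \begin{columns}[onlytextwidth]
    \begin{column}{0.45\textwidth}
      \begin{beamerboxesrounded}[shadow=true]{Open Pipe before fork():}
        \begin{scriptsize}
\begin{verbatim}
int fds[2];

/* open pipe file-descriptors */
ret = pipe(fds);
if (ret)
    /* error handling */;

ret = fork();
if (ret < 0)
    /* error handling */;
pid = ret;
/*
 * Both processes, parent and
 * child, have now access to the
 * opened pipe file-descriptors.
 */
\end{verbatim}
        \end{scriptsize}
      \end{beamerboxesrounded}
    \end{column}
    \begin{column}{0.45\textwidth}
      \begin{beamerboxesrounded}[shadow=true]{Parent (Sender):}
        \begin{scriptsize}
\begin{verbatim}
if (pid) {
    /* close pipe-read-fd */
    close(fds[0]);
    /* send data to pipe-write-fd */
    write(fds[1], buf, strnlen(buf, BUF_LEN));
} else {
    [...]
}
\end{verbatim}
        \end{scriptsize}
      \end{beamerboxesrounded}
      \begin{beamerboxesrounded}[shadow=true]{Child (Listener):}
        \begin{scriptsize}
\begin{verbatim}
if (pid) {
    [...]
} else {
    /* close pipe-write-fd, so read()
     * reports EOF once the parent exits */
    close(fds[1]);
    /* read data from pipe-read-fd */
    while ((ret = read(fds[0], buf, 1)) > 0)
        /* handle read data */;
}
\end{verbatim}
        \end{scriptsize}
      \end{beamerboxesrounded}
    \end{column}
  \end{columns}
\end{frame}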