© Darío Álvarez 2005

Securing applications. Performance of Rotor CAS protection and capabilities

Darío Álvarez Gutiérrez, M. Ángeles Díaz Fondón, Iván Suárez Rodríguez
[email protected]
Department of Informatics, University of Oviedo, Asturias, Spain

2

Context

• Project to build an operating system based on an OO Abstract Machine ("managed code").
• Own OO AM with object model
  – RISC-like, not a-la-Java (no stack, for instance)
• Search for access control mechanism (protection)
  – To control whether a "client" object can call a method of a "server" object (e.g. a "student" object can call the "change" method of a "grade" object).
• Found (pure) capabilities are best for this environment (applied own variant)
  – => Protection should be part of the object model
• RFPv1: Implementation into Rotor (RotorCapa)

3

Protection Mechanism (Access Control)

• Access Control Mechanism (protection)
  – To control whether a piece of code ("subject") can access a resource ("server" or "resource").
  – Example: Access Control Lists
• Access Control Mechanism in an OO environment
  – To control whether a "client" object can call a method of a "server" object
    • E.g.: a "student" object can call the "change" method of a "grade" object.

4

Access Control in OO Abstract Machines

• Examples of Access Control in OO environments based on OO Abstract Machines
  – Access Control Lists
  – .NET Code Access Security
    • Based on a form of stack introspection (stack walking)
• Other access control mechanisms: (pure) CAPABILITIES
• Our Focus: Application of capabilities to OO Abstract Machines
  – To our own OO Abstract Machine (Carbayonia)
  – Integration of capability-based protection in the SSCLI-Rotor

5

Pure Capabilities

• What is a capability (pure or object capability)
  – A reference to an object together with a set of permissions on the methods of that object
  – Holding a capability with the specific permission asserted is necessary and sufficient to access the method

[Figure: an object ("Objeto") exposing operations Op1, Op2, Op3 ... Opn, and a capability ("Capacidad") referencing it]

6

Applying capabilities to OO Abstract Machines

• Integrate protection into the object model (make protection a property of the object model)
  – Protection information (permissions) is integrated with the references
  – The control mechanism is integrated with the method call mechanism
  – Modifications to instructions (and structures) related to references must be done
  – Just a new instruction to restrict permissions in a reference (principle of least privilege) is needed

[Figure: ObjectY invokes ObjectX.op1 through its capability (permission bits 1 0 0 1); the call (1) goes through the protection mechanism (2) before ObjectX.op1 runs (3)]

7

Applying capabilities to OO Abstract Machines (2)

• Advantages
  – Naming and protection are combined
  – Flexibility and adaptability
  – High performance
    • permission checks take "constant" time
  – Integration with the object model (conceptual simplicity)
  – Fine granularity of protection
    • At the level of individual methods and object instances
  – Reduced Trusted Computing Base
    • A simple mechanism is implemented with a small amount of code.

8

Applying capabilities to OO Abstract Machines (3)

• Advantages (2)
  – More hardened systems
    • The principle of least privilege can be followed with no restrictions
      – "restrict" instruction at the level of single methods for specific references of objects.
  – Compatibility with existing applications
    • Capabilities are stored and used in objects as normal references in applications.
  – Scalability
    • Managing capabilities for thousands of objects is not a problem, as each object manages and stores its own capabilities (as normal references)

9

Applying capabilities to OO Abstract Machines (4)

• Drawbacks
  – Control of propagation
    • sol.: Reference monitor
  – Revocation of permissions
    • sol.: Facades

10

Why Capabilities for .NET?

• Capabilities have their own merits
  – Clearly superior to ACLs, for example
• .NET can be used just as a platform to research other protection mechanisms
• .NET CAS is good and comprehensive, but there are problems sometimes (why capabilities?)
  – Complexity (evidence, policies, permission sets...)
    • Too much for many applications
    • Footprint and overhead, although just a small fraction is used
    • Big Trusted Computing Base

11

Why Capabilities for .NET? (2)

  – Access to source code of "server" needed
    • To add protection to a class, a "demand permissions" statement, and the code to create permissions, must be included
    • With capabilities any binary object can be protected anytime (just setting permissions in the references)
  – Protection at the level of the class, not at the level of individual instances
    • Permissions are assigned based (roughly speaking) on the class of a client instance, not on an instance-by-instance basis
    • With capabilities, permissions are assigned on a reference-by-reference basis
      – Two objects of the same class can hold different permissions when calling a third object.
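The following is an added example, not code from the deck or from RotorCapa: a minimal C++ model of a pure capability as slides 5 to 11 define it, a reference to an object plus one permission bit per method, with the "restrict" operation and the constant-time check before each call. It also shows the reference-by-reference point of slide 11: two holders of the same class (a teacher and a student) keep different permissions on the same "grade" object. The names Capability, Grade, READ and CHANGE are this example's own choices.

```cpp
// Added example (not from the slides, not RotorCapa code): a pure capability
// modelled as a reference plus a permission bitmap over the referent's methods.
#include <cstdint>
#include <stdexcept>
#include <string>

// Methods of the protected "server" object, one permission bit each.
enum Method : std::uint32_t {
    READ   = 1u << 0,
    CHANGE = 1u << 1,
    ALL    = READ | CHANGE,
};

// The "server" object of the deck's running example: a grade.
struct Grade {
    int value = 0;
    int read() const { return value; }
    void change(int v) { value = v; }
};

// A capability: the reference and the permissions on the referent's methods.
// Copying a capability copies its permissions along with it, which is what the
// deck requires of every instruction that copies or passes a reference.
struct Capability {
    Grade* ref;
    std::uint32_t perms;

    // Primitive security operation ("restrict <method>"): drop one method's
    // permission. There is no amplifying counterpart, so permissions only ever
    // shrink along a chain of copies (principle of least privilege).
    Capability restrictMethod(Method m) const { return Capability{ref, perms & ~m}; }

    // Constant-time check performed before every method call: one AND on the
    // permission word carried by the reference, whatever the stack depth.
    void check(Method m) const {
        if ((perms & m) == 0) throw std::runtime_error("permission not asserted in reference");
    }

    int read() const { check(READ); return ref->read(); }
    void change(int v) const { check(CHANGE); ref->change(v); }
};

// Creating an object returns the "owner" capability with every permission set.
Capability newobj(Grade& g) { return Capability{&g, ALL}; }

// Two clients of the same class hold different permissions on the same grade.
// Returns 1 when the restricted client is stopped and the owner still works.
int scenario() {
    Grade g;
    Capability owner   = newobj(g);
    Capability student = owner.restrictMethod(CHANGE);  // read-only view
    Capability teacher = owner;                         // unrestricted copy

    teacher.change(7);
    int seen = student.read();                          // allowed: READ still set
    bool blocked = false;
    try { student.change(10); } catch (const std::runtime_error&) { blocked = true; }
    return (blocked && seen == 7 && g.value == 7) ? 1 : 0;
}

int main() { return scenario() == 1 ? 0 : 1; }
```

Note that the object itself (Grade) contains no protection code at all: the check lives in the capability, which is how a "binary object" can be protected after the fact just by setting permissions in the references handed out.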

12

Implanting Capabilities into Rotor: Overview

• Add data to represent permissions in references
• Modify instructions accordingly
  – Method calls (check permission is asserted in the reference)
  – Copying and passing references (copying permissions)
• Add instruction to restrict permissions in a reference

13

Implanting Capabilities into Rotor: Alternative 1: Extend references

• Extend the structure representing machine references (OBJECTREF)
  – Internally, a pointer to the memory representing the object
  – Add protection information here, and complement
• But
  – Pointers are directly used in many places (JIT)
• Alternative not possible

14

Implanting Capabilities into Rotor: Alt. 2: Permissions object (1)

• Create a (managed) object to store the permissions
• Modify the system to use this object with the references
  – When creating an object, create associated permissions objects for the references also
  – When passing a reference, pass the permissions object also
  – Modify references-related code to take into account the associated permissions objects.

15

Implanting Capabilities into Rotor: Alt. 2: Permissions object (2)

• Examples of modifications needed
  – JIT Helpers
  – Library functions with native implementation
• But
  – Almost a thousand native functions
  – What if one of these is forgotten?
• Alternative not selected

16

Implanting Capabilities into Rotor: Alt. Selected: Objects as containers

• Permissions for references in objects (members)
  – Use object structure as a container for permissions
• Permissions for references in activation records (local variables and arguments)
• Permissions for references in evaluation stack
  – Use thread structure as a container for permissions
• Modify instructions accordingly
• Add "restrict" instruction

17

Representing permissions for references in objects

• Add a field to the structure representing an object
  – Pointer to a structure holding the permissions associated to each reference in the object ("CapabilitiesTable").
  – Lazy creation

[Figure: an OBJECT of class ExampleClass (Attribute 1 ... Attribute n, void Method1() ... void Methodk()) carries a CapabilitiesTable with a capability for each attribute in the object; an ARRAY carries a CapabilitiesTable with a capability for each reference in the array (a. reference 1 ... a. reference n); each entry is a permission bitmap such as 0 1 0 0 0 (a capability)]

18

Permissions for references in execution and evaluation stacks

• Representing permissions for local variables and argument references (references in a stack frame)
  – Tables similar to those for references in objects
  – A stack with permissions for the references in stack frames grows in parallel with the execution stack
• Representing permissions for references stacked in the evaluation stack
  – A stack with permissions for each stacked reference grows in parallel with the evaluation stack
• Thread object is used as a container for these structures

19

Permissions for references in execution and evaluation stacks

[Figure: the THREAD holds three structures. A Capabilities Stack (Capabilities 0 ... Capabilities N) with the permissions for the elements in the operation stack, one entry per element, growing in parallel with the operation stack. A Local Variables Stack and a Method Attributes Stack (Table 0 ... Table N), one CapabilitiesTable per method in the stack, growing in parallel with the stack frames; each table holds one entry per local variable (Local Var 0 ... Local Var M) or per method attribute (Method Attr 0 ... Method Attr M). Each entry is a permission bitmap such as 0 1 0 0 0 ... (a capability)]

20

Changes to instructions (1)

• New instruction "restrict <method>"
  – Acts upon the reference on top of the stack
  – Denies access to the given method
  – Primitive security operation
• Secure computation in a capabilities system using "restrict"
  – Creating an object returns a reference with all permissions set ("owner")
  – Reference is duplicated
  – Reference is restricted
  – Reference is passed to other objects in a method call for secure computation

21

Changes to instructions (2)

• "call" and "callvirt" now check permissions
  – To make secure computation possible
  – Method calls check the permissions in the reference used to make the call (reference on the top of the stack)
  – An exception is raised if the permission for the method is not asserted in the reference
  – This is the only instruction with different semantics than before (now an exception might be thrown)
    • And this only if permissions are restricted

22

Changes to instructions (3)

• Modifications to (many) other instructions
  – Other instructions that deal with references must take into account the associated permissions (copying, deleting, etc.):
    • Creation of new objects: newobj
      – The reference returned has an associated set of permissions, initially set to "1" for the creator.
    • Storing from the stack: starg, stloc, stfld, stsfld
      – When storing a reference, the associated permissions must also be copied to the destination reference
    • Loading: ldarg, ldloc, ldnull, ldelem.x, ldelem.ref, ldfld, ldsfld, ldsflda, ldstr
      – Symmetrically, permissions associated to a reference must be copied when the reference is pushed on the evaluation stack
    • Various: dup, isinst, box, unbox

23

Sample CLI code with "restrict"

...
// An object is created and a reference
// (capability) is left on the stack
newobj instance void Test::.ctor()
// A method is restricted in the capability
// on the top of the stack
restrict instance void Test::Message()
// Now the method is invoked using the
// reference on the top of the stack
// The reference can be stored, cloned,
// passed as an argument to other objects, etc.
callvirt instance void Test::Message()
// The call will not succeed and an exception
// is raised at this point, as the reference used
// does not have the permission to call "Message" set
...
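The following is an added example, not code from the deck or from RotorCapa: a toy C++ evaluation-stack machine that implements the design of slides 16 to 23. Every reference pushed on the evaluation stack is shadowed by a permission word in a parallel "capabilities stack", local variable slots get a parallel table created lazily on first store, and the instructions behave as the deck specifies: newobj hands the creator all permissions, restrict acts on the top of the stack, stloc/ldloc copy the permissions with the reference, and callvirt checks the permission and throws when it is not asserted. It then runs the CLI sequence of the sample above (newobj, restrict Message, callvirt Message). The Machine, Test and MESSAGE names, and the use of a single permission bit, are this example's own simplification.

```cpp
// Added example (not RotorCapa code): a toy stack machine whose references are
// shadowed by permission words kept in parallel structures, as in slides 16-23.
#include <cstddef>
#include <cstdint>
#include <deque>
#include <stdexcept>
#include <vector>

// The single class of the deck's CIL sample: Test, with one method Message().
struct Test {
    int messages = 0;
    void Message() { ++messages; }
};
enum Method : std::uint32_t { MESSAGE = 1u << 0, ALL_METHODS = MESSAGE };

struct Machine {
    std::vector<Test*>         stack;      // evaluation stack (references only, for brevity)
    std::vector<std::uint32_t> caps;       // parallel capabilities stack, always the same height
    std::vector<Test*>         locals;     // local variable slots of the current frame
    std::vector<std::uint32_t> localCaps;  // their CapabilitiesTable, created lazily on first stloc
    std::deque<Test>           heap;       // objects live here (deque keeps pointers stable)

    void push(Test* r, std::uint32_t p) { stack.push_back(r); caps.push_back(p); }

    // newobj: the creator's reference carries every permission ("owner").
    void newobj() { heap.emplace_back(); push(&heap.back(), ALL_METHODS); }

    // dup: the copy carries the same permissions as the original.
    void dup() { stack.push_back(stack.back()); caps.push_back(caps.back()); }

    // restrict <method>: acts on the reference on top of the stack only.
    void restrictMethod(Method m) { caps.back() &= ~m; }

    // stloc: permissions travel with the reference into the local's table entry.
    void stloc(std::size_t i) {
        if (locals.size() <= i) { locals.resize(i + 1, nullptr); localCaps.resize(i + 1, 0); }
        locals[i] = stack.back(); localCaps[i] = caps.back();
        stack.pop_back(); caps.pop_back();
    }

    // ldloc: symmetrically, the stored permissions are pushed with the reference.
    void ldloc(std::size_t i) { push(locals.at(i), localCaps.at(i)); }

    // callvirt: the only instruction whose semantics change, and only when the
    // reference used for the call has been restricted.
    void callvirt(Method m) {
        Test* r = stack.back(); std::uint32_t p = caps.back();
        stack.pop_back(); caps.pop_back();
        if ((p & m) == 0) throw std::runtime_error("permission not asserted in reference");
        if (m == MESSAGE) r->Message();
    }
};

// The deck's sample: newobj; restrict Message; callvirt Message.
// Returns 1 when the call is refused, 0 if it (wrongly) went through.
int deckSample() {
    Machine m;
    m.newobj();                 // reference + all permissions on the stack
    m.restrictMethod(MESSAGE);  // capability on top of the stack loses Message
    try { m.callvirt(MESSAGE); } catch (const std::runtime_error&) { return 1; }
    return 0;
}

// Secure computation as slide 20 describes it: the owner keeps a full capability,
// duplicates it, restricts the duplicate and hands it on (here: stores it in local 0).
// Returns the number of Message() calls that succeeded; 1 means only the owner's did.
int ownerSample() {
    Machine m;
    int ok = 0;
    m.newobj();
    m.dup();                    // two references to the same object, same permissions
    m.restrictMethod(MESSAGE);  // restrict only the copy on top
    m.stloc(0);                 // store it: permissions are copied into the local's entry
    m.callvirt(MESSAGE); ++ok;  // owner reference still has Message set
    m.ldloc(0);                 // load the restricted one back, permissions come with it
    try { m.callvirt(MESSAGE); ++ok; } catch (const std::runtime_error&) {}
    return ok;
}

int main() { return (deckSample() == 1 && ownerSample() == 1) ? 0 : 1; }
```

The two vectors stack/caps are the point of the design: the reference itself (the pointer the JIT works with) is untouched, and the permission word lives in a structure the thread owns, so every instruction that moves a reference has to move the matching entry, which is exactly the "shadowing" burden slide 25 reports.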

24

Cost of securing applications using capability-based protection

• Early performance results encouraging
• Next project: Thorough performance tests. Planned goals:
  – Improve implementation of RotorCapa VM
  – Develop "synthetic" benchmarks
    • Evaluate performance of Rotor and .NET CAS protection with "default" permissions (phase 1) and with "custom" permissions (phase 2) to compare with capabilities
    • Varying the number of domains, stack depth, etc.
  – Instrument "real" user applications (delayed)
    • How protection is used in "real life" and its cost

25

Improving the implementation of RotorCapa

• RotorCapa adds capabilities for objects
• Make it work with all Rotor elements (structs, byref pointers, etc.)
  – Wrong decision, in retrospect. Big delay, and it was not really important for the goal of the project
  – Slow, error-prone, difficult to debug
    • Our design has to "shadow" references with the corresponding permissions
    • References are really deep into Rotor, and we have to touch this
    • Every time and place a reference is moved, copied, etc., we have to do the same for the corresponding permission
    • This is done in many places inside Rotor, unmanaged code
  – Not 100% complete. Put on standby.
    • Delayed the project. Besides, chasing a subtle bug introduced (may have to resort to previous version)

26

"Synthetic" benchmarks for protection

• Benchmarks to exercise the machines with different
  – Domains
  – Stack sizes
  – Method complexities
  – Classes, methods and protected methods, etc.
• Cost of checking permissions for a method with different configurations
• Insight on parameters affecting performance of protection in Rotor
  – and .NET

27

"Synthetic" benchmarks for protection (3)

• Design used: program generator
  – Input: value of parameters (number of domains, stack size, classes, etc.)
  – Output: benchmark program with that configuration
• Benchmark program
  – Builds desired configuration (creates domains, instances, builds stack, etc.)
  – Repeatedly calls a method protected by a permission
  – Outputs time taken to do the calls (i.e. execution time for the method, i.e. cost of protecting the method)

28

"Synthetic" benchmarks for protection (4)

• Phases
  – "Default" configuration – Rotor (.NET)
    • Built-in, default permissions for Application Domains
  – "Complex" configuration – Rotor (.NET)
    • Custom ("user") permissions
    • Different permissions for Application Domains
      – (data not yet available)

29

"Synthetic" benchmarks for protection (5)

• Phase 1. First batch
• Approx. 1,800 runs for configurations
  – Rotor, .NET (1.0)
  – Security enabled / disabled
  – Fulltrust / specific permission set
  – 1-5 Application Domains
  – Different numbers of classes, methods, instances, etc.

30

The cost of "default" protection (1)

• Overall preliminary analysis – phase 1
  – .NET is also very fast regarding CAS protection
    • Times almost not measurable (same configuration as Rotor for reasonable run times of benchmarks)
  – Number of instances not relevant (expected)
  – Number of methods not relevant (expected)
  – Fulltrust slightly quicker than specific permission sets (expected)
  – Small tendency to increase times with stack size (clear in Rotor: about 4% difference from 1 domain to 5 domains with x5 stack size also)

31

The cost of "default" protection (2)

• Number of domains not relevant – with same stack size
• However, not totally representative as default policy gives all domains the same permissions

32

The cost of "default" protection (3)

• Details on a specific batch run with varying stack sizes and method complexity

[Chart: "Time for a 'null' method call"; x axis: size of stack; y axis: time (0 to 0.1); series: Rotor fulltrust, Rotor caspol off, .NET fulltrust, .NET caspol off]

• Security disabled faster than checking (expected)
• Checking permissions slows with stack size
• .NET much faster than Rotor (expected), but behaviour similar
• Mean overhead between 70% (Rotor) and 210% (.NET)
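The following is an added example, not part of the deck's benchmarks or of RotorCapa: a C++ model of why a stack-walking check (the form of CAS protection slide 4 describes) gets slower as the stack grows, the trend the chart above shows, while a capability check (slide 7: "constant" time) does not. It keeps the shape of the synthetic benchmark of slide 27 (build a stack of a given depth, repeat a "null" call, report the time) but counts the frames each check inspects, which is the part that can be asserted. The frame layout, the single CALL_NULL permission and the "every frame must hold the permission" rule are this example's simplification of a CAS demand, not the real .NET algorithm.

```cpp
// Added example (not the deck's benchmark code): stack-walk check versus
// capability check as a function of stack depth.
#include <chrono>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

enum Perm : std::uint32_t { CALL_NULL = 1u << 0 };

struct Frame { std::uint32_t granted; };  // permissions granted to the code of this frame

// Simplified CAS-style demand: every frame on the stack must hold the permission,
// so the check walks from the top frame down. Returns the number of frames
// inspected, or -1 as soon as a frame without the permission is found.
long stackWalkDemand(const std::vector<Frame>& stack, Perm p) {
    long inspected = 0;
    for (auto it = stack.rbegin(); it != stack.rend(); ++it) {
        ++inspected;
        if ((it->granted & p) == 0) return -1;
    }
    return inspected;
}

// Capability check: only the permission word carried by the reference is read,
// so exactly one "frame" is inspected regardless of depth. Returns 1 or -1.
long capabilityCheck(std::uint32_t refPerms, Perm p) {
    return (refPerms & p) ? 1 : -1;
}

// Builds a stack of `depth` frames that all hold `p` (the "fulltrust"/default case,
// where a walk has to visit every frame before it can succeed).
std::vector<Frame> buildStack(std::size_t depth, Perm p) {
    return std::vector<Frame>(depth, Frame{p});
}

// Benchmark shape of slide 27: `calls` repetitions of a "null" call behind `depth`
// frames; returns microseconds for the walk variant and the capability variant.
struct Timing { long long stackWalkUs; long long capabilityUs; };

Timing benchmark(std::size_t depth, long calls) {
    using clock = std::chrono::steady_clock;
    std::vector<Frame> stack = buildStack(depth, CALL_NULL);
    volatile long sink = 0;  // keeps the compiler from discarding the checks
    auto t0 = clock::now();
    for (long i = 0; i < calls; ++i) sink = sink + stackWalkDemand(stack, CALL_NULL);
    auto t1 = clock::now();
    for (long i = 0; i < calls; ++i) sink = sink + capabilityCheck(CALL_NULL, CALL_NULL);
    auto t2 = clock::now();
    using us = std::chrono::microseconds;
    return { std::chrono::duration_cast<us>(t1 - t0).count(),
             std::chrono::duration_cast<us>(t2 - t1).count() };
}

int main() {
    // Same stack sizes as the deck's charts.
    const std::size_t sizes[] = {10, 30, 50, 70, 90, 150, 300, 500, 700, 900};
    std::printf("%6s %12s %12s %10s\n", "stack", "walk(us)", "cap(us)", "frames");
    for (std::size_t depth : sizes) {
        Timing t = benchmark(depth, 20000);
        std::printf("%6zu %12lld %12lld %10ld\n", depth, t.stackWalkUs, t.capabilityUs,
                    stackWalkDemand(buildStack(depth, CALL_NULL), CALL_NULL));
    }
    return 0;
}
```

The absolute times depend on the machine and are only illustrative; the frame count is what matters: the walk column grows linearly with the stack while the capability column stays flat, which is the "constant time" claim of slide 7 made concrete.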

33

The cost of "default" protection (3)

[Chart: "Time for a 'nullx100' method call (ROTOR)"; x axis: size of stack (10, 30, 50, 70, 90, 150, 300, 500, 700, 900); y axis: time (8 to 11); series: Rotor fulltrust, Rotor caspol off]

• Strange "spikes" for Rotor at given stack sizes
• Mean overhead negligible (even -0.3%)

[Chart: "Time for a 'nullx100' method call (.NET)"; x axis: size of stack (10, 30, 50, 70, 90, 150, 300, 500, 700, 900); y axis: time (0 to 0.1); series: .NET fulltrust, .NET caspol off]

• Mean overhead about 40%, but less as stack size is smaller
• Absolute overhead, however, very small

34

The cost of "default" protection (3)

[Chart: "Time for a 'nullx1000' method call (ROTOR)"; x axis: size of stack (10, 30, 50, 70, 90, 150, 300, 500, 700, 900); y axis: time (225 to 250); series: Rotor fulltrust, Rotor caspol off]

• Analogous behaviour
  – Strange "spikes" for Rotor at given stack sizes
• Mean overhead negligible (0.059%)

[Chart: "Time for a 'nullx1000' method call (.NET)"; x axis: size of stack (10, 30, 50, 70, 90, 150, 300, 500, 700, 900); y axis: time (0.3 to 0.38); series: .NET fulltrust, .NET caspol off]

• Analogous behaviour
• Mean overhead (8%)
• Absolute overhead, however, very small

35

Conclusions phase 1: "default" protection

• Overhead of protection is very small in absolute terms
• For "user" methods with modest complexity (just 100 times the complexity of a "null" call in the case of Rotor), it is in fact negligible
• All "user" calls could be protected by default if this holds

36

More benchmarks

• Benchmarks phase 2
  – Being finished
  – Thousands still to run (more being generated also for phase 1)
  – Application domains with custom permissions and permission sets (will the behaviour be similar for this?) (and comparison with RotorCapa)
  – Complete results expected soon

Securing applications. Performance of Rotor CAS protection and capabilities
http://www.di.uniovi.es/~darioa/rotorcapa

Darío Álvarez Gutiérrez, M. Ángeles Díaz Fondón, Iván Suárez Rodríguez
[email protected]
Department of Informatics, University of Oviedo, Asturias, Spain