Sugar: Secure GPU Acceleration in Web Browsers
Zhihao Yao, Zongheng Ma, Yingtong Liu, Ardalan Amiri Sani, Aparna Chandramowlishwaran
Trustworthy Systems Lab, UC Irvine
WebGL was released in 2011
Source: https://www.google.com/map
WebGL is popular
WebGL adoption rate by top 100 websites
[Pie chart: 47.0% / 53.0%]
WebGL is popular
Browser support rate (48.8 million visitors)
[Pie chart: 4.0% / 96.0%; legend label: Does not support]
Source: http://webglstats.com (2017)
https://www.apple.com/macos/sierra/
http://dlmf.nist.gov
https://www.google.com/map
https://eyes.nasa.gov/curiosity/
WebGL recap
First, a quick recap on OpenGL
[Diagram shown in three steps: Native app and GL libs (two instances), Kernel mode GPU driver, GPU hardware; layers labelled user space, kernel space, hardware; arrows labelled "function call" and "syscall"]
Use the same design for WebGL?
[Diagram: Web app, GL libs, Kernel mode GPU driver, GPU hardware; layers labelled user space, kernel space, hardware]
Web apps are not trusted
GPU driver is buggy
Kernel driver is compromised
[Diagram on each of these three slides: Web app, GL libs, Kernel mode GPU driver, GPU hardware; layers labelled user space, kernel space, hardware; callouts: Buggy, Compromised, Malicious]
Current WebGL design
[Diagram shown in two steps: Web app (three instances), Browser, GPU Process, Checks, GL libs, Kernel mode GPU driver, GPU hardware; layers labelled user space, kernel space, hardware; arrow labelled "IPC"]
Security checks in GPU Process
[Diagram: Web app (three instances), Browser, GPU Process, Checks, GL libs, Kernel mode GPU driver, GPU hardware; layers labelled user space, kernel space, hardware]
TCB of current WebGL Design
158,000 LoC (GPU Process)
457,000 LoC (GL libraries)
123,000 LoC (GPU driver)
[Diagram: Web app (three instances), Browser, GPU Process, Checks, GL libs, Kernel mode GPU driver, GPU hardware]
Vulnerabilities in GPU process
CVE-2014-1556, CVE-2015-7179, CVE-2013-2874, CVE-2017-5031, CVE-2014-1502
Kernel driver is compromised
CVE-2011-2601*, Chrome 153469, Chrome 483877*, CVE-2011-2367, CVE-2011-3653
*Not yet fixed
Vulnerability examples
CVE-2014-1556: execute arbitrary code
CVE-2015-7179: execute arbitrary code
CVE-2013-2874: read browser UI
CVE-2017-5031: read GPU process memory
CVE-2014-1502: use of cross-origin contents
Chrome Issue 593680: browser hang
Chrome Issue 83841: leak system username
CVE-2011-2601*: system UI freeze
Chrome issue 153469: kernel panic
Chrome issue 483877*: system UI freeze
CVE-2011-2367: read of GPU memory
CVE-2011-3653: read of GPU memory
CVE-2014-3173: read of GPU memory
*Not yet fixed
Our WebGL vulnerability study
https://trusslab.github.io/sugar/webgl_bugs
Current WebGL design
[Slide labels: High performance; Known vulnerabilities; Zero day vulnerabilities; System UI freeze]
CVE-2014-3173, read of GPU graphics memory
We type some private notes in a terminal:
[Demo screenshots]
Overview of Sugar
Key idea:
• Use GPU virtualization to give an untrusted web app a separate vGPU
Intel GPU virtualization
• We build a prototype on Intel GPU virtualization
● Intel GPU virtualization has been available since the 4th generation Core processors [1]
[1] https://www.usenix.org/conference/atc14/technical-sessions/presentation/tian
Photo credit: https://www.intel.com/pressroom/archive/releases/2008/20081117comp_sm.htm
[Diagram: GPU; vGPU 1; vGPU 2]
Sugar’s design
[Diagram shown in five steps: Browser; Web app with GL libs and vGPU driver; GPU Process with GL libs; vGPU; Kernel mode GPU driver; GPU hardware; layers labelled user space, kernel space, hardware; arrows labelled "function call"; planes labelled "virtual graphics plane" and "primary graphics plane"]
Why is Sugar secure?
Web app process is untrusted
Web app process is sandboxed
vGPU is isolated
Sugar’s TCB is small
34,400 LoC (GPU virtualization)
[Diagram on each of these four slides: Browser; Web app with GL libs and vGPU driver; GPU Process with GL libs; vGPU; Kernel mode GPU driver; GPU hardware; layers labelled user space, kernel space, hardware]
Vulnerability examples
CVE-2014-1556: execute arbitrary code
CVE-2015-7179: execute arbitrary code
CVE-2013-2874: read browser UI
CVE-2017-5031: read GPU process memory
CVE-2014-1502: use of cross-origin contents
Chrome Issue 593680: browser hang
Chrome Issue 83841: leak system username
CVE-2011-2601*: system UI freeze
Chrome issue 153469: kernel panic
Chrome issue 483877*: system UI freeze
CVE-2011-2367: read of GPU memory
CVE-2011-3653: read of GPU memory
CVE-2014-3173: read of GPU memory
*Not yet fixed
Limitation of this Sugar design
Intel vGPU hang will cause a real GPU hang
Dual-GPU Sugar
Key idea: Use two GPUs to fully isolate the virtual graphics plane and the primary graphics plane.
● Solves system UI freeze
● Provides better performance isolation
Dual-GPU Sugar’s design
[Diagram: Browser; Web app with GL libs and vGPU driver; GPU process with GL libs; vGPU; Kernel mode GPU 1 driver; GPU 1 hardware; Kernel mode GPU 2 driver; GPU 2 hardware; layers labelled user space, kernel space, hardware]
Many computers have two GPUs
apple.com/macbook-pro
dell.com/Inspiron15
store.hp.com/envy
Photo credit: https://www.amd.com/zh-tw/products/graphics/desktop/6000/6990
Intel’s 8th Generation Core Processors with Radeon RX Vega M Graphics
Source: https://newsroom.intel.com/news/8th-gen-intel-core-radeon-rx-vega-m-graphics
Sugar’s implementation
Reuse most of GPU process code
[Diagram: "WebGL in web app process" stack: WebKit / Blink, WebGL frontend, WebGL backend, GL libs, vGPU driver; "GPU Process" stack: WebGL backend, GL libs]
vGPU driver as a library
We modify GL libs to issue function calls instead of syscalls
[Diagram: WebKit / Blink, WebGL frontend, WebGL backend, GL libs, vGPU driver; callouts: "Ported from GPU process", "function call"]
Register: trap and emulate
[Diagram shown in two steps: Browser; Web app with GL libs and vGPU driver; GPU Process with GL libs; vGPU; Kernel mode GPU driver; GPU hardware; layers labelled user space, kernel space, hardware; callouts: "Mapped registers", "GPU virtualization layer will emulate"]
Interrupt: deliver as signal
The virtualization layer delivers as a signal
[Diagram shown in three steps: Browser; Web app with GL libs and vGPU driver; GPU Process with GL libs; vGPU; Kernel mode GPU driver; GPU hardware; layers labelled user space, kernel space, hardware; arrows labelled "Interrupt" and "Signal"]
DMA overview
[Diagram, first step: GPU, Main memory; arrow labelled "DMA"]
[Diagram, second step: vGPU, Main memory; labels "DMA" and "Page table"]
Evaluations
Sugar’s performance is good
under the same WebGL benchmarks that Chrome uses
[Chart; label: 60 FPS]
Sugar’s CPU overhead is low
Sugar is better than CPU rendering by 375% on average
Summary
● Sugar leverages modern GPU virtualization solutions to isolate WebGL
● Sugar addresses this by repurposing the Intel vGPU driver as a library
Thank you!
Sugar is open source: https://trusslab.github.io/sugar