TY - GEN
T1 - Draco
T2 - 53rd Annual IEEE/ACM International Symposium on Microarchitecture, MICRO 2020
AU - Skarlatos, Dimitrios
AU - Chen, Qingrong
AU - Chen, Jianyan
AU - Xu, Tianyin
AU - Torrellas, Josep
N1 - This work was funded in part by NSF under grants CNS-1956007, CNS-1763658, CCF-1725734, CCF-1816615, CCF-2029049, and a gift from Facebook. The authors thank Andrea Arcangeli from RedHat, Hubertus Franke and Tobin Feldman-Fitzthum from IBM for discussions on Seccomp performance, and Seung Won Min from UIUC for assisting with the Synopsys toolchain.
PY - 2020/10
Y1 - 2020/10
AB - System call checking is extensively used to protect the operating system kernel from user attacks. However, existing solutions such as Seccomp execute lengthy rule-based checking programs against system calls and their arguments, leading to substantial execution overhead. To minimize checking overhead, this paper proposes Draco, a new architecture that caches system call IDs and argument values after they have been checked and validated. System calls are first looked up in a special cache and, on a hit, skip all checks. We present both a software and a hardware implementation of Draco. The latter introduces a System Call Lookaside Buffer (SLB) to keep recently validated system calls, and a System Call Target Buffer to preload the SLB in advance. In our evaluation, we find that the average execution time of macro and micro benchmarks with conventional Seccomp checking is 1.14× and 1.25× higher, respectively, than on an insecure baseline that performs no security checks. With our software Draco, the average execution time reduces to 1.10× and 1.18× higher, respectively, than on the insecure baseline. With our hardware Draco, the execution time is within 1% of the insecure baseline.
KW - Containers
KW - Microarchitecture
KW - Operating system
KW - Security
KW - System call checking
KW - Virtualization
UR - http://www.scopus.com/inward/record.url?scp=85097355877&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85097355877&partnerID=8YFLogxK
U2 - 10.1109/MICRO50266.2020.00017
DO - 10.1109/MICRO50266.2020.00017
M3 - Conference contribution
AN - SCOPUS:85097355877
T3 - Proceedings of the Annual International Symposium on Microarchitecture, MICRO
SP - 42
EP - 57
BT - Proceedings - 2020 53rd Annual IEEE/ACM International Symposium on Microarchitecture, MICRO 2020
PB - IEEE Computer Society
Y2 - 17 October 2020 through 21 October 2020
ER -