Automatic ISA analysis for Secure Context Switching
Neelu S. Kalani (1, 2), Thomas Bourgeat (1), Guerney D. H. Hunt (3), Wojciech Ozga (2) ((1) EPFL Switzerland, (2) IBM Research Zurich, (3) IBM T. J. Watson Research Center)

TL;DR
This paper introduces Sailor, a tool that automates ISA analysis for secure context switching by leveraging machine-readable specifications, revealing security vulnerabilities caused by mishandled ISA-state in confidential systems.
Contribution
We present Sailor, a novel tool that automates ISA-state analysis for secure context switching, identifying security-sensitive states and vulnerabilities in open-source confidential computing systems.
Findings
Identified three classes of mishandled ISA-state
Discovered five security vulnerabilities exploitable via ISA-state mishandling
Automated analysis reduces manual effort and errors in ISA security assessment
Abstract
Instruction set architectures are complex, with hundreds of registers and instructions that can modify dozens of them during execution, variably on each instance. Prose-style ISA specifications struggle to capture these intricacies of the ISAs, where often the important details about a single register are spread out across hundreds of pages of documentation. Ensuring that all ISA-state is swapped in context switch implementations of privileged software requires meticulous examination of these pages. This manual process is tedious and error-prone. We propose a tool called Sailor that leverages machine-readable ISA specifications written in Sail to automate this task. Sailor determines the ISA-state necessary to swap during the context switch using the data collected from Sail and a novel algorithm to classify ISA-state as security-sensitive. Using Sailor's output, we identify three…
Taxonomy
Topics: Network Security and Intrusion Detection · IPv6, Mobility, Handover, Networks, Security
