CapeVM: 用於資源受限的物聯網裝置之快速安全虛擬機

Abstract

針對在資源受限的裝置上運行的虛擬機已被廣泛地研究，然而，在設計如何將衆多功能包裝進資源受限的裝置的過程，絕多數的虛擬機都難以同時滿足以下兩種關鍵特性：效能與安全的獨立執行環境，一方面由於幾乎現有的虛擬機皆爲直譯器，往往使得程式運行速度減慢數十至數百倍，另一方面因為受限於裝置上的資源，常常略過驗證位元組碼(bytecode)的步驟，讓虛擬機的防護脆弱且易受到攻擊。 在這篇論文中，我們提出CapeVM，此運行在物聯網裝置的虛擬機，目的就是要能同時兼顧高效能與獨立執行環境的特性，確保惡意程式無法損壞虛擬機的內部狀態，且無法執行尚未被虛擬機驗證的程序。 CapeVM採用提前式編譯器(Ahead-of-Time compilation)轉成機器碼(native code)來提昇效能，並引入一套優化程序來消除大部分的額外運算，目前用於物聯網裝置的提前式編譯器皆無法免除這些額外運算。至於安全的執行環境，一套執行時期與編譯時期的檢查能確保這項特性，因為虛擬機指令集的結構比機器碼更加明確，使虛擬機在轉譯位元組碼的時候，就能夠完成大部分的檢查，比起機器碼的方式省去了昂貴的執行時期檢查。 我們採用了12種具備不同特徵的效能基準來評估CapeVM，包括商用的CoreMark與實際運行在物聯網裝置的應用，儘管使用虛擬機本身與加入安全檢查的步驟會無可避免地增加額外運算，CapeVM的優化程序大幅度地減少這些額外運算，結果顯示其效能僅比缺少安全檢查的機器碼慢2倍，甚至優於具備安全檢查的機器碼，若省去CapeVM的安全檢查，額外運算會再降低至1.7倍，因此，CapeVM專爲資源受限的物聯網裝置整合了虛擬機對於安全與獨立執行環境的需求，並大幅提昇其運行的效能。

Many virtual machines have been developed targeting resource-constrained sensor nodes. While packing an impressive set of features into a very limited space, most fall short in two key aspects: performance, and a safe, sandboxed execution environment. Since most existing VMs are interpreters, a slowdown of one to two orders of magnitude is common. Given the limited resources available, verification of the bytecode is typically omitted, leaving them vulnerable to a wide range of possible attacks. In this dissertation we propose CapeVM, a sensor node virtual machine aimed at delivering both high performance and a sandboxed execution environment that guarantees malicious code cannot corrupt the VM's internal state or perform actions not allowed by the VM. CapeVM uses Ahead-of-Time compilation to native code to improve performance and introduces a set of optimisations to eliminate most of the overhead present in previous work on sensor node AOT compilers. A safe execution environment is guaranteed by a set of run-time and translation-time checks. The more structured nature of the VM's instruction set, compared to native code, allows the VM to perform most checks when the bytecode is translated, reducing the need for expensive run-time checks compared to native code approaches. We evaluate CapeVM using a set of 12 benchmarks with varying characteristic, including the commercial mybench{CoreMark} benchmark and real-world sensor node applications. While some overhead from using a VM and adding safety checks cannot be avoided, CapeVM's optimisations reduce this overhead dramatically. This results in a performance 2.0x slower than unsafe native code, which is comparable to or better than existing native solutions to provide safety. Without safety checks, the overhead drops to 1.7x. Thus, CapeVM combines the desirable properties of existing work on both safety and virtual machines for sensor nodes, with significantly improved performance.