research-article

HIPStR: Heterogeneous-ISA Program State Relocation

Published: 25 March 2016

Abstract

Heterogeneous Chip Multiprocessors have been shown to provide significant performance and energy efficiency gains over homogeneous designs. Recent research has expanded the dimensions of heterogeneity to include diverse Instruction Set Architectures, called Heterogeneous-ISA Chip Multiprocessors. This work leverages such an architecture to realize substantial new security benefits, and in particular, to thwart Return-Oriented Programming. This paper proposes a novel security defense called HIPStR -- Heterogeneous-ISA Program State Relocation -- that performs dynamic randomization of run-time program state, both within and across ISAs. This technique outperforms the state-of-the-art just-in-time code reuse (JIT-ROP) defense by an average of 15.6%, while simultaneously providing greater security guarantees against classic return-into-libc, ROP, JOP, brute force, JIT-ROP, and several evasive variants.

Published in

ACM SIGPLAN Notices, Volume 51, Issue 4 (ASPLOS '16), April 2016, 774 pages
ISSN: 0362-1340
EISSN: 1558-1160
DOI: 10.1145/2954679
Editor: Andy Gill

ASPLOS '16: Proceedings of the Twenty-First International Conference on Architectural Support for Programming Languages and Operating Systems, March 2016, 824 pages
ISBN: 9781450340915
DOI: 10.1145/2872362
General Chair: Tom Conte
Program Chair: Yuanyuan Zhou

Copyright © 2016 ACM

Publisher: Association for Computing Machinery, New York, NY, United States