Abstract
Illegal use of memory pointers is a serious security vulnerability. Much malware exploits the spatial and temporal forms of these vulnerabilities to subvert execution or glean sensitive data from an application. Recent countermeasures attach metadata to memory pointers that defines each pointer's capabilities; the hardware uses this metadata to validate pointer-based memory accesses. However, these recent schemes incur considerable overheads. Further, the pointer validation is decoupled from the actual memory access. We show that this decoupling could open up vulnerabilities in multithreaded applications and introduce new vulnerabilities due to speculation in out-of-order processors.
In this article, we demonstrate that the overheads can be reduced considerably by efficient metadata management. We show that the hardware can be designed so that it remains safe in multithreaded applications and immune to speculative vulnerabilities. We achieve this by ensuring that the pointer validation and the corresponding memory access are always done atomically and in order. To evaluate our scheme, which we call ALEXIA, we enhance an OpenRISC processor to perform the memory validation at runtime and also add compiler support. ALEXIA is the first hardware countermeasure scheme for memory protection that provides such an end-to-end solution. We evaluate the processor on an Altera FPGA and show that the runtime overhead is 14% on average, with negligible impact on the processor's size and clock frequency. There is also negligible impact on the program's code and data sizes.
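As an added example that is not the paper's or ALEXIA's own code, the following C model simulates the capability-metadata validation the abstract describes: each pointer carries base, bound and an allocation id, and the hypothetical cap_access8 performs the temporal check, the spatial check and the load or store as one unit, so a violating access is rejected before any memory is touched.

```c
/* Added example (not from the paper or ALEXIA): a software model of the pointer
 * metadata validation the abstract describes. A pointer carries a capability
 * (base, bound, allocation id); every access validates it first. Names are hypothetical. */
#include <stdint.h>
#include <stdlib.h>
#define MAX_ALLOCS 16           /* toy lock table; real schemes use a far larger one */
typedef struct {
    uint8_t *base;              /* start of the object this pointer may reference */
    size_t   bound;             /* object size in bytes (spatial metadata) */
    uint32_t alloc_id;          /* which allocation it came from (temporal metadata) */
} capability_t;

/* One "live" flag per allocation id; freeing clears it, so any stale copy of the
 * capability, which still carries the id, fails validation. */
static uint8_t  live_allocs[MAX_ALLOCS];
static uint32_t next_id = 1;

capability_t cap_alloc(size_t size) {
    capability_t c = { calloc(size, 1), size, next_id++ % MAX_ALLOCS };
    live_allocs[c.alloc_id] = 1;
    return c;
}

void cap_free(capability_t c) {
    live_allocs[c.alloc_id] = 0; /* invalidates every copy of this capability */
    free(c.base);
}

enum { ACC_OK = 0, ACC_SPATIAL = 1, ACC_TEMPORAL = 2 };
/* Validate-and-access as one unit: temporal check, spatial check, then the load or
 * store. The memory access is only reachable once both checks have passed. */
int cap_access8(capability_t c, size_t off, uint8_t *val, int is_store) {
    if (!live_allocs[c.alloc_id]) return ACC_TEMPORAL;
    if (off >= c.bound)           return ACC_SPATIAL;
    if (is_store) c.base[off] = *val; else *val = c.base[off];
    return ACC_OK;
}
/* In-bounds store and load, an off-by-one read past the bound, and a read through
 * a stale capability after free; returns ok | (oob << 2) | (uaf << 4). */
int demo_codes(void) {
    capability_t c = cap_alloc(8);
    uint8_t w = 0x41, v = 0;
    int ok = cap_access8(c, 3, &w, 1);      /* store 0x41 at offset 3 */
    ok |= cap_access8(c, 3, &v, 0);         /* load it back into v */
    int oob = cap_access8(c, 8, &v, 0);     /* one byte past the end */
    cap_free(c);
    int uaf = cap_access8(c, 0, &v, 0);     /* capability outlived its object */
    return ok | (v != 0x41) | (oob << 2) | (uaf << 4);
}
```

The returned code 36 decodes to ACC_OK for the in-bounds access, ACC_SPATIAL for the off-by-one read and ACC_TEMPORAL for the read after free.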
ALEXIA: A Processor with Lightweight Extensions for Memory Safety