research-article

ALEXIA: A Processor with Lightweight Extensions for Memory Safety

Published: 15 November 2019

Abstract

Illegal use of memory pointers is a serious security vulnerability. A large number of malware samples exploit the spatial and temporal forms of these vulnerabilities to subvert execution or glean sensitive data from an application. Recent countermeasures attach metadata to memory pointers that defines each pointer's capabilities, and the hardware uses this metadata to validate pointer-based memory accesses. However, these recent schemes have considerable overheads. Further, the pointer validation is decoupled from the actual memory access. We show that this decoupling can open up vulnerabilities in multithreaded applications and introduce new vulnerabilities due to speculation in out-of-order processors.

In this article, we demonstrate that the overheads can be reduced considerably by efficient metadata management. We show that the hardware can be designed in a manner that remains safe in multithreaded applications and immune to speculative vulnerabilities. We achieve this by ensuring that each pointer validation and the corresponding memory access are always performed atomically and in order. To evaluate our scheme, which we call ALEXIA, we enhance an OpenRISC processor to perform the memory validation at runtime and also add compiler support. ALEXIA is the first hardware countermeasure scheme for memory protection that provides such an end-to-end solution. We evaluate the processor on an Altera FPGA and show that the runtime overhead is 14% on average, with negligible impact on the processor's area and clock frequency. There is also a negligible impact on the program's code and data sizes.
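The check-to-use window that the abstract attributes to decoupled validation, shown as an added illustrative model in C. This is constructed example code, not the paper's hardware or compiler implementation: the metadata layout (base and bound for spatial safety, a lock-and-key pair for temporal safety), the fixed arena standing in for the heap, and the `interleave` callback that models a second thread acting between the check and the load are all assumptions of the example. The same structural flaw underlies the speculative case the abstract mentions (a load issued before its verdict is final); only the thread interleaving is modelled here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed metadata format for this example only (not ALEXIA's encoding). */
typedef struct {
    uint8_t  *ptr;    /* the raw pointer the program dereferences */
    uint8_t  *base;   /* spatial: first valid byte */
    uint8_t  *bound;  /* spatial: one past the last valid byte */
    uint64_t  key;    /* temporal: allocation identity given to this pointer */
    uint64_t *lock;   /* temporal: the allocation's current identity */
} capptr;

enum access_status { ACCESS_OK = 0, ACCESS_OOB = 1, ACCESS_UAF = 2 };

/* A fixed arena replaces the heap so a "freed" region can be read back
 * deterministically instead of triggering real undefined behaviour. */
enum { ARENA_SIZE = 64, MAX_LOCKS = 8, POISON = 0xDD };
static uint8_t  arena[ARENA_SIZE];
static uint64_t locks[MAX_LOCKS];
static size_t   arena_top, lock_top;
static uint64_t next_key;

static void arena_reset(void) {
    memset(arena, 0, sizeof arena);
    memset(locks, 0, sizeof locks);
    arena_top = lock_top = 0;
    next_key = 1;
}

static capptr cap_alloc(size_t n) {
    capptr c;
    c.base = c.ptr = arena + arena_top;
    c.bound = c.base + n;
    arena_top += n;
    c.lock = &locks[lock_top++];
    c.key = *c.lock = next_key++;
    return c;
}

/* Free: zero the lock so every pointer still holding the old key is stale,
 * then poison the bytes to model the region being reused by someone else. */
static void cap_free(capptr *c) {
    *c->lock = 0;
    memset(c->base, POISON, (size_t)(c->bound - c->base));
}

/* The metadata check on its own: bounds first, then lock-and-key. */
static int cap_validate(const capptr *c) {
    if (c->ptr < c->base || c->ptr >= c->bound) return ACCESS_OOB;
    if (c->key != *c->lock) return ACCESS_UAF;
    return ACCESS_OK;
}

typedef void (*interleave_fn)(capptr *victim);

/* Decoupled design: check and load are separate steps, so another thread
 * (modelled by `interleave`) can act in between them. */
static int load_decoupled(capptr *c, interleave_fn interleave, capptr *victim, int *out) {
    int st = cap_validate(c);
    if (st != ACCESS_OK) return st;
    if (interleave) interleave(victim);   /* the check-to-use window */
    *out = *c->ptr;                        /* load proceeds on a stale verdict */
    return ACCESS_OK;
}

/* Atomic design: check and load are one indivisible operation, so a concurrent
 * action lands either before it (seen by the check) or after it (too late to
 * change what was loaded). There is no window to model, so `interleave` runs first. */
static int load_atomic(capptr *c, interleave_fn interleave, capptr *victim, int *out) {
    if (interleave) interleave(victim);
    int st = cap_validate(c);
    if (st != ACCESS_OK) return st;
    *out = *c->ptr;
    return ACCESS_OK;
}

static void other_thread_frees(capptr *victim) { cap_free(victim); }

/* Race: thread A validates p, thread B frees the same object, thread A loads.
 * Returns the status reported; *value receives the byte read, or -1 if refused. */
int run_uaf_scenario(bool atomic, int *value) {
    arena_reset();
    capptr p = cap_alloc(16);
    p.base[0] = 0x41;                  /* the byte the program expects to read */
    capptr alias = p;                  /* the other thread's handle to the object */
    int out = -1;
    int st = atomic ? load_atomic(&p, other_thread_frees, &alias, &out)
                    : load_decoupled(&p, other_thread_frees, &alias, &out);
    if (value) *value = out;
    return st;
}

int uaf_value_seen(bool atomic) { int v; run_uaf_scenario(atomic, &v); return v; }

/* Spatial case: pointer arithmetic walks one past the bound. Both designs refuse
 * it; the check itself was never the problem, only its timing. */
int run_oob_scenario(bool atomic) {
    arena_reset();
    capptr p = cap_alloc(16);
    p.ptr = p.base + 16;
    int out = -1;
    return atomic ? load_atomic(&p, NULL, NULL, &out) : load_decoupled(&p, NULL, NULL, &out);
}

int main(void) {
    printf("decoupled: status=%d value=0x%02x (stale verdict, poisoned byte read)\n",
           run_uaf_scenario(false, NULL), uaf_value_seen(false));
    printf("atomic:    status=%d value=%d (free observed, load refused)\n",
           run_uaf_scenario(true, NULL), uaf_value_seen(true));
    printf("oob: decoupled=%d atomic=%d\n", run_oob_scenario(false), run_oob_scenario(true));
    return 0;
}
```

The decoupled path reports `ACCESS_OK` yet returns the poisoned byte, which is exactly the outcome a sound check is supposed to prevent; the atomic path reports `ACCESS_UAF`. A real processor cannot take a callback between two pipeline stages, which is why the paper's answer is to make the validation and the access a single in-order operation rather than to tighten the check.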

