CONFLLVM: Compiler-Based Information Flow Control in Low-Level Code

We present a compiler-based scheme for information flow control in low-level applications (e.g. those written in C) in the presence of an active adversary. In our scheme, the programmer marks private data by writing lightweight annotations on the top-level definitions in the source code. The compiler then uses a combination of static dataflow analysis and runtime instrumentation to prevent data leaks even in the presence of low-level attacks. To keep the overheads of the instrumentation low, the compiler uses a novel memory layout and a taint-aware form of control flow integrity. We formalize our scheme and prove its security. We have also implemented our scheme within the LLVM compiler and evaluated it on the CPU-intensive SPEC micro-benchmarks, and on larger, real-world applications, including the NGINX webserver and the OpenLDAP directory server. We find that performance overheads introduced by our instrumentation are moderate (average 12% on SPEC), and the programmer effort to port the applications is minimal.
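The scheme described above has a static half (propagating the programmer's private/public annotations through the program's dataflow) and a runtime half (checking memory accesses against a partitioned layout so that a low-level attack cannot redirect a public-typed pointer into private data). The following is an added example that sketches both halves on a toy three-address IR; it is not code from the paper or from the ConfLLVM implementation. Everything in it is assumed for illustration: the IR, the two-point label lattice, the flow-insensitive fixed-point analysis with one abstract memory cell per pointer name, the sample program, and the two address ranges used as the public and private regions. It tracks explicit flows only, as taint-style schemes do.

```python
from dataclasses import dataclass

# Labels of the two-point lattice used by the analysis.
PRIVATE, PUBLIC = "private", "public"

# Toy three-address IR, constructed for this example. Each instruction is a tuple:
#   ("assign", dst, [srcs])   dst = op(srcs...)
#   ("load",   dst, ptr)      dst = *ptr
#   ("store",  ptr, src)      *ptr = src
#   ("call",   fn, [args])    call to the external function fn
@dataclass
class Program:
    annotations: dict   # top-level definitions -> PRIVATE / PUBLIC (programmer's annotations)
    instrs: list        # straight-line instruction list
    sinks: dict         # external function -> highest label its arguments may carry

def join(*labels):
    """Lattice join: any value mixed with private data is private."""
    return PRIVATE if PRIVATE in labels else PUBLIC

def propagate_taint(prog):
    """Flow-insensitive forward taint analysis iterated to a fixed point.
    Unannotated values start public; memory is abstracted one cell per pointer name."""
    taint = dict(prog.annotations)
    mem = {}
    lab = lambda v: taint.get(v, PUBLIC)
    changed = True
    while changed:
        changed = False
        for ins in prog.instrs:
            kind = ins[0]
            if kind == "assign":
                _, dst, srcs = ins
                new = join(lab(dst), *map(lab, srcs))
            elif kind == "load":
                _, dst, ptr = ins
                new = join(lab(dst), mem.get(ptr, PUBLIC))
            elif kind == "store":
                _, ptr, src = ins
                new = join(mem.get(ptr, PUBLIC), lab(src))
                if new != mem.get(ptr, PUBLIC):
                    mem[ptr], changed = new, True
                continue
            else:
                continue
            if new != lab(dst):
                taint[dst], changed = new, True
    return taint, mem

def find_leaks(prog, taint):
    """Report each call that passes a private value to a sink allowing only public data."""
    leaks = []
    for ins in prog.instrs:
        if ins[0] != "call":
            continue
        _, fn, args = ins
        allowed = prog.sinks.get(fn, PRIVATE)
        for a in args:
            if allowed == PUBLIC and taint.get(a, PUBLIC) == PRIVATE:
                leaks.append((fn, a))
    return leaks

# Runtime half. Assumed layout for this example: two disjoint address regions. Every
# access through a pointer the compiler typed PUBLIC is checked to land in the public
# region, so a corrupted pointer cannot read private bytes into a public variable.
PUBLIC_REGION = range(0x1000, 0x2000)
PRIVATE_REGION = range(0x2000, 0x3000)

class RegionViolation(Exception):
    pass

def access_is_allowed(addr, ptr_label):
    region = PUBLIC_REGION if ptr_label == PUBLIC else PRIVATE_REGION
    return addr in region

def checked_load(memory, addr, ptr_label):
    """Instrumented load: abort instead of crossing the public/private boundary."""
    if not access_is_allowed(addr, ptr_label):
        raise RegionViolation(f"{ptr_label} pointer dereferenced at {addr:#x}")
    return memory.get(addr, 0)

# Constructed sample program: a password (private) is hashed and mixed into a reply
# that is then handed to a network send routine (a public sink).
SAMPLE = Program(
    annotations={"password": PRIVATE, "request": PUBLIC},
    instrs=[
        ("assign", "p", ["buf"]),                    # p points at a public buffer
        ("store", "p", "request"),
        ("load", "line", "p"),
        ("assign", "hashed", ["password", "salt"]),  # private flows into hashed
        ("assign", "reply", ["line", "hashed"]),     # reply becomes private
        ("call", "send", ["reply"]),                 # leak: send accepts only public data
        ("call", "log_private", ["hashed"]),         # allowed: sink accepts private data
        ("call", "send", ["line"]),                  # allowed: line is public
    ],
    sinks={"send": PUBLIC, "log_private": PRIVATE},
)

if __name__ == "__main__":
    labels, _ = propagate_taint(SAMPLE)
    print("leaks:", find_leaks(SAMPLE, labels))
    try:
        checked_load({0x2004: 42}, 0x2004, PUBLIC)
    except RegionViolation as e:
        print("runtime check caught:", e)
```

The static pass reports the `send(reply)` call, while `checked_load` shows the kind of check that catches a runtime deviation the static analysis cannot see: a pointer the compiler believed public being steered into the private region by memory corruption.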
