ARMOR: A Recompilation and Instrumentation-Free Monitoring Architecture for Detecting Memory Exploits

Software written in programming languages that permit manual memory management, such as C and C++, are often littered with exploitable memory errors. These memory bugs enable attackers to leak sensitive information, hijack program control flow, or otherwise compromise the system and are a critical concern for computer security. Many runtime monitoring and protection approaches have been proposed to detect memory errors in C and C++ applications, however, they require source code recompilation or binary instrumentation, creating compatibility challenges for applications using proprietary or closed source code, libraries, or plug-ins. This paper introduces a new approach for detecting heap memory errors that does not require applications to be recompiled or instrumented. We show how to leverage the calling convention of a processor to track all dynamic memory allocations made by an application during runtime. We also present a transparent tracking and caching architecture to efficiently verify program heap memory accesses. Performance simulations of our architecture using SPEC benchmarks and real-world application workloads show our architecture achieves hit rates over 95 percent for a 256-entry cache, resulting in only 2.9 percent runtime overhead. Security analysis using a software prototype shows our architecture detects 98 percent of heap memory errors from selected test cases in the Juliet Test Suite and real-world exploits.

[1]  Daniel Quinlan,et al.  Runtime checking C programs , 2015, SAC.

[2]  Alessandro Orso,et al.  Effective and Efficient Memory Protection Using Dynamic Tainting , 2012, IEEE Transactions on Computers.

[3]  Konstantin Serebryany,et al.  MemorySanitizer: Fast detector of uninitialized memory use in C++ , 2015, 2015 IEEE/ACM International Symposium on Code Generation and Optimization (CGO).

[4]  Guru Venkataramani,et al.  MemTracker: Efficient and Programmable Support for Memory Access Monitoring and Debugging , 2007, 2007 IEEE 13th International Symposium on High Performance Computer Architecture.

[5]  Hovav Shacham,et al.  Return-Oriented Programming: Systems, Languages, and Applications , 2012, TSEC.

[6]  Jonathan M. Smith,et al.  Architectural Support for Software-Defined Metadata Processing , 2015, ASPLOS.

[7]  Lizy Kurian John,et al.  Analysis of redundancy and application balance in the SPEC CPU2006 benchmark suite , 2007, ISCA '07.

[8]  Derek Bruening,et al.  AddressSanitizer: A Fast Address Sanity Checker , 2012, USENIX Annual Technical Conference.

[9]  G. Edward Suh,et al.  High-performance parallel accelerator for flexible and efficient run-time monitoring , 2012, IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012).

[10]  Jing Luo,et al.  Secure dynamic code generation against spraying , 2010, CCS '10.

[11]  Guru Venkataramani,et al.  FlexiTaint: A programmable accelerator for dynamic taint propagation , 2008, 2008 IEEE 14th International Symposium on High Performance Computer Architecture.

[12]  Jonathan M. Smith,et al.  Low-fat pointers: compact encoding and efficient gate-level implementation of fat pointers for spatial safety and capability-based security , 2013, CCS.

[13]  Crispan Cowan,et al.  StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks , 1998, USENIX Security Symposium.

[14]  Hovav Shacham,et al.  The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86) , 2007, CCS '07.

[15]  David Brumley,et al.  BYTEWEIGHT: Learning to Recognize Functions in Binary Code , 2014, USENIX Security Symposium.

[16]  Milo M. K. Martin,et al.  Watchdog: Hardware for safe and secure manual memory management and full memory safety , 2012, 2012 39th Annual International Symposium on Computer Architecture (ISCA).

[17]  David A. Patterson,et al.  The Berkeley Out-of-Order Machine (BOOM): An Industry-Competitive, Synthesizable, Parameterized RISC-V Processor , 2015 .

[18]  Aleksandar Milenkovic,et al.  Performance evaluation of cache replacement policies for the SPEC CPU2000 benchmark suite , 2004, ACM-SE 42.

[19]  Nicholas Nethercote,et al.  Using Valgrind to Detect Undefined Value Errors with Bit-Precision , 2005, USENIX Annual Technical Conference, General Track.

[20]  K. Pagiamtzis,et al.  Content-addressable memory (CAM) circuits and architectures: a tutorial and survey , 2006, IEEE Journal of Solid-State Circuits.

[21]  Dawn Song,et al.  Mitigating buffer overflows by operating system randomization , 2002 .

[22]  Adam M. Izraelevitz,et al.  The Rocket Chip Generator , 2016 .

[23]  Timothy Sherwood,et al.  A small cache of large ranges: Hardware methods for efficiently searching, storing, and updating big dataflow tags , 2008, 2008 41st IEEE/ACM International Symposium on Microarchitecture.

[24]  Susan Horwitz,et al.  Protecting C programs from attacks via invalid pointer dereferences , 2003, ESEC/FSE-11.

[25]  Mayler G. A. Martins,et al.  Open Cell Library in 15nm FreePDK Technology , 2015, ISPD.

[26]  James Cheney,et al.  Cyclone: A Safe Dialect of C , 2002, USENIX Annual Technical Conference, General Track.

[27]  Viktor K. Prasanna,et al.  High throughput and large capacity pipelined dynamic search tree on FPGA , 2010, FPGA '10.

[28]  Harish Patil,et al.  Pin: building customized program analysis tools with dynamic instrumentation , 2005, PLDI '05.

[29]  Hovav Shacham,et al.  On the effectiveness of address-space randomization , 2004, CCS '04.

[30]  Ravishankar K. Iyer,et al.  AHEMS: Asynchronous Hardware-Enforced Memory Safety , 2014, 2014 17th Euromicro Conference on Digital System Design.

[31]  John L. Henning SPEC CPU2006 benchmark descriptions , 2006, CARN.