Protecting the Stack with Metadata Policies and Tagged Hardware

The program call stack is a major source of exploitable security vulnerabilities in low-level, unsafe languages like C. In conventional runtime implementations, the underlying stack data is exposed and unprotected, allowing programming errors to turn into security violations. In this work, we design novel metadata-tag based, stack-protection security policies for a general-purpose tagged architecture. Our policies specifically exploit the natural locality of dynamic program call graphs to achieve cacheability of the metadata rules that they require. Our simple Return Address Protection policy has a performance overhead of 1.2% but just protects return addresses. The two richer policies we present, Static Authorities and Depth Isolation, provide object-level protection for all stack objects. When enforcing memory safety, our Static Authorities policy has a performance overhead of 5.7% and our Depth Isolation policy has a performance overhead of 4.5%. When enforcing data-flow integrity (DFI), in which we only detect a violation when a corrupted value is read, our Static Authorities policy has a performance overhead of 3.6% and our Depth Isolation policy has a performance overhead of 2.4%. To characterize our policies, we provide a stack threat taxonomy and show which threats are prevented by both prior work protection mechanisms and our policies.

[1]  G. Edward Suh,et al.  High-performance parallel accelerator for flexible and efficient run-time monitoring , 2012, IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012).

[2]  Edward A. Feustel Tagged architecture and the semantics of programming languages: Extensible types , 1976, ISCA.

[3]  Heng Yin,et al.  Defeating ROP Through Denial of Stack Pivot , 2015, ACSAC 2015.

[4]  Guru Venkataramani,et al.  FlexiTaint: A programmable accelerator for dynamic taint propagation , 2008, 2008 IEEE 14th International Symposium on High Performance Computer Architecture.

[5]  Wouter Joosen,et al.  RIPE: runtime intrusion prevention evaluator , 2011, ACSAC '11.

[6]  Benjamin C. Pierce,et al.  Micro-Policies: Formally Verified, Tag-Based Security Monitors , 2015, 2015 IEEE Symposium on Security and Privacy.

[7]  Thomas F. Knight,et al.  A Minimal Trusted Computing Base for Dynamically Ensuring Secure Information Flow , 2001 .

[8]  Jonathan M. Smith,et al.  Architectural Support for Software-Defined Metadata Processing , 2015, ASPLOS.

[9]  O. Sami Saydjari,et al.  LOCK trek: navigating uncharted space , 1989, Proceedings. 1989 IEEE Symposium on Security and Privacy.

[10]  Jonathan M. Smith,et al.  Hardware Support for Safety Interlocks and Introspection , 2012, 2012 IEEE Sixth International Conference on Self-Adaptive and Self-Organizing Systems Workshops.

[11]  Benjamin C. Pierce,et al.  A verified information-flow architecture , 2014, J. Comput. Secur..

[12]  Stelios Sidiroglou,et al.  Missing the Point(er): On the Effectiveness of Code Pointer Integrity , 2015, 2015 IEEE Symposium on Security and Privacy.

[13]  Per Larsen,et al.  Losing Control: On the Effectiveness of Control-Flow Integrity under Stack Attacks , 2015, CCS.

[14]  Peter G. Neumann,et al.  Beyond the PDP-11: Architectural Support for a Memory-Safe C Abstract Machine , 2015, ASPLOS.

[15]  Gavin Ferris,et al.  Tagged memory and minion cores in the lowRISC SoC , 2014 .

[16]  Peter G. Neumann,et al.  Efficient Tagged Memory , 2017, 2017 IEEE International Conference on Computer Design (ICCD).

[17]  David A. Wagner,et al.  The Performance Cost of Shadow Stacks and Stack Canaries , 2015, AsiaCCS.

[18]  Crispan Cowan,et al.  StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks , 1998, USENIX Security Symposium.

[19]  Carlos V. Rozas,et al.  Innovative instructions and software model for isolated execution , 2013, HASP '13.

[20]  Babak Falsafi,et al.  Flexible Hardware Acceleration for Instruction-Grain Program Monitoring , 2008, 2008 International Symposium on Computer Architecture.

[21]  Guy Gogniat,et al.  ARMHEx: A hardware extension for DIFT on ARM-based SoCs , 2017, 2017 27th International Conference on Field Programmable Logic and Applications (FPL).

[22]  David Zhang,et al.  Secure program execution via dynamic information flow tracking , 2004, ASPLOS XI.

[23]  Christoforos E. Kozyrakis,et al.  Raksha: a flexible information flow architecture for software security , 2007, ISCA '07.

[24]  Chris Fallin,et al.  Flipping bits in memory without accessing them: An experimental study of DRAM disturbance errors , 2014, 2014 ACM/IEEE 41st International Symposium on Computer Architecture (ISCA).

[25]  Elliott I. Organick,et al.  Computer System Organization: The B5700/B6700 Series , 1973 .

[26]  Hovav Shacham,et al.  The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86) , 2007, CCS '07.

[27]  Milo M. K. Martin,et al.  CETS: compiler enforced temporal safety for C , 2010, ISMM '10.

[28]  Milo M. K. Martin,et al.  SoftBound: highly compatible and complete spatial memory safety for c , 2009, PLDI '09.

[29]  Hovav Shacham,et al.  Return-oriented programming without returns , 2010, CCS '10.

[30]  Ruby B. Lee,et al.  A software-hardware architecture for self-protecting data , 2012, CCS.

[31]  Derek Bruening,et al.  AddressSanitizer: A Fast Address Sanity Checker , 2012, USENIX Annual Technical Conference.

[32]  Somayeh Sardashti,et al.  The gem5 simulator , 2011, CARN.

[33]  Martín Abadi,et al.  Control-flow integrity , 2005, CCS '05.

[34]  R. L. Hoffman,et al.  IBM System/38 support for capability-based addressing , 1981, ISCA '81.

[35]  Arthur Azevedo de Amorim A Methodology For Micro-Policies , 2017 .

[36]  Milo M. K. Martin,et al.  Hardbound: architectural support for spatial safety of the C programming language , 2008, ASPLOS.

[37]  Edward A. Feustel,et al.  On The Advantages of Tagged Architecture , 1973, IEEE Transactions on Computers.

[38]  Dawn Xiaodong Song,et al.  SoK: Eternal War in Memory , 2013, 2013 IEEE Symposium on Security and Privacy.

[39]  Hovav Shacham,et al.  When good instructions go bad: generalizing return-oriented programming to RISC , 2008, CCS.

[40]  Zhenkai Liang,et al.  Data-Oriented Programming: On the Expressiveness of Non-control Data Attacks , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[41]  Babak Falsafi,et al.  FADE: A programmable filtering accelerator for instruction-grain monitoring , 2014, 2014 IEEE 20th International Symposium on High Performance Computer Architecture (HPCA).

[42]  Miguel Castro,et al.  Securing software by enforcing data-flow integrity , 2006, OSDI '06.

[43]  Yunheung Paek,et al.  HDFI: Hardware-Assisted Data-Flow Isolation , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[44]  Alessandro Orso,et al.  Effective memory protection using dynamic tainting , 2007, ASE '07.

[45]  George Candea,et al.  Code-pointer integrity , 2014, OSDI.

[46]  Carla E. Brodley,et al.  SmashGuard: A Hardware Solution to Prevent Security Attacks on the Function Return Address , 2006, IEEE Transactions on Computers.

[47]  Peter G. Neumann,et al.  The CHERI capability model: Revisiting RISC in an age of risk , 2014, 2014 ACM/IEEE 41st International Symposium on Computer Architecture (ISCA).

[48]  Norman P. Jouppi,et al.  CACTI 6.0: A Tool to Model Large Caches , 2009 .

[49]  Miguel Castro,et al.  Preventing Memory Error Exploits with WIT , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[50]  Krste Asanovic,et al.  Mondrian memory protection , 2002, ASPLOS X.