Building intrusion-tolerant secure software

In this work, we develop a secret sharing based compiler solution to achieve confidentiality, integrity and availability (intrusion tolerance) of critical data together, rather than tackling them one by one as in previous approaches. Under our scheme, the compiler automatically identifies some critical data values, whereas the user specifies some others. The compiler generates code for scattering/assembling and verifying of those critical data values using secret sharing scheme. In this way, we achieve data confidentiality and integrity. We also provide mechanisms to gracefully recover upon data tampering, achieving intrusion tolerance. The implementation of our secret sharing scheme is carefully crafted to achieve low overhead. We further propose several compiler optimizations such as secret-sharing-aware register allocation, rematerialization etc. to reduce the cost of secret sharing further, making our scheme a practical solution in a high performance system.

[1]  Yi-Min Wang,et al.  Checkpointing and its applications , 1995, Twenty-Fifth International Symposium on Fault-Tolerant Computing. Digest of Papers.

[2]  G. Edward Suh,et al.  Caches and hash trees for efficient memory integrity verification , 2003, The Ninth International Symposium on High-Performance Computer Architecture, 2003. HPCA-9 2003. Proceedings..

[3]  Matthew K. Franklin,et al.  Efficient Generation of Shared RSA Keys (Extended Abstract) , 1997, CRYPTO.

[4]  Todd M. Austin,et al.  The SimpleScalar tool set, version 2.0 , 1997, CARN.

[5]  John Cocke,et al.  A methodology for the real world , 1981 .

[6]  John Johansen,et al.  PointGuard™: Protecting Pointers from Buffer Overflow Vulnerabilities , 2003, USENIX Security Symposium.

[7]  Crispan Cowan,et al.  StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks , 1998, USENIX Security Symposium.

[8]  David R. Karger,et al.  Wide-area cooperative storage with CFS , 2001, SOSP.

[9]  Jun Yang,et al.  Fast Secure Processor for Inhibiting Software Piracy and Tampering , 2003, MICRO.

[10]  John Cocke,et al.  Register Allocation Via Coloring , 1981, Comput. Lang..

[11]  A. One,et al.  Smashing The Stack For Fun And Profit , 1996 .

[12]  George Varghese,et al.  Hardware and Binary Modification Support for Code Pointer Protection From Buffer Overflow , 2004, 37th International Symposium on Microarchitecture (MICRO-37'04).

[13]  Matthew K. Franklin,et al.  Efficient generation of shared RSA keys , 2001, JACM.

[14]  Keith D. Cooper,et al.  Improvements to graph coloring register allocation , 1994, TOPL.

[15]  Adi Shamir,et al.  How to share a secret , 1979, CACM.

[16]  Tao Zhang,et al.  HIDE: an infrastructure for efficiently protecting information leakage on the address bus , 2004, ASPLOS XI.

[17]  Dan Boneh,et al.  Architectural support for copy and tamper resistant software , 2000, SIGP.

[18]  G. Edward Suh,et al.  Efficient Memory Integrity Verification and Encryption for Secure Processors , 2003, MICRO.