SPAM: Stateless Permutation of Application Memory

In this paper, we propose the Stateless Permutation of Application Memory (SPAM), a software defense that enables fine-grained data permutation for C programs. The key benefits include resilience against attacks that directly exploit software errors (i.e., spatial and temporal memory safety violations) in addition to attacks that exploit hardware vulnerabilities such as ColdBoot, RowHammer or hardware side-channels to disclose or corrupt memory using a single cohesive technique. Unlike prior work, SPAM is stateless by design making it automatically applicable to multi-threaded applications. We implement SPAM as an LLVM compiler pass with an extension to the compiler-rt runtime. We evaluate it on the C subset of the SPEC2017 benchmark suite and three real-world applications: the Nginx web server, the Duktape Javascript interpreter, and the WolfSSL cryptographic library. We further show SPAM's scalability by running a multi-threaded benchmark suite. SPAM has greater security coverage and comparable performance overheads to state-of-the-art software techniques for memory safety on contemporary x86_64 processors. Our security evaluation confirms SPAM's effectiveness in preventing intra/inter spatial/temporal memory violations by making the attacker success chances as low as 1/16!.

[1]  Omer Khan,et al.  CRONO: A Benchmark Suite for Multithreaded Graph Algorithms Executing on Futuristic Multicores , 2015, 2015 IEEE International Symposium on Workload Characterization.

[2]  Milo M. K. Martin,et al.  CETS: compiler enforced temporal safety for C , 2010, ISMM '10.

[3]  Emery D. Berger,et al.  DieHard: probabilistic memory safety for unsafe languages , 2006, PLDI '06.

[4]  Milo M. K. Martin,et al.  SoftBound: highly compatible and complete spatial memory safety for c , 2009, PLDI '09.

[5]  Pierre L'Ecuyer,et al.  TestU01: A C library for empirical testing of random number generators , 2006, TOMS.

[6]  Hiroshi Sasaki,et al.  Practical Byte-Granular Memory Blacklisting using Califorms , 2019, MICRO.

[7]  Derek Bruening,et al.  AddressSanitizer: A Fast Address Sanity Checker , 2012, USENIX Annual Technical Conference.

[8]  S. Bharadwaj Yadavalli,et al.  Raising binaries to LLVM IR with MCTOLL (WIP paper) , 2019, LCTES.

[9]  Brent Byunghoon Kang,et al.  POLaR: Per-Allocation Object Layout Randomization , 2019, 2019 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN).

[10]  S. Bhatkar,et al.  Data Space Randomization , 2008, DIMVA.

[11]  Roland H. C. Yap,et al.  Heap bounds protection with low fat pointers , 2016, CC.

[12]  Frank Piessens,et al.  Breaking the memory secrecy assumption , 2009, EUROSEC '09.

[13]  Ariel J. Feldman,et al.  Lest we remember: cold-boot attacks on encryption keys , 2008, CACM.

[14]  Ahmad-Reza Sadeghi,et al.  Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization , 2013, 2013 IEEE Symposium on Security and Privacy.

[15]  Emery D. Berger,et al.  STABILIZER: statistically sound performance evaluation , 2013, ASPLOS '13.

[16]  Soyeon Park,et al.  libmpk: Software Abstraction for Intel Memory Protection Keys (Intel MPK) , 2019, USENIX Annual Technical Conference.

[17]  John Johansen,et al.  PointGuard™: Protecting Pointers from Buffer Overflow Vulnerabilities , 2003, USENIX Security Symposium.

[18]  Carl A. Gunter,et al.  Leaky Cauldron on the Dark Land: Understanding Memory Side-Channel Hazards in SGX , 2017, CCS.

[19]  Roland H. C. Yap,et al.  Stack Bounds Protection with Low Fat Pointers , 2017, NDSS.

[20]  David Thomas,et al.  The Art in Computer Programming , 2001 .

[21]  Stefan Mangard,et al.  Cache Template Attacks: Automating Attacks on Inclusive Last-Level Caches , 2015, USENIX Security Symposium.

[22]  Donald Ervin Knuth,et al.  The Art of Computer Programming, Volume II: Seminumerical Algorithms , 1970 .

[23]  Emery D. Berger,et al.  DieHarder: securing the heap , 2010, CCS '10.

[24]  Christof Fetzer,et al.  Intel MPX Explained , 2018, PERV.

[25]  Michael L. Scott,et al.  Hodor: Intra-Process Isolation for High-Throughput Data Plane Libraries , 2019, USENIX Annual Technical Conference.

[26]  Thorsten Holz,et al.  STEROIDS for DOPed Applications: A Compiler for Automated Data-Oriented Programming , 2019, 2019 IEEE European Symposium on Security and Privacy (EuroS&P).

[27]  Phillip Rogaway,et al.  A Synopsis of Format-Preserving Encryption , 2010 .

[28]  Todd M. Austin,et al.  Smokestack: Thwarting DOP Attacks with Runtime Stack Layout Randomization , 2019, 2019 IEEE/ACM International Symposium on Code Generation and Optimization (CGO).

[29]  Roland H. C. Yap,et al.  An Extended Low Fat Allocator API and Applications , 2018, ArXiv.

[30]  Timothy M. Jones,et al.  CHERIvoke: Characterising Pointer Revocation using CHERI Capabilities for Temporal Memory Safety , 2019, MICRO.

[31]  Ahmad-Reza Sadeghi,et al.  Isomeron: Code Randomization Resilient to (Just-In-Time) Return-Oriented Programming , 2015, NDSS.

[32]  Chris Fallin,et al.  Flipping bits in memory without accessing them: An experimental study of DRAM disturbance errors , 2014, 2014 ACM/IEEE 41st International Symposium on Computer Architecture (ISCA).

[33]  Zhiqiang Lin,et al.  FreeGuard: A Faster Secure Heap Allocator , 2017, CCS.

[34]  Ye Wang,et al.  Shapeshifter: Intelligence-driven data plane randomization resilient to data-oriented programming attacks , 2020, Comput. Secur..

[35]  Mathias Payer,et al.  CUP: Comprehensive User-Space Protection for C/C++ , 2017, AsiaCCS.

[36]  Peter Druschel,et al.  ERIM: Secure, Efficient In-process Isolation with Protection Keys (MPK) , 2019, USENIX Security Symposium.

[37]  Sandya Mannarswamy,et al.  Practical structure layout optimization and advice , 2006, International Symposium on Code Generation and Optimization (CGO'06).

[38]  Jun Xu,et al.  Non-Control-Data Attacks Are Realistic Threats , 2005, USENIX Security Symposium.

[39]  Zhisheng Hu,et al.  Feedback control can make data structure layout randomization more cost-effective under zero-day attacks , 2018, Cybersecur..

[40]  Peng Liu,et al.  A Practical Approach for Adaptive Data Structure Layout Randomization , 2015, ESORICS.

[41]  Tong Zhang,et al.  BOGO: Buy Spatial Memory Safety, Get Temporal Memory Safety (Almost) Free , 2019, ASPLOS.

[42]  Ruby B. Lee,et al.  Arbitrary bit permutations in one or two cycles , 2003, Proceedings IEEE International Conference on Application-Specific Systems, Architectures, and Processors. ASAP 2003.

[43]  Trent Jaeger,et al.  Exploitation Techniques and Defenses for Data-Oriented Attacks , 2019, 2019 IEEE Cybersecurity Development (SecDev).

[44]  Marcus Peinado,et al.  High-Resolution Side Channels for Untrusted Operating Systems , 2017, USENIX Annual Technical Conference.

[45]  Wouter Joosen,et al.  RIPE: runtime intrusion prevention evaluator , 2011, ACSAC '11.

[46]  Michael Hamburg,et al.  Spectre Attacks: Exploiting Speculative Execution , 2018, 2019 IEEE Symposium on Security and Privacy (SP).

[47]  Xu Liu,et al.  StructSlim: A lightweight profiler to guide structure splitting , 2016, 2016 IEEE/ACM International Symposium on Code Generation and Optimization (CGO).

[48]  David A. Wagner,et al.  Oscar: A Practical Page-Permissions-Based Scheme for Thwarting Dangling Pointers , 2017, USENIX Security Symposium.

[49]  Zhenkai Liang,et al.  Jump-oriented programming: a new class of code-reuse attack , 2011, ASIACCS '11.

[50]  Peter G. Neumann,et al.  CHERI: A Hybrid Capability-System Architecture for Scalable Software Compartmentalization , 2015, 2015 IEEE Symposium on Security and Privacy.

[51]  Eugene H. Spafford,et al.  Improved kernel security through memory layout randomization , 2013, 2013 IEEE 32nd International Performance Computing and Communications Conference (IPCCC).

[52]  Thomas Pornin,et al.  Perfect Block Ciphers with Small Blocks , 2007, FSE.

[53]  J. Wishart Statistical tables , 2018, Global Education Monitoring Report.

[54]  Zhiqiang Lin,et al.  Guarder: A Tunable Secure Allocator , 2018, USENIX Security Symposium.

[55]  Thomas Ristenpart,et al.  The Mix-and-Cut Shuffle: Small-Domain Encryption Secure against N Queries , 2013, CRYPTO.

[56]  Jóakim von Kistowski,et al.  SPEC CPU2017: Next-Generation Compute Benchmark , 2018, ICPE Companion.

[57]  Ahmad-Reza Sadeghi,et al.  Counterfeit Object-oriented Programming: On the Difficulty of Preventing Code Reuse Attacks in C++ Applications , 2015, 2015 IEEE Symposium on Security and Privacy.

[58]  Dongyan Xu,et al.  Polymorphing Software by Randomizing Data Structure Layout , 2009, DIMVA.

[59]  Anne Rogers,et al.  Supporting dynamic data structures on distributed-memory machines , 1995, TOPL.

[60]  Roland H. C. Yap,et al.  EffectiveSan: type and memory error detection using dynamically typed C/C++ , 2017, PLDI.

[61]  Jonathan M. Smith,et al.  USENIX Association , 2000 .

[62]  Phillip Rogaway,et al.  An Enciphering Scheme Based on a Card Shuffle , 2012, CRYPTO.

[63]  Kui Wang,et al.  PAC it up: Towards Pointer Integrity using ARM Pointer Authentication , 2018, USENIX Security Symposium.

[64]  Brent Byunghoon Kang,et al.  On the Analysis of Byte-Granularity Heap Randomization , 2021, IEEE Transactions on Dependable and Secure Computing.

[65]  Yves Younan,et al.  FreeSentry: protecting against use-after-free vulnerabilities due to dangling pointers , 2015, NDSS.

[66]  Xi Chen,et al.  The Dynamics of Innocent Flesh on the Bone: Code Reuse Ten Years Later , 2017, CCS.

[67]  M. Castro,et al.  Data Randomization , 2008 .

[68]  Yuebin Bai,et al.  LWPTool: A Lightweight Profiler to Guide Data Layout Optimization , 2018, IEEE Transactions on Parallel and Distributed Systems.

[69]  Andrew McGregor,et al.  Mesh: compacting memory management for C/C++ applications , 2019, PLDI.

[70]  Ruby B. Lee,et al.  Efficient permutation instructions for fast software cryptography , 2001 .

[71]  Jerome H. Saltzer,et al.  The protection of information in computer systems , 1975, Proc. IEEE.

[72]  Zhenkai Liang,et al.  Data-Oriented Programming: On the Expressiveness of Non-control Data Attacks , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[73]  Miguel Castro,et al.  Securing software by enforcing data-flow integrity , 2006, OSDI '06.

[74]  Junfeng Yang,et al.  Shuffler: Fast and Deployable Continuous Code Re-Randomization , 2016, OSDI.