Strato: A Retargetable Framework for Low-Level Inlined-Reference Monitors

Low-level Inlined Reference Monitors (IRM) such as control-flow integrity and software-based fault isolation can foil numerous software attacks. Conventionally, those IRMs are implemented through binary rewriting or transformation on equivalent low-level programs that are tightly coupled with a specific Instruction Set Architecture (ISA). Resulting implementations have poor retargetability to different ISAs. This paper introduces an IRM-implementation framework at a compiler intermediate-representation (IR) level. The IR-level framework enables easy retargetability to different ISAs, but raises the challenge of how to preserve security at the low level, as the compiler backend might invalidate the assumptions at the IR level. We propose a constraint language to encode the assumptions and check whether they still hold after the backend transformations and optimizations. Furthermore, an independent verifier is implemented to validate the security of low-level code. We have implemented the framework inside LLVM to enforce the policy of control-flow integrity and data sandboxing for both reads and writes. Experimental results demonstrate that it incurs modest runtime overhead of 19.90% and 25.34% on SPECint2000 programs for ×86- 32 and ×86-64, respectively.

[1]  Alan Donovan,et al.  PNaCl : Portable Native Client Executables , 2022 .

[2]  Mark N. Wegman,et al.  An efficient method of computing static single assignment form , 1989, POPL '89.

[3]  Martín Abadi,et al.  XFI: software guards for system address spaces , 2006, OSDI '06.

[4]  Miguel Castro,et al.  Fast byte-granularity software fault isolation , 2009, SOSP '09.

[5]  Martín Abadi,et al.  A Theory of Secure Control Flow , 2005, ICFEM.

[6]  David E. Evans,et al.  Flexible policy-directed code safety , 1999, Proceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344).

[7]  Mihai Budiu,et al.  Control-flow integrity principles, implementations, and applications , 2009, TSEC.

[8]  Stephen McCamant,et al.  Evaluating SFI for a CISC Architecture , 2006, USENIX Security Symposium.

[9]  Dan S. Wallach,et al.  Java security: from HotJava to Netscape and beyond , 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[10]  Kevin W. Hamlen,et al.  Securing untrusted code via compiler-agnostic binary rewriting , 2012, ACSAC '12.

[11]  Xuejun Yang,et al.  Finding and understanding bugs in C compilers , 2011, PLDI '11.

[12]  Martín Abadi,et al.  Control-flow integrity , 2005, CCS '05.

[13]  Zhi Wang,et al.  HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity , 2010, 2010 IEEE Symposium on Security and Privacy.

[14]  Dinakar Dhurjati,et al.  Enforcing Alias Analysis for Weakly Typed Languages , 2005 .

[15]  J. Gregory Morrisett,et al.  Combining control-flow integrity and static analysis for efficient and validated data sandboxing , 2011, CCS '11.

[16]  Bennet S. Yee,et al.  Adapting Software Fault Isolation to Contemporary CPU Architectures , 2010, USENIX Security Symposium.

[17]  George C. Necula,et al.  CCured: type-safe retrofitting of legacy code , 2002, POPL '02.

[18]  Robert Wahbe,et al.  Efficient software-based fault isolation , 1994, SOSP '93.

[19]  Jun Xu,et al.  Non-Control-Data Attacks Are Realistic Threats , 2005, USENIX Security Symposium.

[20]  Andrew W. Appel,et al.  Using memory errors to attack a virtual machine , 2003, 2003 Symposium on Security and Privacy, 2003..

[21]  Joseph Tassarotti,et al.  RockSalt: better, faster, stronger SFI for the x86 , 2012, PLDI.

[22]  Dinakar Dhurjati,et al.  SAFECode: enforcing alias analysis for weakly typed languages , 2005, PLDI '06.

[23]  Úlfar Erlingsson,et al.  IRM enforcement of Java stack inspection , 2000, Proceeding 2000 IEEE Symposium on Security and Privacy. S&P 2000.

[24]  Milo M. K. Martin,et al.  SoftBound: highly compatible and complete spatial memory safety for c , 2009, PLDI '09.

[25]  Hovav Shacham,et al.  Return-oriented programming without returns , 2010, CCS '10.

[26]  George C. Necula,et al.  CCured: type-safe retrofitting of legacy code , 2002, SIGP.

[27]  Mark N. Wegman,et al.  Efficiently computing static single assignment form and the control dependence graph , 1991, TOPL.

[28]  Christopher Small MiSFIT: A Tool for Constructing Safe Extensible C++ Systems , 1997, COOTS.

[29]  J. Gregory Morrisett,et al.  Robusta: taming the native beast of the JVM , 2010, CCS '10.

[30]  Vikram S. Adve,et al.  LLVM: a compilation framework for lifelong program analysis & transformation , 2004, International Symposium on Code Generation and Optimization, 2004. CGO 2004..

[31]  Derek Bruening,et al.  Secure Execution via Program Shepherding , 2002, USENIX Security Symposium.

[32]  Úlfar Erlingsson,et al.  SASI enforcement of security policies: a retrospective , 1999, Proceedings DARPA Information Survivability Conference and Exposition. DISCEX'00.

[33]  Dinakar Dhurjati,et al.  Backwards-compatible array bounds checking for C with very low overhead , 2006, ICSE.

[34]  Hovav Shacham,et al.  The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86) , 2007, CCS '07.

[35]  Miguel Castro,et al.  Securing software by enforcing data-flow integrity , 2006, OSDI '06.

[36]  Neha Narula,et al.  Native Client: A Sandbox for Portable, Untrusted x86 Native Code , 2009, IEEE Symposium on Security and Privacy.

[37]  Jack W. Davidson,et al.  Safe virtual execution using software dynamic translation , 2002, 18th Annual Computer Security Applications Conference, 2002. Proceedings..