Title: Hardware-based Always-On Memory Safety

Date: Thursday, July 27th 

Time: 8:30 AM – 10:00 AM (EDT)

Location: Klaus 2100

Virtual: Zoom Link (Meeting Code: 854 234 9794, Passcode: 110142)

Yonghae Kim

Ph.D. Candidate

School of Computer Science

Georgia Institute of Technology

Committee:

Dr. Hyesoon Kim (Advisor) - School of Computer Science, Georgia Institute of Technology

Dr. Moinuddin Qureshi - School of Computer Science, Georgia Institute of Technology

Dr. Taesoo Kim - School of Computer Science and School of Cybersecurity and Privacy, Georgia Institute of Technology

Dr. Vivek Sarkar - School of Computer Science, Georgia Institute of Technology

Dr. Jaekyu Lee - Arm

Abstract:

For decades, memory safety issues have exposed substantial security threats to computer systems. Memory safety violations occur when instructions perform illegitimate memory accesses to a program’s address space. There are broadly two types of memory safety violations. If a memory access occurs outside of its allowed range, e.g., out-of- bounds (OOB) access, it violates spatial memory safety. When a memory region is accessed after the region is no longer valid, temporal memory safety is violated, e.g., use-after-free (UAF). Despite long-term efforts to resolve, memory safety issues are still the most prevalent and problematic. Recent studies show that ∼70% of security vulnerabilities addressed in industry stemmed from memory violations.

In this dissertation, we first note the prevalence of control-flow attacks in real world. Control-flow attacks aim to alter the control flow of a program to achieve arbitrary code execution, privilege escalation, etc. To protect systems against such attacks, we propose Code-Pointer Tagging (CPT), a hardware-assisted solution for forward-edge control-flow integrity (CFI). CPT combines security properties of CFI and cryptographic solutions and thereby enables effective detection of malicious control-flow changes. We further analyze the security of existing pointer authentication (PA) solutions and observe that replay attacks, which leak signed pointers from memory and reuse them, remain as the major attack vector. To further harden security, we propose Authenticated Control-Flow Integrity (aCFI). In this work, we form a baseline using Google CFI and Arm PA. On top of our design, we develop a mitigation method for replay attacks, called MAC closure. All together, we demonstrate that aCFI enforces strict CFI combined with PA while sustaining high performance.

Besides control-flow attacks, recent work has shown that Turing-complete attacks are possible without altering the control flow. Such data-oriented attacks corrupt variables that influence a program’s decision making or just leak sensitive information without hijacking the control flow. To prevent such attacks and achieve complete memory safety, we propose defense mechanisms for mitigating root cause violations of memory safety. First, we present Always-On memory Safety (AOS), a low-overhead heap protection mechanism. AOS proposes a data-pointer signing scheme that utilizes the unused upper bits of a pointer for a security purpose. With the proposed hardware support, AOS achieves efficient metadata management and bounds checks transparently performed in hardware. Second, we present RV-CURE, a RISC-V capability architecture that orchestrates compiler, architecture, and system designs. RV-CURE proposes data-pointer tagging (DPT) that generalizes a pointer-tagging method for all memory types, including stack, heap, and global memory. In addition, RV-CURE investigates efficient, lightweight hardware extensions for DPT based on the RISC-V BOOM core.