Journal of Computer Science and Technology, 2020, Vol. 35, Issue 2: 418-432. doi: 10.1007/s11390-020-9703-2


IMPULP: A Hardware Approach for In-Process Memory Protection via User-Level Partitioning

Yang-Yang Zhao1,2, Student Member, IEEE, Ming-Yu Chen1,2,3,*, Member, CCF, ACM, IEEE, Yu-Hang Liu1,2,3, Member, CCF, ACM, IEEE, Zong-Hao Yang1,2, Xiao-Jing Zhu1, Zong-Hui Hong2, Yun-Ge Guo2

  1 State Key Laboratory of Computer Architecture, Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100190, China;
  2 University of Chinese Academy of Sciences, Beijing 100049, China;
  3 PengCheng Laboratory, Shenzhen 518055, China
  • Received: 2019-05-09; Revised: 2020-02-04; Online: 2020-03-05; Published: 2020-03-18
  • Corresponding author: Ming-Yu Chen, E-mail: cmy@ict.ac.cn
  • About the author: Yang-Yang Zhao received her M.E. degree in electronic and communication engineering from Harbin Institute of Technology, Harbin, in 2013. She is a Ph.D. candidate in computer architecture at the University of Chinese Academy of Sciences, Beijing. She is also a student member of IEEE. Her main research interests include architecture, memory systems, and security.
  • Funding:
    This work was supported by the National Key Research and Development Plan of China under Grant No. 2016YFB1000200, the National Natural Science Foundation of China under Grant No. 61772497, and the State Key Laboratory of Computer Architecture Foundation under Grant Nos. CARCH4405 and CARCH2601.


Abstract (Chinese version, translated): In recent years, many security attacks have arisen when malicious code abuses in-process memory resources. As applications grow more complex, they inevitably call third-party code that programmers cannot control and that may contain security vulnerabilities, exposing users to the risk of information leakage and control-flow hijacking. However, current solutions such as Intel Memory Protection Extensions severely degrade performance, while other approaches such as Intel Memory Protection Keys lack flexibility in dividing security domains. In this paper, we propose In-Process User-Level Partitioning Protection (IMPULP), an effective and efficient hardware approach for in-process memory protection. The rationale of IMPULP is user-level partitioning, i.e., user code segments are divided into different security domains according to their instruction addresses. The accessible memory space of each domain is specified dynamically through a set of boundary registers. Every memory-access instruction is checked according to its security domain and the corresponding boundaries, preventing untrusted code segments from performing illegal in-process memory accesses. IMPULP can be used to prevent a variety of in-process memory abuse attacks, such as buffer overflows and memory leakage. We developed an FPGA prototype system based on the RISC-V instruction set architecture for testing. We tested seven cases to verify the effectiveness of IMPULP, including five memory protection function tests, one defense test against a typical buffer overflow, and one defense test against the well-known memory leakage attack named Heartbleed. We ran the SPEC CPU2006 benchmark programs to evaluate the efficiency of IMPULP. The average runtime overhead of IMPULP is less than 0.2%, which is negligible. The resource overhead of IMPULP's hardware modifications is less than 5.5%.

Keywords (Chinese version, translated): in-process isolation, memory protection, out-of-bounds, user-level partitioning

Abstract: In recent years, many security attacks have occurred when malicious code abuses in-process memory resources. Because of increasing complexity, an application program may call third-party code that cannot be controlled by its programmers but may contain security vulnerabilities. As a result, users run the risk of information leakage and control-flow hijacking. However, current solutions such as Intel Memory Protection Extensions (MPX) severely degrade performance, while other approaches such as Intel Memory Protection Keys (MPK) lack flexibility in dividing security domains. In this paper, we propose IMPULP, an effective and efficient hardware approach for in-process memory protection. The rationale of IMPULP is user-level partitioning: user code segments are divided into different security domains according to their instruction addresses, and accessible memory spaces are specified dynamically for each domain via a set of boundary registers. Each memory-access instruction is checked according to its security domain and the corresponding boundaries, and illegal in-process memory accesses by untrusted code segments are prevented. IMPULP can be leveraged to prevent a wide range of in-process memory abuse attacks, such as buffer overflows and memory leakages. For verification, an FPGA prototype based on the RISC-V instruction set architecture has been developed. We present eight tests to verify the effectiveness of IMPULP, including five memory protection function tests, a test defending against a typical buffer overflow, a test defending against the well-known memory leakage attack named Heartbleed, and a test on a security benchmark. We execute the SPEC CPU2006 benchmark programs to evaluate the efficiency of IMPULP. The performance overhead of IMPULP is less than 0.2% runtime on average, which is negligible. Moreover, the resource overhead of the hardware modification for IMPULP is less than 5.5%.

Keywords: in-process isolation, memory protection, out-of-bounds, user-level partitioning
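The domain-and-boundary check that the abstract describes, written here as an added software model for illustration. It is not the paper's RTL or RISC-V extension; the number of boundary-register pairs per domain, the half-open range semantics, the fail-closed treatment of code that belongs to no configured domain, and the whole address layout are assumptions of this example. The scenario follows the abstract's two defense tests: a trusted application domain narrows an untrusted library domain's boundary registers to one buffer before calling into it, so a write past the buffer end and a Heartbleed-style over-read of a neighbouring secret are both rejected.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_DOMAINS 4
#define MAX_BOUNDS  4   /* boundary-register pairs per domain (assumed; the paper's count is not on this page) */

typedef struct { uint64_t lo, hi; } range_t;   /* half-open range [lo, hi) */

typedef struct {
    range_t code;                /* instruction-address range that defines the domain */
    range_t bounds[MAX_BOUNDS];  /* accessible data ranges: the domain's boundary registers */
    int     nbounds;
} domain_t;

typedef struct {
    domain_t domains[MAX_DOMAINS];
    int      ndomains;
} impulp_t;

/* Register a code partition; returns its domain index or -1 when the table is full. */
int impulp_add_domain(impulp_t *m, uint64_t code_lo, uint64_t code_hi) {
    if (m->ndomains >= MAX_DOMAINS || code_lo >= code_hi) return -1;
    m->domains[m->ndomains].code.lo = code_lo;
    m->domains[m->ndomains].code.hi = code_hi;
    m->domains[m->ndomains].nbounds = 0;
    return m->ndomains++;
}

/* Load one boundary-register pair of a domain (the "dynamic" part); 0 on success, -1 on error. */
int impulp_set_bound(impulp_t *m, int dom, uint64_t lo, uint64_t hi) {
    if (dom < 0 || dom >= m->ndomains || lo >= hi) return -1;
    domain_t *d = &m->domains[dom];
    if (d->nbounds >= MAX_BOUNDS) return -1;
    d->bounds[d->nbounds].lo = lo;
    d->bounds[d->nbounds].hi = hi;
    d->nbounds++;
    return 0;
}

/* Domain lookup by instruction address (user-level partitioning); -1 if no domain matches. */
int impulp_domain_of(const impulp_t *m, uint64_t pc) {
    for (int i = 0; i < m->ndomains; i++)
        if (pc >= m->domains[i].code.lo && pc < m->domains[i].code.hi) return i;
    return -1;
}

/* The per-instruction check: 1 = access permitted, 0 = violation (hardware would raise a fault). */
int impulp_check(const impulp_t *m, uint64_t pc, uint64_t addr, uint64_t size) {
    int d = impulp_domain_of(m, pc);
    if (d < 0) return 0;                            /* code outside every domain: fail closed (assumed policy) */
    if (size == 0 || addr + size < addr) return 0;  /* empty or wrapping access: reject */
    uint64_t end = addr + size;
    for (int i = 0; i < m->domains[d].nbounds; i++) {
        const range_t *r = &m->domains[d].bounds[i];
        if (addr >= r->lo && end <= r->hi) return 1; /* the whole access lies inside one bound */
    }
    return 0;
}

/* Constructed example layout (not taken from the paper). */
#define APP_CODE_LO 0x00010000ULL   /* trusted application code */
#define APP_CODE_HI 0x00020000ULL
#define LIB_CODE_LO 0x00020000ULL   /* untrusted third-party library code */
#define LIB_CODE_HI 0x00030000ULL
#define HEAP_LO     0x80000000ULL   /* whole data region owned by the application */
#define HEAP_HI     0x90000000ULL
#define BUF_LO      0x80001000ULL   /* 256-byte buffer the application hands to the library */
#define BUF_HI      0x80001100ULL
#define SECRET_ADDR 0x80002000ULL   /* e.g. a private key that lives near the buffer */

/* Evaluate one access against the example configuration: the application domain may touch all of
 * [HEAP_LO, HEAP_HI); before calling the library, it narrows the library domain to the buffer only. */
int impulp_example_check(uint64_t pc, uint64_t addr, uint64_t size) {
    impulp_t m = {0};
    int app = impulp_add_domain(&m, APP_CODE_LO, APP_CODE_HI);
    int lib = impulp_add_domain(&m, LIB_CODE_LO, LIB_CODE_HI);
    impulp_set_bound(&m, app, HEAP_LO, HEAP_HI);
    impulp_set_bound(&m, lib, BUF_LO, BUF_HI);
    return impulp_check(&m, pc, addr, size);
}

int main(void) {
    struct { const char *what; uint64_t pc, addr, size; } cases[] = {
        { "app reads its own secret",                0x10100, SECRET_ADDR, 8 },
        { "lib reads inside the buffer",             0x20010, BUF_LO, 16 },
        { "lib writes 16 bytes across buffer end",   0x20010, BUF_HI - 8, 16 },
        { "lib reads the secret outside the buffer", 0x20010, SECRET_ADDR, 8 },
        { "lib reads 64 KiB starting at the buffer", 0x20010, BUF_LO, 0x10000 },
        { "code belonging to no domain",             0x50000, BUF_LO, 4 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-42s -> %s\n", cases[i].what,
               impulp_example_check(cases[i].pc, cases[i].addr, cases[i].size) ? "allowed" : "FAULT");
    return 0;
}
```

Running the model prints one line per case. The first two accesses are allowed; the overflow across the buffer end, the read of the secret, and the oversized read are all faulted because the library domain's boundary registers cover only the buffer, even though the very same addresses remain reachable from the application domain. The check needs only the instruction address and the access range, which is why it can sit in the memory pipeline without any change to the application's data layout.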
