Juhee Kim,Jinbum Park,Sihyeon Roh,Jaeyoung Chung,Youngjoo Lee,Taesoo Kim,Byoungyoung Lee

2024-06-13

Abstract:ARM Memory Tagging Extension (MTE) is a new hardware feature introduced in ARMv8.5-A architecture, aiming to detect memory corruption vulnerabilities. The low overhead of MTE makes it an attractive solution to mitigate memory corruption attacks in modern software systems and is considered the most promising path forward for improving C/C++ software security. This paper explores the potential security risks posed by speculative execution attacks against MTE. Specifically, this paper identifies new TikTag gadgets capable of leaking the MTE tags from arbitrary memory addresses through speculative execution. With TikTag gadgets, attackers can bypass the probabilistic defense of MTE, increasing the attack success rate by close to 100%. We demonstrate that TikTag gadgets can be used to bypass MTE-based mitigations in real-world systems, Google Chrome and the Linux kernel. Experimental results show that TikTag gadgets can successfully leak an MTE tag with a success rate higher than 95% in less than 4 seconds. We further propose new defense mechanisms to mitigate the security risks posed by TikTag gadgets.

Cryptography and Security

Jinjae Lee,Derry Pratama,Minjae Kim,Howon Kim,Donghyun Kwon

DOI: https://doi.org/10.3390/s21227771

2021-11-22

Abstract:Commodity processor architectures are releasing various instruction set extensions to support security solutions for the efficient mitigation of memory vulnerabilities. Among them, tagged memory extension (TME), such as ARM MTE and SPARC ADI, can prevent unauthorized memory access by utilizing tagged memory. However, our analysis found that TME has performance and security issues in practical use. To alleviate these, in this paper, we propose CoMeT, a new instruction set extension for tagged memory. The key idea behind CoMeT is not only to check whether the tag values in the address tag and memory tag are matched, but also to check the access permissions for each tag value. We implemented the prototype of CoMeT on the RISC-V platform. Our evaluation results confirm that CoMeT can be utilized to efficiently implement well-known security solutions, i.e., shadow stack and in-process isolation, without compromising security.

Rui Chang,Liehui Jiang,Wenzhi Chen,Yang Xiang,Yuxia Cheng,Abdulhameed Alelaiwi

DOI: https://doi.org/10.1007/s10586-017-0833-4

2017-01-01

Cluster Computing

Abstract:With the rapid development of Internet of Things technology and the promotion of embedded devices’ computation performance, smart devices are probably open to security threats and attacks while connecting with rich and novel Internet. Attracting lots of attention in embedded system security community recently, Trusted Execution Environment (TEE), allows for the execution of arbitrary code within environments completely isolated from the rest of a system. However, existing memory protection methods in a TEE are inadequate. In general, the software-based formal methods are not practical and the hardware-based implementation approaches lack of theoretical proof. To address the memory isolation and protection problems in TEE, in this paper, we propose a practical memory integrity protection method on an ARM-based platform, called MIPE, to defend against security threats including kernel data attacks and direct memory access attacks. MIPE utilizes TrustZone technique to create a isolated execution environment, which can protect the sensitive code and data against attacks. To present the integrity protection strategies, we provide the design of MIPE using B method, which is a practical formal method. We also implement MIPE on the Xilinx Zynq ZC702 evaluation board. The evaluation results show that the automatic proof rate of machines using B method is about 78.32%, and the proposed method is effective and feasible in terms of both load time and overhead.

Tong Sun,Borui Li,Yixiao Teng,Yi Gao,Wei Dong

DOI: https://doi.org/10.1109/ipsn61024.2024.00021

2024-01-01

Abstract:Internet of Things (IoT) applications have recently been widely used in safety-critical scenarios. To prevent sensitive information leaks, IoT device vendors provide hardware-assisted protections, called Trusted Execution Environments (TEEs), like ARM Trust-Zone. Programming a TEE-based application requires separate code for two components, significantly slowing down the development process. Existing solutions tackle this issue by automatic code partition while not successfully applying it in two complicated scenarios: adding trusted logic and interactions with secure peripherals.We propose dTEE, a declarative approach to secure IoT applications based on TrustZone. dTEE proposes a rapid approach that enables developers to declare tiered-sensitive variables and functions of existing applications. Besides, dTEE automatically transforms device drivers into trusted ones. We evaluate dTEE on four real-world IoT applications and seven micro-benchmarks. Results show that dTEE achieves high expressiveness for supporting 50% more applications than existing approaches and reduces 90% of the lines of code against handcrafted development.

Konrad Hohentanner,Philipp Zieris,Julian Horsch

DOI: https://doi.org/10.48550/arXiv.2202.08669

2022-02-17

Cryptography and Security

Abstract:Memory safety bugs remain in the top ranks of security vulnerabilities, even after decades of research on their detection and prevention. Various mitigations have been proposed for C/C++, ranging from language dialects to instrumentation. Among these, compiler-based instrumentation is particularly promising, not requiring manual code modifications and being able to achieve precise memory safety. Unfortunately, existing compiler-based solutions compromise in many areas, including performance but also usability and memory safety guarantees. New developments in hardware can help improve performance and security of compiler-based memory safety. ARM Pointer Authentication, added in the ARMv8.3 architecture, is intended to enable hardware-assisted Control Flow Integrity. But since its operations are relatively generic, it also enables other, more comprehensive hardware-supported runtime integrity approaches. As such, we propose PACSafe, a memory safety approach based on ARM Pointer Authentication. PACSafe uses pointer signatures to retrofit full memory safety to C/C++ programs, protecting heap, stack, and globals against temporal and spatial vulnerabilities. We present a full, LLVM-based prototype implementation, running on an M1 MacBook Pro, i.e., on actual ARMv8.3 hardware. Our prototype evaluation shows that the system outperforms similar approaches under real-world conditions. This, together with its compatibility with uninstrumented libraries and cryptographic protection against attacks on metadata, makes PACSafe a viable solution for retrofitting memory safety to C/C++ programs.

Wang Lei,Fang Chen,Mao Bing,Xie Li

DOI: https://doi.org/10.1109/DEPEND.2009.33

2009-01-01

Abstract:Memory corruption attacks account for most parts of malicious attacks toward software security. Recently dynamic taint analysis is proposed and is gaining momentum. This proposed technique attempts to defeat attacks by checking the taintedness and integrity of pointers when accessing memory since vulnerabilities are always motivated by tainting pointers. Unfortunately, there exists some class of attacks without tainting pointers, such as array bounds violation attacks using pointers. In this paper, we propose a novel approach to defeat this kind of undetected attacks using taint-based tracking analysis. Our notion is based on the memory access control, that is, first, we will check the taintedness of the pointers when accessing memory like existing taint-based approaches, second, we will check whether or not the memory area is in the legitimate range of a pointer used to access this memory. Our implementation dose not need source code and is based on Valgrind, hence works on commodity software. To demonstrate our idea, we performed a preliminary empirical experiments, the results are quite promising: TMAC can effectively detect a wide range of attacks, and the average runtime overhead is close to Memcheck, a widely memory error detector. © 2009 IEEE.

Yuan Li,Wende Tan,Zhizheng Lv,Songtao Yang,Mathias Payer,Ying Liu,Chao Zhang

DOI: https://doi.org/10.1145/3548606.3560598

2022-01-01

Abstract:ABSTRACTMemory safety is a key security property that stops memory corruption vulnerabilities. Different types of memory safety enforcement solutions have been proposed and adopted by sanitizers or mitigations to catch and stop such bugs, at the development or deployment phase. However, existing solutions either provide partial memory safety or have overwhelmingly high performance overheads. In this paper, we present a novel sanitizer PACMem to efficiently catch spatial and temporal memory safety bugs. PACMem removes the majority of the overheads by sealing metadata in pointers through the COTS hardware feature -- ARM PA (Pointer Authentication) and saving the overhead of pointer metadata tracking. We have developed a prototype of PACMem and systematically evaluated its security and performance on the Magma, Juliet, Nginx, and SPEC CPU2017 test suites. In our evaluation, PACMem shows no false positives together with negligible false negatives, while introducing stronger bug detection capabilities and lower performance overheads than state-of-the-art sanitizers, including HWASan, ASan, SoftBound+CETS, Memcheck, LowFat, and PTAuth. Compared to the widely deployed ASan, PACMem has no false positives and much fewer false negatives and reduces the runtime overheads by 15.80% and the memory overheads by 71.58%.

Myoung Jin Nam

2024-08-28

Abstract:Ensuring system correctness, such as memory safety, can eliminate security vulnerabilities that attackers could exploit in the first place. However, high and unpredictable performance degradation remains a primary challenge. Recognizing that it is extremely difficult to achieve complete system correctness for production deployment, researchers make trade-offs between performance, detection coverage, interoperability, precision, and detection timing. This research strikes a balance between comprehensive system protection and the costs required to obtain it, identifies the desirable roles of software and hardware, and presents a tagged pointer-based capability system as a stand-alone software solution and a prototype for future hardware design. This paper presents follow-up plans for the FRAMER/Miu generic framework to achieve these goals.

Cryptography and Security

Seonghwan Park,Hayoung Kang,Sanghun Han,Jonghee M. Youn,Donghyun Kwon

DOI: https://doi.org/10.1109/access.2024.3387300

IF: 3.9

2024-04-27

IEEE Access

Abstract:A smart contract is a program executed on a blockchain. However, once the smart contract is deployed on the blockchain, it becomes visible to all participants and remains immutable. Thus, any sensitive information or vulnerabilities in smart contracts can be exposed to potential attackers. To protect the confidentiality of smart contracts, existing studies execute smart contracts in a trusted execution environment (TEE). However, they still suffer from vulnerabilities in smart contracts and potential memory-vulnerability problems. If an attack such as privilege escalation occurs by exploiting this vulnerability, the TEE can have a detrimental effect on the entire system as it has the most privileges in the system. To mitigate the memory vulnerability of the smart contracts in TEE, we propose MECAT, a prototype for memory-safe confidential smart contracts. In essence, MECAT runs smart contracts written in Rust, a memory-safe language, in ARM TrustZone. And MECAT is developed as a software library, allowing developers to easily apply MECAT to their smart contracts. According to our evaluation, MECAT only incurs a 1.36x performance overhead and 0.30% power overhead in single-node environments and can process the 16 clients concurrently in the network made with 8 peer nodes.

computer science, information systems,telecommunications,engineering, electrical & electronic

Konrad Hohentanner,Philipp Zieris,Julian Horsch

DOI: https://doi.org/10.1145/3555776.3577635

2023-05-11

Abstract:Memory safety bugs remain in the top ranks of security vulnerabilities, even after decades of research on their detection and prevention. Various mitigations have been proposed for C/C++, ranging from language dialects to instrumentation. Among these, compiler-based instrumentation is particularly promising, not requiring manual code modifications and being able to achieve precise memory safety. Unfortunately, existing compiler-based solutions compromise in many areas, including performance but also usability and memory safety guarantees. New developments in hardware can help improve performance and security of compiler-based memory safety. ARM Pointer Authentication, added in the ARMv8.3 architecture, is intended to enable hardware-assisted Control Flow Integrity (CFI). But since its operations are generic, it also enables other, more comprehensive hardware-supported runtime integrity approaches. As such, we propose CryptSan, a memory safety approach based on ARM Pointer Authentication. CryptSan uses pointer signatures to retrofit memory safety to C/C++ programs, protecting heap, stack, and globals against temporal and spatial vulnerabilities. We present a full LLVM-based prototype implementation, running on an M1 MacBook Pro, i.e., on actual ARMv8.3 hardware. Our prototype evaluation shows that the system outperforms similar approaches under real-world conditions. This, together with its interoperability with uninstrumented libraries and cryptographic protection against attacks on metadata, makes CryptSan a viable solution for retrofitting memory safety to C/C++ programs.

Cryptography and Security,Programming Languages,Software Engineering

Sacha Ruchlejmer

2024-07-05

Abstract:Memory-unsafe programming languages such as C and C++ are the preferred languages for systems programming, embedded systems, and performance-critical applications. The widespread use of these languages makes the risk of memory-related attacks very high. There are well-known detection mechanisms, but they do not address software resilience. An earlier approach proposes the Secure Domain Rewind and Discard (SDRaD) of isolated domains as a method to enhance the resilience of software targeted by runtime attacks on x86 architecture, based on hardware-enforced Memory Protection Key (MPK). In this work, SDRaD has been adapted to work with the Capability Hardware Enhanced RISC Instructions (CHERI) architecture to be more lightweight and performant. The results obtained in this thesis show that CHERI-SDRaD, the prototype adaption that leverages the memory-safety properties inherent to the CHERI architecture, results in a solution with less performance degradation (2.2% in Nginx benchmarks) compared to earlier results obtained with the original SDRaD prototype on an Intel-based architecture. The adaption to CHERI additionally allowed limitations inherent to the MPK-based approach to be resolved.

Cryptography and Security

Robert Schilling,Mario Werner,Pascal Nasahl,Stefan Mangard

DOI: https://doi.org/10.1145/3274694.3274728

2018-09-24

Abstract:Reading and writing memory are, besides computation, the most common operations a processor performs. The correctness of these operations is therefore essential for the proper execution of any program. However, as soon as fault attacks are considered, assuming that the hardware performs its memory operations as instructed is not valid anymore. In particular, attackers may induce faults with the goal of reading or writing incorrectly addressed memory, which can have various critical safety and security implications. In this work, we present a solution to this problem and propose a new method for protecting every memory access inside a program against address tampering. The countermeasure comprises two building blocks. First, every pointer inside the program is redundantly encoded using a multi-residue error detection code. The redundancy information is stored in the unused upper bits of the pointer with zero overhead in terms of storage. Second, load and store instructions are extended to link data with the corresponding encoded address from the pointer. Wrong memory accesses subsequently infect the data value allowing the software to detect the error. For evaluation purposes, we implemented our countermeasure into a RISC-V processor, tested it on a FPGA development board, and evaluated the induced overhead. Furthermore, a LLVM-based C compiler has been modified to automatically encode all data pointers, to perform encoded pointer arithmetic, and to emit the extended load/store instructions with linking support. Our evaluations show that the countermeasure induces an average overhead of 10% in terms of code size and 7% regarding runtime, which makes it suitable for practical adoption.

Cryptography and Security

Dongwei Chen,Dong Tong,Chun Yang,Xu Cheng

DOI: https://doi.org/10.1109/iccd53106.2021.00042

2021-01-01

Abstract:A tagged-pointer-based memory spatial safety protection system utilizes the unused bits in a pointer to store the boundary information of an object. This paper proposed a hybrid metadata management scheme, MetaTableLite, for tagged-pointer-based protections. We observed that objects of a large size only take a minority part of all the objects in a program. However, recording their boundary metadata with traditional pointer tags will incur large memory overheads. Based on this observation, we introduce a small supplementary table to maintain metadata for these few large objects. For small ones, MetaTableLite represents their boundaries with a 14-bit pointer tag, well utilizing the unused 16 bits in a conventional 64-bit pointer. MetaTableLite can achieve a 6% average memory overhead without alternating the conventional pointer representation.

Jaidev Shastri,Xiaoguang Wang,Basavesh Ammanaghatta Shivakumar,Freek Verbeek,Binoy Ravindran

2024-04-30

Abstract:Data race, a category of insidious software concurrency bugs, is often challenging and resource-intensive to detect and debug. Existing dynamic race detection tools incur significant execution time and memory overhead while exhibiting high false positives. This paper proposes HMTRace, a novel Armv8.5-A memory tag extension (MTE) based dynamic data race detection framework, emphasizing low compute and memory requirements while maintaining high accuracy and precision. HMTRace supports race detection in userspace OpenMP- and Pthread-based multi-threaded C applications. HMTRace showcases a combined f1-score of 0.86 while incurring a mean execution time overhead of 4.01% and peak memory (RSS) overhead of 54.31%. HMTRace also does not report false positives, asserting all reported races.

Distributed, Parallel, and Cluster Computing

Xingman Chen,Yinghao Shi,Zheyu Jiang,Yuan Li,Ruoyu Wang,Haixin Duan,Haoyu Wang,Chao Zhang

2023-01-01

Abstract:Fuzzing has been widely adopted for finding vulnerabilities in programs, especially when source code is not available. But the effectiveness and efficiency of binary fuzzing are curtailed by the lack of memory (safety) sanitizers. This lack of binary sanitizers is due to the information loss in compiling programs and challenges in binary instrumentation. In this paper, we present a feasible and practical hardware-assisted memory sanitizer, MTSan, for binary fuzzing. MTSan can detect both spatial and temporal memory safety violations at runtime. It adopts a novel progressive object recovery scheme to recover objects in binaries, and uses a customized binary rewriting solution to instrument binaries with the memory-tagging-based memory safety sanitizing policy. Further, MTSan uses a hardware feature, ARM Memory Tagging Extension (MTE) to significantly reduce its runtime overhead. We implemented a prototype of MTSan on AArch64 and systematically evaluated its effectiveness and performance. Our evaluation results show that MTSan could detect more memory safety violations than existing binary sanitizers whiling introducing much lower runtime and memory overhead.

Zhe Chen,Qi Zhang,Jun Wu,Junqi Yan,Jingling Xue

DOI: https://doi.org/10.1109/tse.2022.3210580

IF: 7.4

2023-04-21

IEEE Transactions on Software Engineering

Abstract:Low-level control makes C unsafe, resulting in memory errors that can lead to data corruption, security vulnerabilities or program crashes. Dynamic analysis tools, which have been widely used for detecting memory errors at runtime, usually perform instrumentation at the IR or binary level. However, these non-source-level instrumentation frameworks and tools suffer from two inherent drawbacks: optimization sensitivity and platform dependence. Due to optimization sensitivity, the user of these tools must trade either performance for effectiveness by compiling the program at -O0 or effectiveness for performance by compiling the program at a higher optimization level, say, -O3. In this paper, we propose a new source-level instrumentation framework to overcome these two drawbacks, and implement it in a new dynamic analysis tool, called Movec, that adopts a pointer-based monitoring algorithm. We have evaluated Movec comprehensively by using the NIST's SARD benchmark suite (1152 programs), a set of 126 microbenchmarks (with ground truth), a set of 20 MiBench benchmarks and 5 pure-C SPEC CPU 2017 benchmarks. In terms of effectiveness, Movec outperforms three state-of-the-art dynamic analysis tools, AddressSanitizer, SoftBoundCETS and Valgrind, for all the standard optimization levels (from -O0 to -O3). In terms of performance, Movec outperforms SoftBoundCETS and Valgrind, and is slower than AddressSanitizer but consumes less memory.

engineering, electrical & electronic,computer science, software engineering

Alon Hillel-Tuch,Aspen Olmstead

DOI: https://doi.org/10.48550/arXiv.2403.08656

2024-03-14

Abstract:Programming errors, defective hardware components (such as hard disk spindle defects), and environmental hazards can lead to invalid memory operations. In addition, less predictable forms of environmental stress, such as radiation, thermal influence, and energy fluctuations, can induce hardware faults. Sometimes, a soft error can occur instead of a complete failure, such as a bit-flip. The 'natural' factors that can cause bit-flips are replicable through targeted attacks that result in significant compromises, including full privileged system access. Existing physical defense solutions have consistently been circumvented shortly after deployment. We will explore the concept of a novel software-based low-level layer that can protect vulnerable memory targeted by physical attack vectors related to bit-flip vulnerabilities.

Cryptography and Security,Operating Systems

Dongwei Chen,Daliang Xu,Dong Tong,kang dae sun,Xuetao Guan,Chun Yang,Xu Cheng

2020-01-01

Abstract:Memory spatial errors, i.e., buffer overflow vulnerabilities, have been a well-known issue in computer security for a long time and remain one of the root causes of exploitable vulnerabilities. Most of the existing mitigation tools adopt a fail-stop strategy to protect programs from intrusions, which means the victim program will be terminated upon detecting a memory safety violation. Unfortunately, the fail-stop strategy harms the availability of software. In this paper, we propose Saturation Memory Access (SMA), a memory spatial error mitigation mechanism that prevents out-of-bounds access without terminating a program. SMA is based on a key observation that developers generally do not rely on out-of-bounds accesses to implement program logic. SMA modifies dynamic memory allocators and adds paddings to objects to form an enlarged object boundary. By dynamically correcting all the out-of-bounds accesses to operate on the enlarged protecting boundaries, SMA can tolerate out-of-bounds accesses. For the sake of compatibility, we chose tagged pointers to record the boundary metadata of a memory object in the pointer itself, and correct the address upon detecting out-of-bounds access. We have implemented the prototype of SMA on LLVM 10.0. Our results show that our compiler enables the programs to execute successfully through buffer overflow attacks. Experiments on MiBench show that our prototype incurs an overhead of 78\%. Further optimizations would require ISA supports.

Merve Gülmez,Håkan Englund,Jan Tobias Mühlberg,Thomas Nyman

2024-07-12

Abstract:Up to 10% of memory-safety vulnerabilities in languages like C and C++ stem from uninitialized variables. This work addresses the prevalence and lack of adequate software mitigations for uninitialized memory issues, proposing architectural protections in hardware. Capability-based addressing, such as the University of Cambridge's CHERI, mitigates many memory defects, including spatial and temporal safety violations at an architectural level. However, current CHERI designs do not handle undefined behavior from uninitialized variables. We extend the CHERI capability model to include "conditional capabilities", enabling memory-access policies based on prior operations. This allows enforcement of policies that satisfy memory safety objectives such as "no reads to memory without at least one prior write" (Write-before-Read). We present our architecture extension, compiler support, and a detailed evaluation of our approach using the QEMU full-system simulator and our modified FPGA-based CHERI-RISCV softcore. Our evaluation shows Write-before-Read conditional capabilities are practical, with high detection accuracy while adding a small (~3.5%) overhead to the existing CHERI architecture.

Cryptography and Security

Wei Song,Da Xie,Zihan Xue,Peng Liu

DOI: https://doi.org/10.1109/tc.2024.3441835

IF: 3.183

2024-10-12

IEEE Transactions on Computers

Abstract:Hardware-managed tagged memory is the dominant way of supporting tags in current processor designs. Most of these processors reserve a hidden tag partition in the memory dedicated for tags and use a small tag cache (TC) to reduce the extra memory accesses introduced by the tag partition. Recent research shows that storing tags in a hierarchical tag table (HTT) inside the tag partition allows efficient compression in a TC, but the use of the HTT causes special data inconsistency issues when multiple related tag accesses are served simultaneously. How to design a parallel TC for multicore processors remains an open problem. We proposed the first TC capable of serving multiple tag accesses in parallel. It adopts a two-phase locking procedure to maintain data consistency and integrates seven techniques, where three are firstly proposed, and two are theoretical concepts materialized into usable solutions for the first time. Single-core and multicore performance results show that the proposed TC is effective in reducing both the extra amount of memory accesses to the tag partition and the overhead in execution time. It is important to provide enough number of trackers in multicore processors while providing extra trackers is beneficial for running HTT/TC ineffective applications.

engineering, electrical & electronic,computer science, hardware & architecture