Hardware-assisted memory safety

Thumbnail Image
Journal Title
Journal ISSN
Volume Title
School of Science | Doctoral thesis (article-based) | Defence date: 2020-01-20
Degree programme
88 + app. 83
Aalto University publication series DOCTORAL DISSERTATIONS, 8/2020
Computers today are ubiquitous and closely integrated into our everyday lives. But computers are fickle in nature. Programs are written by fallible humans and run on imperfect hardware. As a result, computer systems are plagued by memory vulnerabilities. Many remedies exist; from defensive programming techniques to memory-safe languages. But these approaches require security-expertise and costly porting of existing code. To achieve wide-spread use, we must integrate security into existing tools and languages. Moreover, this must be done with minimal performance and deployment costs. New security features are being rolled out in commodity hardware. They hold the promise of security, but are non-trivial to use effectively. In this dissertation, I show how compile-time instrumentation can use such hardware for performant memory-safety solutions. We explore the recently introduced ARMv8.3-A PA and Intel MPX extensions. PA supports hardware-accelerated signing and verification of pointers. Not only do we address weaknesses in prior PA-based defenses, but we also present novel solutions for memory safety. In particular, we demonstrate how PA can be used for run-time type checking, precise return address protection, and stack safety. Userspace MPX-instrumentation is well-known and uses in-memory metadata to provide bounds checking of memory accesses. The kernel is paramount for security, but using MPX to protect is not straightforward. Because the kernel must manage its own memory, the MPX metadata is not feasible to use. We show how to avoid this issue using kernel-specific MPX instrumentation. But security hardware—such as the Intel SGX—can itself be vulnerable. We investigate Intel SGX side-channels, and show how compile-time instrumentation can be used to mitigate a branch-shadowing attack on SGX. This dissertation presents security schemes that achieve minimal performance overheads by using features in off-the-shelf hardware. Our compile-time instrumentation integrates these features into existing code, without developer intervention. Together, hardware-assistance and compile-time instrumentation paves the way towards security solutions that offer optimal trade-offs in terms of development, deployment and performance costs. Yet, there are many roads ahead. Future work should explore compatibility with real code-bases, for instance, when common programming patterns rely on undefined behavior. Support should also be extended to C++ and other languages; this requires support for new language constructs such as exceptions and polymorphic types. Memory-safe languages could also benefit from hardware-assisted security, for instance, by providing fault isolation or improving performance of existing checks. Together, these directions will allow deployable security along a broad spectrum of projects and developers.
Supervising professor
Asokan, N. Prof., Aalto University, Department of Computer Science, Finland
Thesis advisor
Ekberg, Jan-Erik, Adj. Prof., Aalto University, Department of Computer Science, Finland
platform security, memory safety
Other note
  • [Publication 1]: Elena Reshetova, Hans Liljestrand, Andrew Paverd, N. Asokan. Towards Linux Kernel Memory Safety. Software: Practice and Experience, 2018.
    DOI: 10.1002/spe.2638 View at publisher
  • [Publication 2]: Shohreh Hosseinzadeh, Hans Liljestrand, Ville Leppänen, Andrew Paverd. Mitigating Branch-Shadowing Attacks on Intel SGX using Control Flow Randomization. In Proceedings of the 3rd Workshop on System Software for Trusted Execution, SysTEX ’18, Toronto, ON, Canada, pages 42–47, October 2018.
    DOI: 10.1145/3268935.3268940 View at publisher
  • [Publication 3]: Hans Liljestrand, Thomas Nyman, Kui Wang, Carlos Chinea, Jan-Erik Ekberg, N. Asokan. PAC it up: Towards Pointer Integrity using ARM Pointer Authentication. In Proceedings of the 28th USENIX Security Symposium, Santa Clara, CA, USA, pages 177–195, August 2019.
    DOI: 10.5555/3361338.3361352 View at publisher
  • [Publication 4]: Hans Liljestrand, Zaheer Gauhar, Thomas Nuyman, Jan-Erik Ekberg, N. Asokan. Protecting the stack with PACed canaries. In Proceedings of the 4th Workshop on System Software for Trusted Execution, SysTEX ’19, Huntsville, ON, Canada, 6 pages, October 2019.
    DOI: 10.1145/3342559.3365336 View at publisher
  • [Publication 5]: Hans Liljestrand, Thomas Nyman, Lachlan Gunn, Jan-Erik Ekberg, N. Asokan. PACStack: an Authenticated Call Stack. Submitted, 20 pages, August 2019.
  • [Errata file]: Errata of P3