Skip to main content
SpringerLink
Log in

Hardware Assisted Randomization of Data

  • Conference paper
  • First Online:
Research in Attacks, Intrusions, and Defenses (RAID 2018)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11050))

Abstract

Data-oriented attacks are gaining traction thanks to advances in code-centric mitigation techniques for memory corruption vulnerabilities. Previous work on mitigating data-oriented attacks includes Data Space Randomization (DSR). DSR classifies program variables into a set of equivalence classes, and encrypts variables with a key randomly chosen for each equivalence class. This thwarts memory corruption attacks that introduce illegitimate data flows. However, existing implementations of DSR trade precision for better run-time performance, which leaves attackers sufficient leeway to mount attacks. In this paper, we show that high precision and good run-time performance are not mutually exclusive. We present HARD, a precise and efficient hardware-assisted implementation of DSR. HARD distinguishes a larger number of equivalence classes, and incurs lower run-time overhead than software-only DSR. Our implementation achieves run-time overheads of just 6.61% on average, while the software version with the same protection costs 40.96%.

This material is based upon work partially supported by the Defense Advanced Research Projects Agency (DARPA) under contracts FA8750-15-C-0124 and FA8750-15-C-0085, by the United States Office of Naval Research (ONR) under contract N00014-17-1-2782, by the National Science Foundation under awards CNS-1619211 and CNS-1513837, by the National Research Foundation of Korea (NRF) grant funded by the Korea government (MSIT) (NRF-2017R1A2A1A17069478), by the Brain Korea 21 Plus Project in 2018, and by the Institute for Information & communications Technology Promotion (IITP) grant funded by the Korea government (MSIT) (No.2017-0-00213, Development of Cyber Self Mutation Technologies for Proactive Cyber Defense). Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the Defense Advanced Research Projects Agency (DARPA) or its Contracting Agents, the Office of Naval Research or its Contracting Agents, the National Science Foundation, or any other agency of the U.S. Government. The authors also gratefully acknowledge a gift from Oracle Corporation.

B. Belleville and H. Moon—Authors contributed equally to this work.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 79.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 99.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Akritidis, P., Cadar, C., Raiciu, C., Costa, M., Castro, M.: Preventing memory error exploits with wit. In: IEEE Symposium on Security and Privacy (S&P) (2008)

    Google Scholar 

  2. Asanovi, K., et al.: The rocket chip generator. Technical report, University of California, Berkeley, April 2016

    Google Scholar 

  3. Bhatkar, S., Sekar, R.: Data space randomization. In: Zamboni, D. (ed.) DIMVA 2008. LNCS, vol. 5137, pp. 1–22. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-70542-0_1

    Chapter  Google Scholar 

  4. Cadar, C., Akritidis, P., Costa, M., Martin, J.P., Castro, M.: Data randomization. Technical report MSR-TR-2008-120, Microsoft Research (2008)

    Google Scholar 

  5. Castro, M., Costa, M., Harris, T.: Securing software by enforcing data-flow integrity. In: USENIX Symposium on Operating Systems Design and Implementation (OSDI) (2006)

    Google Scholar 

  6. Chen, S., et al.: Flexible hardware acceleration for instruction-grain program monitoring. In: Annual International Symposium on Computer Architecture (ISCA) (2008)

    Google Scholar 

  7. Chen, S., Xu, J., Sezer, E.C., Gauriar, P., Iyer, R.K.: Non-control-data attacks are realistic threats. In: USENIX Security Symposium (2005)

    Google Scholar 

  8. Mehta, N.: The Heartbleed Bug, Codenomicon (2014). http://heartbleed.com/

  9. Cook, K.: Introduce struct layout randomization plugin (2017). http://www.openwall.com/lists/kernel-hardening/2017/04/06/14

  10. Dang, T.H., Maniatis, P., Wagner, D.: Oscar: a practical page-permissions-based scheme for thwarting dangling pointers. In: USENIX Security Symposium (2017)

    Google Scholar 

  11. Dhurjati, D., Adve, V.: Backwards-compatible array bounds checking for C with very low overhead. In: International Conference on Software Engineering (ICSE) (2006)

    Google Scholar 

  12. Ghose, S., Gilgeous, L., Dudnik, P., Aggarwal, A., Waxman, C.: Architectural support for low overhead detection of memory violations. In: Design, Automation Test in Europe Conference Exhibition (DATE) (2009)

    Google Scholar 

  13. Hu, H., Chua, Z.L., Adrian, S., Saxena, P., Liang, Z.: Automatic generation of data-oriented exploits. In: USENIX Security Symposium (2015)

    Google Scholar 

  14. Hu, H., Shinde, S., Adrian, S., Chua, Z.L., Saxena, P., Liang, Z.: Data-oriented programming: on the expressiveness of non-control data attacks. In: IEEE Symposium on Security and Privacy (S&P) (2016)

    Google Scholar 

  15. Intel Inc.: Intel 64 and IA-32 Architectures Software Developer’s Manual (2013)

    Google Scholar 

  16. Intel R. Corporation: Control-flow enforcement technology preview (2016)

    Google Scholar 

  17. van der Kouwe, E., Nigade, V., Giuffrida, C.: DangSan: scalable use-after-free detection. In: European Conference on Computer Systems (EuroSys) (2017)

    Google Scholar 

  18. Kuvaiskii, D., et al.: SGXBounds: memory safety for shielded execution. In: European Conference on Computer Systems (EuroSys) (2017)

    Google Scholar 

  19. Kwon, A., Dhawan, U., Smith, J.M., Knight Jr., T.F., DeHon, A.: Low-fat pointers: compact encoding and efficient gate-level implementation of fat pointers for spatial safety and capability-based security. In: ACM Conference on Computer and Communications Security (CCS) (2013)

    Google Scholar 

  20. Lattner, C., Adve, V.: Automatic pool allocation: improving performance by controlling data structure layout in the heap. In: ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI) (2005)

    Google Scholar 

  21. Lattner, C., Lenharth, A., Adve, V.: Making context-sensitive points-to analysis with heap cloning practical for the real world. In: ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI) (2007)

    Google Scholar 

  22. Lea, D.: A memory allocator (1996)

    Google Scholar 

  23. Lee, B., et al.: Preventing use-after-free with dangling pointers nullification. In: Network and Distributed System Security Symposium (NDSS) (2015)

    Google Scholar 

  24. Lee, Y., et al.: A 45nm 1.3GHz 16.7 double-precision GFLOPS/W RISC-V processor with vector accelerators. In: European Solid State Circuits Conference (ESSCIRC) (2014)

    Google Scholar 

  25. Liu, Y., Zhou, T., Chen, K., Chen, H., Xia, Y.: Thwarting memory disclosure with efficient hypervisor-enforced intra-domain isolation. In: ACM Conference on Computer and Communications Security (CCS) (2015)

    Google Scholar 

  26. Nagarakatte, S., Martin, M.M., Zdancewic, S.: Watchdog: hardware for safe and secure manual memory management and full memory safety. ACM SIGARCH Comput. Arch. News 40(3), 189–200 (2012)

    Article  Google Scholar 

  27. Nagarakatte, S., Zhao, J., Martin, M.M., Zdancewic, S.: SoftBound: highly compatible and complete spatial memory safety for C. In: ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI) (2009)

    Google Scholar 

  28. Nagarakatte, S., Zhao, J., Martin, M.M., Zdancewic, S.: CETS: compiler enforced temporal safety for C. In: International Symposium on Memory Management (ISMM) (2010)

    Google Scholar 

  29. Patil, H., Fischer, C.: Low-cost, concurrent checking of pointer and array accesses in C programs. Softw. Pract. Exp. 27(1), 87–110 (1997)

    Article  Google Scholar 

  30. Rains, T., Miller, M., Weston, D.: Exploitation trends: from potential risk to actual risk. In: RSA Conference (2015)

    Google Scholar 

  31. Ramakesavan, R., et al.: Intel memory protection extensions enabling guide (2016)

    Google Scholar 

  32. Schoeberl, M.: Design and implementation of an efficient stack machine. In: IEEE International Parallel and Distributed Processing Symposium (2005)

    Google Scholar 

  33. Song, C., et al.: HDFI: hardware-assisted data-flow isolation. In: IEEE Symposium on Security and Privacy (S&P) (2016)

    Google Scholar 

  34. Venkataramani, G., Roemer, B., Solihin, Y., Prvulovic, M.: MemTracker: efficient and programmable support for memory access monitoring and debugging. In: IEEE International Symposium on High Performance Computer Architecture (HPCA) (2007)

    Google Scholar 

  35. Xu, W., DuVarney, D.C., Sekar, R.: An efficient and backwards-compatible transformation to ensure memory safety of C programs. In: ACM SIGSOFT International Symposium on Foundations of Software Engineering (FSE) (2004)

    Google Scholar 

  36. Yang, J., Shin, K.G.: Using hypervisor to provide data secrecy for user applications on a per-page basis. In: Proceedings of the Fourth ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments (2008)

    Google Scholar 

  37. Younan, Y.: FreeSentry: protecting against use-after-free vulnerabilities due to dangling pointers. In: Network and Distributed System Security Symposium (NDSS) (2015)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. University of California, Irvine, Irvine, USA

    Brian Belleville, Joseph M. Nash, Yeoul Na, Stijn Volckaert, Per Larsen & Michael Franz

  2. ECE and ISRC, Seoul National University, Seoul, South Korea

    Hyungon Moon, Jangseop Shin, Dongil Hwang, Seonhwa Jung & Yunheung Paek

Authors
  1. Brian Belleville
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Hyungon Moon
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Jangseop Shin
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Dongil Hwang
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Joseph M. Nash
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Seonhwa Jung
    View author publications

    You can also search for this author in PubMed Google Scholar

  7. Yeoul Na
    View author publications

    You can also search for this author in PubMed Google Scholar

  8. Stijn Volckaert
    View author publications

    You can also search for this author in PubMed Google Scholar

  9. Per Larsen
    View author publications

    You can also search for this author in PubMed Google Scholar

  10. Yunheung Paek
    View author publications

    You can also search for this author in PubMed Google Scholar

  11. Michael Franz
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Yunheung Paek .

Editor information

Editors and Affiliations

  1. University of Illinois at Urbana-Champaign, Urbana, IL, USA

    Michael Bailey

  2. Ruhr-Universität Bochum, Bochum, Germany

    Thorsten Holz

  3. Vrije Universiteit Amsterdam, Amsterdam, The Netherlands

    Manolis Stamatogiannakis

  4. Foundation for Research & Technology – Hellas, Heraklion, Crete, Greece

    Sotiris Ioannidis

Rights and permissions

Reprints and permissions

Copyright information

© 2018 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Belleville, B. et al. (2018). Hardware Assisted Randomization of Data. In: Bailey, M., Holz, T., Stamatogiannakis, M., Ioannidis, S. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2018. Lecture Notes in Computer Science(), vol 11050. Springer, Cham. https://doi.org/10.1007/978-3-030-00470-5_16

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-00470-5_16

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-00469-9

  • Online ISBN: 978-3-030-00470-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation