DOI: 10.1145/3052973.3052983
research-article
Public Access

DataShield: Configurable Data Confidentiality and Integrity

Published: 02 April 2017

Abstract

Applications written in C/C++ are prone to memory corruption, which allows attackers to extract secrets or gain control of the system. With the rise of strong control-flow hijacking defenses, non-control data attacks have become the dominant threat. As vulnerabilities like HeartBleed have shown, such attacks are equally devastating. Data Confidentiality and Integrity (DCI) is a low-overhead non-control-data protection mechanism for systems software. DCI augments the C/C++ programming languages with annotations, allowing the programmer to protect selected data types. The DCI compiler and runtime system prevent illegal reads (confidentiality) and writes (integrity) to instances of these types. The programmer selects types that contain security critical information such as passwords, cryptographic keys, or identification tokens. Protecting only this critical data greatly reduces performance overhead relative to complete memory safety.
Our prototype implementation of DCI, DataShield, shows the applicability and efficiency of our approach. For SPEC CPU2006, the performance overhead is at most 16.34%. For our case studies, we instrumented mbedTLS, astar, and libquantum to show that our annotation approach is practical. The overhead of our SSL/TLS server is 35.7% with critical data structures protected at all times. Our security evaluation shows DataShield mitigates a recently discovered vulnerability in mbedTLS.
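The protection the abstract describes, as an added illustrative model written for this page and not DataShield's own code: instances of a programmer-annotated type are placed in a separate memory region, and every load or store made through an ordinary (non-annotated) pointer is checked so that it cannot touch that region. The two-half arena, the bump allocators, the `session_key` type and the `checked_load`, `checked_store`, `build_reply` and `run_scenario` functions are assumptions of this model; the abstract does not give DataShield's actual check placement or metadata layout.

```c
/* Illustrative model (not DataShield's code) of Data Confidentiality and
 * Integrity: sensitive types live in their own region, and accesses through
 * non-sensitive pointers are checked against that region's bounds. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define REGION_SIZE 256

/* One arena split in halves: regular data first, sensitive data immediately
 * after, so an over-read running off the end of regular data reaches it. */
static unsigned char arena[2 * REGION_SIZE];
static unsigned char *const regular_base   = arena;
static unsigned char *const sensitive_base = arena + REGION_SIZE;
static size_t regular_used, sensitive_used;

/* A type the programmer would annotate as sensitive (assumed example). */
struct session_key { unsigned char bytes[32]; };

void reset_arena(void) {
    memset(arena, 0, sizeof arena);
    regular_used = sensitive_used = 0;
}

static int in_sensitive_region(const void *p) {
    const unsigned char *q = p;
    return q >= sensitive_base && q < sensitive_base + REGION_SIZE;
}

/* Bump allocators standing in for a DCI-aware allocator. */
void *regular_alloc(size_t n) {
    if (regular_used + n > REGION_SIZE) return NULL;
    void *p = regular_base + regular_used;
    regular_used += n;
    return p;
}

struct session_key *sensitive_alloc_key(void) {
    if (sensitive_used + sizeof(struct session_key) > REGION_SIZE) return NULL;
    struct session_key *k = (struct session_key *)(sensitive_base + sensitive_used);
    sensitive_used += sizeof *k;
    return k;
}

/* Checks the compiler would insert before each access through a
 * non-sensitive pointer. Return 0 on success, -1 on a policy violation. */
int checked_load(const unsigned char *p, unsigned char *out) {
    if (in_sensitive_region(p)) return -1;   /* confidentiality violation */
    *out = *p;
    return 0;
}

int checked_store(unsigned char *p, unsigned char v) {
    if (in_sensitive_region(p)) return -1;   /* integrity violation */
    *p = v;
    return 0;
}

/* Heartbleed-style reply builder: copies `requested` bytes from `payload`
 * with no bounds check of its own. Under the DCI checks the copy aborts as
 * soon as it would read sensitive data. Returns bytes copied, or -1. */
long build_reply(unsigned char *dst, const unsigned char *payload, size_t requested) {
    for (size_t i = 0; i < requested; i++) {
        if (checked_load(payload + i, dst + i) != 0) return -1;
    }
    return (long)requested;
}

struct scenario_result { long copied; int key_leaked; };

/* Scenario: a 64-byte payload at the start of the regular region, a session
 * key in the sensitive region, and a reply request for `requested` bytes.
 * The check fires at byte 256 at the latest, so `dst` cannot overflow. */
struct scenario_result run_scenario(size_t requested) {
    static unsigned char dst[2 * REGION_SIZE];
    struct scenario_result r = { -1, 0 };
    reset_arena();
    memset(dst, 0, sizeof dst);

    unsigned char *payload = regular_alloc(64);
    struct session_key *key = sensitive_alloc_key();
    if (!payload || !key) return r;
    memset(payload, 'A', 64);
    memset(key->bytes, 0x5A, sizeof key->bytes);   /* constructed sample key */

    r.copied = build_reply(dst, payload, requested);
    r.key_leaked = memchr(dst, 0x5A, sizeof dst) != NULL;
    return r;
}

int main(void) {
    struct scenario_result r = run_scenario(64);
    printf("honest request:    copied=%ld key_leaked=%d\n", r.copied, r.key_leaked);
    r = run_scenario(300);
    printf("over-read request: copied=%ld key_leaked=%d\n", r.copied, r.key_leaked);
    return 0;
}
```

A request of 200 bytes also succeeds in this model even though it over-reads past the 64-byte payload: the leaked bytes are all non-sensitive, and the coarse check only stops the copy once it reaches the annotated key. That is the trade-off the abstract states: only the selected types are protected, which is what keeps the overhead well below that of complete memory safety.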



      Published In

      ASIA CCS '17: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security
      April 2017
      952 pages
      ISBN:9781450349444
      DOI:10.1145/3052973
      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

      Publisher

      Association for Computing Machinery

      New York, NY, United States


      Author Tags

      1. memory safety
      2. runtime monitors
      3. software security

      Acceptance Rates

      ASIA CCS '17 Paper Acceptance Rate 67 of 359 submissions, 19%;
      Overall Acceptance Rate 418 of 2,322 submissions, 18%

      Article Metrics

      • Downloads (Last 12 months)241
      • Downloads (Last 6 weeks)33
      Reflects downloads up to 18 Jan 2025

      Cited By

      • (2025) InvisiGuard: Data Integrity for Microcontroller-Based Devices via Hardware-Triggered Write Monitoring. IEEE Transactions on Dependable and Secure Computing 22(1):343-358. DOI 10.1109/TDSC.2024.3399068. Online publication date: Jan 2025
      • (2024) Not quite write. Proceedings of the 18th USENIX Conference on Offensive Technologies, 171-187. DOI 10.5555/3696933.3696946. Online publication date: 12 Aug 2024
      • (2024) Bitmap-Based Security Monitoring for Deeply Embedded Systems. ACM Transactions on Software Engineering and Methodology 33(7):1-31. DOI 10.1145/3672460. Online publication date: 18 Jun 2024
      • (2024) Kaleidoscope: Precise Invariant-Guided Pointer Analysis. Proceedings of the 29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 3, 561-576. DOI 10.1145/3620666.3651340. Online publication date: 27 Apr 2024
      • (2024) Randomize the Running Function When It Is Disclosed. IEEE Transactions on Computers 73(6):1516-1530. DOI 10.1109/TC.2024.3371776. Online publication date: Jun 2024
      • (2024) Optimized Data-Flow Integrity for Modern Compilers. IEEE Access 12:124171-124182. DOI 10.1109/ACCESS.2024.3454551. Online publication date: 2024
      • (2024) A Hardware-Based Correct Execution Environment Supporting Virtual Memory. IEEE Access 12:114008-114022. DOI 10.1109/ACCESS.2024.3443509. Online publication date: 2024
      • (2024) mShield: Protecting In-process Sensitive Data Against Vulnerable Third-Party Libraries. Security and Privacy in Communication Networks, 496-513. DOI 10.1007/978-3-031-64948-6_25. Online publication date: 13 Oct 2024
      • (2023) RegKey: A Register-based Implementation of ECC Signature Algorithms Against One-shot Memory Disclosure. ACM Transactions on Embedded Computing Systems 22(6):1-22. DOI 10.1145/3604805. Online publication date: 9 Nov 2023
      • (2023) Protect the System Call, Protect (Most of) the World with BASTION. Proceedings of the 28th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 3, 528-541. DOI 10.1145/3582016.3582066. Online publication date: 25 Mar 2023
