FlexFilt: Towards Flexible Instruction Filtering for Security

Published: 06 December 2021

Abstract

As the complexity of software applications increases, there has been a growing demand for intra-process memory isolation. The commercially available intra-process memory isolation mechanisms in modern processors, e.g., Intel's memory protection keys, trade off efficiency against security guarantees. Recently, researchers have tended to leverage the features with low security guarantees for intra-process memory isolation and have then relied on binary scanning and runtime binary rewriting to prevent the execution of unsafe instructions, which improves the security guarantees. Such intra-process memory isolation mechanisms are not the only security solutions that have to prevent the execution of unsafe instructions in untrusted parts of the code. In fact, we identify a similar requirement in a variety of other security solutions. Although binary scanning and runtime binary rewriting approaches can be leveraged to address this requirement, it is challenging to implement these approaches efficiently.
In this paper, we propose an efficient and flexible hardware-assisted feature for runtime filtering of user-specified instructions. This flexible feature, called FlexFilt, assists with securing various isolation-based mechanisms. FlexFilt enables the software developer to create up to 16 instruction domains, where each instruction domain can be configured to filter the execution of user-specified instructions. In addition to filtering unprivileged instructions, FlexFilt is capable of filtering privileged instructions. To illustrate the effectiveness of FlexFilt compared to binary scanning approaches, we measure the overhead caused by scanning the JIT-compiled code while browsing various webpages. We demonstrate the feasibility of FlexFilt by implementing our design on the RISC-V Rocket core, providing Linux kernel support for it, and prototyping our full design on an FPGA.



Published In

ACSAC '21: Proceedings of the 37th Annual Computer Security Applications Conference, December 2021, 1077 pages. ISBN: 9781450385794. DOI: 10.1145/3485832
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Hardware security
  2. OS security
  3. memory protection domains

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ACSAC '21

Acceptance Rates

Overall Acceptance Rate 104 of 497 submissions, 21%

Article Metrics

  • Downloads (last 12 months): 202
  • Downloads (last 6 weeks): 20

Reflects downloads up to 16 Feb 2025

Cited By

  • (2024) Cabin: Confining Untrusted Programs Within Confidential VMs. Information and Communications Security, 10.1007/978-981-97-8798-2_9, pp. 165-184. Online publication date: 25-Dec-2024
  • (2023) μSwitch: Fast Kernel Context Isolation with Implicit Context Switches. 2023 IEEE Symposium on Security and Privacy (SP), 10.1109/SP46215.2023.10179284, pp. 2956-2973. Online publication date: May-2023
  • (2023) JIT Compiler Security through Low-Cost RISC-V Extension. 2023 IEEE International Parallel and Distributed Processing Symposium Workshops (IPDPSW), 10.1109/IPDPSW59300.2023.00032, pp. 125-128. Online publication date: May-2023
  • (2022) MPKAlloc: Efficient Heap Meta-data Integrity Through Hardware Memory Protection Keys. Detection of Intrusions and Malware, and Vulnerability Assessment, 10.1007/978-3-031-09484-2_8, pp. 136-155. Online publication date: 29-Jun-2022
