ABSTRACT
Capability architectures for memory safety have traditionally required expanding pointers and radically changing microarchitectural structures throughout processors, while only providing superficial hardening. We hence propose Cryptographic Capability Computing (C3), the first memory safety mechanism that is stateless, avoiding the need for extra metadata storage. C3 retains 64-bit pointer sizes, providing legacy binary compatibility while imposing minimal touchpoints. Pointers are encrypted to unforgeably (within cryptographic bounds) reference each object. Data is encrypted even in caches and entangled with pointers for both spatial and temporal object-granular protection. Pointers become like unique keys for each allocation. C3 deploys a novel form of prediction for address translation that mitigates performance overheads even when addresses are partially encrypted. Use of a low-latency, low-area cipher from the NIST Lightweight Cryptography project avoids delaying loads by readying a data keystream by the time data is returned from the L1 cache. C3 is compatible with legacy binaries. Simulated performance overhead on SPEC CPU2006 is negligible with no memory overhead, which is a big leap forward compared to the overheads imposed by past memory safety approaches. C3 effectively replaces inefficient metadata with efficient cryptography.
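The following toy model is an added illustration of the ideas in the abstract (pointer bits encrypted under a size-class tweak, data keystream entangled with the encrypted pointer bits); it is not the paper's design or code. It assumes an HMAC-based Feistel permutation as a stand-in for the lightweight block cipher and an arbitrary 64-bit field layout that is not the paper's.

```python
import hashlib
import hmac
# Constructed demo key: in C3 the key is held by hardware and never exposed to software.
KEY = b"constructed-demo-key-not-a-real-secret"

def _prf(data: bytes, nbytes: int) -> int:
    """Keyed PRF (truncated HMAC-SHA256) standing in for the paper's lightweight block cipher."""
    return int.from_bytes(hmac.new(KEY, data, hashlib.sha256).digest()[:nbytes], "big")

def _permute32(value: int, tweak: bytes, decrypt: bool = False) -> int:
    """4-round Feistel network: an invertible, tweakable keyed permutation of a 32-bit word."""
    left, right = value >> 16, value & 0xFFFF
    for r in (range(3, -1, -1) if decrypt else range(4)):
        if decrypt:
            left, right = right ^ _prf(b"ptr" + tweak + bytes([r]) + left.to_bytes(2, "big"), 2), left
        else:
            left, right = right, left ^ _prf(b"ptr" + tweak + bytes([r]) + right.to_bytes(2, "big"), 2)
    return (left << 16) | right

def encode_pointer(addr: int, size_class: int, version: int) -> int:
    """Toy layout [size:6 | enc(version:4, addr>>26):32 | addr low 26]; widths are arbitrary, not the paper's."""
    assert addr < (1 << 54) and size_class < 64 and version < 16
    enc = _permute32((version << 28) | (addr >> 26), bytes([size_class]))
    return (size_class << 58) | (enc << 26) | (addr & ((1 << 26) - 1))

def decode_pointer(ptr: int) -> int:
    """Recover the linear address; a pointer whose encrypted field was altered decodes elsewhere."""
    plain = _permute32((ptr >> 26) & 0xFFFFFFFF, bytes([ptr >> 58]), decrypt=True)
    return ((plain & ((1 << 28) - 1)) << 26) | (ptr & ((1 << 26) - 1))

def _keystream(ptr: int, addr: int, n: int) -> bytes:
    """Per-byte data keystream bound to the pointer's encrypted bits (hence to version, size and object)."""
    tag = ((ptr >> 26) & 0xFFFFFFFF).to_bytes(4, "big")
    return bytes(_prf(b"data" + tag + (addr + i).to_bytes(8, "big"), 1) for i in range(n))

def store(mem: dict, ptr: int, data: bytes) -> None:
    addr = decode_pointer(ptr)
    for i, (b, k) in enumerate(zip(data, _keystream(ptr, addr, len(data)))):
        mem[addr + i] = b ^ k          # memory (and caches) only ever hold ciphertext

def load(mem: dict, ptr: int, n: int) -> bytes:
    addr = decode_pointer(ptr)
    ks = _keystream(ptr, addr, n)
    return bytes(mem.get(addr + i, 0) ^ ks[i] for i in range(n))

def demo() -> dict:
    """Constructed scenario: a live object, a stale pointer after reallocation, and a corrupted pointer."""
    mem, base = {}, 0x7F00_0000_1000
    p1 = encode_pointer(base, size_class=5, version=1)      # 32-byte slot, first allocation
    store(mem, p1, b"secret!!")
    live = load(mem, p1, 8)
    p2 = encode_pointer(base, size_class=5, version=2)      # slot freed and reused: new version
    store(mem, p2, b"newdata!")
    stale = load(mem, p1, 8)                                # use-after-free: wrong keystream, garbage
    corrupted = p2 ^ (1 << 40)                              # one encrypted bit disturbed without the key
    return {"live": live, "stale": stale, "base": base, "corrupted_addr": decode_pointer(corrupted)}
```

Because the keystream depends on the encrypted pointer bits rather than on stored metadata, the stale pointer in `demo()` reads garbage and the corrupted pointer resolves to an unrelated address, with no per-object state kept anywhere.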