Hardware-assisted memory safety

Abstract

Computers today are ubiquitous and closely integrated into our everyday lives. But computers are fickle in nature. Programs are written by fallible humans and run on imperfect hardware. As a result, computer systems are plagued by memory vulnerabilities. Many remedies exist; from defensive programming techniques to memory-safe languages. But these approaches require security-expertise and costly porting of existing code. To achieve wide-spread use, we must integrate security into existing tools and languages. Moreover, this must be done with minimal performance and deployment costs. New security features are being rolled out in commodity hardware. They hold the promise of security, but are non-trivial to use effectively. In this dissertation, I show how compile-time instrumentation can use such hardware for performant memory-safety solutions. We explore the recently introduced ARMv8.3-A PA and Intel MPX extensions. PA supports hardware-accelerated signing and verification of pointers. Not only do we address weaknesses in prior PA-based defenses, but we also present novel solutions for memory safety. In particular, we demonstrate how PA can be used for run-time type checking, precise return address protection, and stack safety. Userspace MPX-instrumentation is well-known and uses in-memory metadata to provide bounds checking of memory accesses. The kernel is paramount for security, but using MPX to protect is not straightforward. Because the kernel must manage its own memory, the MPX metadata is not feasible to use. We show how to avoid this issue using kernel-specific MPX instrumentation. But security hardware—such as the Intel SGX—can itself be vulnerable. We investigate Intel SGX side-channels, and show how compile-time instrumentation can be used to mitigate a branch-shadowing attack on SGX. This dissertation presents security schemes that achieve minimal performance overheads by using features in off-the-shelf hardware. Our compile-time instrumentation integrates these features into existing code, without developer intervention. Together, hardware-assistance and compile-time instrumentation paves the way towards security solutions that offer optimal trade-offs in terms of development, deployment and performance costs. Yet, there are many roads ahead. Future work should explore compatibility with real code-bases, for instance, when common programming patterns rely on undefined behavior. Support should also be extended to C++ and other languages; this requires support for new language constructs such as exceptions and polymorphic types. Memory-safe languages could also benefit from hardware-assisted security, for instance, by providing fault isolation or improving performance of existing checks. Together, these directions will allow deployable security along a broad spectrum of projects and developers.