conf-hpca-2006

Transcript of conf-hpca-2006

  • 8/6/2019 conf-hpca-2006

    InfoShield: A Security Architecture for Protecting Information Usage in Memory

    Weidong Shi, Georgia Tech
    Josh Fryman, Georgia Tech (now at Intel Corporation)
    Guofei Gu, Georgia Tech
    Hsien-Hsin Lee, Georgia Tech
    Youtao Zhang, University of Pittsburgh
    Jun Yang, University of California, Riverside

  • Overview

    Information Theft
    Information Protection Mechanisms
    InfoShield Architecture
    Characterization of Network Applications
    Conclusion

  • Information Theft Example - Overflow

    (Figure: a process address space with a Data region holding an Array Buffer immediately followed by a Secret Key, a Code region holding ReadBuffer(offset, size, buf) and the Crypto Functions, and Kernel Space above them. ReadBuffer reads the window from offset to offset+size.)

    During normal operation: the window offset..offset+size lies inside the Array Buffer.

    When an attack is launched: the window offset..offset+size extends past the Array Buffer into the Secret Key.
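The slide's ReadBuffer(offset, size, buf) over-read, reduced to a small C model. This is an added example, not code from the paper: the data region is a constructed byte image in which a 16-byte array buffer is followed by an 8-byte key (all values made up), `read_buffer_unchecked` reproduces the missing bound on offset+size, and `read_buffer_checked` is the bounds-checked form that refuses any window leaving the buffer.

```c
#include <stdio.h>
#include <string.h>

#define BUFFER_LEN 16
#define KEY_LEN     8

/* Constructed data region laid out as on the slide: the array buffer is
 * immediately followed by the secret key. All byte values are made up. */
static unsigned char mem[BUFFER_LEN + KEY_LEN] = {
    /* array buffer: 16 bytes of public data */
    'p', 'u', 'b', 'l', 'i', 'c', ' ', 'd', 'a', 't', 'a', '.', '.', '.', '.', '.',
    /* secret key: 8 bytes */
    0xDE, 0xAD, 0xBE, 0xEF, 0x01, 0x02, 0x03, 0x04,
};

/* ReadBuffer as drawn on the slide: copies `size` bytes starting at `offset`
 * without testing whether offset+size stays inside the array buffer. The only
 * clamp is to the whole data region, so this demo never reads outside `mem`;
 * the defect is that the clamp is not the array bound. Returns bytes copied. */
size_t read_buffer_unchecked(size_t offset, size_t size, unsigned char *buf)
{
    if (offset > sizeof mem) offset = sizeof mem;
    if (size > sizeof mem - offset) size = sizeof mem - offset;
    memcpy(buf, mem + offset, size);
    return size;
}

/* Hardened ReadBuffer: refuses any window that is not entirely inside the
 * array buffer. Two comparisons, so offset+size can never wrap around. */
int read_buffer_checked(size_t offset, size_t size, unsigned char *buf)
{
    if (offset > BUFFER_LEN || size > BUFFER_LEN - offset)
        return -1;                        /* window would leave the buffer */
    memcpy(buf, mem + offset, size);
    return (int)size;
}

/* How many of the bytes returned by an unchecked read came from the key? */
size_t key_bytes_leaked(size_t offset, size_t size)
{
    unsigned char buf[sizeof mem];
    size_t n = read_buffer_unchecked(offset, size, buf);
    size_t leaked = 0;
    for (size_t i = 0; i < n; i++)
        if (offset + i >= BUFFER_LEN) leaked++;   /* byte came from the key */
    return leaked;
}

int main(void)
{
    unsigned char buf[sizeof mem];
    /* offset 12, size 8: the window runs 4 bytes past the buffer end */
    printf("unchecked: %zu key bytes copied out\n", key_bytes_leaked(12, 8));
    printf("checked:   %d (refused)\n", read_buffer_checked(12, 8, buf));
    printf("checked:   %d bytes (in bounds)\n", read_buffer_checked(12, 4, buf));
    return 0;
}
```

The checked variant rejects the window rather than truncating it: silently shortening the read would still let a caller probe where the buffer ends.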

  • Information Theft

    Invalid Input: induce victim applications to disclose secrets (in)voluntarily
      integer, pointer, array index overflow

    Information Theft Trojan: intercept, snoop security keys, passwords

    Memory Scan: keyword, fixed offset

    Buffer Overflow: similar to invalid input, but through format string attacks

  • Against Information Theft - Prior Art

    Ad-hoc Solutions
      Approaches: boundary checking, model checking, stack guard, etc.
      Issues: indirect solution, passive solution

    Access Control [Hydra, 75]
      Approaches: process space isolation, user/kernel isolation, etc.
      Issues: high level, coverage too broad, imprecise, insecure

  • Information Flow Analysis - Prior Art

    Information Flow (IF) Analysis
      Classic IF model [Denning & Denning, 77]
      Runtime IF analysis/tracking [RIFLE, 04]

    Restrict Flow of Information: information with a high security level cannot be disclosed to an output channel with a low security level

    Issues: over-protection, too restrictive; every piece of derived information carries private information.

  • InfoShield: Protecting Information Usage (Our Idea)

    Runtime Check of Usage of Sensitive Information
      password, cryptographic keys, ...

    Restrict Information Usage
      Who can access: sensitive data must be accessed and operated on only by functions that are entitled to use them.
      How it can be accessed: sensitive data is guaranteed to be used in the way defined by the application semantics.

    Requires ISA Extension and Architectural Support

  • InfoShield Basics

    Form an Authorization Chain for Protecting Usage

    (Figure: a chain of instructions inst1, inst2, inst3, inst4, ... beside a Memory box holding the Secret. "inst S: ld r4, (secret)" is the instruction that defines the secret's usage; "inst X: ld r5, (secret)" and "inst X: st r5, (secret)" are later instructions in the chain that use the secret. The chain shields the usage of the secret in memory.)

  • InfoShield Basics

    (Figure: the same chain and Memory box, now with Mallory's instruction attempting to read the secret.)

    Hacker's instructions: Inst H: ld r4, (secret)

    Inst H is not in the protection chain.

  • InfoShield: Information Usage Safety

    Concept of Information Usage Safety
      Given that the application is properly designed, guarantee that information is used in the way it is meant to be used.
      Ensure that private data is not misused or illegally accessed.
      Protect the integrity of the dynamic usage of user private data based on the program semantics.

    Or, in other words: authenticate the usage of information.

  • InfoShield: Safeguard Sensitive Data

    Reads/writes to sensitive data are dynamically checked throughout the program execution to guarantee they are used
      in the order defined by the application
      by only the instructions that are supposed to use them

    Architectural Model
      ISA Extension: sensitive data declaration, runtime usage control
      Architectural support: security-aware register table and runtime checking

  • InfoShield: Architectural Support

    Security-aware Register (SR) Table
      where sensitive data are stored
      who can access the sensitive data
      After a code region completes, modify the SR Table

    ISA Support
      SR Table management instructions
      sensitive data clear, copy

  • InfoShield Illustration

    (Figure: sensitive data in memory, an SR Table with the columns Addrlow, Addrhigh, PClow, PChigh, and Code Regions 1, 2 and 3. Code Region 1: Define Sensitive Data, Define Next Region. Code Region 2: Access Sensitive Data, Define Next Region. Code Region 3: Access Sensitive Data.)

  • InfoShield Illustration

    (Figure: the same SR Table and code regions. Code Region 2 accesses the sensitive data and then reaches a Test Branch; if true, it defines Region 3, and Code Region 3 accesses the sensitive data.)

  • InfoShield Illustration

    (Figure: the same SR Table, now with Code Regions 1, 2 and 4. Code Region 2 accesses the sensitive data and reaches the Test Branch; if false, it defines Region 4, and Code Region 4 accesses the sensitive data.)

  • ISA Extension Example

    SAG: Set Address Guard
    SAP: Set Address Protection

    Registers: R1 = 0x200, R2 = 0x208, R3 = 0xB00C, R4 = 0xB014

    SAG R0 (afterwards R0 = 1)
    SAP R0, R1, R2, R3, R4

    SR Table after SAP (Addrlow Addrhigh PClow PChigh): 200 208 B00C B014
      sensitive data occupies 0x200-0x208; the code region 0xB00C-0xB014 may use it

  • ISA Extension Example

    SAS: Secure Address Shift

    Registers: R2 = 0xC008, R3 = 0xC00C

    Code region 0xB00C-0xB014:
      0xB00C: Ld Rx, [0x200]
      0xB010: SAS R0, R2, R3

    SR Table before SAS (Addrlow Addrhigh PClow PChigh): 200 208 B00C B014
    SR Table after SAS: 200 208 C008 C00C
      the sensitive data range 0x200-0x208 is unchanged; the authorized code region moves to 0xC008-0xC00C
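A software model of the SR Table and the SAG/SAP/SAS instructions from the two example slides, plus the "Inst H is not in the protection chain" case from the InfoShield Basics slide. This is an added example written for this transcript, not the authors' simulator: the 1-based handle returned by SAG, half-open ranges, and the rule that only an instruction inside the currently authorized region may execute SAS (so the chain cannot be re-routed from outside) are this model's assumptions; the addresses are the ones on the slides.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SR_ENTRIES 8

/* One Security-aware Register (SR) Table entry with the four columns the
 * slides label: the sensitive data range and the code (PC) range entitled
 * to touch it. Ranges are half-open [lo, hi) (assumption). */
struct sr_entry {
    int      valid;
    uint32_t addr_lo, addr_hi;
    uint32_t pc_lo,   pc_hi;
};

static struct sr_entry sr_table[SR_ENTRIES];

/* Look up an entry by the handle SAG returned (1-based; 0 = no entry). */
const struct sr_entry *sr_lookup(uint32_t g)
{
    if (g == 0 || g > SR_ENTRIES || !sr_table[g - 1].valid) return NULL;
    return &sr_table[g - 1];
}

/* SAG Rd (Set Address Guard): claim a free SR entry, return its handle in Rd.
 * The slide shows R0 = 1 afterwards; 0 meaning "table full" is an assumption. */
uint32_t sag(void)
{
    for (uint32_t i = 0; i < SR_ENTRIES; i++)
        if (!sr_table[i].valid) { sr_table[i].valid = 1; return i + 1; }
    return 0;
}

/* SAP Rg,R1,R2,R3,R4 (Set Address Protection): data in [R1,R2) may be used
 * only by instructions whose PC lies in [R3,R4). */
int sap(uint32_t g, uint32_t addr_lo, uint32_t addr_hi, uint32_t pc_lo, uint32_t pc_hi)
{
    struct sr_entry *e = (struct sr_entry *)sr_lookup(g);
    if (!e || addr_lo >= addr_hi || pc_lo >= pc_hi) return -1;
    e->addr_lo = addr_lo; e->addr_hi = addr_hi;
    e->pc_lo   = pc_lo;   e->pc_hi   = pc_hi;
    return 0;
}

/* SAS Rg,R2,R3 (Secure Address Shift): hand the authorization to the next
 * code region [R2,R3); the data range is unchanged. Requiring the SAS itself
 * to run from the currently authorized region is this model's assumption. */
int sas(uint32_t g, uint32_t pc, uint32_t new_pc_lo, uint32_t new_pc_hi)
{
    struct sr_entry *e = (struct sr_entry *)sr_lookup(g);
    if (!e || new_pc_lo >= new_pc_hi) return -1;
    if (pc < e->pc_lo || pc >= e->pc_hi) return -1;    /* caller not in the chain */
    e->pc_lo = new_pc_lo; e->pc_hi = new_pc_hi;
    return 0;
}

/* Sensitive Data Clear: invalidate the entry of a dead region. Scrubbing the
 * bytes themselves belongs to a memory model this simulation does not have. */
void sdc(uint32_t g)
{
    if (g >= 1 && g <= SR_ENTRIES) memset(&sr_table[g - 1], 0, sizeof sr_table[0]);
}

/* The runtime check done for every load/store: an address inside a protected
 * range may be accessed only from that entry's PC range. Returns 1 if
 * allowed, 0 if blocked (the hardware would raise an exception). */
int check_access(uint32_t pc, uint32_t addr)
{
    for (int i = 0; i < SR_ENTRIES; i++) {
        const struct sr_entry *e = &sr_table[i];
        if (e->valid && addr >= e->addr_lo && addr < e->addr_hi)
            return pc >= e->pc_lo && pc < e->pc_hi;
    }
    return 1;   /* not sensitive: no restriction */
}

/* Replays the two ISA example slides and the Inst H case. Returns 1 when
 * every step behaves as the slides describe. */
int run_slide_example(void)
{
    memset(sr_table, 0, sizeof sr_table);
    uint32_t r0 = sag();                                   /* SAG R0 -> R0 = 1 */
    int ok = (r0 == 1);
    ok &= sap(r0, 0x200, 0x208, 0xB00C, 0xB014) == 0;     /* SAP R0,R1,R2,R3,R4 */
    ok &= check_access(0xB00C, 0x200) == 1;                /* 0xB00C: Ld Rx,[0x200] */
    ok &= sas(r0, 0xB010, 0xC008, 0xC00C) == 0;            /* 0xB010: SAS R0,R2,R3 */
    ok &= sr_lookup(r0)->pc_lo == 0xC008 && sr_lookup(r0)->pc_hi == 0xC00C;
    ok &= check_access(0xC008, 0x204) == 1;                /* next region may use it */
    ok &= check_access(0xB00C, 0x200) == 0;                /* old region no longer may */
    ok &= check_access(0xD000, 0x200) == 0;                /* Inst H: not in the chain */
    ok &= sas(r0, 0xD000, 0xE000, 0xE010) == -1;           /* nor may it re-route the chain */
    ok &= check_access(0xD000, 0x300) == 1;                /* non-sensitive data unaffected */
    return ok;
}

int main(void)
{
    printf("slide example %s\n", run_slide_example() ? "behaves as expected" : "FAILED");
    return 0;
}
```

Note what happens after `sdc`: once the entry is cleared the range is ordinary memory again, which is why the Sensitive Data Clear slide ties it to reclaiming the region rather than merely dropping the guard.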

  • Other ISA Extensions

    Sensitive Data Copy
      Definition: copy a block of sensitive data (memory to memory DMA)
      Purpose: garbage collection

    Sensitive Data Clear
      Definition: reclaim a dead sensitive data region
      Purpose: program fault handling, garbage collection

  • Concurrent Lookup/Checking

    (Figure: the Load/Store Queue sends Addr and ROB slot to the Cache and Memory Hierarchy and, in parallel, Addr, ROB slot and PC to the SR Table; Data/Exceptions are returned to the ROB (or architectural equivalent). The SR Table lookup is not on the critical path.)

  • Application Profile

    Emulation environment
      x86 full system emulator, Bochs. Linux Server (RH6.0 distribution)

    Profiled applications
      openssh server, sftp server, apache server, wu-ftp server, imap server, ftp client, pine client, and lynx web browser

    Sensitive information
      Password
      Openssh/sftp private key
      AES encryption/decryption key

  • Bochs Hack

    Profiled applications: instrument the applications (memory tainting) to expose
      where the sensitive data are stored
      when they are created and when they are destroyed

    Bochs: for each process (identified via the process-unique CR3 value in x86), count
      number of memory reads that fetch sensitive data
      number of instructions that directly manipulate loaded sensitive data
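The two per-process counters from the Bochs Hack slide, computed over a constructed instruction trace. This is an added example, not the authors' Bochs instrumentation: the event record layout, the register-level taint rule (a load from a tainted address taints its destination register; an ALU op or store that reads a tainted register counts as directly manipulating loaded sensitive data), the fact that stores do not propagate taint back into memory, and every address and CR3 value are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NREG  8
#define NPROC 4

/* What the instrumented emulator records per executed instruction (constructed
 * format; the slide does not give the real record layout). */
enum kind { LOAD, ALU, STORE };
struct event {
    uint32_t  cr3;    /* page-directory base: identifies the process */
    uint32_t  pc;
    enum kind kind;
    uint32_t  addr;   /* memory address for LOAD/STORE, unused for ALU */
    int       dst, src;   /* register numbers; -1 when unused */
};

/* Tainted region exposed by the application instrumentation: process 0x1000
 * keeps a 16-byte password buffer at 0x8000 (constructed values). */
struct taint_range { uint32_t cr3, lo, hi; };
static const struct taint_range sensitive[] = {
    { 0x1000, 0x8000, 0x8010 },
};

struct counters { unsigned long loads, sens_loads, insts, sens_insts; };
struct proc_state {
    int used; uint32_t cr3;
    unsigned char reg_taint[NREG];   /* 1 = register holds loaded sensitive data */
    struct counters c;
};
static struct proc_state procs[NPROC];

static int is_sensitive(uint32_t cr3, uint32_t addr)
{
    for (size_t i = 0; i < sizeof sensitive / sizeof sensitive[0]; i++)
        if (sensitive[i].cr3 == cr3 && addr >= sensitive[i].lo && addr < sensitive[i].hi)
            return 1;
    return 0;
}

static struct proc_state *proc_for(uint32_t cr3)
{
    for (int i = 0; i < NPROC; i++) {
        if (procs[i].used && procs[i].cr3 == cr3) return &procs[i];
        if (!procs[i].used) { procs[i].used = 1; procs[i].cr3 = cr3; return &procs[i]; }
    }
    return NULL;   /* more processes than this toy tracks */
}

/* Replay a trace and propagate taint through registers, keeping the two
 * counters the slide asks for separately per CR3. */
void profile(const struct event *ev, size_t n)
{
    memset(procs, 0, sizeof procs);
    for (size_t i = 0; i < n; i++) {
        struct proc_state *p = proc_for(ev[i].cr3);
        if (!p) continue;
        int tainted = 0;
        p->c.insts++;
        switch (ev[i].kind) {
        case LOAD:
            p->c.loads++;
            tainted = is_sensitive(ev[i].cr3, ev[i].addr);
            if (tainted) p->c.sens_loads++;
            p->reg_taint[ev[i].dst] = (unsigned char)tainted;
            break;
        case ALU:   /* result inherits the taint of its source */
            tainted = p->reg_taint[ev[i].src];
            p->reg_taint[ev[i].dst] = (unsigned char)tainted;
            break;
        case STORE: /* writing a tainted register counts; memory is not re-tainted */
            tainted = p->reg_taint[ev[i].src];
            break;
        }
        if (tainted) p->c.sens_insts++;
    }
}

const struct counters *counters_for(uint32_t cr3)
{
    for (int i = 0; i < NPROC; i++)
        if (procs[i].used && procs[i].cr3 == cr3) return &procs[i].c;
    return NULL;
}

double pct_sensitive_loads(uint32_t cr3)
{
    const struct counters *c = counters_for(cr3);
    return (c && c->loads) ? 100.0 * (double)c->sens_loads / (double)c->loads : 0.0;
}

double pct_sensitive_insts(uint32_t cr3)
{
    const struct counters *c = counters_for(cr3);
    return (c && c->insts) ? 100.0 * (double)c->sens_insts / (double)c->insts : 0.0;
}

/* Constructed trace: one process handling the password, another process that
 * happens to touch the same virtual address (a different address space). */
static const struct event trace[] = {
    { 0x1000, 0x401000, LOAD,  0x8000,  1, -1 }, /* fetch password bytes -> r1 tainted */
    { 0x1000, 0x401004, ALU,   0,       2,  1 }, /* r2 = f(r1): manipulates the secret */
    { 0x1000, 0x401008, LOAD,  0x9000,  3, -1 }, /* ordinary load */
    { 0x1000, 0x40100C, ALU,   0,       4,  3 }, /* ordinary arithmetic */
    { 0x1000, 0x401010, STORE, 0x9004, -1,  2 }, /* stores derived secret: counted */
    { 0x1000, 0x401014, ALU,   0,       1,  4 }, /* r1 overwritten with clean data */
    { 0x1000, 0x401018, LOAD,  0x8008,  5, -1 }, /* second sensitive fetch */
    { 0x2000, 0x401000, LOAD,  0x8000,  1, -1 }, /* other process: not sensitive */
};
size_t trace_len(void) { return sizeof trace / sizeof trace[0]; }
const struct event *trace_events(void) { return trace; }

int main(void)
{
    profile(trace_events(), trace_len());
    printf("CR3 0x1000: %.2f%% sensitive loads, %.2f%% sensitive instructions\n",
           pct_sensitive_loads(0x1000), pct_sensitive_insts(0x1000));
    return 0;
}
```

Keying the taint ranges on CR3 as well as address is the point of the slide's per-process identification: the same virtual address in another process is unrelated memory and must not be counted.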

  • Dynamic Sensitive Data Loads/All Data Loads

    (Chart: Percentage of Sensitive Data Loads/All Loads per application; x axis: openssh, sftp, httpd, ftpd, imap, ftp, pine, lynx; y axis: Percentage (%), log scale from 0.00001 to 10.)

  • Dynamic Instructions Operating On Sensitive Data/All Instructions

    (Chart: Percentage of Dynamic Instructions Operating On Sensitive Data/All Instructions per application; x axis: openssh, sftp, httpd, ftpd, imap, ftp, pine, lynx; y axis: Percentage (%), log scale from 0.00001 to 1.)

  • Conclusions

    Many documented real-world information thefts steal sensitive data via violation of information usage.

    InfoShield enforces at runtime that sensitive data is accessed or used the way defined by the program semantics.

    For real-world applications, accesses to passwords or security keys are a relatively small fraction of all accesses.

  • Backup Foil

  • InfoShield: Assumptions

    The computing platform itself is physically secured.
    Integrity of software is guaranteed.
    Dynamic libraries are certified and signed with digital signatures.
    Software runs in non-debug mode.

  • Comparisons

    Scenario: a crypto function that encrypts input data using a key. The key is considered private data; the encrypted data is considered non-secret.

    Information flow safety: encrypted results carry information about the key and are considered unsafe to be disclosed.

    Computational safety: the encrypted result is computationally safe to be disclosed; it is not feasible to extract the key from the encrypted data.

    Information use safety: encrypted results are safe to be disclosed if they are based on correct execution of the function and there is no misuse of the key.

  • Information Theft Example - Trojan

    (Figure: normally the Application talks to the Socket DLL; in the attacked configuration a Trojan sits between the Application and the Socket DLL.)