conf-hpca-2006
Transcript of conf-hpca-2006
-
8/6/2019 conf-hpca-2006
1/28
InfoShield: A Security Architecture for Protecting Information Usage in Memory
Weidong Shi, Georgia Tech
Josh Fryman, Georgia Tech (now at Intel Corporation)
Guofei Gu, Georgia Tech
Hsien-Hsin Lee, Georgia Tech
Youtao Zhang, University of Pittsburgh
Jun Yang, University of California, Riverside
-
Overview
Information Theft
Information Protection Mechanisms
InfoShield Architecture
Characterization of Network Applications
Conclusion
-
Information Theft Example - Overflow
[Figure: process memory with a Code segment, a Data segment and Kernel Space. In the data segment an Array Buffer sits directly in front of a Secret Key that the Crypto Functions use. A request handler ReadBuffer(offset, size, buf) copies the range offset..offset+size out of the array buffer. During normal operation the range stays inside the buffer; when an attack is launched, offset+size extends past the buffer and the copy returns bytes of the secret key.]
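The overflow on this slide, as an added C example (not code from the paper or its authors). The memory layout is constructed to match the figure: a 16-byte request buffer immediately followed by a 16-byte key; the key bytes, buffer sizes and the function names read_buffer_vuln / read_buffer_safe are assumptions for the example. The vulnerable handler trusts (offset, size) from the request; the hardened one rejects any range that is not entirely inside the buffer, using a subtraction so that offset + size cannot wrap.

```c
#include <stdio.h>
#include <string.h>

/* Constructed memory layout matching the slide's figure: the request
   buffer that the attacker addresses by (offset, size) sits directly in
   front of the secret key used by the crypto functions. Layout and key
   bytes are assumptions for this example, not data from the paper. */
#define BUF_LEN 16
#define KEY_LEN 16
static unsigned char g_mem[BUF_LEN + KEY_LEN];

static void setup_memory(void) {
    memset(g_mem, 'A', BUF_LEN);                        /* array buffer: attacker data */
    for (int i = 0; i < KEY_LEN; i++)
        g_mem[BUF_LEN + i] = (unsigned char)(0xA0 + i); /* secret key bytes */
}

/* Vulnerable ReadBuffer(offset, size, buf): offset and size come straight
   from the request, so offset + size > BUF_LEN walks into the key. */
static size_t read_buffer_vuln(size_t offset, size_t size, unsigned char *out) {
    memcpy(out, g_mem + offset, size);
    return size;
}

/* Hardened ReadBuffer: the requested range must lie entirely inside the
   array buffer. The subtraction form cannot overflow, unlike offset + size. */
static int read_buffer_safe(size_t offset, size_t size, unsigned char *out, size_t *copied) {
    *copied = 0;
    if (offset > BUF_LEN || size > BUF_LEN - offset)
        return -1;                                      /* reject; never clamp silently */
    memcpy(out, g_mem + offset, size);
    *copied = size;
    return 0;
}

/* Issue one request against either handler and report how many bytes of
   the secret key ended up in the response buffer. */
size_t key_bytes_leaked(size_t offset, size_t size, int hardened) {
    unsigned char out[BUF_LEN + KEY_LEN];
    size_t n = 0, leaked = 0;
    setup_memory();
    if (hardened) {
        if (read_buffer_safe(offset, size, out, &n) != 0) return 0;
    } else {
        if (offset + size > sizeof g_mem) return 0;    /* keep the demo inside emulated memory */
        n = read_buffer_vuln(offset, size, out);
    }
    for (size_t i = 0; i < n; i++)
        if (offset + i >= BUF_LEN && out[i] == g_mem[offset + i]) leaked++;
    return leaked;
}

int main(void) {
    printf("normal request (0,16): vulnerable handler leaks %zu key bytes\n", key_bytes_leaked(0, 16, 0));
    printf("attack request (8,24): vulnerable handler leaks %zu key bytes\n", key_bytes_leaked(8, 24, 0));
    printf("attack request (8,24): hardened handler leaks %zu key bytes\n", key_bytes_leaked(8, 24, 1));
    return 0;
}
```

The hardened check is the "ad-hoc" bounds check the next slides contrast InfoShield with: it protects the key only because the programmer remembered it at this one call site, which is why the talk argues for a check tied to the data rather than to the code path.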
-
Information Theft
Invalid input: induce victim applications to disclose secrets (in)voluntarily
  integer, pointer, array index overflow
Information theft trojan: intercept, snoop security keys, passwords
Memory scan: keyword, fixed offset
Buffer overflow: similar to invalid input, but through format string attacks
-
Against Information Theft - Prior Art
Ad-hoc solutions
  Approaches: boundary checking, model checking, stack guard, etc.
  Issues: indirect solution, passive solution
Access control [Hydra, 75]
  Approaches: process space isolation, user/kernel isolation, etc.
  Issues: high level, coverage too broad, imprecise, insecure
-
Information Flow Analysis - Prior Art
Information flow (IF) analysis
  Classic IF model [Denning & Denning, 77]
  Runtime IF analysis/tracking [RIFLE, 04]
Restrict flow of information: information with a high security level cannot be disclosed to an output channel with a low security level
Issues: over-protection, too restrictive; every piece of derived information carries private information.
-
InfoShield: Protecting Information Usage
Our idea
Runtime check of the usage of sensitive information (passwords, cryptographic keys, ...)
Restrict information usage
  Who can access: sensitive data must be accessed and operated on only by functions that are entitled to use it.
  How it can be accessed: sensitive data is guaranteed to be used in the way defined by the application semantics.
Requires an ISA extension and architectural support
-
InfoShield Basics
Form an authorization chain for protecting usage
[Figure: a secret in memory and the chain of instructions inst1..inst4 that are allowed to use it. An instruction first defines the secret's usage; inst X loads it (ld r5, (secret)); a further instruction defines the next usage; inst S loads it (ld r4, (secret)); inst X stores it back (st r5, (secret)). The shield sits between the chain and memory and guards every usage of the secret.]
-
InfoShield Basics
[Figure: the same authorization chain as on the previous slide. Mallory injects her own instruction, Inst H: ld r4, (secret). Inst H is not in the protection chain, so the shield denies its access to the secret.]
-
InfoShield: Information Usage Safety
Concept of information usage safety: given that the application is properly designed, guarantee that information is used in the way it is meant to be used.
Ensure that private data is not misused or illegally accessed.
Protect the integrity of the dynamic usage of user private data based on the program semantics. In other words: authenticate the usage of information.
-
InfoShield: Safeguard Sensitive Data
Reads and writes of sensitive data are dynamically checked throughout program execution to guarantee that the data is used
  in the order defined by the application
  only by the instructions that are supposed to use it
Architectural model
  ISA extension: sensitive data declaration, runtime usage control
  Architectural support: security-aware register table and runtime checking
-
InfoShield: Architectural Support
Security-aware Register (SR) Table
  where sensitive data are stored
  who can access the sensitive data
  after a code region completes, modify the SR Table
ISA support
  SR Table management instructions
  sensitive data clear, copy
-
InfoShield Illustration
[Figure: an SR Table entry with columns Addrlow, Addrhigh, PClow, PChigh; Addrlow/Addrhigh point at the sensitive data and PClow/PChigh at the code region currently allowed to touch it. Code Region 1 defines the sensitive data and defines the next region; Code Region 2 accesses the sensitive data and defines the next region; Code Region 3 accesses the sensitive data.]
-
InfoShield Illustration
[Figure: same SR Table (Addrlow, Addrhigh, PClow, PChigh) and Code Regions 1 to 3. Region 1 defines the next region; Region 2 accesses the sensitive data and then executes a test branch. On the true path it defines Region 3 as the next region, and Region 3 accesses the sensitive data.]
-
InfoShield Illustration
[Figure: same SR Table and Code Regions 1 and 2, now with Code Region 4. Region 2 accesses the sensitive data and executes the test branch; on the false path it defines Region 4 as the next region instead, and Region 4 accesses the sensitive data. Which region is authorized next is decided at runtime by the program itself.]
-
ISA Extension Example
Registers before the sequence: R1 = 0x200, R2 = 0x208, R3 = 0xB00C, R4 = 0xB014
  SAG R0                  -> R0 = 1 (the SR Table slot guarding the sensitive data)
  SAP R0, R1, R2, R3, R4  -> fills slot 1 from R1..R4
SR Table slot 1 after SAP:
  Addrlow 0x200, Addrhigh 0x208, PClow 0xB00C, PChigh 0xB014
The sensitive data at 0x200..0x208 may now be touched only by the code at 0xB00C..0xB014.
SAG: Set Address Guard
SAP: Set Address Protection
-
ISA Extension Example
Registers: R2 = 0xC008, R3 = 0xC00C
Code in the current region 0xB00C..0xB014:
  Ld Rx, [0x200]          (allowed: the PC is inside the region bound to 0x200..0x208)
  SAS R0, R2, R3          (at PC 0xB010: hand the data to the next region 0xC008..0xC00C)
SR Table slot before SAS: Addrlow 0x200, Addrhigh 0x208, PClow 0xB00C, PChigh 0xB014
SR Table slot after SAS:  Addrlow 0x200, Addrhigh 0x208, PClow 0xC008, PChigh 0xC00C
SAS: Secure Address Shift
-
Other ISA Extensions
Sensitive Data Copy
  Definition: copy a block of sensitive data (memory-to-memory DMA)
  Purpose: garbage collection
Sensitive Data Clear
  Definition: reclaim a dead sensitive data region
  Purpose: program fault handling, garbage collection
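The SR Table and the SAG / SAP / SAS / clear instructions from the preceding slides, as an added software simulation written for this page (not the authors' hardware model or simulator). The half-open ranges [lo, hi), the 8-entry table, the slot index returned by SAG, the overlap rule for multi-byte accesses, and the rule that SAS may only be issued by an instruction inside the current region are assumptions chosen to make the slides' example concrete; the scenario function replays slides 16 and 17 with Mallory's attempts added.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SR_ENTRIES 8   /* table size is an assumption */

/* One row of the Security-aware Register (SR) table: the sensitive data
   range and the single code region currently entitled to touch it. */
typedef struct {
    bool     valid;
    uint32_t addr_lo, addr_hi;   /* [addr_lo, addr_hi) */
    uint32_t pc_lo, pc_hi;       /* [pc_lo, pc_hi) */
} sr_entry_t;

typedef struct {
    sr_entry_t e[SR_ENTRIES];
    unsigned   violations;       /* usage-safety exceptions raised so far */
} sr_table_t;

static bool in_range(uint32_t x, uint32_t lo, uint32_t hi) { return x >= lo && x < hi; }

/* SAG (Set Address Guard): reserve a slot and return its index, -1 if full. */
int sr_sag(sr_table_t *t) {
    for (int i = 0; i < SR_ENTRIES; i++)
        if (!t->e[i].valid) { t->e[i].valid = true; return i; }
    return -1;
}

/* SAP (Set Address Protection): bind a data range to its first authorized region. */
bool sr_sap(sr_table_t *t, int idx, uint32_t alo, uint32_t ahi, uint32_t plo, uint32_t phi) {
    if (idx < 0 || idx >= SR_ENTRIES || !t->e[idx].valid || alo >= ahi || plo >= phi) return false;
    t->e[idx].addr_lo = alo; t->e[idx].addr_hi = ahi;
    t->e[idx].pc_lo = plo;   t->e[idx].pc_hi = phi;
    return true;
}

/* SAS (Secure Address Shift): hand the range to the next region. Only an
   instruction inside the current region may do this; that link is what makes
   the regions an authorization chain that an outsider cannot re-target. */
bool sr_sas(sr_table_t *t, int idx, uint32_t pc, uint32_t plo, uint32_t phi) {
    if (idx < 0 || idx >= SR_ENTRIES || !t->e[idx].valid || plo >= phi) return false;
    if (!in_range(pc, t->e[idx].pc_lo, t->e[idx].pc_hi)) { t->violations++; return false; }
    t->e[idx].pc_lo = plo; t->e[idx].pc_hi = phi;
    return true;
}

/* Sensitive Data Clear: reclaim the slot (exit, fault handling, GC). */
void sr_clear(sr_table_t *t, int idx) {
    if (idx >= 0 && idx < SR_ENTRIES) t->e[idx].valid = false;
}

/* The check made for every load/store, in parallel with the cache lookup:
   an access to [addr, addr+len) that overlaps a guarded range is allowed only
   if the instruction's PC lies inside that range's current region. Accesses
   that touch no guarded range are not checked at all. */
bool sr_check_access(sr_table_t *t, uint32_t pc, uint32_t addr, uint32_t len) {
    for (int i = 0; i < SR_ENTRIES; i++) {
        const sr_entry_t *e = &t->e[i];
        if (!e->valid) continue;
        bool overlaps = addr < e->addr_hi && addr + len > e->addr_lo;
        if (overlaps && !in_range(pc, e->pc_lo, e->pc_hi)) { t->violations++; return false; }
    }
    return true;
}

/* Replays slides 16-17 and adds Mallory's attempts; returns the exception count. */
unsigned scenario_slides_16_17(void) {
    sr_table_t t = {0};
    int h = sr_sag(&t);                              /* SAG R0: R0 = slot handle           */
    sr_sap(&t, h, 0x200, 0x208, 0xB00C, 0xB014);     /* SAP R0,R1,R2,R3,R4                  */
    sr_check_access(&t, 0xB010, 0x200, 8);           /* ld from region 1: ok                */
    sr_check_access(&t, 0xD000, 0x200, 8);           /* Mallory's ld: exception (1)         */
    sr_sas(&t, h, 0xD000, 0xC008, 0xC00C);           /* Mallory re-targets: exception (2)   */
    sr_sas(&t, h, 0xB010, 0xC008, 0xC00C);           /* SAS from region 1 at 0xB010: ok     */
    sr_check_access(&t, 0xC008, 0x200, 8);           /* ld from region 2: ok                */
    sr_check_access(&t, 0xB010, 0x200, 8);           /* region 1 is stale: exception (3)    */
    sr_check_access(&t, 0xD000, 0x300, 8);           /* non-sensitive address: unchecked    */
    sr_clear(&t, h);
    return t.violations;
}

int main(void) {
    printf("exceptions raised: %u\n", scenario_slides_16_17());
    return 0;
}
```

The third exception is the ordering property from slide 11: once the region has been shifted, the previous region is no longer entitled to the data even though it was legitimately entitled a moment earlier, which is what distinguishes this from a plain access-control list.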
-
Concurrent Lookup/Checking
[Figure: the Load/Store Queue sends (Addr, ROB slot) to the cache and memory hierarchy and, in parallel, (Addr, ROB slot, PC) to the SR Table; data and exceptions flow back to the ROB (or architectural equivalent). The SR Table lookup is not on the critical path.]
-
Application Profile
Emulation environment: x86 full system emulator, Bochs; Linux server (RH6.0 distribution)
Profiled applications: openssh server, sftp server, apache server, wu-ftp server, imap server, ftp client, pine client, and lynx web browser
Sensitive information
  Password
  OpenSSH/sftp private key
  AES encryption/decryption key
-
Bochs Hack
Profiled applications: instrument applications (memory tainting) to expose
  where the sensitive data are stored
  when they are created and when they are destroyed
Bochs: for each process (identified via the process-unique CR3 value on x86), count
  the number of memory reads that fetch sensitive data
  the number of instructions that directly manipulate loaded sensitive data
-
Dynamic Sensitive Data Loads / All Data Loads
[Figure: bar chart, "Percentage of Sensitive Data Loads / All Loads", logarithmic y-axis from 0.00001% to 10%, one bar each for openssh, sftp, httpd, ftpd, imapd, ftp, pine and lynx.]
-
Dynamic Instructions Operating On Sensitive Data / All Instructions
[Figure: bar chart, "Percentage of Dynamic Instructions Operating On Sensitive Data / All Instructions", logarithmic y-axis from 0.00001% to 1%, one bar each for openssh, sftp, httpd, ftpd, imapd, ftp, pine and lynx.]
-
Conclusions
Many documented real-world information thefts steal sensitive data via a violation of information usage.
InfoShield enforces at runtime that sensitive data is accessed and used only in the way defined by the program semantics.
For real-world applications, accesses to passwords or security keys are a relatively small fraction of all loads and instructions, so the runtime check touches little of the execution.
-
Backup Foil
-
InfoShield: Assumptions
The computing platform itself is physically secured.
The integrity of the software is guaranteed.
Dynamic libraries are certified and signed with digital signatures.
The software is running in non-debug mode.
-
Comparisons
Setting: a crypto function that encrypts input data using a key. The key is considered private data; the encrypted data is considered non-secret.
Information flow safety: encrypted results carry information about the key and are considered unsafe to be disclosed.
Computational safety: the encrypted result is computationally safe to be disclosed; it is not feasible to extract the key from the encrypted data.
Information use safety: encrypted results are safe to be disclosed if they are based on correct execution of the function and there was no misuse of the key.
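The contrast between information flow safety (slide 6 and this foil) and information use safety, run on a toy machine as an added example that is not from the paper. Flow tracking is implemented as LOW/HIGH label propagation with a check at the output channel; use safety as a check that only instructions inside the authorized crypto region may load the key. The XOR is a placeholder for the real cipher (it is of course not computationally safe on its own), and the addresses, region bounds, key byte and Mallory's injected instructions are all constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy machine for the comparison. Labels, addresses, the crypto region and
   the key byte are constructed for this example. */
enum label  { LOW = 0, HIGH = 1 };       /* information-flow security levels */
enum policy { POLICY_IF, POLICY_USE };   /* flow tracking vs. usage checking */
enum opcode { OP_LD, OP_XOR, OP_SEND };

#define KEY_ADDR 0x200
#define PT_ADDR  0x300
#define ENC_LO   0x100   /* crypto region [ENC_LO, ENC_HI) entitled to the key */
#define ENC_HI   0x110
#define KEY_BYTE 0x5A

typedef struct { uint8_t val; enum label lab; } reg_t;
typedef struct { uint32_t pc; enum opcode op; int dst, a, b; } insn_t;
typedef struct {
    int  blocked;           /* operations the policy refused */
    bool ciphertext_sent;   /* the legitimate send of the encrypted byte went through */
    bool key_exfiltrated;   /* the raw key byte reached the low channel */
} result_t;

/* Memory returns the data together with its flow label. */
static uint8_t mem_read(uint32_t addr, enum label *lab) {
    if (addr == KEY_ADDR) { *lab = HIGH; return KEY_BYTE; }
    *lab = LOW;
    return 0x41;            /* plaintext 'A' */
}

result_t run_program(enum policy pol) {
    /* Constructed instruction stream: the application's encrypt routine at
       0x100..0x10C, then two instructions Mallory injected at 0x200. */
    static const insn_t prog[] = {
        {0x100, OP_LD,   0, KEY_ADDR, 0},
        {0x104, OP_LD,   1, PT_ADDR,  0},
        {0x108, OP_XOR,  2, 0, 1},         /* stand-in cipher: ct = pt ^ key */
        {0x10C, OP_SEND, 0, 2, 0},         /* write ct to the socket (low channel) */
        {0x200, OP_LD,   3, KEY_ADDR, 0},  /* Mallory: read the key directly */
        {0x204, OP_SEND, 0, 3, 0},         /* Mallory: push it out the socket */
    };
    reg_t r[4] = {{0, LOW}, {0, LOW}, {0, LOW}, {0, LOW}};
    result_t res = {0, false, false};

    for (size_t i = 0; i < sizeof prog / sizeof prog[0]; i++) {
        const insn_t *in = &prog[i];
        switch (in->op) {
        case OP_LD: {
            bool in_region = in->pc >= ENC_LO && in->pc < ENC_HI;
            /* Usage checking: the key may only be loaded from inside the crypto region. */
            if (pol == POLICY_USE && in->a == KEY_ADDR && !in_region) { res.blocked++; break; }
            r[in->dst].val = mem_read((uint32_t)in->a, &r[in->dst].lab);
            break;
        }
        case OP_XOR:
            r[in->dst].val = r[in->a].val ^ r[in->b].val;
            /* Flow tracking: any result derived from HIGH data is HIGH. */
            r[in->dst].lab = (r[in->a].lab == HIGH || r[in->b].lab == HIGH) ? HIGH : LOW;
            break;
        case OP_SEND:
            /* Flow tracking: HIGH data may not leave on the LOW channel, even ciphertext. */
            if (pol == POLICY_IF && r[in->a].lab == HIGH) { res.blocked++; break; }
            if (in->pc == 0x10C) res.ciphertext_sent = true;
            if (r[in->a].val == KEY_BYTE) res.key_exfiltrated = true;
            break;
        }
    }
    return res;
}

int main(void) {
    result_t f = run_program(POLICY_IF), u = run_program(POLICY_USE);
    printf("flow tracking : blocked=%d ciphertext_sent=%d key_exfiltrated=%d\n",
           f.blocked, f.ciphertext_sent, f.key_exfiltrated);
    printf("usage checking: blocked=%d ciphertext_sent=%d key_exfiltrated=%d\n",
           u.blocked, u.ciphertext_sent, u.key_exfiltrated);
    return 0;
}
```

Both policies keep the raw key off the socket, but flow tracking also refuses the application's own ciphertext because it inherited the key's label (the over-protection on slide 6), while usage checking lets the ciphertext through and stops Mallory at the load, before the key ever reaches a register.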
-
Information Theft Example - Trojan
[Figure: the Application calls the Socket DLL. A Trojan interposes itself between the Application and the real Socket DLL, so every call passes through it and it can intercept the data, such as passwords and keys, on the way.]