Low-fat pointers: compact encoding and efficient gate-level implementation of fat pointers for spatial safety and capability-based security
Albert Kwon, Udit Dhawan, Jonathan M. Smith, Thomas F. Knight, André DeHon
pp. 721-732
TL;DR
To achieve the safety of fat pointers without increasing program state, this work compactly encodes approximate base and bound pointers along with exact address pointers for a 46b address space into one 64-bit word, with a worst-case memory overhead of 3%.

Abstract
Referencing outside the bounds of an array or buffer is a common source of bugs and security vulnerabilities in today's software. We can enforce spatial safety and eliminate these violations by inseparably associating bounds with every pointer (fat pointer) and checking these bounds on every memory access. By further adding hardware-managed tags to the pointer, we make them unforgeable. This, in turn, allows the pointers to be used as capabilities to facilitate fine-grained access control and fast security domain crossing. Dedicated checking hardware runs in parallel with the processor's normal datapath so that the checks do not slow down processor operation (0% runtime overhead). To achieve the safety of fat pointers without increasing program state, we compactly encode approximate base and bound pointers along with exact address pointers for a 46b address space into one 64-bit word with a worst-case memory overhead of 3%. We develop gate-level implementations of the logic for updating and validating these compact fat pointers and show that the hardware requirements are low and the critical paths for common operations are smaller than processor ALU operations. Specifically, we show that the fat-pointer check and update operations can run in a 4 ns clock cycle on a Virtex 6 (40nm) implementation while only using 1100 6-LUTs, or about the area of a double-precision floating-point adder.
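The abstract's central idea (an exact 46-bit address plus approximate, block-granular base and bound squeezed into a single 64-bit word, with padding bounded at about 3%) is easiest to see in code. The following is an added example, not code from the paper or its hardware design: a simplified software model in which the 64-bit word carries a block-size exponent B, the low six bits of the bound's block index (I), the low six bits of the base's block index (M) and the 46-bit address A. The field names, widths, bit positions, the "at most 63 blocks per object" rule, the requirement that the allocator align the base to a block, and the decision to turn an out-of-range pointer update into a null word are all assumptions of this model; the paper's own field layout and update rules differ in detail. The sample object (2049 bytes at 0x10000) is constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified low-fat pointer word (model layout, not the paper's exact one):
 *   bits 63..58  B  block-size exponent; a block is 2^B bytes
 *   bits 57..52  I  low 6 bits of the bound's block index
 *   bits 51..46  M  low 6 bits of the base's block index
 *   bits 45..0   A  exact 46-bit address                                   */
#define LFP_ADDR_BITS  46
#define LFP_ADDR_MASK  ((1ULL << LFP_ADDR_BITS) - 1)
#define LFP_FIELD_MASK 63ULL
#define LFP_MAX_BLOCKS 63ULL   /* an object may span at most 63 blocks */

static inline unsigned lfp_B(uint64_t p) { return (unsigned)(p >> 58); }
static inline uint64_t lfp_I(uint64_t p) { return (p >> 52) & LFP_FIELD_MASK; }
static inline uint64_t lfp_M(uint64_t p) { return (p >> 46) & LFP_FIELD_MASK; }
static inline uint64_t lfp_A(uint64_t p) { return p & LFP_ADDR_MASK; }

/* Smallest B such that `size` bytes fit in 63 blocks of 2^B bytes. */
unsigned lfp_block_exp(uint64_t size) {
    unsigned B = 0;
    while (((size + (1ULL << B) - 1) >> B) > LFP_MAX_BLOCKS) B++;
    return B;
}

/* Size the allocator must actually reserve so the bound lands on a block edge.
 * The difference to `size` is the memory overhead of the approximate bound. */
uint64_t lfp_padded_size(uint64_t size) {
    unsigned B = lfp_block_exp(size);
    return ((size + (1ULL << B) - 1) >> B) << B;
}

/* Build the word for an object [base, base+size). The base must be 2^B aligned
 * (model assumption: the allocator guarantees it), so only the bound is padded.
 * Returns 0 (the null, unusable word) on a malformed request. */
uint64_t lfp_encode(uint64_t base, uint64_t size) {
    unsigned B = lfp_block_exp(size);
    if (size == 0 || base > LFP_ADDR_MASK || (base & ((1ULL << B) - 1))) return 0;
    uint64_t lo = base >> B;
    uint64_t hi = lo + ((size + (1ULL << B) - 1) >> B);
    if ((hi << B) > LFP_ADDR_MASK + 1) return 0;
    return ((uint64_t)B << 58) | ((hi & LFP_FIELD_MASK) << 52) |
           ((lo & LFP_FIELD_MASK) << 46) | base;
}

/* Recover the bounds from the compressed fields: the base is the nearest block
 * boundary at or below A whose block index ends in M; the bound is the nearest
 * one at or above A whose index ends in I. Because the object spans fewer than
 * 64 blocks and A stays inside it, both are unambiguous. */
uint64_t lfp_base(uint64_t p) {
    uint64_t idx = lfp_A(p) >> lfp_B(p);
    return (idx - ((idx - lfp_M(p)) & LFP_FIELD_MASK)) << lfp_B(p);
}
uint64_t lfp_bound(uint64_t p) {
    uint64_t idx = lfp_A(p) >> lfp_B(p);
    return (idx + ((lfp_I(p) - idx) & LFP_FIELD_MASK)) << lfp_B(p);
}

/* Spatial-safety check: may [A, A+nbytes) be accessed through p? */
bool lfp_check(uint64_t p, uint64_t nbytes) {
    if (p == 0 || nbytes == 0) return false;
    uint64_t a = lfp_A(p), base = lfp_base(p), bound = lfp_bound(p);
    return a >= base && a < bound && nbytes <= bound - a;
}

/* Pointer arithmetic: move A by delta while keeping the bounds fields. A result
 * outside [base, bound] (one-past-the-end stays representable but is never
 * dereferenceable) yields 0 in this model rather than a forged capability. */
uint64_t lfp_add(uint64_t p, int64_t delta) {
    if (p == 0) return 0;
    uint64_t a = lfp_A(p) + (uint64_t)delta;   /* wraps on underflow -> out of range */
    if (a < lfp_base(p) || a > lfp_bound(p)) return 0;
    return (p & ~LFP_ADDR_MASK) | a;
}

int main(void) {
    /* Constructed sample: a 2049-byte object at a 64-byte aligned base. */
    uint64_t p = lfp_encode(0x10000, 2049);
    printf("B=%u base=%#llx bound=%#llx padding=%llu bytes\n", lfp_B(p),
           (unsigned long long)lfp_base(p), (unsigned long long)lfp_bound(p),
           (unsigned long long)(lfp_padded_size(2049) - 2049));
    printf("8-byte read at +2040: %d\n", lfp_check(lfp_add(p, 2040), 8));
    printf("8-byte read at +2108: %d\n", lfp_check(lfp_add(p, 2108), 8));
    printf("p - 1 representable:  %d\n", lfp_add(p, -1) != 0);
    return 0;
}
```

Two things worth noticing when running it. A 2049-byte object needs B = 6 (64-byte blocks), because at B = 5 it would span 65 blocks, so the reserved size becomes 2112 bytes: 63 bytes of padding, just over 3%, which is the worst case this model can hit and matches the abstract's figure. The security caveat follows directly: an access that lands in those padding bytes passes the check, so the approximate bound protects neighbouring objects, not the last few bytes of the padded region. The check itself is a handful of 6-bit subtractions, masks and shifts on the fields, which is the property the paper exploits to keep the hardware check off the critical path.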
Citations
Journal Article
The CHERI capability model: revisiting RISC in an age of risk
Jonathan Woodruff, Robert N. M. Watson, David Chisnall, Simon W. Moore, Jonathan Anderson, Brooks Davis, Ben Laurie, Peter G. Neumann, Robert Norton, Michael Roe
TL;DR: CHERI, a hybrid capability model that extends the 64-bit MIPS ISA with byte-granularity memory protection, is presented. It enables language memory-model enforcement and fault isolation in hardware rather than software, and the CHERI mechanisms are easily adopted by existing programs for efficient in-program memory safety.
Proceedings Article
Control Jujutsu: On the Weaknesses of Fine-Grained Control Flow Integrity
Isaac Evans, Fan Long, Ulziibayar Otgonbaatar, Howard Shrobe, Martin Rinard, Hamed Okhravi, Stelios Sidiroglou-Douskos
TL;DR: It is shown that many popular code bases such as Apache and Nginx use coding practices that create flexibility in their intended control flow graph (CFG) even when a strong static analyzer is used to construct the CFG, which allows an attacker to gain control of the execution while strictly adhering to fine-grained CFI.
Proceedings Article
CHERI: A Hybrid Capability-System Architecture for Scalable Software Compartmentalization
Robert N. M. Watson, Jonathan Woodruff, Peter G. Neumann, Simon W. Moore, Jonathan Anderson, David Chisnall, Nirav Dave, Brooks Davis, Khilan Gudka, Ben Laurie, Steven J. Murdoch, Robert Norton, Michael Roe, Stacey Son, Munraj Vadera
TL;DR: This work demonstrates multiple orders-of-magnitude improvement in scalability, simplified programmability, and resulting tangible security benefits as compared to compartmentalization based on pure Memory-Management Unit (MMU) designs.
Proceedings Article
Missing the Point(er): On the Effectiveness of Code Pointer Integrity
Isaac Evans, Sam Fingeret, Julian Gonzalez, Ulziibayar Otgonbaatar, Tiffany Y. Tang, Howard Shrobe, Stelios Sidiroglou-Douskos, Martin Rinard, Hamed Okhravi
TL;DR: It is shown that, for architectures that do not support segmentation, in which CPI relies on information hiding, CPI's safe region can be leaked and then maliciously modified by using data pointer overwrites.
Proceedings Article
SGXBOUNDS: Memory Safety for Shielded Execution
Dmitrii Kuvaiskii, Oleksii Oleksenko, Sergei Arnautov, Bohdan Trach, Pramod Bhatotia, Pascal Felber, Christof Fetzer
TL;DR: SGXBounds is an efficient memory-safety approach for shielded execution that exploits the architectural features of Intel SGX. It is built on the LLVM compiler framework, targets unmodified multithreaded applications, and has performance and memory overheads similar to AddressSanitizer and Intel MPX.
References
Proceedings Article
IBM System/38 support for capability-based addressing
TL;DR: The IBM System/38 provides capability-based addressing and support is divided among architectural definition, microcode, and hardware to minimize overhead for this function.
Journal Article
Performance effects of architectural complexity in the Intel 432
TL;DR: The results indicate that the Intel 432 could have been speeded up very significantly if a small number of implementation decisions had been made differently, and if incrementally better technology had been used in its construction.
Proceedings Article
PrORAM: dynamic prefetcher for oblivious RAM
Xiangyao Yu, Syed Kamran Haider, Ling Ren, Christopher W. Fletcher, Albert Kwon, Marten van Dijk, Srinivas Devadas
TL;DR: A dynamic ORAM prefetching technique called PrORAM (Dynamic Prefetcher for ORAM), which detects data locality in programs at runtime, and exploits the locality without leaking any information on the access pattern in ORAM.
Proceedings Article
High-performance parallel accelerator for flexible and efficient run-time monitoring
Daniel Y. Deng, G. Edward Suh
TL;DR: This paper presents an RTL prototype of Harmoni, a high-performance hardware accelerator architecture that can support a broad range of run-time monitoring and bookkeeping functions, and evaluates it with several example monitoring functions for security and programmability.
Journal Article
The Intel 432: A VLSI Architecture for Fault-Tolerant Computer Systems
TL;DR: A wide choice of multiprocessor systems featuring hardware fault tolerance is now available from a growing number of commercial suppliers; fault-tolerant software design remains a problem.