research-article

No Need to Hide: Protecting Safe Regions on Commodity Hardware

Authors:

Cristiano Giuffrida,

Elias AthanasopoulosAuthors Info & Claims

EuroSys '17: Proceedings of the Twelfth European Conference on Computer Systems

Pages 437 - 452

https://doi.org/10.1145/3064176.3064217

Published: 23 April 2017 Publication History

Abstract

As modern 64-bit x86 processors no longer support the segmentation capabilities of their 32-bit predecessors, most research projects assume that strong in-process memory isolation is no longer an affordable option. Instead of strong, deterministic isolation, new defense systems therefore rely on the probabilistic pseudo-isolation provided by randomization to "hide" sensitive (or safe) regions. However, recent attacks have shown that such protection is insufficient; attackers can leak these safe regions in a variety of ways.

In this paper, we revisit isolation for x86-64 and argue that hardware features enabling efficient deterministic isolation do exist. We first present a comprehensive study on commodity hardware features that can be repurposed to isolate safe regions in the same address space (e.g., Intel MPX and MPK). We then introduce MemSentry, a framework to harden modern defense systems with commodity hardware features instead of information hiding. Our results show that some hardware features are more effective than others in hardening such defenses in each scenario and that features originally conceived for other purposes (e.g., Intel MPX for bounds checking) are surprisingly efficient at isolating safe regions compared to their software equivalent (i.e., SFI).

References

[1]

M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti. Control-flow integrity. In CCS, 2005.

Digital Library

[2]

A. M. Azab, P. Ning, J. Shah, Q. Chen, R. Bhutkar, G. Ganesh, J. Ma, and W. Shen. Hypervision across worlds: Real-time kernel protection from the ARM TrustZone secure world. In CCS, 2014.

[3]

M. Backes and S. Nürnberger. Oxymoron: Making fine-grained memory randomization practical by allowing code sharing. In USENIX SEC, 2014.

[4]

A. Baumann, M. Peinado, and G. Hunt. Shielding applications from an untrusted cloud with Haven. In OSDI, 2014.

Digital Library

[5]

A. Belay, A. Bittau, A. Mashtizadeh, D. Terei, D. Mazières, and C. Kozyrakis. Dune: Safe user-level access to privileged CPU features. In OSDI, 2012.

Digital Library

[6]

E. D. Berger and B. G. Zorn. DieHard: Probabilistic memory safety for unsafe languages. In PLDI, 2006.

Digital Library

[7]

D. Bigelow, T. Hobson, R. Rudd, W. Streilein, and H. Okhravi. Timely rerandomization for mitigating memory disclosures. In CCS, 2015.

Digital Library

[8]

E. Bosman, K. Razavi, H. Bos, and C. Giuffrida. Dedup Est Machina: Memory deduplication as an advanced exploitation vector. In S&P, 2016.

[9]

K. Braden, S. Crane, L. Davi, M. Franz, P. Larsen, C. Liebchen, and A. R. Sadeghi. Leakage-resilient layout randomization for mobile devices. In NDSS, 2016.

[10]

N. Carlini and D. Wagner. ROP is still dangerous: Breaking modern defenses. In USENIX SEC, 2014.

Digital Library

[11]

H. Chen, J. Chen, W. Mao, and F. Yan. Daonity - grid security from two levels of virtualization. Inf. Secur. Tech. Rep., 12(3), 2007.

Digital Library

[12]

S. Chen, J. Xu, E. C. Sezer, P. Gauriar, and R. K. Iyer. Non-control-data attacks are realistic threats. In USENIX SEC, 2005.

[13]

X. Chen, T. Garfinkel, E. C. Lewis, P. Subrahmanyam, C. A. Waldspurger, D. Boneh, J. Dwoskin, and D. R. Ports. Overshadow: A virtualization-based approach to retrofitting protection in commodity operating systems. In ASPLOS, 2008.

Digital Library

[14]

X. Chen, A. Slowinska, D. Andriesse, H. Bos, and C. Giuffrida. StackArmor: Comprehensive protection from stack-based memory error vulnerabilities for binaries. In NDSS, 2015.

[15]

X. Chen, H. Bos, and C. Giuffrida. CodeArmor: Virtualizing the code space to counter disclosure attacks. In EuroS&P, 2017.

[16]

V. Costan, I. Lebedev, and S. Devadas. Sanctum: Minimal hardware extensions for strong software isolation. In USENIX SEC, 2016.

[17]

C. Cowan, S. Beattie, J. Johansen, and P. Wagle. PointGuard: Protecting pointers from buffer overflow vulnerabilities. In USENIX SEC, 2003.

[18]

S. Crane, C. Liebchen, A. Homescu, L. Davi, P. Larsen, A. R. Sadeghi, S. Brunthaler, and M. Franz. Readactor: Practical code randomization resilient to memory disclosure. In S&P, 2015.

[19]

T. H. Dang, P. Maniatis, and D. Wagner. The performance cost of shadow stacks and stack canaries. In ASIACCS, 2015.

Digital Library

[20]

L. Davi, R. Dmitrienko, M. Egele, T. Fischer, T. Holz, R. Hund, S. Nürnberger, and A. R. Sadeghi. MoCFI: A framework to mitigate control-flow attacks on smartphones. In NDSS, 2012.

[21]

L. Davi, A. R. Sadeghi, D. Lehmann, and F. Monrose. Stitching the gadgets: On the ineffectiveness of coarse-grained control-flow integrity protection. In USENIX SEC, 2014.

Digital Library

[22]

L. Davi, C. Liebchen, A. R. Sadeghi, K. Z. Snow, and F. Monrose. Isomeron: Code randomization resilient to (just-in-time) return-oriented programming. In NDSS, 2015.

[23]

L. Deng, Q. Zeng, and Y. Liu. ISboxing: An instruction substitution based data sandboxing for x86 untrusted libraries. In IFIP SEC, 2015.

[24]

Z. Durumeric, J. Kasten, D. Adrian, J. A. Halderman, M. Bailey, F. Li, N. Weaver, J. Amann, J. Beekman, M. Payer, and V. Paxson. The matter of heartbleed. In IMC, 2014.

Digital Library

[25]

U. Erlingsson, M. Abadi, M. Vrable, M. Budiu, and G. C. Necula. XFI: Software guards for system address spaces. In OSDI, 2006.

Digital Library

[26]

I. Evans, S. Fingeret, J. Gonzalez, U. Otgonbaatar, T. Tang, H. Shrobe, S. Sidiroglou-Douskos, M. Rinard, and H. Okhravi. Missing the Point(er): On the Effectiveness of Code Pointer Integrity. In S&P, 2015.

[27]

A. Fog. Instruction tables: Lists of instruction latencies, throughputs and micro-operation breakdowns for Intel, AMD and VIA CPUs. Copenhagen University College of Engineering, 2016.

[28]

B. Ford and R. Cox. Vx32: Lightweight user-level sandboxing on the x86. In USENIX ATC, 2008.

Digital Library

[29]

R. Gawlik, B. Kollenda, P. Koppe, B. Garmany, and T. Holz. Enabling client-side crash-resistance to overcome diversification and information hiding. In NDSS, 2016.

[30]

C. Giuffrida, A. Kuijsten, and A. S. Tanenbaum. Enhanced operating system security through efficient and fine-grained address space randomization. In USENIX SEC, 2012.

[31]

E. Goktas, E. Athanasopoulos, H. Bos, and G. Portokalidis. Out of control: Overcoming control-flow integrity. In S&P, 2014.

[32]

E. Göktaş, R. Gawlik, B. Kollenda, E. Athanasopoulos, G. Portokalidis, C. Giuffrida, and H. Bos. Undermining entropy-based information hiding (and what to do about it). In USENIX SEC, 2016.

[33]

B. Gras, K. Razavi, E. Bosman, H. Bos, and C. Giuffrida. ASLR on the line: Practical cache attacks on the MMU. In NDSS, 2017.

[34]

L. Guan, J. Lin, B. Luo, J. Jing, and J. Wang. Protecting private keys against memory disclosure attacks using hardware transactional memory. In S&P, 2015.

Digital Library

[35]

J. Hiser, A. Nguyen-Tuong, M. Co, M. Hall, and J. W. Davidson. ILR: Where'd my gadgets go? In S&P, 2012.

[36]

R. Hund, C. Willems, and T. Holz. Practical timing side channel attacks against kernel space ASLR. In S&P, 2013.

Digital Library

[37]

Intel Corporation. Intel 64 and IA-32 Architectures Software Developer's Manual. April 2016.

[38]

Intel Corporation. Intel 64 and IA-32 Architectures Optimization Reference Manual. January 2016.

[39]

D. Kaplan, J. Powell, and T. Woller. AMD memory encryption. Technical report, AMD, April 2016. URL http://bit.ly/2gr5hQM.

[40]

V. Kuznetsov, L. Szekeres, M. Payer, G. Candea, R. Sekar, and D. Song. Code-pointer integrity. In OSDI, 2014.

Digital Library

[41]

Y. Liu, T. Zhou, K. Chen, H. Chen, and Y. Xia. Thwarting memory disclosure with efficient hypervisor-enforced intradomain isolation. In CCS, 2015.

Digital Library

[42]

K. Lu, C. Song, B. Lee, S. P. Chung, T. Kim, and W. Lee. ASLR-Guard: Stopping address space leakage for code reuse attacks. In CCS, 2015.

Digital Library

[43]

C.-K. Luk, R. Cohn, R. Muth, H. Patil, A. Klauser, G. Lowney, S. Wallace, V. J. Reddi, and K. Hazelwood. Pin: Building customized program analysis tools with dynamic instrumentation. In PLDI, 2005.

Digital Library

[44]

A. J. Mashtizadeh, A. Bittau, D. Boneh, and D. Mazières. CCFI: Cryptographically enforced control flow integrity. In CCS, 2015.

Digital Library

[45]

S. McCamant and G. Morrisett. Evaluating SFI for a CISC architecture. In USENIX SEC, 2006.

[46]

J. M. McCune, B. J. Parno, A. Perrig, M. K. Reiter, and H. Isozaki. Flicker: An execution infrastructure for TCB minimization. In EuroSys, 2008.

Digital Library

[47]

J. M. McCune, Y. Li, N. Qu, Z. Zhou, A. Datta, V. Gligor, and A. Perrig. TrustVisor: Efficient TCB reduction and attestation. In S&P, 2010.

Digital Library

[48]

V. Mohan, P. Larsen, S. Brunthaler, K. W. Hamlen, and M. Franz. Opaque control-flow integrity. In NDSS, 2015.

[49]

B. Niu and G. Tan. Monitor integrity protection with space efficiency and separate compilation. In CCS, 2013.

Digital Library

[50]

B. Niu and G. Tan. Per-input control-flow integrity. In CCS, 2015.

Digital Library

[51]

G. Novark and E. D. Berger. DieHarder: Securing the heap. In CCS, 2010.

[52]

A. Oikonomopoulos, C. Giuffrida, E. Athanasopoulos, and H. Bos. Poking holes into information hiding. In USENIX SEC, 2016.

[53]

O. Oleksenko, D. Kuvaiskii, P. Bhatotia, P. Felber, and C. Fetzer. Intel MPX explained: An empirical study of Intel MPX and software-based bounds checking approaches. arXiv, 2017.

[54]

V. Pappas, M. Polychronakis, and A. D. Keromytis. Smashing the gadgets: Hindering return-oriented programming using inplace code randomization. In S&P, 2012.

[55]

T. P. Parker and S. Xu. A method for safekeeping cryptographic keys from memory disclosure attacks. In INTRUST, 2009.

[56]

D. Sehr, R. Muth, C. Biffle, V. Khimenko, E. Pasko, K. Schimpf, B. Yee, and B. Chen. Adapting software fault isolation to contemporary CPU architectures. In USENIX SEC, 2010.

[57]

M. I. Sharif, W. Lee, W. Cui, and A. Lanzi. Secure in-VM monitoring using hardware virtualization. In CCS, 2009.

Digital Library

[58]

K. Z. Snow, F. Monrose, L. Davi, A. Dmitrienko, C. Liebchen, and A. R. Sadeghi. Just-In-Time code reuse: On the effectiveness of fine-grained address space layout randomization. In S&P, 2013.

[59]

C. Song, B. Lee, K. Lu, W. R. Harris, T. Kim, and W. Lee. Enforcing kernel security invariants with data flow integrity. In NDSS, 2016.

[60]

A. Tang, S. Sethumadhavan, and S. Stolfo. Heisenbyte: Thwarting memory disclosure attacks using destructive code reads. In CCS, 2015.

Digital Library

[61]

The Clang Team. Clang 5 documentation: SafeStack. http://clang.llvm.org/docs/SafeStack.html, 2017.

[62]

V. van der Veen, D. Andriesse, E. Göktaş, B. Gras, L. Sambuc, A. Slowinska, H. Bos, and C. Giuffrida. Practical context-sensitive CFI. In CCS, 2015.

Digital Library

[63]

V. van der Veen, E. Göktaş, M. Contag, A. Pawloski, X. Chen, S. Rawat, H. Bos, T. Holz, E. Athanasopoulos, and C. Giuffrida. A tough call: Mitigating advanced code-reuse attacks at the binary level. In S&P, 2016.

[64]

L. Vilanova, M. Ben-Yehuda, N. Navarro, Y. Etsion, and M. Valero. CODOMs: Protecting software with code-centric memory domains. In ISCA, 2014.

Digital Library

[65]

R. Wahbe, S. Lucco, T. E. Anderson, and S. L. Graham. Efficient software-based fault isolation. In SOSP, 1993.

Digital Library

[66]

R. Wartell, V. Mohan, K. W. Hamlen, and Z. Lin. Binary stirring: Self-randomizing instruction addresses of legacy x86 binary code. In CCS, 2012.

Digital Library

[67]

D. Williams-King, G. Gobieski, K. Williams-King, J. P. Blake, X. Yuan, P. Colp, M. Zheng, V. P. Kemerlis, J. Yang, and W. Aiello. Shuffler: Fast and deployable continuous code re-randomization. In OSDI, 2016.

[68]

J. Woodruff, R. N. Watson, D. Chisnall, S. W. Moore, J. Anderson, B. Davis, B. Laurie, P. G. Neumann, R. Norton, and M. Roe. The CHERI capability model: Revisiting RISC in an age of risk. In ISCA, 2014.

Digital Library

[69]

J. Yang and K. G. Shin. Using hypervisor to provide data secrecy for user applications on a per-page basis. In VEE, 2008.

Digital Library

[70]

B. Yee, D. Sehr, G. Dardyk, B. Chen, R. Muth, T. Ormandy, S. Okasaka, N. Narula, and N. Fullagar. Native client: A sandbox for portable, untrusted x86 native code. In S&P, 2009.

Digital Library

[71]

C. Zhang, T. Wei, Z. Chen, L. Duan, L. Szekeres, S. McCamant, D. Song, and W. Zou. Practical control flow integrity and randomization for binary executables. In S&P, 2013.

[72]

F. Zhang and H. Zhang. SoK: A study of using hardware-assisted isolated execution environments for security. In HASP, 2016.

Digital Library

[73]

M. Zhang and R. Sekar. Control flow integrity for COTS binaries. In USENIX SEC, 2013.

[74]

Y. Zhou, X. Wang, Y. Chen, and Z. Wang. ARMlock: Hardware-based fault isolation for ARM. In CCS, 2014.

Cited By

Narayan SGarfinkel TJohnson EYedidia ZWang YBrown AVahldiek-Oberwagner ALeMay MHuang WWang XSun MTullsen DStefan DEeckhout LSmaragdakis GLiang KSampson AKim MRossbach C(2025)Segue & ColorGuard: Optimizing SFI Performance and Scalability on Modern ArchitecturesProceedings of the 30th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 110.1145/3669940.3707249(987-1002)Online publication date: 30-Mar-2025
https://dl.acm.org/doi/10.1145/3669940.3707249
Jin HYang SCho HLee D(2025)Enhancing in-process isolation for robust defense against information disclosure attacksComputers & Security10.1016/j.cose.2025.104370(104370)Online publication date: Feb-2025
https://doi.org/10.1016/j.cose.2025.104370
Kayondo MBang IKwak YMoon HPaek YBalzarotti DXu W(2024)METASAFEProceedings of the 33rd USENIX Conference on Security Symposium10.5555/3698900.3699108(3711-3728)Online publication date: 14-Aug-2024
https://dl.acm.org/doi/10.5555/3698900.3699108
Show More Cited By

No Need to Hide: Protecting Safe Regions on Commodity Hardware
1. Security and privacy
  1. Systems security

Recommendations

Isolating commodity hosted hypervisors with HyperLock
EuroSys '12: Proceedings of the 7th ACM european conference on Computer Systems

Hosted hypervisors (e.g., KVM) are being widely deployed. One key reason is that they can effectively take advantage of the mature features and broad user bases of commodity operating systems. However, they are not immune to exploitable software bugs. ...
Performance comparison of hardware virtualization platforms
NETWORKING'11: Proceedings of the 10th international IFIP TC 6 conference on Networking - Volume Part I

Hosting virtual servers on a shared physical hardware by means of hardware virtualization is common use at data centers, web hosters, and research facilities. All platforms include isolation techniques that restrict resource consumption of the virtual ...
SICE: a hardware-level strongly isolated computing environment for x86 multi-core platforms
CCS '11: Proceedings of the 18th ACM conference on Computer and communications security

SICE is a novel framework to provide hardware-level isolation and protection for sensitive workloads running on x86 platforms in compute clouds. Unlike existing isolation techniques, SICE does not rely on any software component in the host environment (...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

EuroSys '17: Proceedings of the Twelfth European Conference on Computer Systems

April 2017

648 pages

ISBN:9781450349383

DOI:10.1145/3064176

Copyright © 2017 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Sponsors

SIGOPS: ACM Special Interest Group on Operating Systems

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 23 April 2017

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed limited

Conference

EuroSys '17

Sponsor:

SIGOPS

EuroSys '17: Twelfth EuroSys Conference 2017

April 23 - 26, 2017

Belgrade, Serbia

Acceptance Rates

Overall Acceptance Rate 241 of 1,308 submissions, 18%

Upcoming Conference

EuroSys '25

Sponsor:
sigops

Twentieth European Conference on Computer Systems

March 30 - April 3, 2025

Rotterdam , Netherlands

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

106
Total Citations
View Citations
1,269
Total Downloads

Downloads (Last 12 months)130
Downloads (Last 6 weeks)7

Reflects downloads up to 01 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

Narayan SGarfinkel TJohnson EYedidia ZWang YBrown AVahldiek-Oberwagner ALeMay MHuang WWang XSun MTullsen DStefan DEeckhout LSmaragdakis GLiang KSampson AKim MRossbach C(2025)Segue & ColorGuard: Optimizing SFI Performance and Scalability on Modern ArchitecturesProceedings of the 30th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 110.1145/3669940.3707249(987-1002)Online publication date: 30-Mar-2025
https://dl.acm.org/doi/10.1145/3669940.3707249
Jin HYang SCho HLee D(2025)Enhancing in-process isolation for robust defense against information disclosure attacksComputers & Security10.1016/j.cose.2025.104370(104370)Online publication date: Feb-2025
https://doi.org/10.1016/j.cose.2025.104370
Kayondo MBang IKwak YMoon HPaek YBalzarotti DXu W(2024)METASAFEProceedings of the 33rd USENIX Conference on Security Symposium10.5555/3698900.3699108(3711-3728)Online publication date: 14-Aug-2024
https://dl.acm.org/doi/10.5555/3698900.3699108
Chen XLi ZJain TNarayanan VBurtsev ABagchi SZhang Y(2024)Limitations and opportunities of modern hardware isolation mechanismsProceedings of the 2024 USENIX Conference on Usenix Annual Technical Conference10.5555/3691992.3692013(349-368)Online publication date: 10-Jul-2024
https://dl.acm.org/doi/10.5555/3691992.3692013
Xu SZhou QZhang ZJia XLiu DHuang HDu HSong Z(2024)ConMonitor: Lightweight Container Protection with Virtualization and VM FunctionsProceedings of the 2024 ACM Symposium on Cloud Computing10.1145/3698038.3698520(755-773)Online publication date: 20-Nov-2024
https://dl.acm.org/doi/10.1145/3698038.3698520
Lim SPrasad THan XPasquier TFournaris APalmieri P(2024)SafeBPF: Hardware-assisted Defense-in-depth for eBPF Kernel ExtensionsProceedings of the 2024 on Cloud Computing Security Workshop10.1145/3689938.3694781(80-94)Online publication date: 19-Nov-2024
https://dl.acm.org/doi/10.1145/3689938.3694781
Lim HKim JLee HLuo BLiao XXu JKirda ELie D(2024)uMMU: Securing Data Confidentiality with Unobservable Memory SubsystemProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security10.1145/3658644.3690340(2993-3007)Online publication date: 2-Dec-2024
https://dl.acm.org/doi/10.1145/3658644.3690340
Yedidia ZTsafrir DMusuvathi MGupta RAbu-Ghazaleh N(2024)Lightweight Fault Isolation: Practical, Efficient, and Secure Software SandboxingProceedings of the 29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 210.1145/3620665.3640408(649-665)Online publication date: 27-Apr-2024
https://dl.acm.org/doi/10.1145/3620665.3640408
Li YBao YChung Y(2024)Randomize the Running Function When It Is DisclosedIEEE Transactions on Computers10.1109/TC.2024.337177673:6(1516-1530)Online publication date: Jun-2024
https://doi.org/10.1109/TC.2024.3371776
Jin HYang SPark MCho HLee D(2024)Satellite: Effective and Efficient Stack Memory Protection Scheme for Unsafe Programming LanguagesICT Systems Security and Privacy Protection10.1007/978-3-031-65175-5_16(221-235)Online publication date: 26-Jul-2024
https://doi.org/10.1007/978-3-031-65175-5_16
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten