Protecting the Stack with Metadata Policies and Tagged
Hardware.
Nick Roessler
and
André DeHon
IEEE Symposium on Security and Privacy,
pp. 1072--1089, (May 21--23, 2018)
The program call stack is a major source of exploitable security
vulnerabilities in low-level, unsafe languages like C. In conventional
runtime implementations, the underlying stack data is exposed and
unprotected, allowing programming errors to turn into security
violations. In this work, we design novel metadata-tag based,
stack-protection security policies for a general-purpose tagged
architecture. Our policies specifically exploit the natural locality of
dynamic program call graphs to achieve cacheability of the metadata rules
that they require. Our simple Return Address Protection policy has a
performance overhead of 1.2% but just protects return addresses. The two
richer policies we present, Static Authorities and Depth Isola- tion,
provide object-level protection for all stack objects. When enforcing
memory safety, our Static Authorities policy has a performance overhead of
5.7% and our Depth Isolation policy has a performance overhead of
4.5%. When enforcing data-flow integrity (DFI), in which we only detect a
violation when a corrupted value is read, our Static Authorities policy has
a performance overhead of 3.6% and our Depth Isolation policy has a
performance overhead of 2.4%. To characterize our policies, we provide a
stack threat taxonomy and show which threats are prevented by both prior
work protection mechanisms and our policies.
© 2018 IEEE.
|
