Mitigating Information Leakage Vulnerabilities with Type-based Data Isolation
Author: | Alyssa Milburn, Erik Van Der Kouwe, Cristiano Giuffrida |
---|---|
Contributors: | Computer Systems, Network Institute, Systems and Network Security |
Language: | English |
Year of publication: | 2022 |
Source: | Milburn, A, Van Der Kouwe, E & Giuffrida, C 2022, Mitigating Information Leakage Vulnerabilities with Type-based Data Isolation. In 2022 IEEE Symposium on Security and Privacy (SP): [Proceedings]. Proceedings-IEEE Symposium on Security and Privacy, vol. 2022, no. May, Institute of Electrical and Electronics Engineers Inc., pp. 1049-1065, 43rd IEEE Symposium on Security and Privacy, SP 2022, San Francisco, United States, 23/05/22. https://doi.org/10.1109/SP46214.2022.9833675 |
DOI: | 10.1109/SP46214.2022.9833675 |
Description: | Information leakage vulnerabilities (or simply info leaks) such as out-of-bounds/uninitialized reads in the architectural or speculative domain pose a significant security threat, allowing attackers to leak sensitive data such as crypto keys. At the same time, such vulnerabilities are hard to efficiently mitigate, as every (even speculative) memory load operation needs to be potentially instrumented against unauthorized reads. Existing confidentiality-preserving solutions based on data isolation label memory objects with different (e.g., sensitive vs. non-sensitive) colors, color load operations accordingly using static points-to analysis, and instrument them to enforce color-matching invariants at run time. Unfortunately, the reliance on conservative points-to analysis introduces overapproximations that are detrimental to security (or further degrade performance). In this paper, we propose Type-based Data Isolation (TDI), a new practical design point in the data isolation space to mitigate info leaks. TDI isolates memory objects of different colors in separate memory arenas and uses efficient compiler instrumentation to constrain loads to the arena of the intended color by construction. TDI's arena-based design moves the instrumentation from loads to pointer arithmetic operations, enabling new aggressive speculation-aware performance optimizations and eliminating the need for points-to analysis. Moreover, TDI's color management is flexible. TDI can support a few-color scheme with sensitive data annotations similar to prior work (e.g., 2 colors) or a many-color scheme based on basic type analysis (i.e., one color per object type). The latter approach provides fine-grained data isolation, eliminates the need for annotations, and enforces strong color-matching invariants equivalent to ideal (context-sensitive) type-based points-to analysis. Our results show that TDI can efficiently support such strong security invariants, at average performance overheads of |
Database: | OpenAIRE |
External link: | |