메모리 보호를 위한 보안 정책을 시행하기 위한 코드 변환 기술

학위논문(박사)--서울대학교 대학원 :공과대학 전기·컴퓨터공학부,2020. 2. 백윤흥.Computer memory is a critical component in computer systems that needs to be protected to ensure the security of computer systems. It contains security sensitive data that should not be disclosed to adversaries. Also, it contains the important data for operating the system that should not be manipulated by the attackers. Thus, many security solutions focus on protecting memory so that sensitive data cannot be leaked out of the computer system or on preventing illegal access to computer data. In this thesis, I will present various code transformation techniques for enforcing security policies for memory protection. First, I will present a code transformation technique to track implicit data flows so that security sensitive data cannot leak through implicit data flow channels (i.e., conditional branches). Then I will present a compiler technique to instrument C/C++ program to mitigate use-after-free errors, which is a type of vulnerability that allow illegal access to stale memory location. Finally, I will present a code transformation technique for low-end embedded devices to enable execute-only memory, which is a strong security policy to protect secrets and harden the computing device against code reuse attacks.컴퓨터 메모리는 컴퓨터 시스템의 보안을 위해 보호되어야 하는 중요한 컴포넌트이다. 컴퓨터 메모리는 보안상 중요한 데이터를 담고 있을 뿐만 아니라, 시스템의 올바른 동작을 위해 공격자에 의해 조작되어서는 안되는 중요한 데이터 값들을 저장한다. 따라서 많은 보안 솔루션은 메모리를 보호하여 컴퓨터 시스템에서 중요한 데이터가 유출되거나 컴퓨터 데이터에 대한 불법적인 접근을 방지하는 데 중점을 둔다. 본 논문에서는 메모리 보호를 위한 보안 정책을 시행하기 위한 다양한 코드 변환 기술을 제시한다. 먼저, 프로그램에서 분기문을 통해 보안에 민감한 데이터가 유출되지 않도록 암시적 데이터 흐름을 추적하는 코드 변환 기술을 제시한다. 그 다음으로 C / C ++ 프로그램을 변환하여 use-after-free 오류를 완화하는 컴파일러 기술을 제시한다. 마지막으로, 중요 데이터를 보호하고 코드 재사용 공격으로부터 디바이스를 강화할 수 있는 강력한 보안 정책인 실행 전용 메모리(execute-only memory)를 저사양 임베디드 디바이스에 구현하기 위한 코드 변환 기술을 제시한다.1 Introduction 1 2 Background 4 3 A Hardware-based Technique for Efficient Implicit Information Flow Tracking 8 3.1 Introduction 8 3.2 Related Work 10 3.3 Our Approach for Implicit Flow Tracking 12 3.3.1 Implicit Flow Tracking Scheme with Program Counter Tag 12 3.3.2 tP C Management Technique 15 3.3.3 Compensation for the Untaken Path 20 3.4 Architecture Design of IFTU 22 3.4.1 Overall System 22 3.4.2 Tag Computing Core 24 3.5 Performance and Area Analysis 26 3.6 Security Analysis 28 3.7 Summary 30 4 CRCount: Pointer Invalidation with Reference Counting to Mitigate Useafter-free in Legacy C/C++ 31 4.1 Introduction 31 4.2 Related Work 36 4.3 Threat Model 40 4.4 Implicit Pointer Invalidation 40 4.4.1 Invalidation with Reference Counting 40 4.4.2 Reference Counting in C/C++ 42 4.5 Design 44 4.5.1 Overview 45 4.5.2 Pointer Footprinting 46 4.5.3 Delayed Object Free 50 4.6 Implementation 53 4.7 Evaluation 56 4.7.1 Statistics 56 4.7.2 Performance Overhead 58 4.7.3 Memory Overhead 62 4.8 Security Analysis 67 4.8.1 Attack Prevention 68 4.8.2 Security considerations 69 4.9 Limitations 69 4.10 Summary 71 5 uXOM: Efficient eXecute-Only Memory on ARM Cortex-M 73 5.1 Introduction 73 5.2 Background 78 5.2.1 ARMv7-M Address Map and the Private Peripheral Bus (PPB) 78 5.2.2 Memory Protection Unit (MPU) 79 5.2.3 Unprivileged Loads/Stores 80 5.2.4 Exception Entry and Return 80 5.3 Threat Model and Assumptions 81 5.4 Approach and Challenges 82 5.5 uXOM 85 5.5.1 Basic Design 85 5.5.2 Solving the Challenges 89 5.5.3 Optimizations 98 5.5.4 Security Analysis 99 5.6 Evaluation 100 5.6.1 Runtime Overhead 103 5.6.2 Code Size Overhead 106 5.6.3 Energy Overhead 107 5.6.4 Security and Usability 107 5.6.5 Use Cases 108 5.7 Discussion 110 5.8 Related Work 111 5.9 Summary 113 6 Conclusion and Future Work 114 6.1 Future Work 115 Abstract (In Korean) 132 Acknowlegement 133Docto

Virtual Machine-Assisted Collaborative Junk Object Detection

Memory leak is unrecoverable software bug that causes performance degradation and re- liability issues to software applications. Although memory management systems exist in modern Object Oriented Language to reclaim unused memory store, memory leak can still happen, and continue to exhaust memory resource. In Java, where there is garbage col- lection for releasing unused objects, memory leaks manifest itself in the form of unused object retention. Since Java Programming language allocates objects on heap, the lifetime of an object deviates from the stack discipline, which can be a challenge in detecting Java memory leak. In this thesis, we propose a collaborative approach in detecting Java memory leaks through verifying Object Lifetime Specification at runtime. We designed a runtime verifier that leverages Java Virtual Machine technologies to monitor and extract annotated infor- mation from the user application, and use that information to verify against Java Virtual Machine events to detect unintentional object retention in the Java application under test. We implemented our runtime verifier with Maxine Virtual Machine, an open source, meta-circular virtual machine developed by Oracle Lab, and conducted experiments and DaCapo benchmark to evaluate its accuracy and performance efficiency. The results show that the runtime verification tool successfully identifies junk objects for different semantic cases proposed in this thesis with certain runtime overhead. Through the research and experimental results, we further make implications on how to improve the performance overhead associated with current design and implementation methods in detecting unused object retention, which in the long term constitute memory leak and performance bug

Software Techniques for Energy Efficient Memories

Ph.DDOCTOR OF PHILOSOPH

Collected software engineering papers, volume 8

A collection of selected technical papers produced by participants in the Software Engineering Laboratory (SEL) during the period November 1989 through October 1990 is presented. The purpose of the document is to make available, in one reference, some results of SEL research that originally appeared in a number of different forums. Although these papers cover several topics related to software engineering, they do not encompass the entire scope of SEL activities and interests. Additional information about the SEL and its research efforts may be obtained from the sources listed in the bibliography. The seven presented papers are grouped into four major categories: (1) experimental research and evaluation of software measurement; (2) studies on models for software reuse; (3) a software tool evaluation; and (4) Ada technology and studies in the areas of reuse and specification

Techniques for Constructing Efficient Lock-free Data Structures

Building a library of concurrent data structures is an essential way to simplify the difficult task of developing concurrent software. Lock-free data structures, in which processes can help one another to complete operations, offer the following progress guarantee: If processes take infinitely many steps, then infinitely many operations are performed. Handcrafted lock-free data structures can be very efficient, but are notoriously difficult to implement. We introduce numerous tools that support the development of efficient lock-free data structures, and especially trees.Comment: PhD thesis, Univ Toronto (2017

Practical Control-Flow Integrity

Control-Flow Integrity (CFI) is effective at defending against prevalent control-flow hijacking attacks. CFI extracts a control-flow graph (CFG) for a given program and instruments the program to respect the CFG. Specifically, checks are inserted before indirect branch instructions. Before these instructions are executed during runtime, the checks consult the CFG to ensure that the indirect branch is allowed to reach the intended target. Hence, any sort of control-flow hijacking would be prevented.However, CFI traditionally suffered from several problems that thwarted its practicality. The first problem is about precise CFG generation. CFI’s security squarely relies on the CFG, therefore the more precise the CFG is, the more security CFI improves, but precise CFG generation was considered hard. The second problem is modularity, or support for dynamic linking. When two CFI modules are linked together dynamically, their CFGs also need to be merged. However, the merge process has to be thread-safe to avoid concurrency issues. The third problem is efficiency. CFI instrumentation adds extra instructions to programs, so it is critical to minimize the performance impact of the CFI checks. Fourth, interoperability is required for CFI solutions to enable gradual adoption in practice, which means that CFI-instrumented modules can be linked with uninstrumented modules without breaking the program.In this dissertation, we propose several practical solutions to the above problems. To generate a precise CFG, we compile the program being protected using a modified compilation toolchain, which can propagate source-level information such as type information to the binary level. At runtime, such information is gathered to generate a relatively precise CFG. On top of this CFG, we further instrument the code so that only if a function’s address is dynamically taken can it be reachable. This approach results in lazily computed per-input CFGs, which provide better precision. To address modularity, we design a lightweight Software Transactional Memory (STM) algorithm to synchronize accesses to the CFG’s data structure at runtime. To minimize the performance overhead, we optimize the CFG representation and access operations so that no heavy buslockinginstructions are needed. For interoperability, we consider addresses in uninstrumented modules as special targets and make the CFI instrumentation aware of them. Finally, we propose a new architecture for Just-In-Time compilers to adopt our proposed CFI schemes

Efficient Precise Dynamic Data Race Detection For Cpu And Gpu

Data races are notorious bugs. They introduce non-determinism in programs behavior, complicate programs semantics, making it challenging to debug parallel programs. To make parallel programming easier, efficient data race detection has been a research topic in the last decades. However, existing data race detectors either sacrifice precision or incur high overhead, limiting their application to real-world applications and scenarios. This dissertation proposes approaches to improve the performance of dynamic data race detection without undermining precision, by identifying and removing metadata redundancy dynamically. This dissertation also explores ways to make it practical to detect data races dynamically for GPU programs, which has a disparate programming and execution model from CPU workloads. Further, this dissertation shows how the structured synchronization model in GPU programs can simplify the algorithm design of data race detection for GPU, and how the unique patterns in GPU workloads enable an efficient implementation of the algorithm, yielding a high-performance dynamic data race detector for GPU programs