Scott Carr - Purdue University
Students: Spring 2022, unless noted otherwise, sessions will be virtual on Zoom.
DataShield: Configurable Data Confidentiality and Integrity
Mar 29, 2017Download: MP4 Video Size: 140.3MB
Watch on YouTube
AbstractApplications written in C/C++ are prone to memory corruption, which allows attackers to extract secrets or gain control of the system. With the rise of strong control-flow hijacking defenses, non-control data attacks have become the dominant threat. As vulnerabilities like HeartBleed have shown, such attacks are equally devastating.
Data Confidentiality and Integrity (DCI) is a low-overhead non-control-data protection mechanism for systems software. DCI augments the C/C++ programming languages with annotations, allowing the programmer to protect selected data types. The DCI compiler and runtime system prevent illegal reads (confidentiality) and writes (integrity) to instances of these types. The programmer selects types that contain security critical information such as passwords, cryptographic keys, or identification tokens. Protecting only this critical data greatly reduces performance overhead relative to complete memory safety.
Our prototype implementation of DCI, DataShield, shows the applicability and efficiency of our approach. For SPEC CPU2006, the performance overhead is at most 16.34%. For our case studies, we instrumented mbedTLS, astar, and libquantum to show that our annotation approach is prac- tical. The overhead of our SSL/TLS server is 35.7% with critical data structures protected at all times. Our security evaluation shows DataShield mitigates a recently discovered vulnerability in mbedTLS.
About the Speaker
Scott A. Carr is a PhD Candidate in Computer Science at Purdue University, where he works with his advisor Mathias Payer in the HexHive research group. His research interests are security, programming languages, and program analysis. Scott’s thesis topic is mitigating vulnerabilities in systems software written in C/C++ using compiler-based techniques. His work has appeared (or will soon appear) in ACM AsiaCCS, NDSS, IEEE TSE, and ACM CSUR.