Latest COVID-19 Information for Purdue University

The Center for Education and Research in Information Assurance and Security (CERIAS)

The Center for Education and Research in
Information Assurance and Security (CERIAS)

Scott Carr - Purdue University

Students: Spring 2022, unless noted otherwise, sessions will be virtual on Zoom.

DataShield: Configurable Data Confidentiality and Integrity

Mar 29, 2017

Download: Video Icon MP4 Video Size: 140.3MB  
Watch on Youtube Watch on YouTube

Abstract

Applications written in C/C++ are prone to memory corruption, which allows attackers to extract secrets or gain control of the system. With the rise of strong control-flow hijacking defenses, non-control data attacks have become the dominant threat. As vulnerabilities like HeartBleed have shown, such attacks are equally devastating.

Data Confidentiality and Integrity (DCI) is a low-overhead non-control-data protection mechanism for systems software. DCI augments the C/C++ programming languages with annotations, allowing the programmer to protect selected data types. The DCI compiler and runtime system prevent illegal reads (confidentiality) and writes (integrity) to instances of these types. The programmer selects types that contain security critical information such as passwords, cryptographic keys, or identification tokens. Protecting only this critical data greatly reduces performance overhead relative to complete memory safety.

Our prototype implementation of DCI, DataShield, shows the applicability and efficiency of our approach. For SPEC CPU2006, the performance overhead is at most 16.34%. For our case studies, we instrumented mbedTLS, astar, and libquantum to show that our annotation approach is prac- tical. The overhead of our SSL/TLS server is 35.7% with critical data structures protected at all times. Our security evaluation shows DataShield mitigates a recently discovered vulnerability in mbedTLS.

About the Speaker

Scott A. Carr is a PhD Candidate in Computer Science at Purdue University, where he works with his advisor Mathias Payer in the HexHive research group. His research interests are security, programming languages, and program analysis. Scott’s thesis topic is mitigating vulnerabilities in systems software written in C/C++ using compiler-based techniques. His work has appeared (or will soon appear) in ACM AsiaCCS, NDSS, IEEE TSE, and ACM CSUR.


Ways to Watch

YouTube

Watch Now!

Over 500 videos of our weekly seminar and symposia keynotes are available on our YouTube Channel. Also check out Spaf's YouTube Channel. Subscribe today!