2015 Symposium Posters


Data Confidentiality and Integrity


Project Members
Scott Carr, Mathias Payer
Abstract
The root cause of most security vulnerabilities is memory corruption. Previous research has focused on preventing the memory corruptions attackers use to change a program's intended control flow. As these protections become more refined and widely deployed, attackers will turn to non-control-data attacks. Non-control-data attacks do not divert the intended control flow; they read or write data in unintended ways by abusing a spatial or temporal memory safety error or a type error. A recent example is the Heartbleed bug, where a buffer over-read lets an attacker read the server's memory, which can include its private key. This example shows that non-control-data attacks can be just as damaging as control-flow hijacking. Data Confidentiality and Integrity (DCI) augments the C programming language with a small set of annotations that let the programmer select protected data types. The compiler and runtime system prevent illegal reads and writes to variables of these types. The programmer selects the types that hold information such as password lists, cryptographic keys, or identification tokens. Letting the programmer choose the protected data reduces overhead: total memory protection mechanisms have been proposed, but they have not been widely adopted because their overhead is prohibitively high. With DCI, the programmer specifies the subset of security-critical data and pays the protection cost only for that subset rather than for all the data in the program. Our prototype shows the practicality of the approach: it protects both benchmarks and large programs.
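The attack class the abstract describes, as an added illustration that is not part of the poster and not the DCI prototype: a Heartbleed-style echo routine trusts an attacker-supplied length, so its read runs past the request buffer into an adjacent secret while control flow is never disturbed. The struct layout, the `echo_vulnerable`/`echo_checked` functions and the sample key are constructed for the example; the hardened variant is an ordinary manual bounds check on the source object, shown only to make the illegal read concrete. It does not reproduce how DCI's compiler and runtime enforce protection for annotated types.

```c
/* Heartbleed-style over-read of non-control data, beside a manual bounds check.
 * Illustrative code added to this page; not the DCI prototype. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD_MAX 16
#define KEY_LEN 16

/* Constructed layout: the echo buffer sits directly before a secret, so an
 * over-read of the payload is guaranteed to hit the key. (Heap layouts in a
 * real server are less predictable, but the attack is the same.) */
struct session {
    uint8_t payload[PAYLOAD_MAX];   /* attacker-supplied data to echo back */
    uint8_t key[KEY_LEN];           /* the kind of data DCI would annotate */
};

/* Vulnerable: trusts the attacker's length field. The check on out_cap keeps
 * the write in bounds, so no return address or pointer is corrupted; only the
 * read runs past payload, which is exactly a non-control-data attack.
 * Reading the struct through a byte pointer keeps this well-defined C so the
 * example behaves deterministically. */
size_t echo_vulnerable(const struct session *s, size_t claimed_len,
                       uint8_t *out, size_t out_cap)
{
    const uint8_t *src = (const uint8_t *)s + offsetof(struct session, payload);
    if (claimed_len > out_cap)
        claimed_len = out_cap;
    memcpy(out, src, claimed_len);      /* claimed_len > PAYLOAD_MAX leaks key */
    return claimed_len;
}

/* Fixed: the length is also bounded by the size of the source object.
 * A request that does not fit is rejected (returns 0, copies nothing). */
size_t echo_checked(const struct session *s, size_t claimed_len,
                    uint8_t *out, size_t out_cap)
{
    if (claimed_len > sizeof s->payload || claimed_len > out_cap)
        return 0;
    memcpy(out, s->payload, claimed_len);
    return claimed_len;
}

typedef size_t (*echo_fn)(const struct session *, size_t, uint8_t *, size_t);

/* Builds a constructed session and returns how many bytes of the key the given
 * echo routine copies into the attacker's reply. */
size_t key_bytes_leaked(echo_fn echo)
{
    struct session s;
    uint8_t reply[PAYLOAD_MAX + KEY_LEN];
    size_t n, i, leaked = 0;

    memset(&s, 0, sizeof s);
    memcpy(s.payload, "heartbeat", 9);          /* what the client really sent */
    for (i = 0; i < KEY_LEN; i++)
        s.key[i] = (uint8_t)(0xA0 + i);         /* constructed secret */

    /* The attacker claims a payload far larger than the 9 bytes it sent. */
    n = echo(&s, sizeof reply, reply, sizeof reply);

    for (i = PAYLOAD_MAX; i < n; i++)
        if (reply[i] == s.key[i - PAYLOAD_MAX])
            leaked++;
    return leaked;
}

/* The checked path still serves honest requests: echoes an in-bounds length
 * and returns how many bytes came back. */
size_t checked_echo_honest(void)
{
    struct session s = {0};
    uint8_t reply[PAYLOAD_MAX];
    memcpy(s.payload, "heartbeat", 9);
    return echo_checked(&s, 9, reply, sizeof reply);
}

int main(void)
{
    printf("vulnerable echo leaked %zu key bytes\n", key_bytes_leaked(echo_vulnerable));
    printf("checked echo leaked %zu key bytes\n", key_bytes_leaked(echo_checked));
    printf("checked echo of honest request returned %zu bytes\n", checked_echo_honest());
    return 0;
}
```

The point of the pair is the one the abstract makes: every write here stays in bounds, so control-flow integrity defenses have nothing to catch, yet the whole secret is disclosed. A bounds check on the source object is one fix for this specific call site; DCI's approach is instead to mark the `key` type as protected and let the compiler and runtime reject the illegal read wherever it occurs.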