Doctor of Philosophy (Ph.D.)
Degree Granting Department
Computer Science and Engineering
Srinivas Katkoori, Ph.D.
Hao Zheng, Ph.D.
Swaroop Ghosh, Ph.D.
Andrew Hoff, Ph.D.
Kandethody Ramachandran, Ph.D.
Run-time Buffer Overflow Check, Embedded Processors, Cyber Security, Spectre, Meltdown
Embedded system applications in diverse sectors such as transportation, healthcare, homeautomation, etc., have been gathering, processing, and transporting data using embedded computers connected to vast networks. As the usage of these embedded devices in daily life is increasing exponentially, security of these devices is a growing concern amongst the users. An alarming rise in recent cyber-attacks has deepened such concern. In the recent past, software-based attacks are more sophisticated and larger in scale than previously known. An embedded processor depends on a compiler to use the architecture efficiently. The compiler generates object code to efficiently utilize the micro-architecture for storage and computing. While software-only solutions such as code patches can provide quick and customized solution, they come at the cost of additional lines of code as well as significant performance overheads. To overcome these drawbacks, micro-architectural support based solutions have become popular which can be a significant game-changer in overall embedded system security. This dissertation proposes novel micro-architectural based research solutions to three predominantly software-based attacks, namely, buffer overflow attacks, control flow violation based attacks, and misspeculation based cache probe attacks. The overarching theme of this dissertation is to augment underlying micro-architecture with additional hardware to aid in defending the above mentioned software based attacks in a transparent manner. The proposed research solutions are described as follows: Stack/heap based buffer overflow attacks: we propose a novel hardware based approach to detect the attacks during runtime. The base and bound information of the static variables in a program are automatically extracted, stored in Variable Recort Table (VRT), and compared with the object code in real time without any support from the compiler. Such an approach is transparent to the programmer. Given a traditional five-stage pipeline (fetch, decode, execute, memory, and write back), we modify the decode and execute stage of the pipeline. Compared to previous work, which requires compiler support and incurs 7.3% instruction overhead, the proposed technique detects buffer overflows with 0% additional instruction overhead. We validate the approach with Sim-outorder simulator in the SimpleScalar toolset and test with NIST benchmark suite (5 C programs) and MIT Static Corpus (270 C programs). Our approach can detect 92.78% of test cases in MIT static Corpus. In addition, the average execution time per test case is five or more orders of magnitude less. The memory space requirement is up to 13Kb to maintain VRT for a program with 324 variables. • Control flow based attacks: Modern control flow attacks circumvent existing defense mechanisms to transfer the program control to attacker chosen malicious code in the program, leaving application vulnerable to attack. Advanced attacks such as Return-Oriented Programming (ROP) attack and its variants, transfer program execution to gadgets (code-snippet that ends with return instruction). The code space to generate gadgets is large and attacks using these gadgets are Turing-complete. One big challenge to harden the program against ROP attack is to confine gadget selection to a limited locations, thus leaving the attacker to search entire code space according to payload criteria. We propose a novel approach to label the nodes of the Control Flow Graph (CFG) of a program such that labels of the nodes on a valid control flow edge satisfy a Hamming distance property. The newly encoded CFG enables detection of illegal control flow transitions during the runtime in the processor pipeline. Experimentally, we have demonstrated that the proposed Control Flow Integrity (CFI) implementation is effective against control-flow hijacking and the technique can reduce the search space of the ROP gadgets up to 99.28%. We have also validated the technique on seven applications from MiBench and the proposed labeling mechanism incurs no instruction count overhead while,on average, it increases instruction width to a maximum of 12.13%. • Misspeculation based cache probe attacks: Meltdown and Spectre attacks exploit speculative execution in a processor to leak sensitive data that would otherwise be inaccessible. Existing countermeasures based on temporary patches come at the cost of significant performance overhead. We propose a novel approach to detect misspeculation based cache probe attacks. For a given function call, our approach keeps track of the misspeculative cache accesses and flags any accesses outside of the function. A variable record table (VRT) which is inaccessible to the programmer, is employed for such purpose. We validate our approach with SimpleScalar/PISA toolset for six (6) benchmarks chosen from MiBench benchmark suite. Experimental results demonstrate that our approach detects illegal misspeculative accesses with zero additional instruction overhead. The VRT with 512 entries (25Kb) incurs an area overhead of 1.98%.
Scholar Commons Citation
Sah, Love Kumar, "Micro-architectural Countermeasures for Control Flow and Misspeculation Based Software Attacks" (2020). USF Tampa Graduate Theses and Dissertations.