Description
Low-level languages such as C and C++ are inherently memory unsafe. This allows for exploitation using techniques such as return-oriented programming. In this work, we aim to close these attack vectors by providing memory safety. We extend the RISC-V architecture with policy-based metadata processing. Each 64-bit wide word held in memory, registers, and caches is associated with a tag. These tags are processed in parallel to the execution flow, based on an underlying ruleset. This user-defined, globally static ruleset defines which instructions are allowed in the context of the present tags. Execution continues normally as long as no rules are violated. On a rule violation, an exception is raised and a handler is executed, e.g. terminating the offending process. We implement a proof-of-concept for the RISC-V RV64G ISA by extending the gem5 CPU simulator. A policy engine handles all metadata-related operations. We evaluate our design and implementation based on two policies enforcing control-flow integrity and heap memory safety. The results show that our approach offers protection of stack metadata as well as heap allocations while introducing an 8.25% to 31.52% overhead, depending on the workload.
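To make the mechanism concrete, the following is an added toy model (it is not code from the paper or from the gem5 extension it describes) of policy-based tag processing: every register and memory word carries a tag, a static ruleset is consulted before each instruction, and a rule violation raises an exception in place of the hardware trap. It models the two kinds of policy the abstract names, a control-flow rule that keeps plain data out of saved return-address slots, and heap block colouring that catches out-of-bounds and use-after-free accesses. The instruction set, tag names, heap layout and the rule that a saved return-address slot is released when reloaded are this example's own simplifying assumptions.

```python
"""Toy tag-policy engine (added example; the ISA subset, tag names, heap layout
and rule shapes are assumptions made for illustration, not the paper's design)."""
from dataclasses import dataclass, field


class PolicyViolation(Exception):
    """Raised by the policy engine; hardware would instead trap to a handler."""


NONE = ("none",)        # plain data
RET = ("ret",)          # word is a return address produced by a call
FREED = ("freed",)      # heap cell whose block has been released


def HEAP(color):        # heap cell belonging to the block with this colour
    return ("heap", color)


def PTR(color):         # pointer that may only touch cells of this colour
    return ("ptr", color)


@dataclass
class Word:
    value: int
    tag: tuple = NONE


@dataclass
class Machine:
    regs: dict = field(default_factory=dict)
    mem: dict = field(default_factory=dict)
    pc: int = 0
    next_color: int = 1

    def reg(self, r):
        return self.regs.setdefault(r, Word(0))

    def cell(self, addr):
        return self.mem.setdefault(addr, Word(0))


# ---- the ruleset: one rule per opcode, checked before the instruction's effect ----
def rule_call(m, target):
    m.regs["ra"] = Word(m.pc + 4, RET)      # link register receives the RET tag
    m.pc = target


def rule_ret(m):
    ra = m.reg("ra")
    if ra.tag != RET:                       # CFI rule: only a genuine return address
        raise PolicyViolation(f"ret with non-return-address tag {ra.tag}")
    m.pc = ra.value


def rule_store(m, rs, base, off=0):
    src, ptr = m.reg(rs), m.reg(base)
    addr = ptr.value + off
    dst = m.cell(addr)
    if dst.tag == RET and src.tag != RET:   # stack rule: protect the saved slot
        raise PolicyViolation(f"plain data overwrites saved return address at {addr:#x}")
    if ptr.tag[0] == "ptr":                 # heap rule: pointer colour must match cell
        if dst.tag != HEAP(ptr.tag[1]):
            raise PolicyViolation(f"store via {ptr.tag} into cell tagged {dst.tag}")
        m.mem[addr] = Word(src.value, dst.tag)   # the cell keeps its block colour
        return
    m.mem[addr] = Word(src.value, src.tag)       # otherwise the tag travels with the data


def rule_load(m, rd, base, off=0):
    ptr = m.reg(base)
    addr = ptr.value + off
    src = m.cell(addr)
    if ptr.tag[0] == "ptr" and src.tag != HEAP(ptr.tag[1]):
        raise PolicyViolation(f"load via {ptr.tag} from cell tagged {src.tag}")
    m.regs[rd] = Word(src.value, RET if src.tag == RET else NONE)
    if src.tag == RET:                      # assumption: reloading releases the slot
        m.mem[addr] = Word(src.value, NONE)


def rule_li(m, rd, imm):
    m.regs[rd] = Word(imm, NONE)


def rule_malloc(m, rd, nwords):
    color, m.next_color = m.next_color, m.next_color + 1
    base = 0x8000 + 128 * color             # constructed heap layout, 16 words per block
    for i in range(nwords):
        m.mem[base + 8 * i] = Word(0, HEAP(color))
    m.regs[rd] = Word(base, PTR(color))


def rule_free(m, rs):
    ptr = m.reg(rs)
    if ptr.tag[0] != "ptr":
        raise PolicyViolation("free of a non-heap pointer")
    for a, w in list(m.mem.items()):
        if w.tag == HEAP(ptr.tag[1]):
            m.mem[a] = Word(w.value, FREED)


RULESET = {"call": rule_call, "ret": rule_ret, "sw": rule_store, "lw": rule_load,
           "li": rule_li, "malloc": rule_malloc, "free": rule_free}


def run(program):
    """Run a list of (opcode, *operands) tuples; return ("ok", None) or ("violation", msg)."""
    m = Machine()
    m.regs["sp"] = Word(0x1000)
    for op, *args in program:
        try:
            RULESET[op](m, *args)
        except PolicyViolation as e:
            return "violation", str(e)
        if op not in ("call", "ret"):
            m.pc += 4
    return "ok", None


# Constructed scenarios: a benign function, a buffer write reaching the saved ra slot,
# an in-bounds heap access, an out-of-bounds heap access and a use-after-free.
BENIGN = [("call", 0x100), ("sw", "ra", "sp", -8), ("li", "t0", 42),
          ("sw", "t0", "sp", -16), ("lw", "ra", "sp", -8), ("ret",)]
RA_OVERWRITE = [("call", 0x100), ("sw", "ra", "sp", -8), ("li", "t0", 0xdead),
                ("sw", "t0", "sp", -8), ("lw", "ra", "sp", -8), ("ret",)]
HEAP_OK = [("malloc", "a0", 2), ("li", "t0", 7), ("sw", "t0", "a0", 8), ("lw", "t1", "a0", 8)]
HEAP_OOB = [("malloc", "a0", 2), ("malloc", "a1", 2), ("li", "t0", 7), ("sw", "t0", "a0", 128)]
HEAP_UAF = [("malloc", "a0", 2), ("free", "a0"), ("lw", "t1", "a0", 0)]

if __name__ == "__main__":
    for name in ("BENIGN", "RA_OVERWRITE", "HEAP_OK", "HEAP_OOB", "HEAP_UAF"):
        print(name, *run(globals()[name]))
```

Each rule both checks the operand tags and decides the result tag, which is the split the abstract describes between the policy engine and the ordinary pipeline: the instruction's data effect is unchanged, and only the metadata path decides whether it may happen.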