THE DESIGN AND IMPLEMENTATION OF HARDWARE SYSTEMS FOR INFORMATION FLOW TRACKING

ABSTRACT

Computer security is a critical problem impacting every segment of social life. Recent research has shown that Dynamic Information Flow Tracking DIFT is a promising technique for detecting a wide range of security attacks. With hardware support, DIFT can provide comprehensive protection to unmodified application binaries against input validation attacks such as SQL injection, with minimal performance overhead. This dissertation presents Raksha, the first flexible hardware platform for DIFT that protects both unmodified applications, and the operating system from both lowlevel memory corruption exploits such as buffer overflows, and highlevel semantic vulnerabilities such as SQL injections and crosssite scripting. Raksha uses tagged memory to support multiple, programmable security policies that can protect the system against concurrent attacks. It also describes the fullsystem prototype of Raksha constructed using a synthesizable SPARC V8 core and an FPGA board. This prototype provides comprehensive security protection with no falsepositives and minimal performance, and area overheads. Traditional DIFT architectures require significant changes to the processors and caches, and are not portable across different processor designs. This dissertation addresses this practicality issue of hardware DIFT and proposes an offcore coprocessor approach that greatly reduces the design and validation costs associated with hardware DIFT systems. Observing that DIFT operations and regular computation need only synchronize on system calls to maintain security guarantees, the coprocessor decouples all DIFT functionality from the main core. Using a fullsystem prototype based on a synthesizable SPARC core, it shows that the coprocessor approach to DIFT provides the same security guarantees as Raksha, with low performance and hardware overheads. It also provides a practical and fast hardware solution to the problem of inconsistency between data and metadata in multiprocessor systems, when DIFT functionality is decoupled from the main core. This dissertation also explores the use of tagged memory architectures for solving security problems other than DIFT. Recent work has shown that application policies can be expressed in terms of information flow restrictions and enforced in an OS kernel, providing a strong assurance of security. This thesis shows that enforcement of these policies can be pushed largely into the processor itself, by using tagged memory support, which can provide stronger security guarantees by enforcing application security even if the OS kernel is compromised. It presents the Loki architecture that uses tagged memory to directly enforce application security policies in hardware. Using a fullsystem prototype, it shows that such an architecture can help reduce the amount of code that must be trusted by the operating system kernel.

Introduction

It is widely recognized that computer security is a critical problem with farreaching financial and social implications 72. Despite significant development efforts, existing security tools do not provide reliable protection against an everincreasing set of attacks, worms, and viruses that target vulnerabilities in deployed software. Apart from memory corruption bugs such as buffer overflows, attackers are now focusing on highlevel exploits such as SQL injections, command injections, crosssite scripting and directory traversals. Worms that target multiple vulnerabilities in an orchestrated manner are also becoming increasingly common 11, 83. Hence, research on computer system security is timely. The root of the computer security problem is that existing protection mechanisms do not exhibit many of the desired characteristics of an ideal security technique. They should be safe: provide defense against vulnerabilities with no false positives or negatives; flexible: adapt to cover evolving threats; practical: work with realworld code including legacy binaries, dynamically generated code, or operating system code without assumptions about compilers or libraries; and fast: have small impact on application performance. Additionally, they must offer clean abstractions for expressing security policies, in order to be implementable in practice.

Recent research has established Dynamic Information Flow Tracking DIFT as a promising platform for detecting a wide range of security attacks. The idea behind

DIFT is to tag taint untrusted data and track its propagation through the system. DIFT associates a tag with every word of memory in the system. Any new data derived from untrusted data is also tainted. If tainted data is used in a potentially unsafe manner, such as the execution of a tagged SQL command or the dereferencing of a tagged pointer, a security exception is raised.