Please use this Handle URI to cite this item: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/91239

Full metadata record
DC field: value (language)
dc.contributor.advisor: 黎士瑋 (zh_TW)
dc.contributor.advisor: Shih-Wei Li (en)
dc.contributor.author: 陳昱暢 (zh_TW)
dc.contributor.author: Yu-Chang Chen (en)
dc.date.accessioned: 2023-12-12T16:21:27Z
dc.date.available: 2023-12-13
dc.date.copyright: 2023-12-12
dc.date.issued: 2023
dc.date.submitted: 2023-10-18
dc.identifier.uri: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/91239
dc.description.abstract (zh_TW, translated to English): Memory safety vulnerabilities pose a major challenge to memory-unsafe programming languages such as C and C++. Among these vulnerabilities, heap-based security issues have become quite prevalent in recent years; by exploiting them, an attacker can achieve arbitrary memory reads and writes and even arbitrary code execution. Consequently, many attempts have been made to mitigate these vulnerabilities. In recent years CPU architectures have introduced many security-related features that can be used to design different protections. One example is the Memory Tagging Extension (MTE) introduced in the Arm v8.5-A architecture. In modern software, MTE has been used to provide probabilistic protection against heap-based memory safety vulnerabilities such as use-after-free and buffer overflow. However, existing MTE-based approaches provide only probabilistic protection and may be subject to brute-force attacks. Furthermore, existing approaches provide isolation between different allocations, but no protection against intra-object overflow within the same allocation. These shortcomings leave attackers opportunities to exploit vulnerabilities.

During exploitation, attackers often confuse data in memory with a type different from its intended one, for example treating memory that stores pointers as data. Attackers can use this confusion to manipulate or leak pointers, ultimately leading to arbitrary memory read/write and arbitrary code execution. Based on this observation, we propose a novel way of using MTE to isolate heap memory that stores different types of data, in order to prevent such exploitation and thereby provide a non-probabilistic protection property against vulnerability exploitation. We implemented a prototype compiler for C programs based on LLVM. Our work provides protection against brute-force attacks and intra-object overflows, which previous uses of MTE could not defend against.
dc.description.abstract (en): Memory safety vulnerabilities pose a significant challenge for memory-unsafe programming languages like C and C++. Among these vulnerabilities, heap-based issues have become prevalent in recent years. Exploiting vulnerabilities grants adversaries the ability to execute arbitrary memory reads, writes, and even code execution. Therefore, numerous attempts have been made to mitigate vulnerabilities. Recently, CPU architectures have introduced security features that can be utilized to design various protections. An example is the Memory Tagging Extension (MTE), introduced in the Arm v8.5-A processor architecture. MTE has been utilized in modern software to implement probabilistic protection for heap-based memory safety vulnerabilities, including use-after-free and heap-based buffer overflow. Nevertheless, the existing MTE-based approaches offer only probabilistic protection and are vulnerable to brute-force attacks. Further, these approaches offer inter-object isolation but are vulnerable to intra-object overflow. These insufficiencies leave opportunities for adversaries to exploit vulnerabilities.

In general exploitation, adversaries tend to leverage the confusion of memory as a type other than its intended type, such as treating memory storing pointers as data. Adversaries can leverage this confusion to manipulate or leak pointers, ultimately leading to arbitrary memory read/write and code execution. In response to this observation, we propose a novel usage of MTE to isolate memory storing different types of data on the heap to prevent such exploitation, thereby providing a non-probabilistic constraint on vulnerability exploitation. We have implemented a prototype compiler for C language programs based on the LLVM framework. We show that our approach effectively leverages MTE to protect against intra-object overflow vulnerabilities and brute-force attacks, against which previous approaches offer no protection.
dc.description.provenance: Submitted by admin ntu (admin@lib.ntu.edu.tw) on 2023-12-12T16:21:27Z. No. of bitstreams: 0 (en)
dc.description.provenance: Made available in DSpace on 2023-12-12T16:21:27Z (GMT). No. of bitstreams: 0 (en)
dc.description.tableofcontents (page numbers refer to the thesis PDF):
Oral examination committee approval form i
Acknowledgements ii
Abstract (Chinese) iii
Abstract v
Chapter 1 Introduction 1
Chapter 2 Background 6
  2.1 Memory safety vulnerabilities 6
  2.2 Mitigating memory safety vulnerabilities 8
  2.3 Memory Tagging Extension 10
  2.4 How modern software systems use MTE 11
  2.5 Limitations of the current scheme 13
Chapter 3 Threat Model and Assumptions 14
Chapter 4 Motivation 16
  4.1 Exploiting a memory safety vulnerability 16
  4.2 Protecting pointers 18
  4.3 Protecting data within the same compartment 19
Chapter 5 Design 20
  5.1 Design Overview 20
  5.2 Hybrid Tag Scheme 22
  5.3 Grouping primitive types 25
  5.4 Tagging memory 27
  5.5 Semantic load / store 29
Chapter 6 Implementation 30
  6.1 Aligning structure layout with MTE granularity 31
  6.2 Detecting memory allocation functions 31
  6.3 Instrumentation 32
    6.3.1 Allocation Site Instrumentation 32
    6.3.2 Usage Site Instrumentation 33
Chapter 7 Evaluation 36
  7.1 Discussions 36
    7.1.1 Q1: Can the tag be forged to break isolation? 36
    7.1.2 Q2: What protection do we provide for objects in the untyped group? 37
  7.2 Security Case Studies 38
    7.2.1 Heap-based buffer overflow 38
    7.2.2 Use after Free 40
  7.3 Functional Evaluation 41
  7.4 Performance Evaluation 42
Chapter 8 Limitations 48
  8.1 Classifying a type as untyped 48
    8.1.1 Missing type at allocation site 48
    8.1.2 Mixed use of multiple types 49
  8.2 Compatibility 50
    8.2.1 Compatibility with external functions 50
    8.2.2 Compatibility with incompatible code 51
  8.3 Development effort caused by untyped objects 53
Chapter 9 Future Work 55
Chapter 10 Related Work 57
  10.1 MTE-related work 57
  10.2 Software mitigation 58
  10.3 Hardware mitigation 59
Chapter 11 Conclusion 61
References 62
dc.language.iso: en
dc.title: 使用Arm記憶體標籤擴充隔離原始型別來增進堆安全性 (zh_TW; in English: Enhancing heap security by isolating primitive types with the Arm Memory Tagging Extension)
dc.title: Enhancing Heap Security through Isolating Primitive Types with Arm Memory Tagging Extension (en)
dc.type: Thesis
dc.date.schoolyear: 112-1
dc.description.degree: Master's (碩士)
dc.contributor.oralexamcommittee: 黃俊穎; 陳君朋; 廖世偉 (zh_TW)
dc.contributor.oralexamcommittee: Chun-Ying Huang; Jiun-Peng Chen; Shih-wei Liao (en)
dc.subject.keyword: memory safety, vulnerability mitigation, memory tagging (zh_TW, translated from 記憶體安全, 漏洞緩解, 記憶體標籤)
dc.subject.keyword: memory safety, vulnerability mitigation, memory tagging (en)
dc.relation.page: 66
dc.identifier.doi: 10.6342/NTU202304273
dc.rights.note: Release authorized (access limited to campus)
dc.date.accepted: 2023-10-19
dc.contributor.author-college: College of Electrical Engineering and Computer Science (電機資訊學院)
dc.contributor.author-dept: Graduate Institute of Networking and Multimedia (資訊網路與多媒體研究所)
Appears in collections: Graduate Institute of Networking and Multimedia (資訊網路與多媒體研究所)

Files in this item:
File: ntu-112-1.pdf (1.09 MB, Adobe PDF)
Access restricted to NTU campus IP addresses (use the campus VPN service when off campus)