Please use this Handle URI to cite this item:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/91239
Title: | Enhancing Heap Security through Isolating Primitive Types with Arm Memory Tagging Extension (original Chinese title: 使用Arm記憶體標籤擴充隔離原始型別來增進堆安全性) |
Author: | 陳昱暢 Yu-Chang Chen |
Advisor: | 黎士瑋 Shih-Wei Li |
Keywords: | memory safety, vulnerability mitigation, memory tagging |
Publication year: | 2023 |
Degree: | Master's |
Abstract: | (Chinese abstract, translated) Memory safety vulnerabilities pose a significant challenge for memory-unsafe programming languages such as C and C++. Among these vulnerabilities, heap-based issues have become quite prevalent in recent years; by exploiting them, an attacker can achieve arbitrary memory reads and writes and even execute arbitrary code. Many attempts have therefore been made to mitigate such vulnerabilities. In recent years CPU architectures have introduced many security-related features that can be used to design different protections. One example is the Memory Tagging Extension (MTE) introduced in the Arm v8.5-A architecture. In modern software, MTE has been used to provide probabilistic protection against heap-based memory safety vulnerabilities such as use-after-free and buffer overflow. However, because existing MTE-based approaches provide only probabilistic protection, they may be subject to brute-force attacks. Moreover, existing approaches isolate different allocations from each other but provide no protection against intra-object overflows within the same allocation. These shortcomings leave attackers opportunities to exploit vulnerabilities.
During exploitation, attackers often confuse data in memory with a type other than the one intended, for example treating memory that stores pointers as data. Attackers can use this confusion to manipulate or leak pointers, ultimately leading to arbitrary memory read/write and arbitrary code execution. Based on this observation, we propose a novel use of MTE to isolate heap memory that stores data of different types, preventing this kind of exploitation and thereby providing a non-probabilistic protection property against vulnerability exploitation. We implemented a prototype compiler for C programs based on LLVM. Our work provides protection against brute-force attacks and intra-object overflows that previous uses of MTE could not defend against. (English abstract) Memory safety vulnerabilities pose a significant challenge for memory-unsafe programming languages like C and C++. Among these vulnerabilities, heap-based issues have become prevalent in recent years. Exploiting vulnerabilities grants adversaries the ability to execute arbitrary memory reads, writes, and even code execution. Therefore, numerous attempts have been made to mitigate vulnerabilities. Recently, CPU architectures have introduced security features that can be utilized to design various protections. An example is the Memory Tagging Extension (MTE), introduced in the Arm v8.5-A processor architecture. MTE has been utilized in modern software to implement probabilistic protection for heap-based memory safety vulnerabilities, including use-after-free and heap-based buffer overflow. Nevertheless, the existing MTE-based approaches offer probabilistic protection and are vulnerable to brute-force attacks. Further, these approaches offer inter-object isolation but are vulnerable to intra-object overflow. These insufficiencies leave opportunities for adversaries to exploit vulnerabilities. In general exploitation, adversaries tend to leverage the confusion of memory as a type other than its intended type, such as treating memory storing pointers as data. Adversaries can leverage this confusion to manipulate or leak pointers, ultimately leading to arbitrary memory read/write and code execution. In response to this observation, we propose a novel usage of MTE to isolate memory storing different types of data on the heap to prevent such exploitation, thereby providing a non-probabilistic constraint on vulnerability exploitation. We have implemented a prototype compiler for C language programs based on the LLVM framework.
We show that our approach effectively leverages MTE to protect against intra-object overflow vulnerabilities and brute-force attacks, against which previous approaches offer no protection. |
URI: | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/91239 |
DOI: | 10.6342/NTU202304273 |
Full-text authorization: | Authorized (access restricted to campus) |
Appears in department/institute: | Graduate Institute of Networking and Multimedia |
Files in this item:
File | Size | Format | |
---|---|---|---|
ntu-112-1.pdf (access restricted to NTU campus IPs; from off campus, use the VPN off-campus connection service) | 1.09 MB | Adobe PDF | View/Open |
Items in the system are protected by copyright, with all rights reserved, unless otherwise indicated.