IMPULP: A Hardware Approach for In-Process Memory Protection via User-Level Partitioning
Journal of Computer Science and Technology (IF 1.9), Pub Date: 2020-03-01, DOI: 10.1007/s11390-020-9703-2
Yang-Yang Zhao, Ming-Yu Chen, Yu-Hang Liu, Zong-Hao Yang, Xiao-Jing Zhu, Zong-Hui Hong, Yun-Ge Guo

In recent years, many security attacks have occurred when malicious code abuses in-process memory resources. Due to increasing complexity, an application program may call third-party code which cannot be controlled by programmers but may contain security vulnerabilities. As a result, users risk suffering information leakage and control flow hijacking. However, current solutions like Intel memory protection extensions (MPX) severely degrade performance, while other approaches like Intel memory protection keys (MPK) lack flexibility in dividing security domains. In this paper, we propose IMPULP, an effective and efficient hardware approach for in-process memory protection. The rationale of IMPULP is user-level partitioning: user code segments are divided into different security domains according to their instruction addresses, and accessible memory spaces are specified dynamically for each domain via a set of boundary registers. Each instruction related to memory access is checked according to its security domain and the corresponding boundaries, and illegal in-process memory access by untrusted code segments is prevented. IMPULP can be leveraged to prevent a wide range of in-process memory abuse attacks, such as buffer overflows and memory leakages. For verification, an FPGA prototype based on the RISC-V instruction set architecture has been developed. We present eight tests to verify the effectiveness of IMPULP, including five memory protection function tests, a test defending against a typical buffer overflow, a test defending against the famous memory leakage attack named Heartbleed, and a security benchmark test. We execute the SPEC CPU2006 benchmark programs to evaluate the efficiency of IMPULP. The performance overhead of IMPULP is less than 0.2% runtime on average, which is negligible. Moreover, the resource overhead is less than 5.5% for the hardware modification of IMPULP.
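
A minimal software model of the check described in the abstract, added here as an illustration and not taken from the paper: the domain is selected from the instruction address, and the access is compared against that domain's boundary ranges. The structure names, table sizes, addresses and the deny-by-default result for code outside every domain are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Simplified software model; the paper implements the check in hardware
 * on RISC-V. All names, sizes and half-open ranges here are assumptions. */
typedef struct { uintptr_t lo, hi; } range_t;          /* [lo, hi) */

#define MAX_BOUNDS 4                                   /* assumed count */

typedef struct {
    range_t code;                /* instruction addresses of this domain */
    range_t bounds[MAX_BOUNDS];  /* models the boundary registers */
    size_t  nbounds;
} domain_t;

/* True if [a, a+len) lies inside r; written so a + len cannot overflow. */
static bool in_range(range_t r, uintptr_t a, size_t len) {
    return a >= r.lo && a <= r.hi && len <= r.hi - a;
}

/* Select the security domain from the instruction address (pc). */
const domain_t *domain_of(const domain_t *d, size_t n, uintptr_t pc) {
    for (size_t i = 0; i < n; i++)
        if (in_range(d[i].code, pc, 1)) return &d[i];
    return NULL;
}

/* True if the load/store issued at pc may touch [addr, addr+len). */
bool access_allowed(const domain_t *d, size_t n,
                    uintptr_t pc, uintptr_t addr, size_t len) {
    const domain_t *dom = domain_of(d, n, pc);
    if (!dom) return false;      /* assumption: unmatched code is denied */
    for (size_t i = 0; i < dom->nbounds; i++)
        if (in_range(dom->bounds[i], addr, len)) return true;
    return false;
}

/* Constructed layout: trusted application code may use the whole heap;
 * untrusted library code may use only a 64-byte request buffer, with
 * other heap data (for example a key) placed directly after it. */
static const domain_t DOMAINS[] = {
    { {0x1000, 0x2000}, { {0x8000, 0x9000} }, 1 },   /* trusted   */
    { {0x4000, 0x5000}, { {0x8000, 0x8040} }, 1 },   /* untrusted */
};
```

With this layout, a Heartbleed-style over-read issued from the untrusted range fails the check as soon as the requested length runs past the 64-byte buffer, while the same address range remains readable from trusted code.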

Updated: 2020-03-01