| NSF Org: |
CNS Division Of Computer and Network Systems |
| Recipient: |
|
| Initial Amendment Date: | July 18, 2011 |
| Latest Amendment Date: | March 31, 2016 |
| Award Number: | 1116682 |
| Award Instrument: | Standard Grant |
| Program Manager: |
Sol Greenspan
sgreensp@nsf.gov (703)292-7841 CNS Division Of Computer and Network Systems CSE Directorate for Computer and Information Science and Engineering |
| Start Date: | August 1, 2011 |
| End Date: | July 31, 2017 (Estimated) |
| Total Intended Award Amount: | $499,961.00 |
| Total Awarded Amount to Date: | $499,961.00 |
| Funds Obligated to Date: |
|
| History of Investigator: |
|
| Recipient Sponsored Research Office: |
3451 WALNUT ST STE 440A PHILADELPHIA PA US 19104-6205 (215)898-7293 |
| Sponsor Congressional District: |
|
| Primary Place of Performance: |
3451 WALNUT ST STE 440A PHILADELPHIA PA US 19104-6205 |
| Primary Place of
Performance Congressional District: |
|
| Unique Entity Identifier (UEI): |
|
| Parent UEI: |
|
| NSF Program(s): | TRUSTWORTHY COMPUTING |
| Primary Program Source: |
|
| Program Reference Code(s): |
|
| Program Element Code(s): |
|
| Award Agency Code: | 4900 |
| Fund Agency Code: | 4900 |
| Assistance Listing Number(s): | 47.070 |
ABSTRACT
A use-after-free error is a software flaw that potentially allows an attacker to remotely inject malicious software or corrupt memory values. Such attacks can result in the theft of private data, propagation of worms and viruses, or the creation of botnet nodes that can be programmed to spew spam or disrupt Internet traffic. Recently, use-after-free vulnerabilities have been found in crucial software such as Microsoft's Internet Explorer, Adobe Acrobat Reader, and Firefox among others. The goal of the Watchdog project is to devise hardware and software mechanisms to prevent all such vulnerabilities.
To prevent use-after-free vulnerabilities, the researchers will develop hardware for enforcing safe manual memory management, without compromising system performance. They will study a formal model of their designs to establish the correctness of the techniques. The hardware designs will be prototyped using detailed micro-architectural simulations. The researchers will evaluate correctness and performance by using a suite of benchmark tests and off-the-shelf software. The tools and prototypes will be openly distributed for others to build upon, and the research findings will be integrated into the security and hardware courses taught by the researchers. If successful, the technology developed by this research will have significant societal impacts, improving the security of our computing ecosystem by eliminating an important class of vulnerabilities that is actively being exploited to compromise systems and spread malware.
PUBLICATIONS PRODUCED AS A RESULT OF THIS RESEARCH
Note:
When clicking on a Digital Object Identifier (DOI) number, you will be taken to an external
site maintained by the publisher. Some full text articles may not yet be available without a
charge during the embargo (administrative interval).
Some links on this page may take you to non-federal websites. Their policies may differ from
this site.
PROJECT OUTCOMES REPORT
Disclaimer
This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.
The lack of memory safety in languages such as C and C++ is a root source of exploitable security vulnerabilities prevalent in more computing infrastructure. This project explored both hardware and software techniques toeliminate such vulnerabilities by enforcing comprehensive memory safety. In bothcases, the technical approach is to associate space bounds and identifiermetadata with pointers, propagate them on pointer operations, and check them onpointer dereferences. Checking the bounds and identifier metadata provides bothprecise, byte-granularity buffer-overflow protection and protection fromuse-after-free errors, even in the presence of reallocations.
This project explored the effectiveness of storing pointer metadata in a disjoint metadata space to provide both comprehensive protection and enhance compatibility with existing code. Our implementations reduce the runtime overhead with hardware extensions that use micro-operations to implement metadata access and checking and a dedicated identifier cache to reduce checking overhead. The hardware extension also eliminates metadata copies via register renaming in the out-of-order core.
Subsequently, we have proposed a set of ISA extensions called WatchdogLite that provides hardware acceleration for a compiler implementation of pointer-based checking. This division of labor between the compiler and the hardware allows for hardware acceleration while using only preexisting architectural registers. By leveraging the compiler to identify pointers, perform check elimination, and insert the new instructions, this approach attains performance similar to prior hardware-intensive approaches without adding any hardware structures for tracking metadata.
During the course of this project, Intel developed Memory Protection Extensions(MPX) and released the ISA specification in 2013. Intel’s MPX extensions are similar to WatchdogLite. Intel’s software implementation---PointerChecker---is similar to SoftBoundCETS. Intel MPX uses pointer-based checking with disjoint metadata, adding new instructions for efficiently accessing the metadata shadowspace, and adding instruction for accelerating bounds checking. In contrast with WatchdogLite, MPX does not include support for accelerating use-after-freechecking. PI Santosh Nagarakatte has collaborated with Intel to explore the addition of use-after-free checking support to Intel MPX.
We also discovered that Intel MPX’s support for incremental deployment of bounds checking results in the loss of comprehensiveness in the presence of insidious type casts from integers to pointers either directly or indirectly through memory. Particularly, any arbitrary pointer manufactured through type casts will be allowed to access any location in memory (even with MPX protection) because(1) the pointer in the metadata space is not updated during integer operations,(2) the pointer loaded and the pointer in the metadata space would mismatch on a metadata load, and (3) the result is an un-bounded pointer. The compiler can identify the occurrence of such type casts either implicitly or explicitly and warn the programmer about them.
During the course of this project, we also explored various other extensions to memory safety. First, we have investigated the impact of compiler optimizations on instrumentation added for memory safety. We have also developed methods tocheck if compiler optimizations can erroneously remove instrumentation added by memory safety transformation. Second, we have also developed a suite of micro-optimizations to reduce the overhead of memory safety checks. Third,enforcing atomicity and race freedom for memory safety instrumentation with multithreaded programs.
Last Modified: 10/24/2017
Modified by: Stephan A Zdancewic
Please report errors in award information by writing to: awardsearch@nsf.gov.
