DOI: 10.1145/3302424.3303952

ConfLLVM: A Compiler for Enforcing Data Confidentiality in Low-Level Code

Published: 25 March 2019

Abstract

We present a compiler-based scheme to protect the confidentiality of sensitive data in low-level applications (e.g. those written in C) in the presence of an active adversary. In our scheme, the programmer marks sensitive data by lightweight annotations on the top-level definitions in the source code. The compiler then uses a combination of static dataflow analysis, runtime instrumentation, and a novel taint-aware form of control-flow integrity to prevent data leaks even in the presence of low-level attacks. To reduce runtime overheads, the compiler uses a novel memory layout.
We implement our scheme within the LLVM framework and evaluate it on the standard SPEC-CPU benchmarks, and on larger, real-world applications, including the NGINX webserver and the OpenLDAP directory server. We find that the performance overheads introduced by our instrumentation are moderate (average 12% on SPEC), and the programmer effort to port the applications is minimal.
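The mechanism the abstract describes, as an added example that is not ConfLLVM's code and does not use its annotation syntax: memory is split into a public region and a private region, the programmer's annotation decides which region a secret is placed in, and a compiler-inserted check before each load through a pointer typed as public refuses an address that falls in the private region. The arena layout, the `in_public` check, the echo service and the key bytes are all constructed for this demo. The vulnerable echo trusts an attacker-supplied length (a Heartbleed-style over-read); with the check in place the same over-read is stopped at the region boundary before any private byte reaches the output buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout for the demo: one arena whose low half is the public
 * region and whose high half is the private region. The real compiler picks
 * its own layout; these constants are assumptions. */
#define PUB_SIZE  64
#define PRIV_SIZE 64
#define REQ_MAX   32           /* public request buffer: arena[0..32)  */
#define KEY_LEN   16           /* private session key:  arena[64..80) */

static unsigned char arena[PUB_SIZE + PRIV_SIZE];
#define PUB_BASE  (arena)
#define PRIV_BASE (arena + PUB_SIZE)

/* Constructed secret; in a real program this is the datum the programmer
 * would annotate as private so the compiler places it in the private region. */
static const unsigned char KEY[KEY_LEN + 1] = "SECRET-KEY-01234";

/* Place an attacker-controlled request in public memory and the key in
 * private memory, mirroring what the annotated layout would produce. */
static void load_request(const unsigned char *req, size_t req_len) {
    memset(arena, 0, sizeof arena);
    if (req_len > REQ_MAX) req_len = REQ_MAX;
    memcpy(PUB_BASE, req, req_len);
    memcpy(PRIV_BASE, KEY, KEY_LEN);
}

/* The check the instrumentation inserts before a load through a pointer
 * whose static label is "public": the address must lie in the public region. */
static int in_public(const unsigned char *p) {
    return p >= PUB_BASE && p < PUB_BASE + PUB_SIZE;
}

/* Vulnerable echo: trusts the claimed length, so the copy walks out of the
 * request buffer, across the rest of public memory and into the private region. */
static size_t echo_unchecked(size_t claimed_len, unsigned char *out, size_t out_cap) {
    size_t n = claimed_len;
    if (n > out_cap) n = out_cap;
    if (n > sizeof arena) n = sizeof arena;   /* keep the demo itself in bounds */
    for (size_t i = 0; i < n; i++)
        out[i] = PUB_BASE[i];
    return n;
}

/* Same bug, but every load is checked against the region its pointer is
 * typed for. Returns bytes copied, or -1 when a load is refused. */
static long echo_checked(size_t claimed_len, unsigned char *out, size_t out_cap) {
    size_t n = claimed_len;
    if (n > out_cap) n = out_cap;
    if (n > sizeof arena) n = sizeof arena;
    for (size_t i = 0; i < n; i++) {
        const unsigned char *p = PUB_BASE + i;
        if (!in_public(p))
            return -1;            /* trap: public-typed pointer, private address */
        out[i] = *p;
    }
    return (long)n;
}

/* Leak measure: does the key appear contiguously anywhere in out[0..n)? */
static size_t key_bytes_leaked(const unsigned char *out, size_t n) {
    for (size_t i = 0; i + KEY_LEN <= n; i++)
        if (memcmp(out + i, KEY, KEY_LEN) == 0)
            return KEY_LEN;
    return 0;
}

/* Scenario helpers: a 4-byte request with an attacker-chosen claimed length. */
static size_t leaked_without_checks(size_t claimed_len) {
    unsigned char out[PUB_SIZE + PRIV_SIZE];
    load_request((const unsigned char *)"ping", 4);
    size_t n = echo_unchecked(claimed_len, out, sizeof out);
    return key_bytes_leaked(out, n);
}

static long result_with_checks(size_t claimed_len) {
    unsigned char out[PUB_SIZE + PRIV_SIZE];
    load_request((const unsigned char *)"ping", 4);
    return echo_checked(claimed_len, out, sizeof out);
}

int main(void) {
    printf("unchecked, len=96: %zu key bytes leaked\n", leaked_without_checks(96));
    printf("checked,   len=96: %ld (-1 = load refused)\n", result_with_checks(96));
    printf("checked,   len=4:  %ld bytes echoed\n", result_with_checks(4));
    return 0;
}
```

The check enforces confidentiality of the annotated data, not memory safety in general: a claimed length of 64 still over-reads the request buffer, but every load stays inside the public region and passes. That is the scope the abstract sets (preventing leaks of sensitive data under low-level attacks) rather than catching every out-of-bounds access. The static dataflow analysis that decides which pointers are public, and the taint-aware control-flow integrity that keeps an attacker from redirecting execution around the checks, are not modeled here.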


    Published In

    cover image ACM Conferences
    EuroSys '19: Proceedings of the Fourteenth EuroSys Conference 2019
    March 2019
    714 pages
    ISBN:9781450362818
    DOI:10.1145/3302424
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 25 March 2019

    Qualifiers

    • Research-article
    • Research
    • Refereed limited

    Conference

    EuroSys '19
    Sponsor:
    EuroSys '19: Fourteenth EuroSys Conference 2019
    March 25 - 28, 2019
    Dresden, Germany

    Acceptance Rates

    Overall Acceptance Rate 241 of 1,308 submissions, 18%

    Article Metrics

    • Downloads (Last 12 months)46
    • Downloads (Last 6 weeks)6
    Reflects downloads up to 04 Oct 2024

    Cited By

    • (2024) Randomize the Running Function When It Is Disclosed. IEEE Transactions on Computers 73(6): 1516-1530. DOI 10.1109/TC.2024.3371776. Published Jun 2024.
    • (2023) FreePart: Hardening Data Processing Software via Framework-based Partitioning and Isolation. Proceedings of the 28th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 4: 169-188. DOI 10.1145/3623278.3624760. Published 25 Mar 2023.
    • (2023) Harnessing the x86 Intermediate Rings for Intra-Process Isolation. IEEE Transactions on Dependable and Secure Computing 20(4): 3251-3268. DOI 10.1109/TDSC.2022.3192524. Published 1 Jul 2023.
    • (2022) Towards Practical Application-level Support for Privilege Separation. Proceedings of the 38th Annual Computer Security Applications Conference: 71-87. DOI 10.1145/3564625.3564664. Published 5 Dec 2022.
    • (2022) Mitigating Information Leakage Vulnerabilities with Type-based Data Isolation. 2022 IEEE Symposium on Security and Privacy (SP): 1049-1065. DOI 10.1109/SP46214.2022.9833675. Published May 2022.
    • (2022) Annotating, Tracking, and Protecting Cryptographic Secrets with CryptoMPK. 2022 IEEE Symposium on Security and Privacy (SP): 650-665. DOI 10.1109/SP46214.2022.9833650. Published May 2022.
    • (2021) Revisiting challenges for selective data protection of real applications. Proceedings of the 12th ACM SIGOPS Asia-Pacific Workshop on Systems: 138-145. DOI 10.1145/3476886.3477504. Published 24 Aug 2021.
    • (2021) Spons & Shields: practical isolation for trusted execution. Proceedings of the 17th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments: 186-200. DOI 10.1145/3453933.3454024. Published 7 Apr 2021.
    • (2021) DynPTA: Combining Static and Dynamic Analysis for Practical Selective Data Protection. 2021 IEEE Symposium on Security and Privacy (SP): 1919-1937. DOI 10.1109/SP40001.2021.00082. Published May 2021.
