
From Speculation to Security: Practical and Efficient Information Flow Tracking Using Speculative Hardware

Published: 01 June 2008

Abstract

Dynamic information flow tracking (also known as taint tracking) is an appealing approach to combat various security attacks. However, the performance of applications can severely degrade without hardware support for tracking taints. This paper observes that information flow tracking can be efficiently emulated using deferred exception tracking in microprocessors supporting speculative execution. Based on this observation, we propose SHIFT, a low-overhead, software-based dynamic information flow tracking system to detect a wide range of attacks. The key idea is to treat tainted state (describing untrusted data) as speculative state (describing deferred exceptions). SHIFT leverages existing architectural support for speculative execution to track tainted state in registers and needs to instrument only load and store instructions to track tainted state in memory using a bitmap, which results in significant performance advantages. Moreover, by decoupling mechanisms for taint tracking from security policies, SHIFT can detect a wide range of exploits, including high-level semantic attacks. We have implemented SHIFT using the Itanium processor, which has support for deferred exceptions, and by modifying GCC to instrument loads and stores. A security assessment shows that SHIFT can detect both low-level memory corruption exploits and high-level semantic attacks with no false positives. Performance measurements show that SHIFT incurs about 1% overhead for server applications. The performance slowdown for SPEC-INT2000 is 2.81X and 2.27X for tracking at byte-level and word-level, respectively. Minor architectural improvements to the Itanium processor (adding three simple instructions) can reduce the performance slowdown to 2.32X and 1.8X for byte-level and word-level tracking, respectively.
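
The mechanism the abstract outlines (a taint bit carried with each register, a bitmap for memory, instrumentation only at loads and stores, and a policy kept separate from the tracking) can be modelled in plain C. This is an added example, not code from the paper or from SHIFT: reg_t, the 256-byte simulated memory, all function names, the jump-target policy and the 8-byte unit used for word-level tracking are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model: a register is a value plus one taint bit, standing in
   for the per-register deferred-exception state the abstract refers to. */
typedef struct { uint64_t val; int taint; } reg_t;

#define MEM_SIZE 256
static uint8_t mem[MEM_SIZE];         /* simulated data memory */
static uint8_t bitmap[MEM_SIZE / 8];  /* one taint bit per tracking unit */
static unsigned shift_bits;           /* 0 = byte-level, 3 = 8-byte units (assumed word size) */

static void set_tag(size_t addr, int t) {
    size_t u = addr >> shift_bits;
    if (t) bitmap[u / 8] |= (uint8_t)(1u << (u % 8));
    else   bitmap[u / 8] &= (uint8_t)~(1u << (u % 8));
}
static int get_tag(size_t addr) {
    size_t u = addr >> shift_bits;
    return (bitmap[u / 8] >> (u % 8)) & 1;
}

void reset(unsigned granularity_shift) {
    memset(mem, 0, sizeof mem);
    memset(bitmap, 0, sizeof bitmap);
    shift_bits = granularity_shift;
}
/* Taint source: untrusted input is copied into memory and tagged. */
void taint_input(size_t addr, const uint8_t *src, size_t n) {
    for (size_t i = 0; i < n; i++) { mem[addr + i] = src[i]; set_tag(addr + i, 1); }
}
/* Instrumented load: the memory tag becomes the register's taint bit. */
reg_t load8(size_t addr) { reg_t r = { mem[addr], get_tag(addr) }; return r; }
/* Instrumented store: the register's taint bit is written back to the bitmap. */
void store8(size_t addr, reg_t r) { mem[addr] = (uint8_t)r.val; set_tag(addr, r.taint); }
/* Register-to-register propagation; needs no instrumentation in the paper's design. */
reg_t add(reg_t a, reg_t b) { reg_t r = { a.val + b.val, a.taint | b.taint }; return r; }
/* Policy, separate from the mechanism: refuse tainted control-transfer targets. */
int policy_allows_jump(reg_t target) { return !target.taint; }

int main(void) {
    const uint8_t in[2] = { 0x41, 0x42 };  /* constructed "network" input */
    for (unsigned g = 0; g <= 3; g += 3) {
        reset(g);
        taint_input(16, in, 2);
        printf("shift=%u neighbour byte 18 tainted: %d\n", g, load8(18).taint);
    }
    return 0;
}
```

In this model, word-level tracking marks the untouched byte at address 18 as tainted because it shares a tracking unit with the input: coarser granularity trades precision for a smaller bitmap.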



Published In

ACM SIGARCH Computer Architecture News, Volume 36, Issue 3
June 2008
449 pages
ISSN: 0163-5964
DOI: 10.1145/1394608

ISCA '08: Proceedings of the 35th Annual International Symposium on Computer Architecture
June 2008
449 pages
ISBN: 9780769531748

Publisher

Association for Computing Machinery
New York, NY, United States

Publication History

Published: 01 June 2008
Published in SIGARCH Volume 36, Issue 3


Author Tags

1. Deferred Exception
2. Dynamic Information Flow Tracking
3. Speculative Execution
4. Taint tracking

Cited By

• (2022) FineDIFT: Fine-Grained Dynamic Information Flow Tracking for Data-Flow Integrity Using Coprocessor. IEEE Transactions on Information Forensics and Security, 17 (559-573). DOI: 10.1109/TIFS.2022.3144868. Online publication date: 2022
• (2021) Multi granular level-based IFT model for RISC-V. Second iiScience International Conference 2021: Recent Advances in Photonics and Physical Sciences (21). DOI: 10.1117/12.2601036. Online publication date: 1-Jul-2021
• (2020) Draco: Architectural and Operating System Support for System Call Security. 2020 53rd Annual IEEE/ACM International Symposium on Microarchitecture (MICRO) (42-57). DOI: 10.1109/MICRO50266.2020.00017. Online publication date: Oct-2020
• (2020) CHEx86: Context-Sensitive Enforcement of Memory Safety via Microcode-Enabled Capabilities. 2020 ACM/IEEE 47th Annual International Symposium on Computer Architecture (ISCA) (762-775). DOI: 10.1109/ISCA45697.2020.00068. Online publication date: May-2020
• (2018) PAGURUS: Low-Overhead Dynamic Information Flow Tracking on Loosely Coupled Accelerators. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 37:11 (2685-2696). DOI: 10.1109/TCAD.2018.2857321. Online publication date: Nov-2018
• (2017) Transparent and Efficient CFI Enforcement with Intel Processor Trace. 2017 IEEE International Symposium on High Performance Computer Architecture (HPCA) (529-540). DOI: 10.1109/HPCA.2017.18. Online publication date: Feb-2017
• (2016) Tracking Data Flow at Gate-Level through Structural Checking. Proceedings of the 26th edition on Great Lakes Symposium on VLSI (185-189). DOI: 10.1145/2902961.2903040. Online publication date: 18-May-2016
• (2015) Deterministic Replay. ACM Computing Surveys, 48:2 (1-47). DOI: 10.1145/2790077. Online publication date: 24-Sep-2015
• (2014) SIFT. IEEE Transactions on Computers, 63:2 (484-496). DOI: 10.1109/TC.2012.189. Online publication date: 1-Feb-2014
• (2013) WHISK. Proceedings of the Ninth IEEE/ACM/IFIP International Conference on Hardware/Software Codesign and System Synthesis (1-9). DOI: 10.5555/2555692.2555696. Online publication date: 29-Sep-2013
