HyperSpace: Data-Value Integrity for Securing Software

dc.contributor.author: Yom, Jinwoo [en]
dc.contributor.committeechair: Min, Chang Woo [en]
dc.contributor.committeemember: Tront, Joseph G. [en]
dc.contributor.committeemember: Marchany, Randolph Carlos [en]
dc.contributor.committeemember: Raymond, David Richard [en]
dc.contributor.department: Electrical and Computer Engineering [en]
dc.date.accessioned: 2021-11-11T07:00:10Z [en]
dc.date.available: 2021-11-11T07:00:10Z [en]
dc.date.issued: 2020-05-19 [en]
dc.description.abstract: Most modern software attacks are rooted in memory corruption vulnerabilities. They redirect security-sensitive data values (e.g., return address, function pointer, and heap metadata) to an unintended value. Current state-of-the-art policies, such as Data-Flow Integrity (DFI) and Control-Flow Integrity (CFI), are effective but often struggle to balance precision, generality, and runtime overhead. In this thesis, we propose Data-Value Integrity (DVI), a new defense policy that enforces the integrity of "data value" for security-sensitive control and non-control data. DVI breaks an essential step of memory corruption based attacks by asserting the compromised security-sensitive data value. To show the efficacy of DVI, we present HyperSpace, a prototype that enforces DVI to provide four representative security mechanisms. These include Code Pointer Separation (DVI-CPS) and Code Pointer Integrity (DVI-CPI) based on HyperSpace. We evaluate HyperSpace with SPEC CPU2006 and real-world servers. We also test HyperSpace against memory corruption based attacks, including three real-world exploits and six attacks that bypass existing defenses. Our evaluation shows that HyperSpace successfully detects all attacks and introduces low runtime performance and memory overhead: 1.02% and 6.35% performance overhead for DVI-CPS and DVI-CPI, respectively, and overall approximately 15% memory overhead. [en]
dc.description.abstractgeneral: Many modern attacks originate from memory corruption vulnerabilities. These attacks, such as buffer overflow, allow an adversary to compromise a system by executing arbitrary code or escalating their access privilege for malicious actions. Unfortunately, this is due to today's common programming languages such as C/C++ being especially prone to memory corruption. These languages build the foundation of our software stack; thus, many applications such as web browsers and database servers that are written using these vulnerable programming languages inherit these shortcomings. There have been numerous security mechanisms that are widely adopted to address this issue, but they all fall short in providing complete memory security. Since then, security researchers have proposed various solutions to mitigate these ever-growing shortcomings of memory safety techniques. Nonetheless, these defense techniques are either too narrow-scoped, incur high runtime overhead, or require significant additional hardware resources. This results in them being unscalable for bigger applications or requiring them to be used in combination with other techniques to provide a stronger security guarantee. This thesis presents Data Value Integrity (DVI), a new defense policy that enforces the integrity of "data value" for sensitive C/C++ data, which includes function pointers, virtual function table pointers, and inline heap metadata. DVI can offer wide-scoped security while being able to scale, making it a versatile and elegant solution to address various memory corruption vulnerabilities. This thesis also introduces HyperSpace, a prototype that enforces DVI. The evaluation shows that HyperSpace performs better than state-of-the-art defense mechanisms while having less performance and memory overhead and also providing stronger and more general security guarantees. [en]
dc.description.degree: Master of Science [en]
dc.format.medium: ETD [en]
dc.identifier.other: vt_gsexam:25731 [en]
dc.identifier.uri: http://hdl.handle.net/10919/106593 [en]
dc.publisher: Virginia Tech [en]
dc.rights: In Copyright [en]
dc.rights.uri: http://rightsstatements.org/vocab/InC/1.0/ [en]
dc.subject: Data Value Integrity [en]
dc.subject: Value Invariant [en]
dc.subject: Security Policy [en]
dc.title: HyperSpace: Data-Value Integrity for Securing Software [en]
dc.type: Thesis [en]
thesis.degree.discipline: Computer Engineering [en]
thesis.degree.grantor: Virginia Polytechnic Institute and State University [en]
thesis.degree.level: masters [en]
thesis.degree.name: Master of Science [en]

Files

Original bundle
Name: Yom_J_T_2020.pdf
Size: 292.46 KB
Format: Adobe Portable Document Format