DOCSLIB.ORG

Hardware-Based Always-On Heap Memory Safety

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

2020 53rd Annual IEEE/ACM International Symposium on Microarchitecture (MICRO) Hardware-based Always-On Heap Memory Safety Yonghae Kim Jaekyu Lee Hyesoon Kim Georgia Institute of Technology Arm Research Georgia Institute of Technology [email protected] [email protected] [email protected] Abstract—Memory safety violations, caused by illegal use of of memory objects as redzones and prohibit their access to pointers in unsafe programming languages such as C and C++, prevent over/underflow attacks. Such an approach is efficient have been a major threat to modern computer systems. However, since monitoring could be performed in parallel with normal implementing a low-overhead yet robust runtime memory safety solution is still challenging. Various hardware-based mechanisms operations, as in REST [8]. However, they cannot prevent non- have been proposed, but their significant hardware requirements adjacent illegal accesses that jump over the redzones. Given have limited their feasibility, and their performance overhead is the upward trend of non-adjacent spatial safety violations (over too high to be an always-on solution. 60% since 2014) [2], we expect that their effectiveness will In this paper, we propose AOS, a low-overhead always-on be increasingly limited. heap memory safety solution that implements a novel bounds- checking mechanism. We identify that the major challenges of Whitelisting mechanisms enforce memory operations to existing bounds-checking approaches are 1) the extra instruction only access allowed memory locations, providing stronger overhead for memory checking and metadata propagation and security capabilities. For example, bounds-checking mecha- 2) the complex metadata addressing. To address these challenges, nisms [10]–[13] associate bounds metadata with pointers to using Arm PA primitives, we leverage unused upper bits of protect and perform address range checking. Despite more a pointer to store a key and have it propagated along with the pointer address, eliminating propagation overhead. Then, powerful security guarantees, they incur significant hardware we use the embedded key to index a hashed bounds table to changes and design complexity. Their performance overhead achieve efficient metadata management. We also introduce a is also too high to be an always-on solution. micro-architectural unit to remove the need for memory checking We observe that the major challenges of existing bounds- instructions. We show that AOS overcomes all the aforementioned checking approaches are 1) the extra instruction overhead challenges and demonstrate its feasibility as an efficient runtime memory safety solution. Our evaluation for SPEC 2006 workloads for memory checking and metadata propagation and 2) the shows an 8.4% performance overhead on average. complex metadata addressing. For instance, Watchdog [11], Index Terms—Security; software and system safety; pointer a prior hardware-based bounds-checking mechanism, showed authentication; 44% more dynamic instruction counts, causing significant performance degradation. It also requires register extensions I. INTRODUCTION (up to 256-bit) to propagate the metadata and use it inside a Memory safety violations have been a conventional but CPU core, which significantly increases power consumption. persistent problem in computer systems. Memory safety issues Moreover, prior approaches often require a complex address- have inherently existed in unsafe programming languages such ing scheme for metadata accesses. For example, Intel Memory as C and C++ because of the illicit use of pointers. Recent Protection Extensions (MPX) [12] requires approximately industry reports [1], [2] revealed that memory safety errors three register-to-register moves, three shifts, and two memory addressed in their products accounted for more than 70% of all loads to access its hierarchical bounds table. security issues. This demonstrates that memory safety errors To tackle these challenges, we propose AOS, a low- are still prevalent and exploitable by attackers. overhead Always-On memory Safety solution for heap pro- Researchers have proposed extensive amounts of software- tection that implements a novel bounds-checking mechanism. and hardware-based work to prevent such vulnerabilities. Soft- We utilize Arm pointer authentication (PA) primitives [14] to ware techniques [3]–[7] provide strong security guarantees, but store a pointer authentication code (PAC) into the unused high- they are not suitable runtime solutions because of their sig- order bits of a pointer for memory safety. By doing so, we nificant performance overhead. Instead, their primary purpose allow the embedded PAC to be passed along with the pointer is for testing and debugging. For example, AddressSanitizer address, removing extra instructions for metadata propagation. (ASan), one of the most popular memory error detectors, Furthermore, we sign all data pointers returned by dynamic showed a 73% slowdown [3]. memory allocation, i.e., placing a PAC into the pointer, and Hardware-based mechanisms typically achieve less per- use the PAC to index a hashed bounds table that stores bounds formance overhead, but they do not attain desired proper- metadata. This scheme enables efficient metadata management ties altogether, such as broad security coverage, high per- since the addressing becomes simplified using the base address formance, and low hardware overhead. Instead, they trade of the table and the PAC as an offset. off one property for another. For example, hardware-based To remove additional instructions required by prior blacklisting mechanisms [8], [9] set the surrounding regions work [10]–[12] for bounds checking, we introduce a new 978-1-7281-7383-2/20/$31.00 ©2020 IEEE 1153 DOI 10.1109/MICRO50266.2020.00095 micro-architectural structure, a memory check unit (MCU). In 1 struct fast_chunk { AOS, every memory instruction is enqueued in the MCU when 2 size_t prev_size, size; it is issued to the load-store unit (LSU). If a pointer address 3 struct fast_chunk *fd, *bk; 4 char buf[0x20]; is signed, i.e., has an embedded PAC, we perform bounds 5 }; checking to validate the access, which enables an efficient 6 selective memory safety checking mechanism. 7 struct fast_chunk fchunk[2]; 8 void *ptr, *victim; AOS achieves efficient yet complete spatial and temporal 9 memory safety for a heap region. AOS prevents spatial safety 10 // Craft chunks to pass security tests violations (e.g., out-of-bounds access) by checking bounds 11 fchunk[0].size = sizeof(struct fast_chunk); 12 fchunk[1].size = sizeof(struct fast_chunk); for all signed memory accesses. Moreover, AOS can detect 13 temporal errors, such as the use of a dangling pointer, use- 14 // Attacker overwrites a pointer after-free (UAF), and double free. When a signed data pointer 15 ptr = (void *) &fchunk[0].fd; 16 is freed, AOS clears the associated bounds information while 17 // fchunk[0] gets inserted into fastbin leaving the pointer as being signed. Because of the absence 18 free(ptr); of its bounds metadata, subsequent use of the pointer will 19 20 // Returns 16 bytes ahead of fchunk[0] fail in bounds checking. With the prevalence of heap memory 21 victim = malloc(0x30); vulnerabilities, AOS provides robust protection against the Fig. 1. Heap exploitation example: House of Spirit. most prevailing attack vectors. We also discuss how AOS can be extended to support pointer integrity by utilizing Arm PA primitives and achieve practical defenses against runtime control-flow attacks, such as Stack Corruption Heap OOB Read Type Confusion Other Heap Corruption Use After Free Uninitialized Use return-oriented programming (ROP) [15] and jump-oriented 100% 59 90% 30 41 59 programming (JOP) [16], and data-oriented attacks by cor- 44 44 159 139 197 80% 61 120 9 221 103 25 rupted data pointers. AOS also provides precise exception 4 8 11 70% 4 6 8 21 22 19 handling by delaying architectural state updates until an 30 82 4 16 13 5 6 25 36 60% 7 15 61 12 6 instruction retires with a successful bounds checking. This 1 1 18 44 71 50% 22 14 81 2 186 87 4 9 39 183 enables AOS to prevent leakage of secret data by an illegal 40% 36 35 113 81 57 99 30% 43 7 read and memory corruption by an illegal write. 45 64 76 88 5 20% 13 39 55 Given the limited PAC size (11 to 32 bits) under typical 32 30 36 17 10% 24 35 71 104 21 22 26 61 79 virtual address schemes in a processor, some memory objects 13 28 0% 4 11 4 1 3 7 8 may have the same PAC value, causing PAC collisions. To address this issue, we develop a multi-way bounds-table struc- 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 ture with gradual resizing to accommodate multiple bounds Fig. 2. The root cause trend of memory safety issues. metadata for each PAC. A process begins its execution with a modest-size table and increases the associativity of the table upon an insertion failure due to insufficient capacity. This approach enables efficient and scalable bounds-table exploitation, House of Spirit, which is a data-oriented attack management. on glibc. The attack crafts a data pointer controlled by an This paper claims the following contributions: attacker so it can bypass the security tests of free(). Once • We propose AOS, which overcomes the main challenges of freed, the pointer is inserted into a fastbin, which is one of existing bounds-checking approaches and realizes a practi- the linked lists holding free chunks. Then, the next malloc() cal bounds-checking mechanism for heap protection. returns the address 16 bytes ahead of the crafted data pointer • We implement the AOS design and present performance and ends up allowing subsequent malicious operations on the evaluation for SPEC 2006 workloads. Our results show a attacker-controlled memory locations. marginal 8.4% performance overhead on average. • We describe how AOS can cooperate with pointer integrity Fig. 2 shows a root cause trend of memory safety vul- solutions, which demonstrates that the security capabilities nerabilities reported by Microsoft [2].
Recommended publications
  • Deciding Memory Safety for Single-Pass Heap-Manipulating Programs

    Deciding Memory Safety for Single-Pass Heap-Manipulating Programs

    Deciding Memory Safety for Single-Pass Heap-Manipulating Programs UMANG MATHUR, University of Illinois, Urbana-Champaign, USA ADITHYA MURALI, University of Illinois, Urbana-Champaign, USA PAUL KROGMEIER, University of Illinois, Urbana-Champaign, USA P. MADHUSUDAN, University of Illinois, Urbana-Champaign, USA MAHESH VISWANATHAN, University of Illinois, Urbana-Champaign, USA We investigate the decidability of automatic program verification for programs that manipulate heaps, andin particular, decision procedures for proving memory safety for them. We extend recent work that identified a decidable subclass of uninterpreted programs to a class of alias-aware programs that can update maps. We 35 apply this theory to develop verification algorithms for memory safetyÐ determining if a heap-manipulating program that allocates and frees memory locations and manipulates heap pointers does not dereference an unallocated memory location. We show that this problem is decidable when the initial allocated heap forms a forest data-structure and when programs are streaming-coherent, which intuitively restricts programs to make a single pass over a data-structure. Our experimental evaluation on a set of library routines that manipulate forest data-structures shows that common single-pass algorithms on data-structures often fall in the decidable class, and that our decision procedure is efficient in verifying them. CCS Concepts: • Theory of computation → Logic and verification; Automated reasoning. Additional Key Words and Phrases: Memory Safety, Program Verification, Aliasing, Decidability, Uninterpreted Programs, Streaming-Coherence, Forest Data-Structures ACM Reference Format: Umang Mathur, Adithya Murali, Paul Krogmeier, P. Madhusudan, and Mahesh Viswanathan. 2020. Deciding Memory Safety for Single-Pass Heap-Manipulating Programs. Proc. ACM Program.
  • An In-Depth Study with All Rust Cves

    An In-Depth Study with All Rust Cves

    Memory-Safety Challenge Considered Solved? An In-Depth Study with All Rust CVEs HUI XU, School of Computer Science, Fudan University ZHUANGBIN CHEN, Dept. of CSE, The Chinese University of Hong Kong MINGSHEN SUN, Baidu Security YANGFAN ZHOU, School of Computer Science, Fudan University MICHAEL R. LYU, Dept. of CSE, The Chinese University of Hong Kong Rust is an emerging programing language that aims at preventing memory-safety bugs without sacrificing much efficiency. The claimed property is very attractive to developers, and many projects start usingthe language. However, can Rust achieve the memory-safety promise? This paper studies the question by surveying 186 real-world bug reports collected from several origins which contain all existing Rust CVEs (common vulnerability and exposures) of memory-safety issues by 2020-12-31. We manually analyze each bug and extract their culprit patterns. Our analysis result shows that Rust can keep its promise that all memory-safety bugs require unsafe code, and many memory-safety bugs in our dataset are mild soundness issues that only leave a possibility to write memory-safety bugs without unsafe code. Furthermore, we summarize three typical categories of memory-safety bugs, including automatic memory reclaim, unsound function, and unsound generic or trait. While automatic memory claim bugs are related to the side effect of Rust newly-adopted ownership-based resource management scheme, unsound function reveals the essential challenge of Rust development for avoiding unsound code, and unsound generic or trait intensifies the risk of introducing unsoundness. Based on these findings, we propose two promising directions towards improving the security of Rust development, including several best practices of using specific APIs and methods to detect particular bugs involving unsafe code.
  • Project Snowflake: Non-Blocking Safe Manual Memory Management in .NET

    Project Snowflake: Non-Blocking Safe Manual Memory Management in .NET

    Project Snowflake: Non-blocking Safe Manual Memory Management in .NET Matthew Parkinson Dimitrios Vytiniotis Kapil Vaswani Manuel Costa Pantazis Deligiannis Microsoft Research Dylan McDermott Aaron Blankstein Jonathan Balkind University of Cambridge Princeton University July 26, 2017 Abstract Garbage collection greatly improves programmer productivity and ensures memory safety. Manual memory management on the other hand often delivers better performance but is typically unsafe and can lead to system crashes or security vulnerabilities. We propose integrating safe manual memory management with garbage collection in the .NET runtime to get the best of both worlds. In our design, programmers can choose between allocating objects in the garbage collected heap or the manual heap. All existing applications run unmodified, and without any performance degradation, using the garbage collected heap. Our programming model for manual memory management is flexible: although objects in the manual heap can have a single owning pointer, we allow deallocation at any program point and concurrent sharing of these objects amongst all the threads in the program. Experimental results from our .NET CoreCLR implementation on real-world applications show substantial performance gains especially in multithreaded scenarios: up to 3x savings in peak working sets and 2x improvements in runtime. 1 Introduction The importance of garbage collection (GC) in modern software cannot be overstated. GC greatly improves programmer productivity because it frees programmers from the burden of thinking about object lifetimes and freeing memory. Even more importantly, GC prevents temporal memory safety errors, i.e., uses of memory after it has been freed, which often lead to security breaches. Modern generational collectors, such as the .NET GC, deliver great throughput through a combination of fast thread-local bump allocation and cheap collection of young objects [63, 18, 61].
  • Ensuring the Spatial and Temporal Memory Safety of C at Runtime

    Ensuring the Spatial and Temporal Memory Safety of C at Runtime

    MemSafe: Ensuring the Spatial and Temporal Memory Safety of C at Runtime Matthew S. Simpson, Rajeev K. Barua Department of Electrical & Computer Engineering University of Maryland, College Park College Park, MD 20742-3256, USA fsimpsom, [email protected] Abstract—Memory access violations are a leading source of dereferencing pointers obtained from invalid pointer arith- unreliability in C programs. As evidence of this problem, a vari- metic; and dereferencing uninitialized, NULL or “manufac- ety of methods exist that retrofit C with software checks to detect tured” pointers.1 A temporal error is a violation caused by memory errors at runtime. However, these methods generally suffer from one or more drawbacks including the inability to using a pointer whose referent has been deallocated (e.g. with detect all errors, the use of incompatible metadata, the need for free) and is no longer a valid object. The most well-known manual code modifications, and high runtime overheads. temporal violations include dereferencing “dangling” point- In this paper, we present a compiler analysis and transforma- ers to dynamically allocated memory and freeing a pointer tion for ensuring the memory safety of C called MemSafe. Mem- more than once. Dereferencing pointers to automatically allo- Safe makes several novel contributions that improve upon previ- ous work and lower the cost of safety. These include (1) a method cated memory (stack variables) is also a concern if the address for modeling temporal errors as spatial errors, (2) a compati- of the referent “escapes” and is made available outside the ble metadata representation combining features of object- and function in which it was defined.
  • Intra-Unikernel Isolation with Intel Memory Protection Keys

    Intra-Unikernel Isolation with Intel Memory Protection Keys

    Intra-Unikernel Isolation with Intel Memory Protection Keys Mincheol Sung Pierre Olivier∗ Virginia Tech, USA The University of Manchester, United Kingdom [email protected] [email protected] Stefan Lankes Binoy Ravindran RWTH Aachen University, Germany Virginia Tech, USA [email protected] [email protected] Abstract ACM Reference Format: Mincheol Sung, Pierre Olivier, Stefan Lankes, and Binoy Ravin- Unikernels are minimal, single-purpose virtual machines. dran. 2020. Intra-Unikernel Isolation with Intel Memory Protec- This new operating system model promises numerous bene- tion Keys. In 16th ACM SIGPLAN/SIGOPS International Conference fits within many application domains in terms of lightweight- on Virtual Execution Environments (VEE ’20), March 17, 2020, Lau- ness, performance, and security. Although the isolation be- sanne, Switzerland. ACM, New York, NY, USA, 14 pages. https: tween unikernels is generally recognized as strong, there //doi.org/10.1145/3381052.3381326 is no isolation within a unikernel itself. This is due to the use of a single, unprotected address space, a basic principle 1 Introduction of unikernels that provide their lightweightness and perfor- Unikernels have gained attention in the academic research mance benefits. In this paper, we propose a new design that community, offering multiple benefits in terms of improved brings memory isolation inside a unikernel instance while performance, increased security, reduced costs, etc. As a keeping a single address space. We leverage Intel’s Memory result,
  • Memory Tagging and How It Improves C/C++ Memory Safety Kostya Serebryany, Evgenii Stepanov, Aleksey Shlyapnikov, Vlad Tsyrklevich, Dmitry Vyukov Google February 2018

    Memory Tagging and How It Improves C/C++ Memory Safety Kostya Serebryany, Evgenii Stepanov, Aleksey Shlyapnikov, Vlad Tsyrklevich, Dmitry Vyukov Google February 2018

    Memory Tagging and how it improves C/C++ memory safety Kostya Serebryany, Evgenii Stepanov, Aleksey Shlyapnikov, Vlad Tsyrklevich, Dmitry Vyukov Google February 2018 Introduction 2 Memory Safety in C/C++ 2 AddressSanitizer 2 Memory Tagging 3 SPARC ADI 4 AArch64 HWASAN 4 Compiler And Run-time Support 5 Overhead 5 RAM 5 CPU 6 Code Size 8 Usage Modes 8 Testing 9 Always-on Bug Detection In Production 9 Sampling In Production 10 Security Hardening 11 Strengths 11 Weaknesses 12 Legacy Code 12 Kernel 12 Uninitialized Memory 13 Possible Improvements 13 Precision Of Buffer Overflow Detection 13 Probability Of Bug Detection 14 Conclusion 14 Introduction Memory safety in C and C++ remains largely unresolved. A technique usually called “memory tagging” may dramatically improve the situation if implemented in hardware with reasonable overhead. This paper describes two existing implementations of memory tagging: one is the full hardware implementation in SPARC; the other is a partially hardware-assisted compiler-based tool for AArch64. We describe the basic idea, evaluate the two implementations, and explain how they improve memory safety. This paper is intended to initiate a wider discussion of memory tagging and to motivate the CPU and OS vendors to add support for it in the near future. Memory Safety in C/C++ C and C++ are well known for their performance and flexibility, but perhaps even more for their extreme memory unsafety. This year we are celebrating the 30th anniversary of the Morris Worm, one of the first known exploitations of a memory safety bug, and the problem is still not solved.
  • Memory Management with Explicit Regions by David Edward Gay

    Memory Management with Explicit Regions by David Edward Gay

    Memory Management with Explicit Regions by David Edward Gay Engineering Diploma (Ecole Polytechnique F´ed´erale de Lausanne, Switzerland) 1992 M.S. (University of California, Berkeley) 1997 A dissertation submitted in partial satisfaction of the requirements for the degree of Doctor of Philosophy in Computer Science in the GRADUATE DIVISION of the UNIVERSITY of CALIFORNIA at BERKELEY Committee in charge: Professor Alex Aiken, Chair Professor Susan L. Graham Professor Gregory L. Fenves Fall 2001 The dissertation of David Edward Gay is approved: Chair Date Date Date University of California at Berkeley Fall 2001 Memory Management with Explicit Regions Copyright 2001 by David Edward Gay 1 Abstract Memory Management with Explicit Regions by David Edward Gay Doctor of Philosophy in Computer Science University of California at Berkeley Professor Alex Aiken, Chair Region-based memory management systems structure memory by grouping objects in regions under program control. Memory is reclaimed by deleting regions, freeing all objects stored therein. Our compiler for C with regions, RC, prevents unsafe region deletions by keeping a count of references to each region. RC's regions have advantages over explicit allocation and deallocation (safety) and traditional garbage collection (better control over memory), and its performance is competitive with both|from 6% slower to 55% faster on a collection of realistic benchmarks. Experience with these benchmarks suggests that modifying many existing programs to use regions is not difficult. An important innovation in RC is the use of type annotations that make the structure of a program's regions more explicit. These annotations also help reduce the overhead of reference counting from a maximum of 25% to a maximum of 12.6% on our benchmarks.
  • “Sok: Eternal War in Memory”

    “Sok: Eternal War in Memory”

    “SoK: Eternal War in Memory” Presented by Mengjia Yan MIT 6.888 Fall 2020 Overview • Discuss the paper “SoK: Eternal War in Memory” with concrete examples • Recent progress on memory safety • With a focus on hardware/architecture 2 Motivation • C/C++ is unsafe • EveryboDy runs C/C++ coDe • They surely have exploitable vulnerabilities 3 Low-level Language Basics (C/C++/Assembly) 0x00..0000 • Programmers have more control + Efficient OS memory - Bugs - Programming productivity TEXT (code) Global/Static • Pointers DATA • Address of variables (uint64): index of memory location where variable is stored Heap • Programmers need to do pointer check, e.g. NULL, out-of-bound, use-after-free Stack 0xFF..FFFF 4 Low-level Language Basics 0x00..0000 TEXT (code) Heap Stack 0xFF..FFFF 5 Low-level Language Basics TEXT (code) stack 6 Attacks Code Injection Attack Example TEXT (code) int func (char *str) { Shell code: char buffer[12]; strncpy(buffer, str, len(str)); PUSH “/bin/sh” CALL system stack return 1; } int main() { …. func (input); … } 8 Code Injection Attack TEXT (code) TEXT (code) stack stack buffer Shell code … … Return addr Return addr 9 Attacks 10 Return-Oriented Programming (ROP) int func (char *str) { TEXT (code) TEXT (code) char buffer[12]; strncpy(buffer, str, len(str)); stack stack return 1; } …. int main() { buffer …. … … func (input); Return addr Return addr … } 11 Attacks 12 HeartBleed Vulnerability • Publicly DiscloseD in April 2014 • Bug in the OpenSSL cryptographic software library heartbeat extension • Missing a bound check 13 Attacks
  • MPTEE: Bringing Flexible and Efficient Memory Protection to Intel

    MPTEE: Bringing Flexible and Efficient Memory Protection to Intel

    MPTEE: Bringing Flexible and Efficient Memory Protection to Intel SGX Wenjia Zhao Kangjie Lu* Yong Qi* Saiyu Qi Xi’an Jiaotong University University of Minnesota Xi’an Jiaotong University Xidian University University of Minnesota Abstract code, emerge in today’s market. In particular, Intel has pro- Intel Software Guard eXtensions (SGX), a hardware-based vided SGX in its commodity processors, which supports a se- Trusted Execution Environment (TEE), has become a promis- cure region, namely enclave, to protect the internally loaded ing solution to stopping critical threats such as insider attacks code and data. Given its important and practical protection, and remote exploits. SGX has recently drawn extensive re- SGX has been extensively studied and used in practice. For search in two directions—using it to protect the confidentiality example, SCONE [1] uses it to effectively enhance the secu- and integrity of sensitive data, and protecting itself from at- rity of containers with low overhead. JITGuard [17] leverages tacks. Both the applications and defense mechanisms of SGX it to protect the security-critical just-in-time compiler oper- have a fundamental need—flexible memory protection that ations. SGXCrypter[49] utilizes it to securely unpack and updates memory-page permissions dynamically and enforces execute Windows binaries. There are many other useful appli- the least-privilege principle. Unfortunately, SGX does not pro- cations [35], [34], [31],[6], which confirm the practical and vide such a memory-protection mechanism due to the lack of promising applications of SGX. hardware support and the untrustedness of operating systems. Another line of research is to protect SGX itself from at- This paper proposes MPTEE, a memory-protection mech- tacks.
  • Intel® Xeon® E3-1200 V5 Processor Family

    Intel® Xeon® E3-1200 V5 Processor Family

    Intel® Xeon® E3-1200 v5 Processor Family Specification Update May 2020 Revision 033 Reference Number: 333133-033US Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Learn more at Intel.com, or from the OEM or retailer. No computer system can be absolutely secure. Intel does not assume any liability for lost or stolen data or systems or any damages resulting from such losses. You may not use or facilitate the use of this document in connection with any infringement or other legal analysis concerning Intel products described herein. You agree to grant Intel a non-exclusive, royalty-free license to any patent claim thereafter drafted which includes subject matter disclosed herein. No license (express or implied, by estoppel or otherwise) to any intellectual property rights is granted by this document. The products described may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Current characterized errata are available on request. Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade. Intel® Turbo Boost Technology requires a PC with a processor with Intel Turbo Boost Technology capability. Intel Turbo Boost Technology performance varies depending on hardware, software and overall system configuration. Check with your PC manufacturer on whether your system delivers Intel Turbo Boost Technology. For more information, see http://www.intel.com/ content/www/us/en/architecture-and-technology/turbo-boost/turbo-boost-technology.html Copies of documents which have an order number and are referenced in this document may be obtained by calling 1-800-548- 4725 or by visiting www.intel.com/design/literature.htm.
  • An Evolutionary Study of Linux Memory Management for Fun and Profit Jian Huang, Moinuddin K

    An Evolutionary Study of Linux Memory Management for Fun and Profit Jian Huang, Moinuddin K

    An Evolutionary Study of Linux Memory Management for Fun and Profit Jian Huang, Moinuddin K. Qureshi, and Karsten Schwan, Georgia Institute of Technology https://www.usenix.org/conference/atc16/technical-sessions/presentation/huang This paper is included in the Proceedings of the 2016 USENIX Annual Technical Conference (USENIX ATC ’16). June 22–24, 2016 • Denver, CO, USA 978-1-931971-30-0 Open access to the Proceedings of the 2016 USENIX Annual Technical Conference (USENIX ATC ’16) is sponsored by USENIX. An Evolutionary Study of inu emory anagement for Fun and rofit Jian Huang, Moinuddin K. ureshi, Karsten Schwan Georgia Institute of Technology Astract the patches committed over the last five years from 2009 to 2015. The study covers 4587 patches across Linux We present a comprehensive and uantitative study on versions from 2.6.32.1 to 4.0-rc4. We manually label the development of the Linux memory manager. The each patch after carefully checking the patch, its descrip- study examines 4587 committed patches over the last tions, and follow-up discussions posted by developers. five years (2009-2015) since Linux version 2.6.32. In- To further understand patch distribution over memory se- sights derived from this study concern the development mantics, we build a tool called MChecker to identify the process of the virtual memory system, including its patch changes to the key functions in mm. MChecker matches distribution and patterns, and techniues for memory op- the patches with the source code to track the hot func- timizations and semantics. Specifically, we find that tions that have been updated intensively.
  • Sok: Hardware Security Support for Trustworthy Execution

    Sok: Hardware Security Support for Trustworthy Execution

    SoK: Hardware Security Support for Trustworthy Execution Lianying Zhao1, He Shuang2, Shengjie Xu2, Wei Huang2, Rongzhen Cui2, Pushkar Bettadpur2, and David Lie2 1Carleton Universityz, Ottawa, ON, Canada 2University of Toronto, Toronto, ON, Canada Abstract—In recent years, there have emerged many new hard- contribute to lowering power consumption, which is critical ware mechanisms for improving the security of our computer for resource-constrained devices. systems. Hardware offers many advantages over pure software Furthermore, hardware is the Root of Trust (RoT) [48], as approaches: immutability of mechanisms to software attacks, better execution and power efficiency and a smaller interface it bridges the physical world (where human users reside) and allowing it to better maintain secrets. This has given birth to the digital world (where tasks run as software). To securely a plethora of hardware mechanisms providing trusted execution perform a task or store a secret, the user trusts at least part of environments (TEEs), support for integrity checking and memory the computer hardware. safety and widespread uses of hardware roots of trust. Dedicated hardware security support has seen its prolif- In this paper, we systematize these approaches through the lens eration since the early days of computers. It can take a of abstraction. Abstraction is key to computing systems, and the interface between hardware and software contains many abstrac- straightforward form as discrete components to assist the tions. We find that these abstractions, when poorly designed, can CPU, ranging from the industrial-grade tamper-responding both obscure information that is needed for security enforcement, IBM Cryptocards (e.g., 4758 [37]), Apple’s proprietary secure as well as reveal information that needs to be kept secret, leading enclave processor (SEP [84]) for consumer electronics, to the to vulnerabilities.