Hardware Assisted Randomization of Data

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11050)


Data-oriented attacks are gaining traction thanks to advances in code-centric mitigation techniques for memory corruption vulnerabilities. Previous work on mitigating data-oriented attacks includes Data Space Randomization (DSR). DSR classifies program variables into a set of equivalence classes, and encrypts variables with a key randomly chosen for each equivalence class. This thwarts memory corruption attacks that introduce illegitimate data flows. However, existing implementations of DSR trade precision for better run-time performance, which leaves attackers sufficient leeway to mount attacks. In this paper, we show that high precision and good run-time performance are not mutually exclusive. We present HARD, a precise and efficient hardware-assisted implementation of DSR. HARD distinguishes a larger number of equivalence classes, and incurs lower run-time overhead than software-only DSR. Our implementation achieves run-time overheads of just 6.61% on average, while the software version with the same protection costs 40.96%.


  1. 1.
    Akritidis, P., Cadar, C., Raiciu, C., Costa, M., Castro, M.: Preventing memory error exploits with wit. In: IEEE Symposium on Security and Privacy (S&P) (2008)Google Scholar
  2. 2.
    Asanovi, K., et al.: The rocket chip generator. Technical report, University of California, Berkeley, April 2016Google Scholar
  3. 3.
    Bhatkar, S., Sekar, R.: Data space randomization. In: Zamboni, D. (ed.) DIMVA 2008. LNCS, vol. 5137, pp. 1–22. Springer, Heidelberg (2008). Scholar
  4. 4.
    Cadar, C., Akritidis, P., Costa, M., Martin, J.P., Castro, M.: Data randomization. Technical report MSR-TR-2008-120, Microsoft Research (2008)Google Scholar
  5. 5.
    Castro, M., Costa, M., Harris, T.: Securing software by enforcing data-flow integrity. In: USENIX Symposium on Operating Systems Design and Implementation (OSDI) (2006)Google Scholar
  6. 6.
    Chen, S., et al.: Flexible hardware acceleration for instruction-grain program monitoring. In: Annual International Symposium on Computer Architecture (ISCA) (2008)Google Scholar
  7. 7.
    Chen, S., Xu, J., Sezer, E.C., Gauriar, P., Iyer, R.K.: Non-control-data attacks are realistic threats. In: USENIX Security Symposium (2005)Google Scholar
  8. 8.
    Mehta, N.: The Heartbleed Bug, Codenomicon (2014).
  9. 9.
    Cook, K.: Introduce struct layout randomization plugin (2017).
  10. 10.
    Dang, T.H., Maniatis, P., Wagner, D.: Oscar: a practical page-permissions-based scheme for thwarting dangling pointers. In: USENIX Security Symposium (2017)Google Scholar
  11. 11.
    Dhurjati, D., Adve, V.: Backwards-compatible array bounds checking for C with very low overhead. In: International Conference on Software Engineering (ICSE) (2006)Google Scholar
  12. 12.
    Ghose, S., Gilgeous, L., Dudnik, P., Aggarwal, A., Waxman, C.: Architectural support for low overhead detection of memory violations. In: Design, Automation Test in Europe Conference Exhibition (DATE) (2009)Google Scholar
  13. 13.
    Hu, H., Chua, Z.L., Adrian, S., Saxena, P., Liang, Z.: Automatic generation of data-oriented exploits. In: USENIX Security Symposium (2015)Google Scholar
  14. 14.
    Hu, H., Shinde, S., Adrian, S., Chua, Z.L., Saxena, P., Liang, Z.: Data-oriented programming: on the expressiveness of non-control data attacks. In: IEEE Symposium on Security and Privacy (S&P) (2016)Google Scholar
  15. 15.
    Intel Inc.: Intel 64 and IA-32 Architectures Software Developer’s Manual (2013)Google Scholar
  16. 16.
    Intel R. Corporation: Control-flow enforcement technology preview (2016)Google Scholar
  17. 17.
    van der Kouwe, E., Nigade, V., Giuffrida, C.: DangSan: scalable use-after-free detection. In: European Conference on Computer Systems (EuroSys) (2017)Google Scholar
  18. 18.
    Kuvaiskii, D., et al.: SGXBounds: memory safety for shielded execution. In: European Conference on Computer Systems (EuroSys) (2017)Google Scholar
  19. 19.
    Kwon, A., Dhawan, U., Smith, J.M., Knight Jr., T.F., DeHon, A.: Low-fat pointers: compact encoding and efficient gate-level implementation of fat pointers for spatial safety and capability-based security. In: ACM Conference on Computer and Communications Security (CCS) (2013)Google Scholar
  20. 20.
    Lattner, C., Adve, V.: Automatic pool allocation: improving performance by controlling data structure layout in the heap. In: ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI) (2005)Google Scholar
  21. 21.
    Lattner, C., Lenharth, A., Adve, V.: Making context-sensitive points-to analysis with heap cloning practical for the real world. In: ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI) (2007)Google Scholar
  22. 22.
    Lea, D.: A memory allocator (1996)Google Scholar
  23. 23.
    Lee, B., et al.: Preventing use-after-free with dangling pointers nullification. In: Network and Distributed System Security Symposium (NDSS) (2015)Google Scholar
  24. 24.
    Lee, Y., et al.: A 45nm 1.3GHz 16.7 double-precision GFLOPS/W RISC-V processor with vector accelerators. In: European Solid State Circuits Conference (ESSCIRC) (2014)Google Scholar
  25. 25.
    Liu, Y., Zhou, T., Chen, K., Chen, H., Xia, Y.: Thwarting memory disclosure with efficient hypervisor-enforced intra-domain isolation. In: ACM Conference on Computer and Communications Security (CCS) (2015)Google Scholar
  26. 26.
    Nagarakatte, S., Martin, M.M., Zdancewic, S.: Watchdog: hardware for safe and secure manual memory management and full memory safety. ACM SIGARCH Comput. Arch. News 40(3), 189–200 (2012)CrossRefGoogle Scholar
  27. 27.
    Nagarakatte, S., Zhao, J., Martin, M.M., Zdancewic, S.: SoftBound: highly compatible and complete spatial memory safety for C. In: ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI) (2009)Google Scholar
  28. 28.
    Nagarakatte, S., Zhao, J., Martin, M.M., Zdancewic, S.: CETS: compiler enforced temporal safety for C. In: International Symposium on Memory Management (ISMM) (2010)Google Scholar
  29. 29.
    Patil, H., Fischer, C.: Low-cost, concurrent checking of pointer and array accesses in C programs. Softw. Pract. Exp. 27(1), 87–110 (1997)CrossRefGoogle Scholar
  30. 30.
    Rains, T., Miller, M., Weston, D.: Exploitation trends: from potential risk to actual risk. In: RSA Conference (2015)Google Scholar
  31. 31.
    Ramakesavan, R., et al.: Intel memory protection extensions enabling guide (2016)Google Scholar
  32. 32.
    Schoeberl, M.: Design and implementation of an efficient stack machine. In: IEEE International Parallel and Distributed Processing Symposium (2005)Google Scholar
  33. 33.
    Song, C., et al.: HDFI: hardware-assisted data-flow isolation. In: IEEE Symposium on Security and Privacy (S&P) (2016)Google Scholar
  34. 34.
    Venkataramani, G., Roemer, B., Solihin, Y., Prvulovic, M.: MemTracker: efficient and programmable support for memory access monitoring and debugging. In: IEEE International Symposium on High Performance Computer Architecture (HPCA) (2007)Google Scholar
  35. 35.
    Xu, W., DuVarney, D.C., Sekar, R.: An efficient and backwards-compatible transformation to ensure memory safety of C programs. In: ACM SIGSOFT International Symposium on Foundations of Software Engineering (FSE) (2004)Google Scholar
  36. 36.
    Yang, J., Shin, K.G.: Using hypervisor to provide data secrecy for user applications on a per-page basis. In: Proceedings of the Fourth ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments (2008)Google Scholar
  37. 37.
    Younan, Y.: FreeSentry: protecting against use-after-free vulnerabilities due to dangling pointers. In: Network and Distributed System Security Symposium (NDSS) (2015)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. 1.University of California, IrvineIrvineUSA
  2. 2.ECE and ISRCSeoul National UniversitySeoulSouth Korea

Personalised recommendations