In this paper, we propose the Stateless Permutation of Application Memory (SPAM), a software defense that enables fine-grained data permutation for C programs. The key benefits include resilience against attacks that directly exploit software errors (i.e., spatial and temporal memory safety violations) in addition to attacks that exploit hardware vulnerabilities such as ColdBoot, RowHammer or hardware side-channels to disclose or corrupt memory using a single cohesive technique. Unlike prior work, SPAM is stateless by design making it automatically applicable to multi-threaded applications. We implement SPAM as an LLVM compiler pass with an extension to the compiler-rt runtime. We evaluate it on the C subset of the SPEC2017 benchmark suite and three real-world applications: the Nginx web server, the Duktape Javascript interpreter, and the WolfSSL cryptographic library. We further show SPAM's scalability by running a multi-threaded benchmark suite. SPAM has greater security coverage and comparable performance overheads to state-of-the-art software techniques for memory safety on contemporary x86_64 processors. Our security evaluation confirms SPAM's effectiveness in preventing intra/inter spatial/temporal memory violations by making the attacker success chances as low as 1/16!.
翻译:在本文中,我们提出“应用记忆的无国籍变换(SPAM) ”, 这是一种软件防御,使C程序能够进行细微测值数据变换。 关键的好处包括:除了利用ColdBoot、RowHammer或硬件侧通道等硬件弱点使用单一凝固技术披露或腐蚀记忆的攻击外,还针对直接利用软件错误(即空间和时间内存安全违规)进行攻击。 与以前的工作不同, SPAM是无国籍的, 其设计使它自动适用于多轨应用程序。 我们把SPAM作为LVM编译员通过, 延伸至编译员- 运行时间。 我们用SPEC2017基准套和三种真实世界应用程序的C子集来评价它。 Nginx网络服务器、 Duktape Javascampe 解释器和 WolfSSL 加密图书馆。 我们进一步通过运行多读基准套, 来显示SPAM的可缩缩略性。 SPAM拥有更大的安全覆盖范围和可比较性操作器, 用于当代x-86_64年期间空间攻击中进行内空域安全攻击的状态。