From speculation to security: Practical and efficient information flow tracking using speculative hardware

Haibo Chen, Xi Wu, Liwei Yuan, Binyu Zang, Pen Chung Yew, Frederic T. Chong

Research output: Chapter in Book/Report/Conference proceedingConference contribution

34 Scopus citations

Abstract

Dynamic information flow tracking (also known as taint tracking) is an appealing approach to combat various security attacks. However, the performance of applications can severely degrade without hardware support for tracking taints. This paper observes that information flow tracking can be efficiently emulated using deferred exception tracking in microprocessors supporting speculative execution. Based on this observation, we propose SHIFT, a low-overhead, software-based dynamic information flow tracking system to detect a wide range of attacks. The key idea is to treat tainted state (describing untrusted data) as speculative state (describing deferred exceptions). SHIFT leverages existing architectural support for speculative execution to track tainted state in registers and needs to instrument only load and store instructions to track tainted state in memory using a bitmap, which results in significant performance advantages. Moreover, by decoupling mechanisms for taint tracking from security policies, SHIFT can detect a wide range of exploits, including high-level semantic attacks. We have implemented SHIFT using the Itanium processor, which has support for deferred exceptions, and by modifying GCC to instrument loads and stores. A security assessment shows that SHIFT can detect both low-level memory corruption exploits as well as high-level semantic attacks with no false positives. Performance measurements show that SHIFT incurs about 1% overhead for server applications. The performance slowdown for SPEC-INT2000 is 2.81X and 2.27X for tracking at byte-level and word-level respectively. Minor architectural improvements to the Itanium processor (adding three simple instructions) can reduce the performance slowdown down to 2.32X and 1.8X for byte-level and word-level tracking, respectively.

Original languageEnglish (US)
Title of host publicationISCA 2008, Proceedings - 35th International Symposium on Computer Architecture
Pages401-412
Number of pages12
DOIs
StatePublished - Oct 1 2008
EventISCA 2008, 35th International Symposium on Computer Architecture - Beijing, China
Duration: Jun 21 2008Jun 25 2008

Publication series

NameProceedings - International Symposium on Computer Architecture
ISSN (Print)1063-6897

Other

OtherISCA 2008, 35th International Symposium on Computer Architecture
CountryChina
CityBeijing
Period6/21/086/25/08

Fingerprint Dive into the research topics of 'From speculation to security: Practical and efficient information flow tracking using speculative hardware'. Together they form a unique fingerprint.

Cite this