Visible to the public CRII: SaTC: Lockdown: Guarded Control-Flow and Data Privacy for Sensitive DataConflict Detection Enabled

Project Details

Lead PI

Performance Period

Jul 01, 2015 - Jun 30, 2017


Purdue University

Award Number

Outcomes Report URL

Software systems are under constant attack: extracting sensitive data from running computer systems is a prime and highly lucrative target for attackers. Yet, current defense mechanisms fail to protect confidential or private data along with the integrity and availability of the underlying system. While it is important to find and fix vulnerabilities, it is unlikely that all vulnerabilities will ever be discovered. Therefore, there is an argument to be had for stronger defense mechanisms that protect software systems even in the presence of vulnerabilities. The research in this project will improve the security of legacy and newly developed source code by enforcing both integrity and confidentiality for a well-defined sub-set of identified sensitive data. The project proposes new security policies that increase the resilience of legacy software against attacks, protecting running programs against attacker-imposed deviations and and protecting a subset of important data even if the application is compromised.

The majority of software that runs on today's systems is written in memory unsafe languages. Memory safety vulnerabilities are abundant and are often used to compromise systems. Existing techniques that retrofit memory safety on top of C/C++ often result in prohibitive overhead, are not compatible with legacy code, or only provide partial protection. Building on Code-Pointer Integrity (CPI), a compiler-based technique that enforces memory safety for code pointers, this project proposes to guard the control-flow and to enforce data confidentiality for sensitive data. Both techniques will be implemented as compiler-passes. Guarded control-flow will leverage a compiler-based static analysis to identify all data that may be used in conditional control-flow decisions. In a second step, the compiler instruments the program with guards to protect this data alongside code pointers, thereby protecting from any attacker-induced control-flow deviation. Data confidentiality will introduce a static compiler-based analysis that identifies and tags sensitive data like passwords, cryptographic keys, or authentication tokens. An instrumentation pass will then add guards to enforce confidentiality guarantees at runtime. These guards keep the subset of sensitive data private and secure from attackers. Data confidentiality enforces integrity and confidentiality even if the attacker has full memory read access. In addition, this project will develop metrics and benchmarks to evaluate the effectiveness of these security policies in the context of different programs.