Strato: A Retargetable Framework for Low-level Inlined Reference Monitors
Venue
Proceedings of the 22nd USENIX Conference on Security, USENIX Association, Berkeley, CA, USA (2013), pp. 369-382
Publication Year
2013
Authors
Bin Zeng, Gang Tan, Úlfar Erlingsson
Abstract
Low-level Inlined Reference Monitors (IRM) such as control-flow integrity and
software-based fault isolation can foil numerous software attacks. Conventionally,
those IRMs are implemented through binary rewriting or transformation on equivalent
low-level programs that are tightly coupled with a specific Instruction Set
Architecture (ISA). Resulting implementations have poor retargetability to
different ISAs. This paper introduces an IRM-implementation framework at a compiler
intermediate-representation (IR) level. The IR-level framework enables easy
retargetability to different ISAs, but raises the challenge of how to preserve
security at the low level, as the compiler backend might invalidate the assumptions
at the IR level. We propose a constraint language to encode the assumptions and
check whether they still hold after the backend transformations and optimizations.
Furthermore, an independent verifier is implemented to validate the security of
low-level code. We have implemented the framework inside LLVM to enforce the policy
of control-flow integrity and data sandboxing for both reads and writes.
Experimental results demonstrate that it incurs a modest runtime overhead of 19.90%
and 25.34% on SPECint2000 programs for x86-32 and x86-64, respectively.
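The abstract's central point is that an IR-level instrumentation (here, data sandboxing of stores) rests on an assumption that a backend pass can silently break, which is why a separate low-level verifier is needed. The following is an added toy example, not code from the paper or from Strato: instructions are tuples over made-up registers, the sandbox mask is a hypothetical constant, and `fold_offsets` stands in for a backend peephole that reorders an address computation.

```python
# Added example (not from the paper): an IR-level sandboxing pass, a simulated
# backend transformation that invalidates its assumption, and an independent
# verifier that re-checks the constraint on the final instruction sequence.
# Instruction tuples: ("mov", dst, src), ("add", dst, imm), ("and", dst, imm),
# ("load", dst, addr_reg), ("store", addr_reg, val_reg).

SANDBOX_MASK = 0x20FFFFFF  # hypothetical: confines addresses to one 16 MiB region

def instrument_stores(code):
    """IR-level pass: mask the address register immediately before every store."""
    out = []
    for ins in code:
        if ins[0] == "store":
            out.append(("and", ins[1], SANDBOX_MASK))
        out.append(ins)
    return out

def fold_offsets(code):
    """Simulated backend peephole: move an 'add reg, imm' past the mask so the
    final address is computed next to the store. Semantically harmless for
    ordinary code, but it leaves an unmasked register at the store."""
    out = list(code)
    i = 0
    while i + 2 < len(out):
        a, b, c = out[i], out[i + 1], out[i + 2]
        if (a[0] == "add" and b[0] == "and" and c[0] == "store"
                and a[1] == b[1] == c[1]):
            out[i], out[i + 1] = b, a  # mask now precedes the add
        i += 1
    return out

def verify(code):
    """Constraint: at every store, the address register was masked with
    SANDBOX_MASK and not redefined since. Returns (ok, violating_index)."""
    masked = set()
    for idx, ins in enumerate(code):
        op = ins[0]
        if op == "and" and ins[2] == SANDBOX_MASK:
            masked.add(ins[1])
        elif op == "store":
            if ins[1] not in masked:
                return False, idx
        else:
            # every other opcode writes its first operand, invalidating any mask
            masked.discard(ins[1])
    return True, None

# Constructed input: compute r1 = r0 + 8, then store r2 through r1.
PROGRAM = [("mov", "r1", "r0"), ("add", "r1", 8), ("store", "r1", "r2")]
```

Running `verify` on `instrument_stores(PROGRAM)` accepts, while the same code after `fold_offsets` is rejected at the store, which is the gap between IR-level instrumentation and low-level security that the paper's constraint language and verifier close.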
