DynPTA: Combining Static and Dynamic Analysis for Practical Selective Data Protection
- 1 May 2021
- conference paper
- Published by Institute of Electrical and Electronics Engineers (IEEE)
- p. 1919-1937
- https://doi.org/10.1109/sp40001.2021.00082
Abstract
As control flow hijacking attacks become more challenging due to the deployment of various exploit mitigation technologies, the leakage of sensitive process data through the exploitation of memory disclosure vulnerabilities is becoming an increasingly important threat. To make matters worse, recently introduced transient execution attacks provide a new avenue for leaking confidential process data. In response, various approaches for selectively protecting subsets of critical in-memory data have been proposed, which, however, either require a significant code refactoring effort or do not scale to large applications. In this paper we present DynPTA, a selective data protection approach that combines static analysis with scoped dynamic data flow tracking (DFT) to keep a subset of manually annotated sensitive data always encrypted in memory. DynPTA ameliorates the inherent overapproximation of pointer analysis—a significant challenge that has prevented previous approaches from supporting large applications—by relying on lightweight label lookups to determine whether potentially sensitive data is actually sensitive. Labeled objects are tracked only within the subset of value flows that may carry potentially sensitive data, so only a fraction of the program's code needs to be instrumented for DFT. We experimentally evaluated DynPTA with real-world applications and demonstrate that it can prevent memory disclosure (Heartbleed) and transient execution (Spectre) attacks from leaking the protected data, while incurring a modest runtime overhead of up to 19.2% when protecting the private TLS key of Nginx with OpenSSL.
Funding Information
- Office of Naval Research
- National Science Foundation
- Defense Advanced Research Projects Agency
This publication has 47 references indexed in Scilit.