Koustubha Bhat

Gabriel Ryan, Abhishek Shah, Dongdong She et al.

Dataflow tracking with Dynamic Taint Analysis (DTA) is an important method in systems security with many applications, including exploit analysis, guided fuzzing, and side-channel information leak detection. However, DTA is fundamentally limited by the Boolean nature of taint labels, which provide no information about the significance of detected dataflows and lead to false positives/negatives on complex real world programs. We introduce proximal gradient analysis (PGA), a novel, theoretically grounded approach that can track more accurate and fine-grained dataflow information. PGA uses proximal gradients, a generalization of gradients for non-differentiable functions, to precisely compose gradients over non-differentiable operations in programs. Composing gradients over programs eliminates many of the dataflow propagation errors that occur in DTA and provides richer information about how each measured dataflow effects a program. We compare our prototype PGA implementation to three state of the art DTA implementations on 7 real-world programs. Our results show that PGA can improve the F1 accuracy of data flow tracking by up to 33% over taint tracking (20% on average) without introducing any significant overhead (<5% on average). We further demonstrate the effectiveness of PGA by discovering 22 bugs (20 confirmed by developers) and 2 side-channel leaks, and identifying exploitable dataflows in 19 existing CVEs in the tested programs.

Hiroshi Sasaki, Miguel A. Arroyo, M. Tarek Ibn Ziad et al.

Recent rapid strides in memory safety tools and hardware have improved software quality and security. While coarse-grained memory safety has improved, achieving memory safety at the granularity of individual objects remains a challenge due to high performance overheads which can be between ~1.7x-2.2x. In this paper, we present a novel idea called Califorms, and associated program observations, to obtain a low overhead security solution for practical, byte-granular memory safety. The idea we build on is called memory blacklisting, which prohibits a program from accessing certain memory regions based on program semantics. State of the art hardware-supported memory blacklisting while much faster than software blacklisting creates memory fragmentation (of the order of few bytes) for each use of the blacklisted location. In this paper, we observe that metadata used for blacklisting can be stored in dead spaces in a program's data memory and that this metadata can be integrated into microarchitecture by changing the cache line format. Using these observations, Califorms based system proposed in this paper reduces the performance overheads of memory safety to ~1.02x-1.16x while providing byte-granular protection and maintaining very low hardware overheads. The low overhead offered by Califorms enables always on, memory safety for small and large objects alike, and the fundamental idea of storing metadata in empty spaces, and microarchitecture can be used for other security and performance applications.