GANDALF: A fine-grained hardware-software co-design for preventing memory attacks
This addresses security vulnerabilities for systems using OpenRISC processors, though it is incremental as it builds on existing capability-based protection methods.
The authors tackled the problem of memory-based security vulnerabilities like buffer overflows by developing Gandalf, a hardware-software co-design that associates base and bound capabilities to pointers for runtime checks, resulting in small performance penalties while preventing all forms of such attacks.
Reading or writing outside the bounds of a buffer is a serious security vulnerability that has been exploited in numerous occasions. These attacks can be prevented by ensuring that every buffer is only accessed within its specified bounds. In this paper we present Gandalf, a compiler-assisted hardware extension for the OpenRISC processor that thwarts all forms of memory based attacks including buffer overflows and over-reads.The feature associates lightweight base and bound capabilities to all pointer variables, which are checked at run time by the hardware. Gandalf is transparent to the user and does not require significant OS modifications. Moreover, it achieves locality, thus resulting in small performance penalties.