StackVault: Protection from Untrusted Functions

07/08/2019
by Qi Zhang, et al.

Data exfiltration attacks have led to huge data breaches. Recently, the Equifax attack affected 147M users, and a third-party library, Apache Struts, was alleged to be responsible for it. These attacks often exploit the fact that sensitive data are stored unencrypted in process memory and can be accessed by any function executing within the same process, including untrusted third-party library functions. This paper presents StackVault, a kernel-based system to prevent sensitive stack-based data from being accessed in an unauthorized manner by intra-process functions. Stack-based data includes data on the stack as well as data pointed to by pointer variables on the stack. StackVault consists of three components: (1) a set of programming APIs that allow users to specify which data needs to be protected, (2) a kernel module that uses unforgeable function identities to reliably carry out the sensitive data protection, and (3) an LLVM compiler extension that enables transparent placement of stack protection operations. The StackVault system automatically enforces stack protection through spatial and temporal access monitoring and control over both sensitive stack data and untrusted functions. We implemented StackVault and evaluated it using a number of popular real-world applications, including gRPC. The results show that StackVault is effective and efficient, incurring only up to 2.4 runtime overhead.
