TY - GEN
T1 - Record-Replay Architecture as a General Security Framework
AU - Shalabi, Yasser
AU - Yan, Mengjia
AU - Honarmand, Nima
AU - Lee, Ruby B.
AU - Torrellas, Josep
N1 - Publisher Copyright:
© 2018 IEEE.
PY - 2018/3/27
Y1 - 2018/3/27
N2 - Hardware security features need to strike a careful balance between design intrusiveness and completeness of methods. In addition, they need to be flexible, as security threats continuously evolve. To help address these requirements, this paper proposes a novel framework where Record and Deterministic Replay (RnR) is used to complement hardware security features. We call the framework RnR-Safe. RnR-Safe reduces the cost of security hardware by allowing it to be less precise at detecting attacks, potentially reporting false positives. This is because it relies on on-the-fly replay that transparently verifies whether the alarm is a real attack or a false positive. RnR-Safe uses two replayers: an always-on, fast Checkpoint replayer that periodically creates checkpoints, and a detailed-analysis Alarm replayer that is triggered when there is a threat alarm. As an example application, we use RnR-Safe to thwart Return Oriented Programming (ROP) attacks, including on the Linux kernel. Our design augments the Return Address Stack (RAS) with relatively inexpensive hardware. We evaluate RnR-Safe using a variety of workloads on virtual machines running Linux. We find that RnR-Safe is very effective. Thanks to the judicious RAS hardware extensions and hypervisor changes, the checkpointing replayer has an execution speed comparable to the recorded execution. Also, the alarm replayer needs to handle very few false positives.
AB - Hardware security features need to strike a careful balance between design intrusiveness and completeness of methods. In addition, they need to be flexible, as security threats continuously evolve. To help address these requirements, this paper proposes a novel framework where Record and Deterministic Replay (RnR) is used to complement hardware security features. We call the framework RnR-Safe. RnR-Safe reduces the cost of security hardware by allowing it to be less precise at detecting attacks, potentially reporting false positives. This is because it relies on on-the-fly replay that transparently verifies whether the alarm is a real attack or a false positive. RnR-Safe uses two replayers: an always-on, fast Checkpoint replayer that periodically creates checkpoints, and a detailed-analysis Alarm replayer that is triggered when there is a threat alarm. As an example application, we use RnR-Safe to thwart Return Oriented Programming (ROP) attacks, including on the Linux kernel. Our design augments the Return Address Stack (RAS) with relatively inexpensive hardware. We evaluate RnR-Safe using a variety of workloads on virtual machines running Linux. We find that RnR-Safe is very effective. Thanks to the judicious RAS hardware extensions and hypervisor changes, the checkpointing replayer has an execution speed comparable to the recorded execution. Also, the alarm replayer needs to handle very few false positives.
KW - Hardware Security
KW - Record and Deterministic Replay
KW - Return Oriented Programming
UR - http://www.scopus.com/inward/record.url?scp=85046793217&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85046793217&partnerID=8YFLogxK
U2 - 10.1109/HPCA.2018.00025
DO - 10.1109/HPCA.2018.00025
M3 - Conference contribution
AN - SCOPUS:85046793217
T3 - Proceedings - International Symposium on High-Performance Computer Architecture
SP - 180
EP - 193
BT - Proceedings - 24th IEEE International Symposium on High Performance Computer Architecture, HPCA 2018
PB - IEEE Computer Society
T2 - 24th IEEE International Symposium on High Performance Computer Architecture, HPCA 2018
Y2 - 24 February 2018 through 28 February 2018
ER -