Sharing is Caring: Secure and Efficient Shared Memory Support for MVEEs

Jonas Vinck, Bert Abrath, Bart Coppens, VOULIMENEAS ALEXIOS, Bjorn De Sutter, Stijn Volckaert

Research output: Chapter in Book/Conference proceedings/Edited volume; Conference contribution; Scientific; peer-review

2 Citations (Scopus)

Abstract

Multi-Variant Execution Environments (MVEEs) are a powerful tool for protecting legacy software against memory corruption attacks. MVEEs employ software diversity to run multiple variants of the same program in lockstep, whilst providing them with the same inputs and comparing their behavior. Well-constructed variants will behave equivalently under normal operating conditions but diverge when under attack. The MVEE detects these divergences and takes action before compromised variants can damage the host system. Existing MVEEs replicate inputs at the system call boundary, and therefore do not support programs that use shared-memory IPC with other processes, since shared memory pages can be read from and written to directly without system calls. We analyzed modern applications, ranging from web servers, over media players, to browsers, and observe that they rely heavily on shared memory, in some cases for their basic functioning and in other cases for enabling more advanced functionality. It follows that modern applications cannot enjoy the security provided by MVEEs unless those MVEEs support shared-memory IPC. This paper first identifies the requirements for supporting shared-memory IPC in an MVEE. We propose a design that involves techniques to identify and instrument accesses to shared memory pages, as well as techniques to replicate I/O through shared-memory IPC. We implemented these techniques in a prototype MVEE and report our findings through an evaluation of a range of benchmark programs. Our contributions enable the use of MVEEs on a far wider range of programs than previously supported. By overcoming one of the major remaining limitations of MVEEs, our contributions can help to bolster their real-world adoption.

Original language: English
Title of host publication: EuroSys 2022 - Proceedings of the 17th European Conference on Computer Systems
Pages: 99-116
Number of pages: 18
ISBN (Electronic): 9781450391627
Publication status: Published - 2022
Externally published: Yes
