WO2021148134A1 - Apparatus and method for software security - Google Patents

Apparatus and method for software security Download PDF

Info

Publication number
WO2021148134A1
WO2021148134A1 PCT/EP2020/051773 EP2020051773W WO2021148134A1 WO 2021148134 A1 WO2021148134 A1 WO 2021148134A1 EP 2020051773 W EP2020051773 W EP 2020051773W WO 2021148134 A1 WO2021148134 A1 WO 2021148134A1
Authority
WO
WIPO (PCT)
Prior art keywords
read
memory
processor
load
value
Prior art date
Application number
PCT/EP2020/051773
Other languages
French (fr)
Inventor
Rémi Robert Michel DENIS-COURMONT
Carlos CHINEA PEREZ
Jan-Erik Ekberg
Original Assignee
Huawei Technologies Co., Ltd.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co., Ltd. filed Critical Huawei Technologies Co., Ltd.
Priority to PCT/EP2020/051773 priority Critical patent/WO2021148134A1/en
Priority to CN202080094081.XA priority patent/CN114981811A/en
Publication of WO2021148134A1 publication Critical patent/WO2021148134A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00Accessing, addressing or allocating within memory systems or architectures
    • G06F12/02Addressing or allocation; Relocation
    • G06F12/08Addressing or allocation; Relocation in hierarchically structured memory systems, e.g. virtual memory systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00Accessing, addressing or allocating within memory systems or architectures
    • G06F12/14Protection against unauthorised use of memory or access to memory
    • G06F12/1458Protection against unauthorised use of memory or access to memory by checking the subject access rights
    • G06F12/1466Key-lock mechanism
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/54Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by adding security routines or objects to programs
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • G06F21/79Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data in semiconductor storage media, e.g. directly-addressable memories
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2212/00Indexing scheme relating to accessing, addressing or allocation within memory systems or architectures
    • G06F2212/10Providing a specific technical effect
    • G06F2212/1016Performance improvement
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2212/00Indexing scheme relating to accessing, addressing or allocation within memory systems or architectures
    • G06F2212/10Providing a specific technical effect
    • G06F2212/1052Security improvement

Definitions

  • the aspects of the disclosed embodiments relate generally to computer security and more particularly to preventing exploitation of coding weaknesses.
  • the aspects of the disclosed embodiments are directed to apparatus and methods adapted to provide deterministic protections against software exploitation without adding complexity or increased resource usage.
  • the disclosed embodiments are configured to provide improved deterministic detection of pointer tampering and attack avoidance.
  • the apparatus includes a processor and a memory coupled to the processor.
  • the processor is configured to load a pointer value into a first processor register.
  • the pointer value includes an address of the target memory location.
  • the processor then executes a load from read-only memory operation which causes the processor to verify that the target memory location is marked as read-only, and when the target memory location is marked as read-only, the processor loads the target data value into a second processor register.
  • the processor is configured to generate a memory fault.
  • an attacker may attempt to replace valid target data with their own data as a way to divert program flow or trigger other unauthorized behaviour. To accomplish this the attacker may modify a pointer with a different memory address that contains the attacker’s data. Because it is difficult to modify read-only memory mappings it is likely that the attacker’s data is stored in a writable memory location. Thus, by verifying the target data is stored in a location married as read-only, an attack that attempts to load data from a writeable memory location can be detected and a fault may be generated to alter program flow and allow the attack to be avoided.
  • the processor includes memory tagging extensions, and the target memory location is associated with a target tag.
  • the processor is configured to load the pointer value into the first processor register, wherein the pointer value further comprises an associated tag.
  • the load from read-only memory operation causes the processor to set the associated tag to a first tag value, where the first tag value corresponds to a read-only tag value, and to verify the target tag is equal to the first tag value.
  • the processor loads the data value into the second processor register.
  • the processor When the target tag is not equal to the first tag value, the processor generates a memory fault. Exploiting memory tag extensions to perform the load from read-only memory operation allows deterministic security benefits to be enjoyed without incurring the costs associated with extending the instruction set architecture of a processor to include additional special purpose load instructions.
  • the processor includes a pointer authentication feature, and the processor is configured to load the pointer value into the first processor register.
  • the pointer value comprises a pointer authentication code, and the pointer authentication code is based on a read-only modifier.
  • the processor executes the load from read-only memory operation, where the load from read-only memory operation causes the processor to verify the pointer authentication code based on the read-only modifier.
  • the processor loads the data value into the second processor register, or when the pointer authentication code is not valid, the processor generates a memory fault. Exploiting pointer authentication features to perform the load from read-only memory operation allows the improved security benefits of the disclosed embodiments to be enjoyed without incurring the costs associated with extending an instruction set architecture to include additional special purpose load instructions.
  • the apparatus further comprises a memory management unit and the processor is configured to verify that the target memory location is marked as read-only based on cached values and a translation look-aside buffer. Verifying the read-only marking using memory management hardware such as an MMU improves overall performance of the computing apparatus.
  • the memory fault causes the processor to alter program flow and perform corrective action. Altering program flow when pointer tampering is detected allows an attack to be avoided through corrective action, such as aborting execution of the program.
  • the method includes loading a pointer value into a first processor register.
  • the pointer value includes an address of a target memory location.
  • the method includes executing a load from read-only memory operation, wherein the load from read-only memory operation includes verifying that the target memory location is marked as read-only, and when the target memory location is marked as read-only, loading the data value into a second processor register.
  • the method When the target memory location is not marked as read-only, the method generates a memory fault.
  • an attacker may attempt to replace valid target data with their own data as a way to divert program flow or trigger other unauthorized behaviour.
  • the attacker may modify a pointer to point to the attacker’s data which is likely in a writable memory location. Because the described embodiment verifies the read-only property of the target data, an attack that attempts to load data from a writeable memory location is detected and a fault is generated to alter program flow and providing an opportunity for the attack to be avoided.
  • the target memory location is associated with a target tag
  • the method includes loading the pointer value into the first processor register, wherein the pointer value further comprises an associated tag.
  • the method executes the load from read-only memory operation, where the load from read-only memory operation includes setting the associated tag to a first tag value, wherein the first tag value corresponds to a read only tag value, and verifying the target tag is equal to the first tag value.
  • the method loads the data value into the second processor register, or when the target tag is not equal to the first tag value a memory fault is generated. Exploiting memory tag extensions to perform the load from read-only memory operation allows the improved security benefits of the disclosed embodiments to be enjoyed without incurring the costs associated with extending an instruction set architecture to include additional special purpose load instructions.
  • the method includes loading the pointer value into a first processor register, where the pointer value further comprises a pointer authentication code, and the pointer authentication code is based on a read-only modifier; and executing the load from read-only memory operation.
  • the load from read-only memory operation includes validating the pointer authentication code based on the read only modifier, and when the pointer authentication code is valid, loading the data value into the second processor register.
  • a memory fault is generated.
  • the memory fault allows a computing apparatus to recover from an invalid pointer condition, such as by aborting the executing program thereby avoiding any attack that may have been initiated. Exploiting pointer authentication features to perform the load from read-only memory operation allows the improved security benefits of the disclosed embodiments to be enjoyed without incurring the costs associated with extending an instruction set architecture to include additional special purpose load instructions.
  • a non-transitory computer readable media having stored thereon program instructions that when executed by a processor cause the processor to perform the method according to any one of claims 6 to 8.
  • a non-transitory computer readable media provides a means for distribution and reuse of the method on the same or other processors.
  • Figure 1 illustrates a schematic block diagram of an exemplary apparatus depicting a protected load from read-only memory operation incorporating aspects of the disclosed embodiments
  • Figure 2 illustrates a schematic block diagram of the exemplary apparatus depicting an attack on an unprotected load operation incorporating aspects of the disclosed embodiments
  • Figure 3 illustrates a schematic block diagram of the exemplary apparatus depicting a detected attack incorporating aspects of the disclosed embodiments
  • Figure 4 illustrates a flow chart of an exemplary method incorporating aspects of the disclosed embodiments
  • Figure 5 illustrates a flow chart of an exemplary method for executing a load from read-only memory operation incorporating aspects of the disclosed embodiments.
  • Figure 6 illustrates a flow chart of an exemplary method for executing a load from read-only memory operation incorporating aspects of the disclosed embodiments.
  • FIG. 1 a schematic block diagram of an exemplary apparatus 100 incorporating aspects of the disclosed embodiments is illustrated.
  • the aspects of the disclosed embodiments are directed to preventing exploitation of programming weaknesses in memory unsafe computing languages such as C and its derivatives C++ and Objective C.
  • an apparatus 100 which may also be referred to as a computing apparatus, includes a processor 102 communicatively coupled to a memory 104. Although only one memory 104 is illustrated in Figure 1, it will be understood that the memory 104 can comprise one or more memory blocks or modules.
  • the memory 104 may be a combination of various types of volatile and non-volatile computer memory such as for example read-only memory (ROM), random access memory (RAM), magnetic or optical disk, flash, or other appropriate types of computer memory.
  • the processor 102 is configured to load a pointer value 120 into a first processor register 112.
  • the pointer value 120 comprises an address of a target memory location 108.
  • the processor 102 is configured to execute a load from read-only memory operation.
  • the load from read-only memory operation causes the processor 102 to verify that the target memory location 108 is marked as read-only.
  • the processor 102 is configured to load the data value 118 into a second processor register 114. If the target memory location 108 is not marked as read-only, the processor is configured to generate a memory fault 310.
  • the aspects of the disclosed embodiments are configured to provide improved deterministic detection of pointer tampering and attack avoidance.
  • the processor 102 may be any appropriate type of computer processing apparatus.
  • the processor 102 may be a single processing device or may comprise a plurality of processing devices including special purpose devices, such as digital signal processing (DSP) devices, microprocessors, specialized processing devices, parallel processing cores, or general purpose computer processors.
  • DSP digital signal processing
  • the processor 102 and memory 104 may be incorporated into a system on a chip (SoC) device or chipset.
  • SoC system on a chip
  • the processor 102 is configured to read program instructions from the memory 104 and perform any of the methods and processes described herein.
  • the processor 102 may also include a CPU working in tandem with a graphics processing unit (GPU) which may include a digital signal processor (DSP) or other specialized graphics processing hardware.
  • GPU graphics processing unit
  • DSP digital signal processor
  • the processor 102 incorporates a load-store architecture or instruction set architecture (ISA) where processor instructions are organized in two categories: memory access instructions used to load and store data between memory 104 and processor registers 112, 114, and arithmetic logic unit (ALU) operations performed between one or more processor registers 112, 114.
  • ISA instruction-store architecture or instruction set architecture
  • ALU arithmetic logic unit
  • the processor 102 When preparing a computer program for execution the processor 102 populates a plurality of memory locations 106 with desired data and/or program instructions. Each memory location may be associated or marked with access restrictions 116, where the access restrictions 116 control what types of access is allowed during execution of the computer program. Certain locations will be marked as read-only (READ), which means the data cannot be written or otherwise modified during program execution, while other memory locations may be marked as both readable and writeable (READ & WRITE). Writeable data refers to data or memory locations where the value may be modified during program execution.
  • READ read-only
  • Writeable data refers to data or memory locations where the value may be modified during program execution.
  • a data value 118 that will be required during program execution may be loaded into a memory location 108.
  • the memory location 108 may then be marked 116 as read- only (READ).
  • This read-only marking (READ) may be done for example when the data value 118 is known to remain constant throughout execution of the computer program, or when the data value is of critical importance to operation of the program and modification could lead to undesired behaviour.
  • the desired data value 118 is retrieved from memory 104 by loading 122 a pointer value 120 into a first processor register 112.
  • the pointer value 120 includes a memory address.
  • the memory address corresponds to a memory location of the target data value 118.
  • the pointer may also include an indication of the expected access restrictions that should be associated with the target data value 118, such as an indication that the target data value 118 is marked as read-only (READ).
  • READ read-only
  • a special load operation is then executed by the processor 102 to retrieve the target data value 118 from the target memory location 108 and load the data value 118 into a processor register 114.
  • the special load operation referred to herein as a load from read-only memory operation, is configured to verify that access restrictions (READ) associated with the target memory location 108 are in fact read-only, and to load the data value 118 only when the target memory location 108 is determined 124 to be read-only (READ).
  • READ access restrictions
  • the load from read-only memory operation is configured to generate a memory fault.
  • the target memory location 108 When the target memory location 108 is read-only, the target data value 118 is loaded 126 into a processor register 114 where it may be used or operated on during subsequent operations by the processor 102.
  • the target memory location 108 When the target memory location 108 is not read-only, i.e. the target memory location is writeable, a memory fault is generated allowing the processor 102 to alter program flow and appropriately handle or recover from the memory fault.
  • the processor 102 may infer, when the target memory location 108 is not read-only (READ), that an attack is under way and the processor 102 can take appropriate action to terminate the currently executing program or otherwise protect the apparatus 100 from unauthorized access.
  • READ read-only
  • the apparatus 100 may include specialized hardware such as a memory management unit (MMU) or memory protection unit (MPU) to facilitate and accelerate memory access.
  • MMU memory management unit
  • MPU memory protection unit
  • an MMU is used to cache the read only property or read-only marking associated with the target memory location 108.
  • the read only marking (READ) can then be checked within translation look aside buffers (TLB) that exist in many conventional processor architectures that include an MMU.
  • TLB translation look aside buffers
  • FIG. 2 a schematic block diagram of the exemplary apparatus 100 incorporating aspects of the disclosed embodiments is illustrated.
  • the processor 102 incorporates both conventional load operations as well as the newly disclosed load from read-only memory operation described above and with reference to Figure 1.
  • FIG. 2 depicts a scenario where conventional load instructions are exploited to replace a read-only data value 118 with an attacker data 204.
  • the attacker desires to replace the read-only data 118 with a different attacker data 202.
  • the attacker places the attacker data 204 in a writeable memory location and modifies the pointer 202 with the memory location 212 of the attacker data 204.
  • the processor 102 will, in the course of execution of a computer program, load 206 the modified pointer 202 into a processor register 112. The processor 102 will then use the modified pointer value 202 to access 208 a new memory location 212 which contains the attacker data 204.
  • the conventional load operation does not check the read and write (READ & WRITE) access properties associated with the memory location 212 and will therefore load 210 the attacker data 204 into the second processor register 114. After execution of the conventional load operation the attacker has successfully replaced the original read-only program data 118 with their own attacker data 204.
  • Figure 3 illustrates a schematic block diagram of the same apparatusl 00 as illustrated in Figure 2.
  • the scenario depicted in Figure 3 employs a load from read-only memory operation when loading the read-only data 118.
  • the attacker desires to replace the read-only data 118 with their own attacker data 304.
  • the attacker places the attacker data 304 in a writeable memory location 312 and modifies the pointer value 302 with the memory address of the attacker data 304.
  • the modified pointer 302 is then loaded into a first processor register 112.
  • the newly disclosed load from read-only operation is used when loading the data.
  • the load from read-only operation accesses the memory location 312 identified by the modified pointer 302, and in contrast to the conventional load operation, the load form read only memory operation verifies that the target memory location 312 is marked as read-only.
  • the read-only verification fails, and a memory fault is generated 310, and the attacker data 304 is not loaded into the second processor register.
  • the generated memory fault 310 causes the processor 102 to alter program flow thereby allowing the processor 102 an opportunity to appropriately recover from the attack.
  • the existing instruction set architecture may be extended to include a new set of load instructions based on the above disclosed load from read-only memory operation.
  • the new set of instructions may be adapted to load data only from memory locations or addresses marked as read-only.
  • the new set of load from read-only memory instructions may be advantageously added to conventional instruction set architectures such as instruction sets provided by the ARMv8 architecture designed by ARM HOLDINGS, and the RISC-V architecture designed by the UNIVERSITY OF CALIFORNIA, BERKELEY.
  • the load from read-only memory operation described above may be achieved incorporating novel design patterns within the program code during compilation and building of the computer program.
  • a compiler may be adapted to employ memory colouring, or memory tagging features, such as the memory tag extension (MTE) feature available in some ARMv8 processor architectures, to create a load from read-only memory operation while compiling source code of a program.
  • MTE memory tag extension
  • one or more distinct tag values may be reserved for read-only data.
  • the load from read-only memory operation may then set the tag associated with a memory location known to be read-only to the reserved tag value prior to accessing the target memory location.
  • the processor or memory subsystem used to access the target memory location will then generate a memory fault when the target memory location is not associated with the reserved tag value.
  • pointer authentication features such as the pointer authentication extensions provided by the ARMv8 architecture or similar instruction set architecture extension, may be employed to provide the herein disclosed load from read-only memory operation protections.
  • a compiler can be adapted to mark read-only memory locations by employing a distinct set of modifiers during generation of pointer authentication codes for read only memory locations. This may be accomplished by generating a pointer authentication code (PAC) and associating the PAC or including the PAC in each pointer value along with the memory address.
  • PAC corresponding to a read-only memory location is generated based on a read-only modified value and a PAC corresponding to a writeable memory location will be generated based on a different or normal modifier value.
  • the read-only modifier value may be determined by inverting one or more bits in the normal modifier value.
  • the load from read-only memory operations should be incorporated into a computer program at compile time.
  • the compiler can determine when memory accesses are statistically known to target read-only memory, and mark these known read-only accesses.
  • the read-only accesses may be marked and protected using any of the exemplary embodiments described above or using a combination of the above disclosed embodiments as desired.
  • the processor 102 will enforce that memory locations marked as read-only (READ) are mapped to read-only memory areas. These read-only memory areas may be managed or enforced through use of a MMU or MPU or other suitable memory management approach as desired.
  • the read-only property associated with a target memory location may be cached and checked from within a translation look-aside buffer (TLB) available in most conventional MMUs.
  • TLB translation look-aside buffer
  • FIG. 4 a flow chart of an exemplary method 400 incorporating aspects of the disclosed embodiments is illustrated.
  • the aspects of the disclosed embodiments are directed to preventing exploitation of programming weaknesses in memory unsafe computing languages such as C and its derivatives C++ and Objective C.
  • the exemplary method 400 provides significant security related advantages not previously available in computing apparatus such as computing apparatus employing processors based on load-store instruction set architectures.
  • Popular load-store processor architectures include the popular ARMv8 and RISC-V processor architectures.
  • the exemplary method 400 begins during loading and preparation of a program for execution.
  • the processor loads 402 a target data value into memory and marks 404 the associated target memory location as read-only.
  • target data or target data value refers to the data value being loaded into the processor registers and the term target memory location refers to the memory location or memory address in which the target data value is stored. Marking the target memory location as read-only may be accomplished in any suitable fashion and allows the read-only property of a memory location to be detected while accessing the memory location and without actually loading the target data value into a processor register.
  • the target memory location may be mapped as read-only through a memory subsystem such as an MMU or MPU.
  • the target memory location may be marked as read-only based on a memory colouring or memory tagging methodology, or through a pointer authentication mechanism.
  • the processor will load 406 a pointer value into a first processor register.
  • the loaded pointer value includes a memory address of the target data value, and when desired may include an indication of the read-only property of the target memory location.
  • the processor then performs a load from read-only memory operation or procedure
  • This load from read-only memory operation 414 ensures that the target data being loaded into a processor register is in fact a read-only value and has not been replaced with an attacker supplied value.
  • the processor Prior to loading the target data value, the processor verifies 408 that the target memory location is marked as read-only.
  • the target memory location may be marked as read-only by mapping within the processor or a suitable memory management sub system, such as an MMU or MPU, as being read-only and not modifiable during execution of the associated program.
  • the target memory location When the target memory location is marked as read-only, the target data value will be loaded 410 into the desired processor register where it is available for use by subsequent portions of the executing computer program. Once the target data is loaded 410, program execution may continue 416 in accordance with normal program flow.
  • the verification 408 fails and a memory fault is generated412.
  • Generation 412 of the memory fault alters normal flow of the executing program and allows the fault to be appropriately handled 418.
  • the verification fails it is likely that an attack is under way and it may be desirable to handle the fault 418 by terminating execution of the program and unloading its contents from memory.
  • the method 400 may be performed by extending an existing instruction set architecture, such as the ARMv8 or RISC-V architectures described above, to include a new set of load instructions configured to load exclusively from memory locations or memory addresses marked as read-only.
  • the new set of load instructions referred to herein as load from read-only instructions, are adapted to generate a memory fault when the memory location being referenced is writeable or not read-only, and to load the contained data value only when the referenced memory location is marked as read-only.
  • a compiler is adapted to exploit memory tagging features to provide a load from read-only operation without extending the processor architecture to include specialized instructions.
  • An example of a suitable memory colouring or tagging feature is the memory tag extension (MTE) provided by the ARMv8 architecture.
  • MTE adds a tag, such as four bits, to each memory address and assigns a tag value to each granule of memory.
  • the tag value added to the memory address must match the tag value assigned to the corresponding memory location.
  • the tag values do not match a memory fault is generated, or when the tag values match the read or write operation is allowed to proceed normally.
  • one or more distinct tag values may be reserved for read-only memory locations. These reserved tag values are referred to herein as read only tag values. Read-only memory locations will be assigned a read-only tag value while writeable memory locations will be assigned one of the remaining unreserved tag values. The compiler will ensure that the tag value associated with a memory address or pointer value being used to load data from a read-only location is set to the desired read-only tag value. While loading and preparing the compiled program for execution, the read-only memory locations will be marked as read-only by assigning the appropriate read-only tag value to the corresponding memory location.
  • the exemplary method 500 performs a load from read-only memory operation configured to thwart software attacks, such as attacks based on modification of pointer values.
  • the exemplary method 500 begins after a pointer value has been loaded 406 into a first processor register.
  • the loaded pointer value includes a memory address of the target data value that is to be loaded into a second processor register, and also includes an associated tag.
  • the associated tag is a binary value, such as a four bit binary value, configured to control reading and writing of memory locations. While a four bit binary value is used as an example, those skilled in the art will readily recognize that more or less than four bits may be advantageously employed without straying from the spirit and scope of the disclosed embodiments.
  • the associated tag is set 502 to a read-only tag value.
  • the read-only tag value used to set the associated tag is the same tag value assigned to the target memory location during loading of the program.
  • the tag value assigned to the target memory location Prior to loading the target data value, the tag value assigned to the target memory location is compared 504 to the read-only tag value set in the loaded pointer. When the tag values match 510, the target data value is loaded 506 into a second processor register, and when the tag values do not match 512, a memory fault is generated 508. Generation 508 of the memory fault alters control flow of the executing program thereby providing an opportunity to avoid the attack.
  • a pointer authentication mechanism is processor extension that includes a pointer authentication code, PAC, within memory pointers that are stored in memory locations.
  • the PAC is generated based on a secret key, a context value, and the pointer value or memory address.
  • the keys are meant to be ephemeral and may be generated per boot or per process.
  • a modifier, or salt may optionally be determined at compile time and included when generating the PAC.
  • Authentication/verification requires knowledge of the modifier, thus by using a special modifier that is reserved for read-only memory locations, verification of the PAC based on the read-only modifier also provides verification that the target memory location is marked as read- only.
  • the term read-only modifier or read-only modifier value refers to the special modifier value that is reserved for generation of the PAC for read-only memory locations.
  • the compiler is responsible for generating the appropriate signing and authentication instructions and for determining the read-only modifier value and other modifier values.
  • FIG. 6 there can be seen a flow chart of an exemplary method 600 for executing a load from read-only memory operation incorporating aspects of the disclosed embodiments.
  • the exemplary method 600 illustrates a load from read-only memory operation appropriate for use as the load from read-only memory operation 414 in the exemplary method 400 described above and with reference to Figure 4.
  • the exemplary load from read-only memory operation 600 will be described in the context of the exemplary method 400 described above.
  • the exemplary method 400 is employed on a processor that incorporates a pointer authentication mechanisms.
  • the one embodiment loads 402 a target data value into memory and marked 404 as read-only. Marking of the memory as read-only may be accomplished as described above by mapping the target memory location as read-only based on an MMU, MPU, or other suitable memory management scheme.
  • a pointer is then loaded 406 into a first processor register.
  • the loaded pointer includes a memory address and further includes a PAC, where the PAC is based on a read-only modifier.
  • modifiers used when generating a PAC for memory locations known to be read-only are computed differently than modifiers used for other memory locations, such as for writeable memory locations. For example a bit may be inverted in modifiers used to generate a PAC for read-only memory addresses, and not inverted when the modifier is used to generate a PAC for a writeable memory location.
  • Use of different modifiers, such as modifiers with an inverted bit ensures that the PAC corresponding to a writeable memory address will not, at least statistically, match the PAC corresponding to a legitimate pointer to a read-only memory location.
  • the exemplary load from read-only memory method 600 verifies 608 that the PAC was generated based on the read-only modifier. Use of the read-only modifier during PAC verification 608 ensures that the target memory location is marked as read-only. Thus a successful PAC authentication may be used to verify that the target memory location is read-only.
  • a valid pointer authentication code means that the PAC, included in the loaded pointer, was generated based on the read-only modifier. Thus validating the PAC included in the loaded pointer based on the read-only modifier provides an indication that the target memory location is read-only.
  • the PAC is valid 620 the data value is loaded 610 into a second processor register.
  • the target memory location may not be read-only.
  • the invalid PAC results in an invalid memory pointer which generates 612 a memory fault when used to access memory.
  • the memory fault alters control flow of the executing program allowing an alternate set of operations or steps to be performed to ensure the fault is handled in a suitable manner. For example, a memory fault caused by an attempt to load a known read-only value from a writeable memory location likely indicates an attack is in process and the executing program can be aborted. Handling of the generated memory fault, such as the handling performed in step 418, may for example include recording of information related to the cause of the memory fault in an audit or other appropriate log, followed by flushing the executing program from memory.
  • a load from writeable memory operation it may be desirable to include an additional specialized load operation referred to herein as a load from writeable memory operation.
  • the load from writeable memory operation is similar to the load from read-only memory operation described above, but verifies instead a different memory access property.
  • the load from writeable memory operation will load the target data value when the target memory location is marked as writeable, and will generate a memory fault when the target memory location is marked as read-only.

Abstract

An apparatus includes a processor and a memory coupled to the processor. The processor is configured to load a pointer value into a first processor register. The pointer value includes an address of the target memory location. The processor then executes a load from read-only memory operation. The load from read-only memory operation causes the processor to verify that the target memory location is marked as read-only, and when the target memory location is marked as read- only, the processor loads the target data value into a second processor register. When the target memory location is not marked as read-only, the processor is configured to generate a memory fault.

Description

APPARATUS AND METHOD FOR SOFTWARE SECURITY
TECHNICAL FIELD
[0001] The aspects of the disclosed embodiments relate generally to computer security and more particularly to preventing exploitation of coding weaknesses.
BACKGROUND
[0002] Many conventional computing apparatus, such as mobile phone, personal computers, automobiles, etc. execute highly sensitive computer applications such as financial applications, online stores, and critical system controls, where software security is of critical importance. Memory unsafe programming languages, such as C and C++, can combine with unsecure programming practices and coding defects to provide an attacker with opportunities for code exploitation. By exploiting weaknesses in the code an attacker can overwrite values in the computer memory and gain full or partial control of the software program and possibly gain access to the underlying computing system itself.
[0003] Conventional techniques for preventing these types of attacks are available, such as stack canaries, address space layout randomization (ASLR), etc. Unfortunately, these methods provide only statistical protections and do not provide a deterministic protection. Further, techniques such as stack canaries also increase memory usage and programing complexity which often lead to increased execution times.
[0004] Thus there is a need for improved methods and apparatus that can provide deterministic protections against software exploitation without adding complexity or increased resource usage. Accordingly, it would be desirable to provide methods and apparatus that address at least some of the problems described above.
SUMMARY
[0005] The aspects of the disclosed embodiments are directed to apparatus and methods adapted to provide deterministic protections against software exploitation without adding complexity or increased resource usage. The disclosed embodiments are configured to provide improved deterministic detection of pointer tampering and attack avoidance. This and other objects are solved by the subject matter of the independent claims. Further advantageous modifications can be found in the dependent claims.
[0006] According to a first aspect the above and further objects and advantages are obtained by an apparatus. In one embodiment, the apparatus includes a processor and a memory coupled to the processor. The processor is configured to load a pointer value into a first processor register. The pointer value includes an address of the target memory location. The processor then executes a load from read-only memory operation which causes the processor to verify that the target memory location is marked as read-only, and when the target memory location is marked as read-only, the processor loads the target data value into a second processor register. When the target memory location is not marked as read-only, the processor is configured to generate a memory fault.
[0007] During a programming attack, an attacker may attempt to replace valid target data with their own data as a way to divert program flow or trigger other unauthorized behaviour. To accomplish this the attacker may modify a pointer with a different memory address that contains the attacker’s data. Because it is difficult to modify read-only memory mappings it is likely that the attacker’s data is stored in a writable memory location. Thus, by verifying the target data is stored in a location married as read-only, an attack that attempts to load data from a writeable memory location can be detected and a fault may be generated to alter program flow and allow the attack to be avoided.
[0008] In a possible implementation form of the apparatus according to the first aspect the processor includes memory tagging extensions, and the target memory location is associated with a target tag. The processor is configured to load the pointer value into the first processor register, wherein the pointer value further comprises an associated tag. The load from read-only memory operation causes the processor to set the associated tag to a first tag value, where the first tag value corresponds to a read-only tag value, and to verify the target tag is equal to the first tag value. When the target tag is equal to the first tag value, the processor loads the data value into the second processor register. When the target tag is not equal to the first tag value, the processor generates a memory fault. Exploiting memory tag extensions to perform the load from read-only memory operation allows deterministic security benefits to be enjoyed without incurring the costs associated with extending the instruction set architecture of a processor to include additional special purpose load instructions.
[0009] In a possible implementation form of the apparatus according to the first aspect the processor includes a pointer authentication feature, and the processor is configured to load the pointer value into the first processor register. The pointer value comprises a pointer authentication code, and the pointer authentication code is based on a read-only modifier. The processor executes the load from read-only memory operation, where the load from read-only memory operation causes the processor to verify the pointer authentication code based on the read-only modifier. When the pointer authentication code is valid, the processor loads the data value into the second processor register, or when the pointer authentication code is not valid, the processor generates a memory fault. Exploiting pointer authentication features to perform the load from read-only memory operation allows the improved security benefits of the disclosed embodiments to be enjoyed without incurring the costs associated with extending an instruction set architecture to include additional special purpose load instructions.
[0010] In a possible implementation form of the apparatus according to the first aspect, the apparatus further comprises a memory management unit and the processor is configured to verify that the target memory location is marked as read-only based on cached values and a translation look-aside buffer. Verifying the read-only marking using memory management hardware such as an MMU improves overall performance of the computing apparatus.
[0011] In a possible implementation form of the apparatus according to the first aspect, the memory fault causes the processor to alter program flow and perform corrective action. Altering program flow when pointer tampering is detected allows an attack to be avoided through corrective action, such as aborting execution of the program.
[0012] According to a second aspect, the above and further objects and advantages are obtained by a method. In one embodiment, the method includes loading a pointer value into a first processor register. The pointer value includes an address of a target memory location. The method includes executing a load from read-only memory operation, wherein the load from read-only memory operation includes verifying that the target memory location is marked as read-only, and when the target memory location is marked as read-only, loading the data value into a second processor register. When the target memory location is not marked as read-only, the method generates a memory fault. [0013] During a programming attack, an attacker may attempt to replace valid target data with their own data as a way to divert program flow or trigger other unauthorized behaviour. To accomplish this the attacker may modify a pointer to point to the attacker’s data which is likely in a writable memory location. Because the described embodiment verifies the read-only property of the target data, an attack that attempts to load data from a writeable memory location is detected and a fault is generated to alter program flow and providing an opportunity for the attack to be avoided.
[0014] In a possible implementation form of the apparatus according to the second aspect the target memory location is associated with a target tag, and the method includes loading the pointer value into the first processor register, wherein the pointer value further comprises an associated tag. The method executes the load from read-only memory operation, where the load from read-only memory operation includes setting the associated tag to a first tag value, wherein the first tag value corresponds to a read only tag value, and verifying the target tag is equal to the first tag value. When the target tag is equal to the first tag value, the method loads the data value into the second processor register, or when the target tag is not equal to the first tag value a memory fault is generated. Exploiting memory tag extensions to perform the load from read-only memory operation allows the improved security benefits of the disclosed embodiments to be enjoyed without incurring the costs associated with extending an instruction set architecture to include additional special purpose load instructions.
[0015] In a possible implementation form of the apparatus according to the second aspect the method includes loading the pointer value into a first processor register, where the pointer value further comprises a pointer authentication code, and the pointer authentication code is based on a read-only modifier; and executing the load from read-only memory operation. The load from read-only memory operation includes validating the pointer authentication code based on the read only modifier, and when the pointer authentication code is valid, loading the data value into the second processor register. When the pointer authentication code is not valid, a memory fault is generated. The memory fault allows a computing apparatus to recover from an invalid pointer condition, such as by aborting the executing program thereby avoiding any attack that may have been initiated. Exploiting pointer authentication features to perform the load from read-only memory operation allows the improved security benefits of the disclosed embodiments to be enjoyed without incurring the costs associated with extending an instruction set architecture to include additional special purpose load instructions.
[0016] According to a third aspect, the above and further objects and advantages are obtained by a non-transitory computer readable media having stored thereon program instructions that when executed by a processor cause the processor to perform the method according to any one of claims 6 to 8. A non-transitory computer readable media provides a means for distribution and reuse of the method on the same or other processors.
[0017] These and other aspects, implementation forms, and advantages of the exemplary embodiments will become apparent from the embodiments described herein considered in conjunction with the accompanying drawings. It is to be understood, however, that the description and drawings are designed solely for purposes of illustration and not as a definition of the limits of the disclosed invention, for which reference should be made to the appended claims. Additional aspects and advantages of the invention will be set forth in the description that follows, and in part will be obvious from the description, or may be learned by practice of the invention. Moreover, the aspects and advantages of the invention may be realized and obtained by means of the instrumentalities and combinations particularly pointed out in the appended claims. BRIEF DESCRIPTION OF THE DRAWINGS
[0018] In the following detailed portion of the present disclosure, the invention will be explained in more detail with reference to the example embodiments shown in the drawings, in which:
[0019] Figure 1 illustrates a schematic block diagram of an exemplary apparatus depicting a protected load from read-only memory operation incorporating aspects of the disclosed embodiments;
[0020] Figure 2 illustrates a schematic block diagram of the exemplary apparatus depicting an attack on an unprotected load operation incorporating aspects of the disclosed embodiments;
[0021] Figure 3 illustrates a schematic block diagram of the exemplary apparatus depicting a detected attack incorporating aspects of the disclosed embodiments;
[0022] Figure 4 illustrates a flow chart of an exemplary method incorporating aspects of the disclosed embodiments;
[0023] Figure 5 illustrates a flow chart of an exemplary method for executing a load from read-only memory operation incorporating aspects of the disclosed embodiments; and
[0024] Figure 6 illustrates a flow chart of an exemplary method for executing a load from read-only memory operation incorporating aspects of the disclosed embodiments.
DETAILED DESCRIPTION OF THE DISCLOSED EMBODIMENTS
[0025] Referring to Figure 1, a schematic block diagram of an exemplary apparatus 100 incorporating aspects of the disclosed embodiments is illustrated. The aspects of the disclosed embodiments are directed to preventing exploitation of programming weaknesses in memory unsafe computing languages such as C and its derivatives C++ and Objective C.
[0026] As shown in Figure 1, an apparatus 100, which may also be referred to as a computing apparatus, includes a processor 102 communicatively coupled to a memory 104. Although only one memory 104 is illustrated in Figure 1, it will be understood that the memory 104 can comprise one or more memory blocks or modules. The memory 104 may be a combination of various types of volatile and non-volatile computer memory such as for example read-only memory (ROM), random access memory (RAM), magnetic or optical disk, flash, or other appropriate types of computer memory.
[0027] In one embodiment, the processor 102 is configured to load a pointer value 120 into a first processor register 112. In this example, the pointer value 120 comprises an address of a target memory location 108. The processor 102 is configured to execute a load from read-only memory operation. The load from read-only memory operation causes the processor 102 to verify that the target memory location 108 is marked as read-only. When the target memory location 108 is marked as read-only, the processor 102 is configured to load the data value 118 into a second processor register 114. If the target memory location 108 is not marked as read-only, the processor is configured to generate a memory fault 310. In this manner, the aspects of the disclosed embodiments are configured to provide improved deterministic detection of pointer tampering and attack avoidance.
[0028] The processor 102 may be any appropriate type of computer processing apparatus.
For example the processor 102 may be a single processing device or may comprise a plurality of processing devices including special purpose devices, such as digital signal processing (DSP) devices, microprocessors, specialized processing devices, parallel processing cores, or general purpose computer processors. In certain embodiments the processor 102 and memory 104 may be incorporated into a system on a chip (SoC) device or chipset. The processor 102 is configured to read program instructions from the memory 104 and perform any of the methods and processes described herein. The processor 102 may also include a CPU working in tandem with a graphics processing unit (GPU) which may include a digital signal processor (DSP) or other specialized graphics processing hardware.
[0029] In the illustrated embodiment the processor 102 incorporates a load-store architecture or instruction set architecture (ISA) where processor instructions are organized in two categories: memory access instructions used to load and store data between memory 104 and processor registers 112, 114, and arithmetic logic unit (ALU) operations performed between one or more processor registers 112, 114.
[0030] When preparing a computer program for execution the processor 102 populates a plurality of memory locations 106 with desired data and/or program instructions. Each memory location may be associated or marked with access restrictions 116, where the access restrictions 116 control what types of access is allowed during execution of the computer program. Certain locations will be marked as read-only (READ), which means the data cannot be written or otherwise modified during program execution, while other memory locations may be marked as both readable and writeable (READ & WRITE). Writeable data refers to data or memory locations where the value may be modified during program execution.
[0031] For example a data value 118 that will be required during program execution may be loaded into a memory location 108. The memory location 108 may then be marked 116 as read- only (READ). This read-only marking (READ) may be done for example when the data value 118 is known to remain constant throughout execution of the computer program, or when the data value is of critical importance to operation of the program and modification could lead to undesired behaviour.
[0032] During execution of the computer program the desired data value 118 is retrieved from memory 104 by loading 122 a pointer value 120 into a first processor register 112. The pointer value 120 includes a memory address. During normal execution of the program the memory address corresponds to a memory location of the target data value 118. The pointer may also include an indication of the expected access restrictions that should be associated with the target data value 118, such as an indication that the target data value 118 is marked as read-only (READ).
[0033] A special load operation is then executed by the processor 102 to retrieve the target data value 118 from the target memory location 108 and load the data value 118 into a processor register 114. The special load operation, referred to herein as a load from read-only memory operation, is configured to verify that access restrictions (READ) associated with the target memory location 108 are in fact read-only, and to load the data value 118 only when the target memory location 108 is determined 124 to be read-only (READ). When the target memory location 108 is not read-only the load from read-only memory operation is configured to generate a memory fault. When the target memory location 108 is read-only, the target data value 118 is loaded 126 into a processor register 114 where it may be used or operated on during subsequent operations by the processor 102. When the target memory location 108 is not read-only, i.e. the target memory location is writeable, a memory fault is generated allowing the processor 102 to alter program flow and appropriately handle or recover from the memory fault. [0034] In the exemplary embodiment of Figure 1, the processor 102 may infer, when the target memory location 108 is not read-only (READ), that an attack is under way and the processor 102 can take appropriate action to terminate the currently executing program or otherwise protect the apparatus 100 from unauthorized access.
[0035] In certain embodiments, the apparatus 100 may include specialized hardware such as a memory management unit (MMU) or memory protection unit (MPU) to facilitate and accelerate memory access. For example, in one embodiment an MMU is used to cache the read only property or read-only marking associated with the target memory location 108. The read only marking (READ) can then be checked within translation look aside buffers (TLB) that exist in many conventional processor architectures that include an MMU.
[0036] Referring to Figure 2, a schematic block diagram of the exemplary apparatus 100 incorporating aspects of the disclosed embodiments is illustrated. In the exemplary apparatus 100 the processor 102 incorporates both conventional load operations as well as the newly disclosed load from read-only memory operation described above and with reference to Figure 1.
[0037] It is instructive to consider how conventional load operations can be exploited by an attacker to gain access to unauthorized resources. Figure 2 depicts a scenario where conventional load instructions are exploited to replace a read-only data value 118 with an attacker data 204. In the depicted scenario the attacker desires to replace the read-only data 118 with a different attacker data 202. To accomplish this replacement, the attacker places the attacker data 204 in a writeable memory location and modifies the pointer 202 with the memory location 212 of the attacker data 204. The processor 102 will, in the course of execution of a computer program, load 206 the modified pointer 202 into a processor register 112. The processor 102 will then use the modified pointer value 202 to access 208 a new memory location 212 which contains the attacker data 204.
[0038] In contrast with the load from read-only memory operation described above, the conventional load operation does not check the read and write (READ & WRITE) access properties associated with the memory location 212 and will therefore load 210 the attacker data 204 into the second processor register 114. After execution of the conventional load operation the attacker has successfully replaced the original read-only program data 118 with their own attacker data 204.
[0039] Referring now to Figure 3, there can be seen a depiction of how the newly disclosed load from read-only memory operation can be used in the apparatus 100 to detect and recover from the attack described above and with reference to Figure 2. Figure 3 illustrates a schematic block diagram of the same apparatusl 00 as illustrated in Figure 2. In contrast to the scenario depicted in Figure 2, the scenario depicted in Figure 3 employs a load from read-only memory operation when loading the read-only data 118.
[0040] As described above, the attacker desires to replace the read-only data 118 with their own attacker data 304. To achieve this, the attacker places the attacker data 304 in a writeable memory location 312 and modifies the pointer value 302 with the memory address of the attacker data 304. The modified pointer 302 is then loaded into a first processor register 112. In the scenario depicted in Figure 3, the newly disclosed load from read-only operation is used when loading the data. The load from read-only operation accesses the memory location 312 identified by the modified pointer 302, and in contrast to the conventional load operation, the load form read only memory operation verifies that the target memory location 312 is marked as read-only. Since the attacker data is in a writeable memory location 312, the read-only verification fails, and a memory fault is generated 310, and the attacker data 304 is not loaded into the second processor register. The generated memory fault 310 causes the processor 102 to alter program flow thereby allowing the processor 102 an opportunity to appropriately recover from the attack.
[0041] Several implementation forms of the exemplary embodiment described above and with reference to the apparatus 100 may be advantageously employed to provide improved software security within a variety of computing apparatus. In one embodiment, the existing instruction set architecture may be extended to include a new set of load instructions based on the above disclosed load from read-only memory operation. The new set of instructions may be adapted to load data only from memory locations or addresses marked as read-only. The new set of load from read-only memory instructions may be advantageously added to conventional instruction set architectures such as instruction sets provided by the ARMv8 architecture designed by ARM HOLDINGS, and the RISC-V architecture designed by the UNIVERSITY OF CALIFORNIA, BERKELEY.
[0042] Alternatively, in certain embodiments, the load from read-only memory operation described above may be achieved incorporating novel design patterns within the program code during compilation and building of the computer program.
[0043] In one embodiment a compiler may be adapted to employ memory colouring, or memory tagging features, such as the memory tag extension (MTE) feature available in some ARMv8 processor architectures, to create a load from read-only memory operation while compiling source code of a program. For example, one or more distinct tag values may be reserved for read-only data. The load from read-only memory operation may then set the tag associated with a memory location known to be read-only to the reserved tag value prior to accessing the target memory location. The processor or memory subsystem used to access the target memory location will then generate a memory fault when the target memory location is not associated with the reserved tag value.
[0044] In an exemplary embodiment, pointer authentication features, such as the pointer authentication extensions provided by the ARMv8 architecture or similar instruction set architecture extension, may be employed to provide the herein disclosed load from read-only memory operation protections. A compiler can be adapted to mark read-only memory locations by employing a distinct set of modifiers during generation of pointer authentication codes for read only memory locations. This may be accomplished by generating a pointer authentication code (PAC) and associating the PAC or including the PAC in each pointer value along with the memory address. A PAC corresponding to a read-only memory location is generated based on a read-only modified value and a PAC corresponding to a writeable memory location will be generated based on a different or normal modifier value. For example, the read-only modifier value may be determined by inverting one or more bits in the normal modifier value.
[0045] To advantageously employ the security advantages described above, the load from read-only memory operations should be incorporated into a computer program at compile time. The compiler can determine when memory accesses are statistically known to target read-only memory, and mark these known read-only accesses. The read-only accesses may be marked and protected using any of the exemplary embodiments described above or using a combination of the above disclosed embodiments as desired. [0046] When the compiled program is run, the processor 102 will enforce that memory locations marked as read-only (READ) are mapped to read-only memory areas. These read-only memory areas may be managed or enforced through use of a MMU or MPU or other suitable memory management approach as desired.
[0047] For example, when a MMU is employed, the read-only property associated with a target memory location may be cached and checked from within a translation look-aside buffer (TLB) available in most conventional MMUs. Thus the novel load from read-only memory operations may be included without significant performance costs.
[0048] Referring to Figure 4, a flow chart of an exemplary method 400 incorporating aspects of the disclosed embodiments is illustrated. The aspects of the disclosed embodiments are directed to preventing exploitation of programming weaknesses in memory unsafe computing languages such as C and its derivatives C++ and Objective C. The exemplary method 400 provides significant security related advantages not previously available in computing apparatus such as computing apparatus employing processors based on load-store instruction set architectures. Popular load-store processor architectures include the popular ARMv8 and RISC-V processor architectures.
[0049] The exemplary method 400 begins during loading and preparation of a program for execution. The processor loads 402 a target data value into memory and marks 404 the associated target memory location as read-only. As used herein the term target data or target data value refers to the data value being loaded into the processor registers and the term target memory location refers to the memory location or memory address in which the target data value is stored. Marking the target memory location as read-only may be accomplished in any suitable fashion and allows the read-only property of a memory location to be detected while accessing the memory location and without actually loading the target data value into a processor register. For example, the target memory location may be mapped as read-only through a memory subsystem such as an MMU or MPU. Alternatively, as will be described in more detail below, the target memory location may be marked as read-only based on a memory colouring or memory tagging methodology, or through a pointer authentication mechanism.
[0050] During execution of the program, when the processor needs to use the target data value, the processor will load 406 a pointer value into a first processor register. The loaded pointer value includes a memory address of the target data value, and when desired may include an indication of the read-only property of the target memory location.
[0051] The processor then performs a load from read-only memory operation or procedure
414. This load from read-only memory operation 414 ensures that the target data being loaded into a processor register is in fact a read-only value and has not been replaced with an attacker supplied value.
[0052] Prior to loading the target data value, the processor verifies 408 that the target memory location is marked as read-only. In one embodiment the target memory location may be marked as read-only by mapping within the processor or a suitable memory management sub system, such as an MMU or MPU, as being read-only and not modifiable during execution of the associated program.
[0053] When the target memory location is marked as read-only, the target data value will be loaded 410 into the desired processor register where it is available for use by subsequent portions of the executing computer program. Once the target data is loaded 410, program execution may continue 416 in accordance with normal program flow.
[0054] When the target memory location is not marked as read-only, the verification 408 fails and a memory fault is generated412. Generation 412 of the memory fault alters normal flow of the executing program and allows the fault to be appropriately handled 418. For example, when the verification fails it is likely that an attack is under way and it may be desirable to handle the fault 418 by terminating execution of the program and unloading its contents from memory. In certain embodiments it may be advantageous to handle the fault 418 by recording information about the fault to facilitate identification of the source of the attack and to mitigate its effects.
[0055] In certain embodiments the method 400 may be performed by extending an existing instruction set architecture, such as the ARMv8 or RISC-V architectures described above, to include a new set of load instructions configured to load exclusively from memory locations or memory addresses marked as read-only. The new set of load instructions, referred to herein as load from read-only instructions, are adapted to generate a memory fault when the memory location being referenced is writeable or not read-only, and to load the contained data value only when the referenced memory location is marked as read-only.
[0056] In one embodiment a compiler is adapted to exploit memory tagging features to provide a load from read-only operation without extending the processor architecture to include specialized instructions. An example of a suitable memory colouring or tagging feature is the memory tag extension (MTE) provided by the ARMv8 architecture. For example, MTE adds a tag, such as four bits, to each memory address and assigns a tag value to each granule of memory. When reading or writing a memory location, the tag value added to the memory address must match the tag value assigned to the corresponding memory location. When the tag values do not match a memory fault is generated, or when the tag values match the read or write operation is allowed to proceed normally.
[0057] During compilation of a computer program, one or more distinct tag values may be reserved for read-only memory locations. These reserved tag values are referred to herein as read only tag values. Read-only memory locations will be assigned a read-only tag value while writeable memory locations will be assigned one of the remaining unreserved tag values. The compiler will ensure that the tag value associated with a memory address or pointer value being used to load data from a read-only location is set to the desired read-only tag value. While loading and preparing the compiled program for execution, the read-only memory locations will be marked as read-only by assigning the appropriate read-only tag value to the corresponding memory location.
[0058] Referring now to Figure 5 there can be seen a flow chart of an exemplary method
500 incorporating aspects of the disclosed embodiments. The exemplary method 500 performs a load from read-only memory operation configured to thwart software attacks, such as attacks based on modification of pointer values.
[0059] The exemplary method 500 begins after a pointer value has been loaded 406 into a first processor register. In the exemplary embodiment the loaded pointer value includes a memory address of the target data value that is to be loaded into a second processor register, and also includes an associated tag. As described above the associated tag is a binary value, such as a four bit binary value, configured to control reading and writing of memory locations. While a four bit binary value is used as an example, those skilled in the art will readily recognize that more or less than four bits may be advantageously employed without straying from the spirit and scope of the disclosed embodiments.
[0060] In the exemplary embodiment, the associated tag is set 502 to a read-only tag value.
The read-only tag value used to set the associated tag is the same tag value assigned to the target memory location during loading of the program. Prior to loading the target data value, the tag value assigned to the target memory location is compared 504 to the read-only tag value set in the loaded pointer. When the tag values match 510, the target data value is loaded 506 into a second processor register, and when the tag values do not match 512, a memory fault is generated 508. Generation 508 of the memory fault alters control flow of the executing program thereby providing an opportunity to avoid the attack.
[0061] In one embodiment of the exemplary method 400 it may be advantageous to employ a pointer authentication mechanisms to help perform the load from read-only memory operation 414.
[0062] A pointer authentication mechanism, is processor extension that includes a pointer authentication code, PAC, within memory pointers that are stored in memory locations. The PAC is generated based on a secret key, a context value, and the pointer value or memory address. The keys are meant to be ephemeral and may be generated per boot or per process. A modifier, or salt, may optionally be determined at compile time and included when generating the PAC. When a pointer is loaded from memory, the PAC can be authenticated/verified to protect against tampering. Authentication/verification requires knowledge of the modifier, thus by using a special modifier that is reserved for read-only memory locations, verification of the PAC based on the read-only modifier also provides verification that the target memory location is marked as read- only. As used herein the term read-only modifier or read-only modifier value refers to the special modifier value that is reserved for generation of the PAC for read-only memory locations. The compiler is responsible for generating the appropriate signing and authentication instructions and for determining the read-only modifier value and other modifier values.
[0063] Referring to Figure 6 there can be seen a flow chart of an exemplary method 600 for executing a load from read-only memory operation incorporating aspects of the disclosed embodiments. The exemplary method 600 illustrates a load from read-only memory operation appropriate for use as the load from read-only memory operation 414 in the exemplary method 400 described above and with reference to Figure 4. As an aid to understanding the exemplary load from read-only memory operation 600 will be described in the context of the exemplary method 400 described above.
[0064] In one embodiment the exemplary method 400 is employed on a processor that incorporates a pointer authentication mechanisms. The one embodiment loads 402 a target data value into memory and marked 404 as read-only. Marking of the memory as read-only may be accomplished as described above by mapping the target memory location as read-only based on an MMU, MPU, or other suitable memory management scheme. A pointer is then loaded 406 into a first processor register.
[0065] The loaded pointer includes a memory address and further includes a PAC, where the PAC is based on a read-only modifier. In the exemplary embodiment, modifiers used when generating a PAC for memory locations known to be read-only are computed differently than modifiers used for other memory locations, such as for writeable memory locations. For example a bit may be inverted in modifiers used to generate a PAC for read-only memory addresses, and not inverted when the modifier is used to generate a PAC for a writeable memory location. Use of different modifiers, such as modifiers with an inverted bit, ensures that the PAC corresponding to a writeable memory address will not, at least statistically, match the PAC corresponding to a legitimate pointer to a read-only memory location.
[0066] The exemplary load from read-only memory method 600 verifies 608 that the PAC was generated based on the read-only modifier. Use of the read-only modifier during PAC verification 608 ensures that the target memory location is marked as read-only. Thus a successful PAC authentication may be used to verify that the target memory location is read-only.
[0067] A valid pointer authentication code means that the PAC, included in the loaded pointer, was generated based on the read-only modifier. Thus validating the PAC included in the loaded pointer based on the read-only modifier provides an indication that the target memory location is read-only. When the PAC is valid 620 the data value is loaded 610 into a second processor register.
[0068] When the pointer authentication code is invalid 622, the target memory location may not be read-only. The invalid PAC results in an invalid memory pointer which generates 612 a memory fault when used to access memory. The memory fault alters control flow of the executing program allowing an alternate set of operations or steps to be performed to ensure the fault is handled in a suitable manner. For example, a memory fault caused by an attempt to load a known read-only value from a writeable memory location likely indicates an attack is in process and the executing program can be aborted. Handling of the generated memory fault, such as the handling performed in step 418, may for example include recording of information related to the cause of the memory fault in an audit or other appropriate log, followed by flushing the executing program from memory.
[0069] In certain embodiments it may be desirable to include an additional specialized load operation referred to herein as a load from writeable memory operation. The load from writeable memory operation is similar to the load from read-only memory operation described above, but verifies instead a different memory access property. In contrast with the load from read-only memory operation, the load from writeable memory operation will load the target data value when the target memory location is marked as writeable, and will generate a memory fault when the target memory location is marked as read-only.
[0070] Thus, while there have been shown, described and pointed out, fundamental novel features of the invention as applied to the exemplary embodiments thereof, it will be understood that various omissions, substitutions and changes in the form and details of devices and methods illustrated, and in their operation, may be made by those skilled in the art without departing from the spirit and scope of the presently disclosed invention. Further, it is expressly intended that all combinations of those elements, which perform substantially the same function in substantially the same way to achieve the same results, are within the scope of the invention. Moreover, it should be recognized that structures and/or elements shown and/or described in connection with any disclosed form or embodiment of the invention may be incorporated in any other disclosed or described or suggested form or embodiment as a general matter of design choice. It is the intention, therefore, to be limited only as indicated by the scope of the claims appended hereto.

Claims

CLAIMS What is claimed is:
1. An apparatus (100) comprising a processor (102) communicatively coupled to a memory (104), wherein the processor (102) is configured to: load a pointer value (120) into a first processor register (112), wherein the pointer value (120) comprises an address of a target memory location (108); and execute a load from read-only memory operation, wherein the load from read-only memory operation causes the processor (102) to: verify that the target memory location (108) is marked as read-only; and when the target memory location (108) is marked as read-only, load the data value (118) into a second processor register (114), or when the target memory location (108) is not marked as read-only, generate a memory fault (310).
2. The apparatus (100) of claim 1 wherein the processor (102) comprises memory tagging extensions, and the target memory location (108) is associated with a target tag, and wherein the processor (102) is configured to: load the pointer value (120) into the first processor register (112), wherein the pointer value further comprises an associated tag; execute the load from read-only memory operation, wherein the load from read-only memory operation causes the processor (102) to: set the associated tag to the first tag value, wherein the first tag value corresponds to a read only tag value; verify the target tag is equal to the first tag value; and when the target tag is equal to the first tag value, load the data value (118) into the second processor register (114); or when the target tag is not equal to the first tag value, generate a memory fault.
3. The apparatus (100) of claim 1 wherein the processor (102) comprises a pointer authentication feature and, and the processor (102) is configured to: load the pointer value (120) into a first processor register (112), wherein the pointer value (120) comprises a pointer authentication code, and wherein the pointer authentication code is based on a read-only modifier; execute the load from read-only memory operation, wherein the load from read-only memory operation causes the processor (102) to: verify the pointer authentication code based on the read-only modifier; and when the pointer authentication code is valid, load the data value (118) into the second processor register (114); or when the pointer authentication code is not valid, generate a memory fault.
4. The apparatus (100) according to any one of the preceding claims wherein the apparatus (100) further comprises a memory management unit (128) and the processor (102) is configured to verify that the target memory location (108) is marked as read-only based on cached values and a translation look-aside buffer.
5. The apparatus (100) according to any one of the preceding claims wherein the memory fault causes the processor (102) to alter program flow and perform corrective action.
6. A method (400) comprising: loading (406) a pointer value into a first processor register, wherein the pointer value comprises an address of a target memory location; and executing (414) a load from read-only memory operation, wherein the load from read-only memory operation comprises: verifying (408) that the target memory location is marked as read-only; and when the target memory location is marked as read-only (420), loading (410) the data value into a second processor register; or when the target memory location is not marked as read-only (422), generating (412) a memory fault.
7. The method (400) according to claim 6 wherein the target memory location is associated with a target tag, the pointer value further comprises an associated tag; and the method (400) further comprises: executing (414) the load from read-only memory operation, wherein the load from read only memory operation (414) comprises: setting (502) the associated tag to a first tag value, wherein the first tag value corresponds to a read only tag value; verifying (504) the target tag is equal to the first tag value; and when the target tag is equal to the first tag value (510), load (506) the data value into the second processor register; or when the target tag is not equal to the first tag value (512), generate (508) a memory fault.
8. The method (400) according to claim 6 wherein the pointer value further comprises a pointer authentication code, and wherein the pointer authentication code is based on a read-only modifier; and the method (400) further comprises executing (414) the load from read-only memory operation, wherein the load from read only memory operation comprises: validating (608) the pointer authentication code based on the read-only modifier; and when the pointer authentication code is valid (620), load (610) the data value into the second processor register; or when the pointer authentication code is not valid (622), generate (612) a memory fault.
9. A non-transitory computer readable media having stored thereon program instructions that when executed by a processor cause the processor to perform the method (400) according to any one of claims 6 to 8.
PCT/EP2020/051773 2020-01-24 2020-01-24 Apparatus and method for software security WO2021148134A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/EP2020/051773 WO2021148134A1 (en) 2020-01-24 2020-01-24 Apparatus and method for software security
CN202080094081.XA CN114981811A (en) 2020-01-24 2020-01-24 Apparatus and method for software security

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2020/051773 WO2021148134A1 (en) 2020-01-24 2020-01-24 Apparatus and method for software security

Publications (1)

Publication Number Publication Date
WO2021148134A1 true WO2021148134A1 (en) 2021-07-29

Family

ID=69192085

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2020/051773 WO2021148134A1 (en) 2020-01-24 2020-01-24 Apparatus and method for software security

Country Status (2)

Country Link
CN (1) CN114981811A (en)
WO (1) WO2021148134A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023043543A1 (en) * 2021-09-17 2023-03-23 Microsoft Technology Licensing, Llc Pointer authentication failure detection

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100106929A1 (en) * 2008-10-27 2010-04-29 Advanced Micro Devices, Inc. Method and Apparatus for Providing Secure Register Access
WO2016060817A1 (en) * 2014-10-17 2016-04-21 Qualcomm Incorporated Code pointer authentication for hardware flow control
US20190213322A1 (en) * 2015-12-17 2019-07-11 The Charles Stark Draper Laboratory, Inc. Techniques for metadata processing

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100106929A1 (en) * 2008-10-27 2010-04-29 Advanced Micro Devices, Inc. Method and Apparatus for Providing Secure Register Access
WO2016060817A1 (en) * 2014-10-17 2016-04-21 Qualcomm Incorporated Code pointer authentication for hardware flow control
US20190213322A1 (en) * 2015-12-17 2019-07-11 The Charles Stark Draper Laboratory, Inc. Techniques for metadata processing

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023043543A1 (en) * 2021-09-17 2023-03-23 Microsoft Technology Licensing, Llc Pointer authentication failure detection

Also Published As

Publication number Publication date
CN114981811A (en) 2022-08-30

Similar Documents

Publication Publication Date Title
US11784786B2 (en) Mitigating security vulnerabilities with memory allocation markers in cryptographic computing systems
JP2022514803A (en) Defense against speculative side-channel analysis of computer systems
US9514305B2 (en) Code pointer authentication for hardware flow control
US7565509B2 (en) Using limits on address translation to control access to an addressable entity
US8028341B2 (en) Providing extended memory protection
US9536111B2 (en) Secure processing unit systems and methods
EP2854066B1 (en) System and method for firmware integrity verification using multiple keys and OTP memory
JP4785808B2 (en) Data processing apparatus and system control register protection method
US20120216281A1 (en) Systems and Methods for Providing a Computing Device Having a Secure Operating System Kernel
CN107003936B (en) Memory protection with non-readable pages
CN105637486B (en) memory integrity checking
KR20180111918A (en) Apparatus and method for generating signed bounded pointers
JP5467271B2 (en) Information processing apparatus and program, information processing method, and recording medium
CN111837111A (en) Apparatus and method for storing bounded pointers
CN112149114A (en) Memory protection with hidden inline metadata for indicating data type
KR20180111919A (en) Apparatus and method for controlling use of bound pointer
CN113220225B (en) Memory data read-write method and device for RISC-V processor, processor and storage medium
Liljestrand et al. Protecting the stack with PACed canaries
US7774587B2 (en) Dynamic redundancy checker against fault injection
JP2021512400A (en) Controlling protected tag checking in memory access
WO2021148134A1 (en) Apparatus and method for software security
Unterguggenberger et al. Multi-tag: A hardware-software co-design for memory safety based on multi-granular memory tagging
US20230236925A1 (en) Tag checking apparatus and method
CN112948863B (en) Sensitive data reading method and device, electronic equipment and storage medium
US11914522B2 (en) Verifying address translation integrity

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20701999

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20701999

Country of ref document: EP

Kind code of ref document: A1