Policy Implementation And Engineering For Tagged Architectures
Tagged architectures have seen renewed interest as a means to improve the security and reliability of computing systems. Rich, programmable tag-based hardware security monitors like the PUMP allow software-defined security policies to benefit from hardware acceleration. The thesis of this work is that policies for programmable tagged architectures (1) can be engineered to enforce critical security properties at low cost, (2) can protect real programs running on real ISAs, and (3) can be applied automatically to programs—that is with compilation passes or automatic analysis—so that the benefits of such an architecture can be brought to existing and new software with minimal human intervention. To support this claim, I have constructed a range of security policies that run on real workloads automatically, modeled their overheads using architectural simulations, explored tradeoffs in policy design and engineering to reduce their costs, and finally characterized them by their security properties. As examplar policies, I have created stack and heap memory protection policies that can thwart traditional memory corruption vulnerabilities. Additionally, I have built a compartmentalization framework that allows a security engineer to automatically generate and evaluate a wide range of tag-based compartmentalization strategies. To generate compartments automatically, the framework includes algorithms for quantitatively minimizing overprivilege and packing the rules required for those policies into manageable sets that can be cached favorably for high performance. Across these three categories of policies, I present the following policy engineering contributions: (1) lazy tagging, an optimization that reduces the cost of tagging memory objects, (2) rule packing, a technique for relaxing policies in key ways to improve their performance, and (3) rule prefetching, a technique that can exploit predictable rule sequences by preemptively fetching and installing rules before they are needed.
Jonathan M. Smith