This was my second AsiaCCS. After an interesting experience in China last year, this year's AsiaCCS was in the United Arab Emirates (UAE) in Abu Dhabi. My program for this conference was quite packed. Two of my students had presentations: Daniele Midi's nesCheck work and Scott Carr's selective memory safety work were presented. In addition, I gave an invited talk about Control-Flow Integrity with detailed metrics and measurements that we conducted on a large set of open-source mechanisms. After serving on the program committee, I already knew some of the interesting papers that would be presented, and I'll only highlight a few of them here.
Software Guard Extensions
Detecting Privileged Side-Channel Attacks in Shielded Execution with Déjà Vu. The paper presents how one can detect side-channel attacks through the number of AEX (asynchronous enclave exits) an enclave experiences. Whenever the number of AEX rises past a certain threshold, an attack against the SGX container is assumed to be taking place. The proposed solution requires a specification of this threshold, which may allow the attacker to tune the attack to stay just below it.
SGX-Log: Securing System Logs With SGX. Log files are targets for attackers, as the initial stages of an attack may be recorded in those log files and they can be used for forensic purposes. To protect log files from attackers, this project moves them into an SGX enclave. The SGX container provides confidentiality and integrity, protecting the log files against tampering. Enclaves may still be deleted if the attacker gains access to the machine, so the solution does not protect against deleting log files but focuses on tamper resistance. The enclave can therefore serve as a trusted third party without the need to send the log data over the network.
The Circle Game: Scalable Private Membership Test Using Trusted Hardware. SGX is used for a private set-membership test on the cloud side. Consumers send hashes to the cloud, and the cloud then checks for matches (e.g., against known malware), making sure that no information leaks about the hashes sent as input.
Memory safety
Strict Virtual Call Integrity Checking for C++ Binaries. This paper is very similar to the NDSS MARX paper, extending the analysis with a form of CFI. The binary analysis reverse engineers C++ binaries and recovers indirect call sites and class hierarchies. After recovering this information, the indirect dispatches in the binary are protected through a type-based lookup similar to VTrust, but for binaries. The results are great: precision is high and overhead is low. This work was developed concurrently with MARX.
Our papers
Memory Safety for Embedded Devices with nesCheck. nesCheck is a compiler-based approach that enforces a CCured-style type system on top of C source code for embedded systems. Based on a static analysis in the compiler, pointers are classified as safe (no pointer arithmetic), sequence (only iteration, e.g., ++ or --), and dynamic (arbitrary pointer arithmetic). Pointers classified as safe do not need any instrumentation. For sequence and dynamic pointers, our compiler pass adds the corresponding instrumentation to protect every access. The main differences from CCured are the port to embedded systems and the use of a modern compiler that allows fine-grained optimizations. See the paper for details.
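To illustrate the sequence-pointer class described above, here is an added example (not nesCheck's or CCured's own code) of the kind of bounds metadata and per-access check a pass of this style substitutes for a pointer that is only ever iterated; the `seq_ptr` representation, the function names, and the sample buffer are assumptions made for the illustration, and dynamic pointers, which need richer metadata, are not shown.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical fat pointer standing in for a SEQUENCE pointer: the object it
 * was derived from plus the current offset. SAFE pointers keep their plain
 * representation and get no check at all. */
typedef struct {
    const uint8_t *base;  /* start of the underlying object */
    size_t len;           /* number of valid bytes */
    ptrdiff_t off;        /* current position relative to base */
} seq_ptr;

static seq_ptr seq_from(const uint8_t *arr, size_t len) {
    seq_ptr p = { arr, len, 0 };
    return p;
}

/* ++ / -- on a sequence pointer only moves the offset; the bounds stay. */
static void seq_step(seq_ptr *p, ptrdiff_t delta) { p->off += delta; }

/* The check inserted before each dereference of a sequence pointer. On an
 * embedded target the failing branch would halt or reset the node. */
static bool seq_in_bounds(const seq_ptr *p) {
    return p->off >= 0 && p->off < (ptrdiff_t)p->len;
}

/* Walk `steps` bytes from index `start` in direction `dir` (+1 or -1) and sum
 * them. Returns the sum, or -1 as soon as an access would leave the object. */
static int walk_sum(const uint8_t *arr, size_t len, size_t start,
                    int dir, size_t steps) {
    seq_ptr p = seq_from(arr, len);
    seq_step(&p, (ptrdiff_t)start);
    int total = 0;
    for (size_t i = 0; i < steps; i++) {
        if (!seq_in_bounds(&p)) return -1;  /* instrumented access trapped */
        total += p.base[p.off];
        seq_step(&p, dir);
    }
    return total;
}

/* A SAFE pointer is dereferenced without instrumentation. */
static int read_safe(const int *value) { return *value; }

static const uint8_t sample[4] = { 1, 2, 3, 4 };  /* constructed sample buffer */

int main(void) {
    int ok = 99;
    printf("in bounds: %d\n", walk_sum(sample, 4, 0, 1, 4));   /* 10 */
    printf("overrun:   %d\n", walk_sum(sample, 4, 0, 1, 5));   /* -1 */
    printf("underrun:  %d\n", walk_sum(sample, 4, 1, -1, 3));  /* -1 */
    printf("safe:      %d\n", read_safe(&ok));                 /* 99 */
    return 0;
}
```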
DataShield: Configurable Data Confidentiality and Integrity. DataShield allows the programmer to specify which data of a program is sensitive. Based on annotations, these sensitive types are protected against memory safety vulnerabilities, enforcing integrity and confidentiality. Classic (non-sensitive) data cannot interfere with the protected data. To support such a system, all data (heap, globals, and stack) has to be split into safe and unsafe data. The runtime layout of a DataShield process is separated into safe and classic views, with no interaction between the two. Two case studies protect an SSL library and the SPEC benchmarks.
Conclusion
Visiting the UAE was interesting and I had time to explore both Dubai and Abu Dhabi. The NYU campus in Abu Dhabi is a modern, open campus and the conference was well organized. The memory safety and embedded sessions were very interesting as were the extensive social events which included dinners and a city tour.