Abstract

Dynamic Information Flow Tracking (DIFT) is a promising security technique. With hardware support, DIFT prevents a wide range of attacks on vulnerable software with minimal performance impact. DIFT architectures, however, require significant changes in the processor pipeline that increase design and verification complexity and may affect clock frequency. These complications deter hardware vendors from supporting DIFT. This paper makes hardware support for DIFT cost-effective by decoupling DIFT functionality onto a simple, separate coprocessor. Decoupling is possible because DIFT operations and regular computation need only synchronize on system calls. The coprocessor is a small hardware engine that performs logical operations and caches 4-bit tags. It introduces no changes to the design or layout of the main processor's logic, pipeline, or caches, and can be combined with various processors. Using a full-system hardware prototype and realistic Linux workloads, we show that the DIFT coprocessor provides the same security guarantees as current DIFT architectures with low runtime overheads.


Original document

The different versions of the original document can be found in:

https://dblp.uni-trier.de/db/conf/dsn/dsn2009.html#KannanDK09,
http://yadda.icm.edu.pl/yadda/element/bwmeta1.element.ieee-000005270347,
https://ieeexplore.ieee.org/document/5270347,
https://academic.microsoft.com/#/detail/2115996698
http://dx.doi.org/10.1109/dsn.2009.5270347
Back to Top

Document information

Published on 01/01/2009

Volume 2009, 2009
DOI: 10.1109/dsn.2009.5270347
Licence: CC BY-NC-SA license

Document Score

0

Views 0
Recommendations 0

Share this document

Keywords

claim authorship

Are you one of the authors of this document?