Secure Program Execution via Dynamic Information Flow Tracking
G. Edward Suh, Jae W. Lee, David Zhang, and Srinivas Devadas
Proceedings of the 11th ACM Architectural Support for Programming Languages and Operating Systems (ASPLOS), October 2004.

We present a simple architectural mechanism called dynamic information
flow tracking that can significantly improve the security of computing
systems with negligible performance overhead. Dynamic information flow
tracking protects programs against malicious software attacks by
identifying spurious information flows from untrusted I/O and
restricting the usage of the spurious information.

Every security attack to take control of a program needs to transfer
the program's control to malevolent code. In our approach, the
operating system identifies a set of input channels as spurious, and
the processor tracks all information flows from those inputs. A
broad range of attacks are effectively defeated by checking the use of
the spurious values as instructions and pointers.

Our protection is transparent to users or application programmers;
the executables can be used without any modification. Also, our
scheme only incurs, on average, a memory overhead of 1.4% and a
performance overhead of 1.1%.
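
A toy software model of the mechanism the abstract describes, added here as an illustration and not taken from the paper: input words are tagged spurious, tags follow the data through registers and memory, and the machine traps when a tagged value is used as a jump target or an address. The instruction set, the propagation rule (OR of the source tags), the trap on every tagged address and the sample program are assumptions made for this example.

```python
class SpuriousUse(Exception):
    """A tagged (spurious) value was used as a jump target or memory address."""

def run(program, inputs, mem_size=16, max_steps=1000):
    reg, mem = {}, [(0, False)] * mem_size  # every word is a (value, tag) pair
    inputs, pc = list(inputs), 0
    for _ in range(max_steps):
        op, *a = program[pc]
        pc += 1
        if op == "li":                      # constant from the program text: clean
            reg[a[0]] = (a[1], False)
        elif op == "in":                    # channel marked spurious: tag set
            reg[a[0]] = (inputs.pop(0) if inputs else 0, True)
        elif op == "add":                   # propagation: OR of the source tags
            (x, tx), (y, ty) = reg[a[1]], reg[a[2]]
            reg[a[0]] = (x + y, tx or ty)
        elif op in ("ld", "st"):
            addr, tagged = reg[a[1]]
            if tagged:                      # check: spurious value used as pointer
                raise SpuriousUse(f"pc={pc - 1}: spurious address {addr}")
            if op == "ld":
                reg[a[0]] = mem[addr]       # the tag travels with the data
            else:
                mem[addr] = reg[a[0]]
        elif op == "bnez":                  # branch target is an immediate
            pc = a[1] if reg[a[0]][0] != 0 else pc
        elif op == "jr":
            target, tagged = reg[a[0]]
            if tagged:                      # check: spurious value used as jump target
                raise SpuriousUse(f"pc={pc - 1}: spurious jump target {target}")
            pc = target
        elif op == "halt":
            return reg, mem
    raise RuntimeError("step limit reached")

# Constructed program: a 3-word buffer at mem[4..6] sits below a saved return
# address at mem[7]; the copy loop stops only at a zero word (no bounds check).
PROGRAM = [
    ("li", "t", 12), ("li", "p", 7), ("st", "t", "p"),    # 0-2: save return address
    ("li", "p", 4), ("li", "one", 1),                     # 3-4: p = buffer start
    ("in", "w"), ("st", "w", "p"), ("add", "p", "p", "one"), ("bnez", "w", 5),  # 5-8: copy
    ("li", "p", 7), ("ld", "t", "p"), ("jr", "t"), ("halt",),  # 9-11: return, 12: return site
]

def outcome(inputs, program=PROGRAM):
    try:
        run(program, inputs)
        return "returned normally"
    except SpuriousUse as trap:
        return f"trap at {trap}"
```

With two input words the saved return address stays untagged and the program returns; with four, the copy overwrites it with a tagged word and the jump is refused.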