Policy implementation and engineering for tagged architectures / Nick Roessler.

Available online: Dissertations & Theses @ University of Pennsylvania
Format:
Book
Thesis/Dissertation
Author/Creator:
Roessler, Nick, author.
Contributor:
DeHon, André, degree supervisor.
Smith, Jonathan M., degree supervisor.
University of Pennsylvania. Department of Computer and Information Science, degree granting institution.
Language:
English
Subjects (All):
Computer science.
Computer and Information Science--Penn dissertations.
Penn dissertations--Computer and Information Science.
Genre:
Academic theses.
Physical Description:
1 online resource (143 pages)
Contained In:
Dissertations Abstracts International 82-12B.
Place of Publication:
[Philadelphia, Pennsylvania] : University of Pennsylvania ; Ann Arbor : ProQuest Dissertations & Theses, 2021.
System Details:
Mode of access: World Wide Web.
text file
Summary:
Tagged architectures have seen renewed interest as a means to improve the security and reliability of computing systems. Rich, programmable tag-based hardware security monitors like the PUMP allow software-defined security policies to benefit from hardware acceleration. The thesis of this work is that policies for programmable tagged architectures (1) can be engineered to enforce critical security properties at low cost, (2) can protect real programs running on real ISAs, and (3) can be applied automatically to programs, that is, with compilation passes or automatic analysis, so that the benefits of such an architecture can be brought to existing and new software with minimal human intervention. To support this claim, I have constructed a range of security policies that run on real workloads automatically, modeled their overheads using architectural simulations, explored tradeoffs in policy design and engineering to reduce their costs, and finally characterized them by their security properties. As exemplar policies, I have created stack and heap memory protection policies that can thwart traditional memory corruption vulnerabilities. Additionally, I have built a compartmentalization framework that allows a security engineer to automatically generate and evaluate a wide range of tag-based compartmentalization strategies. To generate compartments automatically, the framework includes algorithms for quantitatively minimizing overprivilege and packing the rules required for those policies into manageable sets that can be cached favorably for high performance.
Across these three categories of policies, I present the following policy engineering contributions: (1) lazy tagging, an optimization that reduces the cost of tagging memory objects, (2) rule packing, a technique for relaxing policies in key ways to improve their performance, and (3) rule prefetching, a technique that can exploit predictable rule sequences by preemptively fetching and installing rules before they are needed.
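The abstract describes the mechanism only at a high level: every word and pointer carries a tag, the hardware consults a rule cache keyed on the tags flowing into each instruction, and on a miss a software policy decides whether the operation is allowed and what tag the result gets. The toy model below is an added illustration of that mechanism and of a heap-colouring memory protection policy in that style; it is constructed for this page and is not code from the dissertation, the PUMP project, or any real policy in the thesis. The instruction set (addi/load/store), the tag encoding (ptr:k / cell:k / free), and the bump allocator are all assumptions made for the example.

```python
"""Toy tagged machine: rule cache + software miss handler + heap-colouring policy.

Constructed example. Tags, opcodes and allocator are simplifications chosen
for illustration, not the encodings used by the PUMP or by the dissertation.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Tag = str        # e.g. "free", "data", "ptr:2", "cell:2"
Key = Tuple      # (opcode, *input tags): what the rule cache is indexed by


class PolicyViolation(Exception):
    """Raised by the miss handler when no rule permits the operation."""


@dataclass
class RuleCache:
    """Models the hardware rule cache. Only permitted operations are installed,
    so a violating tag combination is re-checked in software every time and
    never becomes a cached rule."""
    rules: Dict[Key, Tag] = field(default_factory=dict)
    hits: int = 0
    misses: int = 0

    def resolve(self, key: Key, miss_handler: Callable[[Key], Tag]) -> Tag:
        if key in self.rules:
            self.hits += 1
            return self.rules[key]
        self.misses += 1
        result = miss_handler(key)      # raises PolicyViolation if disallowed
        self.rules[key] = result        # install the rule for future hits
        return result


def heap_color_policy(key: Key) -> Tag:
    """Software policy: a pointer coloured k may only touch cells coloured k.
    Returns the result tag; raises on anything it does not explicitly allow."""
    op = key[0]
    if op in ("load", "store"):
        _, ptr_tag, mem_tag = key
        if ptr_tag.startswith("ptr:") and mem_tag == "cell:" + ptr_tag[4:]:
            # load yields plain data; store leaves the cell's colour unchanged
            return "data" if op == "load" else mem_tag
    elif op == "addi":
        _, ptr_tag = key
        return ptr_tag                  # pointer arithmetic keeps the colour
    raise PolicyViolation(f"no rule for {key}")


@dataclass
class Machine:
    mem_val: List[int]
    mem_tag: List[Tag]
    cache: RuleCache = field(default_factory=RuleCache)
    allocs: Dict[Tag, Tuple[int, int]] = field(default_factory=dict)
    brk: int = 0
    next_color: int = 0

    # The allocator is trusted and writes tags directly; in a real system it
    # would run under a privileged tag that authorises this.
    def malloc(self, n: int) -> Tuple[int, Tag]:
        color, self.next_color = self.next_color, self.next_color + 1
        base, self.brk = self.brk, self.brk + n
        for i in range(base, base + n):
            self.mem_tag[i] = f"cell:{color}"
        self.allocs[f"ptr:{color}"] = (base, n)
        return base, f"ptr:{color}"

    def free(self, ptr: Tuple[int, Tag]) -> None:
        base, n = self.allocs.pop(ptr[1])
        for i in range(base, base + n):
            self.mem_tag[i] = "free"    # stale pointers now mismatch

    # Instructions: each consults the rule cache with its input tags.
    def addi(self, ptr: Tuple[int, Tag], imm: int) -> Tuple[int, Tag]:
        tag = self.cache.resolve(("addi", ptr[1]), heap_color_policy)
        return ptr[0] + imm, tag

    def load(self, ptr: Tuple[int, Tag]) -> int:
        addr, ptag = ptr
        self.cache.resolve(("load", ptag, self.mem_tag[addr]), heap_color_policy)
        return self.mem_val[addr]

    def store(self, ptr: Tuple[int, Tag], val: int) -> None:
        addr, ptag = ptr
        self.mem_tag[addr] = self.cache.resolve(
            ("store", ptag, self.mem_tag[addr]), heap_color_policy)
        self.mem_val[addr] = val


def run_demo() -> dict:
    """Adjacent buffers a and b: in-bounds access is allowed, the one-past-the-end
    write into b and the use-after-free read are both stopped by the policy."""
    m = Machine(mem_val=[0] * 16, mem_tag=["free"] * 16)
    a = m.malloc(4)
    b = m.malloc(4)                     # a[4] aliases b[0]
    for i in range(4):
        m.store(m.addi(a, i), i)
    in_bounds = [m.load(m.addi(a, i)) for i in range(4)]

    overflow_caught = False
    try:
        m.store(m.addi(a, 4), 0x41)     # colour ptr:0 vs cell:1 -> violation
    except PolicyViolation:
        overflow_caught = True

    m.free(a)
    uaf_caught = False
    try:
        m.load(a)                       # colour ptr:0 vs free -> violation
    except PolicyViolation:
        uaf_caught = True

    return {
        "in_bounds": in_bounds,
        "overflow_caught": overflow_caught,
        "uaf_caught": uaf_caught,
        "neighbour_untouched": m.mem_val[b[0]] == 0,
        "hits": m.cache.hits,
        "misses": m.cache.misses,
        "installed_rules": len(m.cache.rules),
    }


if __name__ == "__main__":
    print(run_demo())
```

The hit/miss counters are the part worth watching: the whole loop over a colour-0 buffer needs only three distinct rules, so after three misses every further access is a cache hit, which is the kind of rule reuse that makes a policy cheap to enforce in hardware. The two violations are each a miss that never installs a rule, so they are caught every time they occur.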
Notes:
Source: Dissertations Abstracts International, Volume: 82-12, Section: B.
Advisors: DeHon, André; Smith, Jonathan M.; Committee members: Benjamin Pierce; Joseph Devietti; Greg Sullivan.
Department: Computer and Information Science.
Ph.D. University of Pennsylvania 2021.
Local Notes:
School code: 0175
ISBN:
9798738648717
Access Restriction:
Restricted for use by site license.
This item must not be sold to any third party vendors.

