To keep hardware safe, new ‘Oreo’ method cuts out the code’s clues

Celebrity Gig
Caption:Oreo’s “masked address space” re-maps code from randomized virtual addresses to fixed locations before it’s executed within the hardware, making it difficult for hackers to trace the program’s original locations through hardware attacks. Credit: Alex Shipps/MIT CSAIL, with elements from Pixabay

Imagine you’re a chef with a highly sought-after recipe. You write your top-secret instructions in a journal to ensure you remember them, but its location within the book is evident from the folds and tears on the edges of that often-referenced page.

Much like recipes in a cookbook, the instructions to execute programs are stored in specific locations within a computer’s physical memory. The standard security method—referred to as “address space layout randomization” (ASLR)—scatters this precious code to different places, but hackers can now find their new locations.

Instead of hacking the software directly, they use approaches called microarchitectural side attacks that exploit hardware, identifying which memory areas are most frequently used. From there, they can use code to reveal passwords and make critical administrative changes in the system (also known as code-reuse attacks).

To enhance ASLR’s effectiveness, researchers from the MIT Computer Science and Artificial Intelligence Laboratory (CSAIL) have found a way to make these footprints vanish. Their “Oreo” method mitigates hardware attacks by removing randomized bits of addresses that lead to a program’s instructions before they’re translated to a physical location. It scrubs away traces of where code gadgets (or short sequences of instructions for specific tasks) are located before hackers can find them, efficiently enhancing security for operating systems like Linux.

The findings are published on the arXiv preprint server.

READ ALSO:  IBEDC to upgrade metering system

Oreo has three layers, much like its tasty namesake. Between the virtual address space (which is used to reference program instructions) and the physical address space (where the code is located), Oreo adds a new “masked address space.” This re-maps code from randomized virtual addresses to fixed locations before it is executed within the hardware, making it difficult for hackers to trace the program’s original locations in the virtual address space through hardware attacks.

“We got the idea to structure it in three layers from Oreo cookies,” says Shixin Song, an MIT Ph.D. student in electrical engineering and computer science (EECS) and CSAIL affiliate who is the lead author of a paper about the work. “Think of the white filling in the middle of that treat—our version of that is a layer that essentially whites out traces of gadget locations before they end up in the wrong hands.”

Senior author Mengjia Yan, an MIT associate professor of EECS and CSAIL principal investigator, believes Oreo’s masking abilities could make address space layout randomization more secure and reliable.

“ASLR was deployed in operating systems like Windows and Linux, but within the last decade, its security flaws have rendered it almost broken,” says Yan. “Our goal is to revive this mechanism in modern systems to defend microarchitecture attacks, so we’ve developed a software-hardware co-design mechanism that prevents leaking secret offsets that tell hackers where the gadgets are.”

READ ALSO:  Sam Altman returns to OpenAI board months after crisis

The CSAIL researchers will present their findings about Oreo at the Network and Distributed System Security Symposium later this month.

Song and her co-authors evaluated how well Oreo could protect Linux by simulating hardware attacks in gem5, a platform commonly used to study computer architecture. The team found that it could prevent microarchitectural side attacks without hampering the software it protects.

Song observes that these experiments demonstrate how Oreo is a lightweight security upgrade for operating systems.

“Our method introduces marginal hardware changes by only requiring a few extra storage units to store some metadata,” she says. “Luckily, it also has a minimal impact on software performance.”

While Oreo adds an extra step to program execution by scrubbing away revealing bits of data, it doesn’t slow down applications. This efficiency makes it a worthwhile security boost to ASLR for page-table-based virtual memory systems beyond Linux, such as those commonly found in major platforms such as Intel, AMD, and Arm.

In the future, the team will look to address speculative execution attacks—where hackers fool computers into predicting their next tasks, then steal the hidden data it leaves behind. Case in point: the infamous Meltdown/Spectre attacks in 2018.

READ ALSO:  DOJ sues eBay for ‘rolling coal’ devices; fines could hit $2 billion

To defend against speculative execution attacks, the team emphasizes that Oreo must be coupled with other security mechanisms (such as Spectre mitigations). This potential limitation extends to applying Oreo to larger systems.

“We think Oreo could be a useful software-hardware co-design platform for a broader type of applications,” says Yan. “In addition to targeting ASLR, we’re working on new methods that can help safeguard the critical crypto libraries widely used to safeguard information across people’s network communication and cloud storage.”

Song and Yan wrote the paper with MIT EECS undergraduate researcher Joseph Zhang.

More information:
Shixin Song et al, Oreo: Protecting ASLR Against Microarchitectural Attacks (Extended Version), arXiv (2024). DOI: 10.48550/arxiv.2412.07135

Journal information:
arXiv


Provided by
Massachusetts Institute of Technology


This story is republished courtesy of MIT News (web.mit.edu/newsoffice/), a popular site that covers news about MIT research, innovation and teaching.

Citation:
To keep hardware safe, new ‘Oreo’ method cuts out the code’s clues (2025, February 11)
retrieved 12 February 2025
from

This document is subject to copyright. Apart from any fair dealing for the purpose of private study or research, no
part may be reproduced without the written permission. The content is provided for information purposes only.

Categories

Share This Article
Leave a comment