Preventing malicious data harvesting from deallocated memory areas

Anikeev, Maxim; Freiling, Felix C.

doi:10.1145/2523514.2527022

Cited by 5 publications

(7 citation statements)

References 3 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This extension to Android encrypts sensitive data objects in place, and then when the object is no longer needed or it's idle, the key is securely deallocated. However, when considering server-side changes, re-engineering the JVM should also consider dealing with sensitive native IO operations, shared variables in applications [8], and incorporating explicit data lifetimes into the programming language [7,9].…”

Section: Discussion and Future Workmentioning

confidence: 99%

“…However, Chow et al's techniques cannot address the latent secrets found in the HotSpot, because the JVM uses it's own memory management primitives. Additional work has been done to help reduce latent secrets due to shared program variables with static analysis [8]; Anikeev et al [9] proposed introducing keywords into managed languages hinting at how to securely manage object instances.…”

Section: Prior Workmentioning

confidence: 99%

See 1 more Smart Citation

Present but Unreachable: Reducing Persistentlatent Secrets in HotSpot JVM

Pridgen

Garfinkel

Wallach

2017

Proceedings of the 50th Hawaii International Conference on System Sciences (2017)

View full text Add to dashboard Cite

Applications that manage sensitive secrets, including cryptographic keys, are typically engineered to overwrite the secrets in memory once they're no longer necessary, offering an important defense against forensic attacks against the computer. In a modern garbagecollected memory system, however, live objects will be copied and compacted into new memory pages, with the user program being unable to reach and zero out obsolete copies in old memory pages that have not yet been reused. This paper considers this problem in the HotSpot JVM, the default JVM used by the Oracle and OpenJDK Java platforms. We analyze the SerialGC and Garbage First Garbage Collector (G1GC) implementations, showing that sensitive data such as TLS keys are easily extracted from the garbage. To mitigate this issue, we implemented techniques to sanitize older heap pages and we measure the performance impactsometimes good, sometimes unacceptable. We also discuss how future garbage collectors might be designed from scratch with efficient heap sanitation in mind.

show abstract

Section: Discussion and Future Workmentioning

confidence: 99%

Section: Prior Workmentioning

confidence: 99%

Present but Unreachable: Reducing Persistentlatent Secrets in HotSpot JVM

Pridgen

Garfinkel

Wallach

2017

Proceedings of the 50th Hawaii International Conference on System Sciences (2017)

View full text Add to dashboard Cite

show abstract

“…CODIC can also be used to accelerate secure deallocation mechanisms [10,34,45,59,140]. Secure deallocation is a technique that sets the data to zero at the moment of deallocation, or as soon as the data is not needed anymore, which reduces the time that critical data is exposed to attacks.…”

Section: Other Applicationsmentioning

confidence: 99%

“…We conclude that our zero-runtime-overhead proposal is a very power-and areaefficient way to protect against cold boot attacks in systems where encryption is expensive or otherwise undesirable. 10…”

Section: Comparison With Other State-of-the-art Mechanismsmentioning

confidence: 99%

See 1 more Smart Citation

CODIC: A Low-Cost Substrate for Enabling Custom In-DRAM Functionalities and Optimizations

Orosa¹,

Wang²,

Sadrosadati³

et al. 2021

Preprint

View full text Add to dashboard Cite

DRAM is the dominant main memory technology used in modern computing systems. Computing systems implement a memory controller that interfaces with DRAM via DRAM commands. DRAM executes the given commands using internal components (e.g., access transistors, sense amplifiers) that are orchestrated by DRAM internal timings, which are fixed for each DRAM command. Unfortunately, the use of fixed internal timings limits the types of operations that DRAM can perform and hinders the implementation of new functionalities and custom mechanisms that improve DRAM reliability, performance and energy. To overcome these limitations, we propose enabling programmable DRAM internal timings for controlling in-DRAM components.To this end, we design CODIC, a new low-cost DRAM substrate that enables fine-grained control over four previously fixed internal DRAM timings that are key to many DRAM operations. We implement CODIC with only minimal changes to the DRAM chip and the DDRx interface. To demonstrate the potential of CODIC, we propose two new CODIC-based security mechanisms that outperform state-of-the-art mechanisms in several ways: (1) a new DRAM Physical Unclonable Function (PUF) that is more robust and has significantly higher throughput than state-of-the-art DRAM PUFs, and (2) the first cold boot attack prevention mechanism that does not introduce any performance or energy overheads at runtime.

show abstract