Program Transformation Techniques for Erasing Sensitive Data in Sequential and Concurrent Applications
MetadataShow full item record
The memory footprints of sensitive data in security critical systems programs and end user applications is generally not ensured to be kept small. This results in data being left over in the memory long after it has been last used in the program. The prolonged presence of such memory resident data that is sensitive (such as passwords and cryptographic keys) poses a number of security risks. The onus of ensuring that sensitive data does not remain in the program well beyond its intended use is left entirely to the programmer. Unfortunately this is only done by the most sophisticated of applications developers, as many developers are not simply aware of these issues. Consequently, there is a dire need to retrofit applications to minimize the prolonged life of sensitive data in memory. A promising approach is to delete sensitive data as soon as it becomes unnecessary. In this thesis, we propose methods to reduce the lifetime of memory resident data by erasing the memory footprint of sensitive data after it’s last usage in programs. Our approach uses program transformation techniques to achieve the goal of precise and effective minimization of data exposure in sequential and concurrent applications. We first describe SWIPE, an approach to reduce the lifetime of sensitive, memory resident data in large-scale sequential applications written in C. In contrast to prior approaches that used a delayed or lazy approach to the problem of erasing sensitive data, SWIPE uses a novel eager erasure approach that minimizes the risk of accidental sensitive data leakage. SWIPE achieves this by transforming a legacy sequential C program to include additional instructions that erase sensitive data immediately after its intended use. SWIPE is guided by a highly scalable static analysis technique that precisely identifies locations to introduce erase instructions in the original program. In our experiments, SWIPE is able to successfully and robustly transform several large applications with minimal performance overheads. The sequential programs transformed using SWIPE enjoy several additional advantages: minimization of leaks that arise due to data dependencies; erasure of sensitive data with minimal developer guidance; and negligible performance overheads (averaging 1.35%). We subsequently tackle the challenge of minimizing data lifetime in the realm of concurrent pro- grams. In this case, the issues are comparatively more challenging as the interleaving of threads in concurrent applications makes the determination of lifetime statically difficult. In this dissertation, we also address the problem of data lifetime minimization for concurrent programs in addition to sequential programs. The major challenge for our approach is to ensure that the erasures introduced to the shared memory locations are done after anticipating all possible interleaving of threads, in order to en- sure soundness. We develop a new algorithm that anticipates shared variable lifetimes, and correctly introduce erase instructions. This algorithm is implemented in a tool called DEICS (Data Erasure In Concurrent Software). Through an experimental evaluation, we show that DEICS is able to reduce lifetimes of shared sensitive data in several concurrent applications (over 100k lines of code combined) with minimal performance overheads. This thesis is, as far as we know, the first study that applies “data lifetime minimization” techniques to concurrent programs. The method we present to erase data from shared memory is sound (i.e., data is erased only after it is no longer needed). Our experimental results show, DEICS enables data erasure efficiently. Taken together, SWIPE and DEICS address the issues in minimizing sensitive lifetime in modern computing applications. They demonstrate that precise and effective minimization of data exposure in sequential and concurrent applications can be achieved through program transformation techniques.