Sidecar: Leveraging Debugging Extensions in Commodity Processors to Secure Software

Sidecar: Leveraging Debugging Extensions in Commodity Processors to Secure Software

연구 분야: Cryptography

학회: 2024 Annual Computer Security Applications Conference (ACSAC)

The increased parallelism in modern processors has sparked interest in offloading security policy enforcement to processes or hardware operating in parallel with the main application. This approach can reduce application latency, enhance security, and improve compatibility. However, existing software solutions often incur high overheads and are susceptible to memory corruption attacks, while hardware solutions tend to be inflexible and require substantial modifications to the processor. In this paper, we present Sidecar, a novel approach that offloads security checks to run concurrently with applications by leveraging the debugging infrastructure available in commodity processors. Specifically, we utilize software-driven logging (SDL) extensions in Intel and Arm processors to create secure, append-only channels between applications and security monitors. We build and evaluate a prototype of Sidecar for the x86-64 and Aarch64 architectures. To demonstrate its utility, we adapt well-known security de-fenses within Sidecar, providing control-flow integrity (CFI), shadow call stacks (SCS), and memory error checking (ASan). Our evaluation shows that these extensions perform better on the Intel architecture. In terms of defenses, Sidecar reduces the latency of CFI in the tested real-world applications by an average of 30%, offers enhanced security with similar overhead for SCS, and is versatile enough to support complex defenses like ASan. Furthermore, our security monitor for CFI+SCS is 30 times more efficient compared to previous work.