Minos

Jedidiah R. Crandall, S. Felix Wu, Frederic T. Chong
2006 ACM Transactions on Architecture and Code Optimization (TACO)  
We present Minos, a microarchitecture that implements Biba's low water-mark integrity policy on individual words of data. Minos stops attacks that corrupt control data to hijack program control flow, but is orthogonal to the memory model. Control data is any data that is loaded into the program counter on control-flow transfer, or any data used to calculate such data. The key is that Minos tracks the integrity of all data, but protects control flow by checking this integrity when a program uses
more » ... the data for control transfer. Existing policies, in contrast, need to differentiate between control and noncontrol data a priori, a task made impossible by coercions between pointers and other data types, such as integers in the C language. Our implementation of Minos for Red Hat Linux 6.2 on a Pentium-based emulator is a stable, usable Linux system on the network on which we are currently running a web server (http://minos.cs.ucdavis.edu). Our emulated Minos systems running Linux and Windows have stopped ten actual attacks. Extensive full-system testing and real-world attacks have given us a unique perspective on the policy tradeoffs that must be made in any system, such as Minos; this paper details and discusses these. We also present a microarchitectural implementation of Minos that achieves negligible impact on cycle time with a small investment in die area, as well as and minor changes to the Linux kernel to handle the tag bits and perform virtual memory swapping. Extension of Conference Paper: This is an extension of a paper presented at MICRO-37 [Crandall and Chong 2004b]. The additional material includes implementations for FreeBSD, and OpenBSD, as well as three new attacks for these, seven new actual attacks caught by Minos honeypots, six of which were included in a different conference paper [Crandall et al. 2005b ], a new section on noncontrol data attacks (Section 8.4), a new section describing the details of the Hannibal exploit (Section 9), and a new section (Section 3.1) which details the policy tradeoffs that a year and a half of testing has uncovered.
doi:10.1145/1187976.1187977 fatcat:xtosxrf7pfd3nmsakxdyprq7tm