Publication: vma_protect: Protecting Memory from Disclosure by Arbitrary Code Execution
Abstract
Though there are many methods for protecting sensitive data in cloud environments, all of them, with the exception of fully homomorphic encryption schemes crippled by their slow execution times, require the data to be present unmodified in the address space of the processing application. This leaves data at great risk from application vulnerabilities. Perhaps the most virulent vulnerability is a remote code execution exploit, allowing an attacker to execute arbitrary code in the address space of the victim application. These vulnerabilities easily allow for data exfiltration and, in most cases, more destructive acts as well. Even with conventional defenses in place, attacks allowing for arbitrary code execution are thus generally deemed unrecoverable.
In this paper we present vma_protect, a novel system to provide some confidentiality guarantees, even in the face of arbitrary code execution. vma_protect allows an application developer to mark certain memory regions as confidential, restricting access to those regions to a limited set of predefined code routines. Therefore, even if an application is vulnerable to a remote code execution exploit, the most an attacker could learn is the result of one of these predefined routines. By writing the routines carefully, so that they reveal only the bare minimum information required for the application to operate normally, a developer can provide some data protection even in this exploited state.