Using Name Confusion to Enhance Security

Abstract

The paper introduces Name Confusion, a novel security concept implemented by the Phantom Name System (PNS), designed to thwart multiple classes of code-reuse attacks. PNS provides multiple randomized virtual addresses (N mappings) for program instructions, switching rapidly at the basic block granularity to confuse attackers and cause crashes upon address mismatch. This highly effective hardware protocol, validated on a RISC-V core, reduces exploit success probability to $10^{-12}$ while maintaining negligible performance overhead, targeting resource-constrained devices.

Report

Structured Report: Using Name Confusion to Enhance Security

Key Highlights

• Novel Security Primitive: Introduction of "Name Confusion," where a single program instruction is associated with multiple valid runtime addresses.
• Phantom Name System (PNS): The concrete security protocol derived from Name Confusion, which creates N distinct memory address mappings for the same instruction.
• Attack Mitigation: Specifically designed to thwart multiple classes of code-reuse attacks, including Just-In-Time (JIT) ROP.
• High Randomization Frequency: Address randomization occurs rapidly at the granularity of basic blocks.
• Quantitative Security: Evaluation shows the system reduces the success probability of typical exploits to approximately $10^{-12}$.
• Efficiency: PNS boasts negligible performance overhead compared to state-of-the-art hardware-based protections.
• Target Devices: Primarily designed for resource-constrained, or "wimpy," devices.
• Validation: Implementation verified on the SPEC CPU2017 benchmark suite and validated by adding it to a RISC-V core on an FPGA.

Technical Details

• Core Principle (PNS): Instead of the conventional one-to-one mapping (instruction to virtual address), PNS implements an N-to-one mapping, making the instruction's callable address unpredictable.
• Defense Mechanism: When an attacker attempts to exploit a memory safety vulnerability using a targeted instruction address, the system checks if the fetched address matches the currently chosen random address. A mismatch results in a program crash (fail-stop).
• Granularity: The address randomization cycle is fine-grained, occurring dynamically at the boundary of basic blocks, which makes tracking specific gadget addresses extremely challenging for JIT attackers.
• Implementation Platform: The practicality of PNS was verified through hardware implementation within a RISC-V core architecture on an FPGA, confirming feasibility in real hardware environments.

Implications

• RISC-V Security Ecosystem: The successful implementation of PNS within a RISC-V core demonstrates the architecture's suitability for integrating powerful, deep-hardware security mechanisms. This positions RISC-V as a strong platform for developing next-generation protection schemes.
• Defense Against Control-Flow Attacks: By achieving an extremely low exploit success rate ($10^{-12}$), PNS offers a highly robust, probabilistic defense against code-reuse attacks, which remain a dominant threat in modern computing.
• Resource Efficiency for IoT: Since PNS is specifically designed for resource-constrained devices and exhibits negligible overhead, it addresses a critical need for strong security in the booming IoT and embedded systems markets, where many RISC-V chips are deployed.
• Market Competitiveness: PNS provides a competitive hardware alternative to existing security solutions, offering superior protection without incurring the performance penalties often associated with comparable protection methods.