Security Enhancing Compilation for Use in Real Environments

Sep 10, 2017

We have a proliferation of small, networked devices, rich in sensors - "the Internet of Things". Recent events have shown how vulnerable such devices are to attack. We have seen children's dolls hacked remotely to spout profanities, internet-connected light bulbs which can be used to hijack a home network, and the Mirai botnet using IoT devices to mount DDoS attacks.

We need to make it easy for professional software engineers to write secure code for such devices. Beyond the trivial system failings (lack of passwords, use of open communication protocols), we need to be able to protect against attacks based on information leakage and make it easy to implement defensive programming techniques. Security is a system-wide issue, and the compiler is the one tool which gets to look at all the code.

SECURE is a one-year research project led by Embecosm and supported by Innovate UK, which aims to extend popular open source compilers to help in writing secure code. We can do this in two ways.

1. We can warn the user of dangerous code constructs, for example when a critical variable is used to control program flow, thus leaking information.
2. We can provide features to assist the program, for example by wiping the stack on return from a function to avoid leaving data in memory.

We'll be submitting patches to add such features, using ARM and RISC-V architectures as demonstrators. In this talk I'll describe the progress with GCC in the first two months of the project. I'll also look at the system we are using to test the effectiveness of these techniques.
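The two points in the abstract, written out by hand in C as an added example (not code from the talk or from the SECURE project): a comparison whose control flow depends on a secret next to a branch-free version, and a function that wipes its own stack buffer before returning. `SECRET`, `check_leaky`, `check_ct`, `wipe` and `checksum_key` are hypothetical names, the secret is a constructed sample, and the step counter is an assumed stand-in for measured run time.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define KEY_LEN 8
static const uint8_t SECRET[KEY_LEN] = {'s','3','c','r','3','t','!','!'}; /* constructed */

/* Leaky: returns at the first mismatch, so the secret controls program flow.
   *steps counts loop iterations as a stand-in for observable run time. */
int check_leaky(const uint8_t *guess, size_t *steps)
{
    *steps = 0;
    for (size_t i = 0; i < KEY_LEN; i++) {
        ++*steps;
        if (SECRET[i] != guess[i]) return 0;
    }
    return 1;
}

/* Hardened: visits every byte, with no branch that depends on the secret. */
int check_ct(const uint8_t *guess, size_t *steps)
{
    uint32_t diff = 0;
    *steps = 0;
    for (size_t i = 0; i < KEY_LEN; i++, ++*steps)
        diff |= (uint32_t)(SECRET[i] ^ guess[i]);
    return (int)(((diff - 1u) >> 8) & 1u); /* 1 only when diff == 0 */
}

/* Stores through a volatile pointer are not discarded as dead stores. */
static void wipe(void *p, size_t n)
{
    volatile uint8_t *v = p;
    while (n--) *v++ = 0;
}

/* Uses the key in a stack buffer, then wipes it by hand before returning.
   residue (demo only) receives the buffer's contents after the wipe. */
uint8_t checksum_key(uint8_t residue[KEY_LEN])
{
    uint8_t tmp[KEY_LEN], sum = 0;
    memcpy(tmp, SECRET, KEY_LEN);
    for (size_t i = 0; i < KEY_LEN; i++) sum ^= tmp[i];
    wipe(tmp, sizeof tmp);
    memcpy(residue, tmp, KEY_LEN);
    return sum;
}

int main(void) { size_t n; uint8_t r[KEY_LEN]; return !(check_ct(SECRET, &n) && checksum_key(r) == 0x16); }
```

With a guess that is wrong in the first byte `check_leaky` stops after one step, and with one that is wrong only in the last byte it runs all eight, while `check_ct` takes eight steps for both.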
