Parallel Memory Permissions and Their Applications

A process can voluntarily set memory protections to different portions of its address space. As threads in a process share the same address space, they are equally bound to its protections. In this dissertation, we explore the concept of parallel memory permissions, a powerful technique that allows multiple threads to execute in parallel while having different permissions to the same address space, and we show how it may be implemented on commodity hardware without requiring special hardware primitives. Parallel memory permissions makes it practical and easy to apply various tools and protection schemes in multi-threaded applications; practical because it does not hinder threads from executing in parallel and easy because by virtue of not segmenting a process’s address space, applications require only slight modifications (if any) to benefit from it.

We demonstrate this first with SandTrap, a Dynamic Information-Flow Tracking (DIFT) tool for machine code on Android. SandTrap complements TaintDroid and addresses its key limitation: the inability to track information flows when an app calls third-party native functions. The key to SandTrap is on-demand DIFT, where DIFT is performed only when threads access data that needs to be tracked. Otherwise, they run unmodified without any DIFT overhead. As Android apps are inherently multi-threaded, on-demand DIFT in SandTrap is possible because of parallel memory permissions. It allows SandTrap to set different sets of memory protections on a thread depending on whether it is running third-party native code, and it does so without hindering the parallelism of the app. The current prototype of SandTrap runs on a real smartphone device with unmodified apps downloaded from the Google Play Store, such as Instagram.

Next, we present DoubleVision, a system that addresses the problem of stray memory accesses in which a thread might accidentally read or write to memory-mapped application resources. These stray accesses often occur because of bugs in the application code and they can violate the integrity or confidentiality of resources in memory. We show how DoubleVision uses parallel memory permissions to restrict a thread from inadvertently accessing such resources, without requiring significant refactoring of the application.