Chaos for a Fast, Secure, and Predictable Future

Violating a program’s semantics for fun and profit is a time honored hacker tradition. Compilers defend against such fiends by inserting run-time checks to enforce semantic safety properties. Safe language compilers insert type checks for down-casts, information flow compilers [11] add run-time checks to prevent information leakage, and tools like SAFECode [8], WIT [1], and DFI [6] insert run-time checks to detect memory errors in C code. While effective, run-time checks often incur extra CPU and/or memory overhead. This is especially true when enforcing safety properties on C code [8, 1]. Instead of detecting or tolerating violations of semantic safety properties, perhaps we can gain better performance by making the results of such violations unpredictable. Attackers often rely on violations of semantic safety properties having specific, predictable outcomes at the machine-code level. What if violations of safety properties could be guaranteed to produce unpredictable behavior? While randomization for security has been proposed for limited purposes [4, 5, 10, 15, 3], we believe that there is a more general principle afoot: many attacks utilizing semantic violations that are stopped using run-time checks can also be reliably thwarted using randomization techniques. The primary difference is that the former detects or prevents violations while the latter permits a violation but prevents an attacker from exploiting it. In Section 2, we describe previous work that illustrates a semantic safety property used to enforce memory safety and how randomization can provide similar safety with less CPU and address space overhead than run-time checks. We will then generalize this principle and argue that randomization can enforce other semantic safety properties by showing novel, potential randomization techniques for enforcing information flow policies, type-safety, and data-flow integrity.