The main idea of this proposed dissertation project is to develop a CPU extension that provides improved protection against software vulnerabilities. Buffer overflows have caused serious security problems in computer systems in recent years. The topic is becoming more important as the number of embedded and networked systems grows, and the short development and verification periods of today's software are causing these vulnerabilities to increase dramatically.
In this project we propose a CPU architecture in which code security can be improved passively. The proposed architecture performs bounds checking directly in hardware for every data manipulation. Registers are extended with replicas that contain the lowest and highest value the register is allowed to hold. Checks can therefore be made directly in hardware without significant performance loss, whereas equivalent checking in software would make the application intolerably slow.
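To make the register-replica idea concrete, the following C program models such a bounded register in software. It is an added illustration, not code from the proposal or from any prototype it describes: every name (bounded_reg, breg_load_bounded, breg_add, breg_store8, bounded_copy) is hypothetical, and it assumes that the two replicas hold the lowest and highest address the register may contain, both inclusive. Each pointer increment and each store is checked against the replicas, so a copy that would run past the end of a buffer stops at the first out-of-bounds access instead of overwriting the neighbouring bytes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Software model of the proposed bounded register: the working value plus
 * two replica fields holding the lowest and highest value the register may
 * hold. All names here (bounded_reg, breg_*, bounded_copy) are hypothetical. */
typedef struct {
    uintptr_t value;
    uintptr_t lo;   /* lowest address the register may hold (inclusive) */
    uintptr_t hi;   /* highest address the register may hold (inclusive) */
} bounded_reg;

typedef enum { BREG_OK = 0, BREG_BOUNDS_FAULT = 1 } breg_status;

/* What a compiler back-end would emit when a buffer address is loaded:
 * the value and both replicas are set together. */
static bounded_reg breg_load_bounded(uintptr_t value, uintptr_t lo, uintptr_t hi)
{
    bounded_reg r = { value, lo, hi };
    return r;
}

/* Pointer arithmetic on the register: the replicas travel with it and the
 * new value is checked against them, so stepping past the end faults here
 * instead of silently producing an out-of-bounds address. */
static breg_status breg_add(bounded_reg *r, intptr_t delta)
{
    uintptr_t next = r->value + (uintptr_t)delta;
    if (next < r->lo || next > r->hi)
        return BREG_BOUNDS_FAULT;
    r->value = next;
    return BREG_OK;
}

/* A byte store through the register re-checks the bounds at the access. */
static breg_status breg_store8(const bounded_reg *r, uint8_t byte)
{
    if (r->value < r->lo || r->value > r->hi)
        return BREG_BOUNDS_FAULT;
    *(uint8_t *)r->value = byte;
    return BREG_OK;
}

/* Copy n bytes into dst through a bounded register, as a hardware-checked
 * memcpy would. Returns how many bytes were written before the first
 * bounds fault (n when everything fits). */
static size_t bounded_copy(uint8_t *dst, size_t dst_len, const uint8_t *src, size_t n)
{
    if (dst_len == 0)
        return 0;
    bounded_reg p = breg_load_bounded((uintptr_t)dst, (uintptr_t)dst,
                                      (uintptr_t)dst + dst_len - 1);
    for (size_t i = 0; i < n; i++) {
        if (breg_store8(&p, src[i]) != BREG_OK)
            return i;
        /* advance only if another byte follows; the last byte sits at hi */
        if (i + 1 < n && breg_add(&p, 1) != BREG_OK)
            return i + 1;
    }
    return n;
}

#define BUF_LEN 8
#define GUARD 0xAAu

/* Constructed scenario: a 12-byte payload is copied into an 8-byte buffer
 * that is followed by guard bytes. Reports how many bytes were written and
 * whether the guard bytes survived untouched. */
static void run_scenario(size_t *written, bool *guards_intact)
{
    uint8_t region[BUF_LEN + 4];            /* buffer followed by 4 guard bytes */
    uint8_t payload[12];
    memset(region, GUARD, sizeof region);
    for (size_t i = 0; i < sizeof payload; i++)
        payload[i] = (uint8_t)(i + 1);      /* constructed sample input */

    *written = bounded_copy(region, BUF_LEN, payload, sizeof payload);

    *guards_intact = true;
    for (size_t i = BUF_LEN; i < sizeof region; i++)
        if (region[i] != GUARD)
            *guards_intact = false;
}

static size_t bytes_written_12_into_8(void)
{
    size_t w; bool g;
    run_scenario(&w, &g);
    return w;
}

static bool guards_intact_12_into_8(void)
{
    size_t w; bool g;
    run_scenario(&w, &g);
    return g;
}

int main(void)
{
    printf("bytes written: %zu, guard bytes intact: %s\n",
           bytes_written_12_into_8(),
           guards_intact_12_into_8() ? "yes" : "no");
    return 0;
}
```

In the model the check costs two comparisons per pointer update and per access, which is the work the proposal moves into hardware; an unbounded memcpy in the same scenario would write all 12 bytes and clobber the guard region.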
Based on new concepts of byte-code or intermediate languages that carry data-type information as metadata at the intermediate-language level, changes to the compiler would be restricted to the last step of the compilation process, i.e. the byte-code interpreter or the JIT compiler respectively.
The idea of developing a CPU extension originates from several projects and Master's theses that concentrated on code-security aspects and on methods for developing FPGA-based CPUs written in hardware description languages such as VHDL or Verilog. A full CPU implementation, including the complete tool chain from the high-level-language compiler down to the CPU core, was developed entirely with public-domain software.
The feasibility of our proposed approach will be demonstrated on a prototype implementation.