publications

2025

SP 25

IncognitOS: A Practical Unikernel Design for Full-System Obfuscation in Confidential Virtual Machines (to appear)

Kha Dinh Duy, Jaeyoon Kim, Hajeong Lim, and Hojoon Lee

In 46th IEEE Symposium on Security and Privacy, 2025

2024

SEC 24
RustSan: Retrofitting AddressSanitizer for Efficient Sanitization of Rust

Kyuwon Cho, Jongyoon Kim, Kha Dinh Duy, Hajeong Lim, and Hojoon Lee

In 33rd USENIX Security Symposium (USENIX Security 24), Aug 2024

Abs Bib PDF

Rust is gaining traction as a safe systems programming language with its strong type and memory safety guarantees. However, Rust’s guarantees are not infallible. The use of unsafe Rust, a subvariant of Rust, allows the programmer to temporarily escape the strict Rust language semantics to trade security for flexibility. Memory errors within unsafe blocks in Rust have far-reaching ramifications for the program’s safety. As a result, the conventional dynamic memory error detection (e.g., fuzzing) has been adapted as a common practice for Rust and proved its effectiveness through a trophy case of discovered CVEs.
RUSTSAN is a retrofitted design of AddressSanitizer (ASan) for efficient dynamic memory error detection of Rust programs. Our observation is that a significant portion of instrumented memory access sites in a Rust program compiled with ASan is redundant, as the Rust security guarantees can still be valid at the site. RUSTSAN identifies and instruments the sites that definitely or may undermine Rust security guarantees while lifting instrumentation on safe sites. To this end, RUSTSAN employs a cross-IR program analysis for accurate tracking of unsafe sites and also extends ASan’s shadow memory scheme for checking non-uniform memory access validation necessary for Rust. We conduct a comprehensive evaluation of RUSTSAN in terms of detection capability and performance using 57 Rust crates. RUSTSAN successfully detected all 31 tested cases of CVE-issued memory errors. Also, RUSTSAN shows an average of 62.3% performance increase against ASan in general benchmarks that involved 20 Rust crates. In the fuzzing experiment with 6 crates, RUSTSAN marked an average of 23.52%, and up to 57.08% of performance improvement.
@inproceedings{rustsan, author = {Cho, Kyuwon and Kim, Jongyoon and Duy, Kha Dinh and Lim, Hajeong and Lee, Hojoon}, title = {{RustSan}: Retrofitting {AddressSanitizer} for Efficient Sanitization of Rust}, booktitle = {33rd USENIX Security Symposium (USENIX Security 24)}, year = {2024}, isbn = {978-1-939133-44-1}, address = {Philadelphia, PA}, pages = {3729--3746}, url = { https://www.usenix.org/conference/usenixsecurity24/presentation/cho-kyuwon }, publisher = {USENIX Association}, month = aug, }

2023

CCS 23
Capacity: Cryptographically-Enforced In-Process Capabilities for Modern ARM Architectures

Kha Dinh Duy, Kyuwon Cho, Taehyun Noh, and Hojoon Lee

In Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, Aug 2023

Distinguished Paper Award

Abs Bib PDF Slides

In-process compartmentalization and access control have been actively explored to provide in-place and efficient isolation of in-process security domains. Many works have proposed compartmentalization schemes that leverage hardware features, most notably using the new page-based memory isolation feature called Protection Keys for Userspace (PKU) on x86. Unfortunately, the modern ARM architecture does not have an equivalent feature. Instead, newer ARM architectures introduced Pointer Authentication (PA) and Memory Tagging Extension (MTE), adapting the reference validation model for memory safety and runtime exploit mitigation. We argue that those features have been underexplored in the context of compartmentalization and that they can be retrofitted to implement a capability-based in-process access control scheme.
This paper presents Capacity, a novel hardware-assisted intra-process access control design that embraces capability-based security principles. Capacity coherently incorporates the new hardware security features on ARM that already exhibit inherent characteristics of capability. It supports the life-cycle protection of the domain’s sensitive objects - starting from their import from the file system to their place in memory. With intra-process domains authenticated with unique PA keys, Capacity transforms file descriptors and memory pointers into cryptographically-authenticated references and completely mediates reference usage with its program instrumentation framework and an efficient system call monitor. We evaluate our Capacity-enabled NGINX web server prototype and other common applications in which sensitive resources are isolated into different domains. Our evaluation shows that Capacity incurs a low-performance overhead of approximately 17% for the single-threaded and 13.54% for the multi-threaded webserver.
@inproceedings{capacity, author = {Dinh Duy, Kha and Cho, Kyuwon and Noh, Taehyun and Lee, Hojoon}, title = {Capacity: Cryptographically-Enforced In-Process Capabilities for Modern ARM Architectures}, year = {2023}, isbn = {9798400700507}, publisher = {Association for Computing Machinery}, address = {New York, NY, USA}, url = {https://doi.org/10.1145/3576915.3623079}, doi = {10.1145/3576915.3623079}, booktitle = {Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security}, pages = {874–888}, numpages = {15}, keywords = {compartmentalization, pointer authentication, capabilities}, location = {<conf-loc>, <city>Copenhagen</city>, <country>Denmark</country>, </conf-loc>}, series = {CCS '23}, }
TCC

SE-PIM: In-Memory Acceleration of Data-Intensive Confidential Computing

Kha Dinh Duy, and Hojoon Lee

IEEE Transactions on Cloud Computing, Aug 2023

PDF

2021

Access

Confidential Machine Learning Computation in Untrusted Environments: A Systems Security Perspective

Kha Dinh Duy, Taehyun Noh, Siwon Huh, and Hojoon Lee

IEEE Access, Aug 2021