Morpheus: A Vulnerability-Tolerant Secure Architecture Based on
Ensembles of Moving Target Defenses with Churn
Mark Gallagher, Lauren Biernacki, Shibo Chen,
Zelalem Birhanu Aweke, Salessawi Ferede Yitbarek,
Misiker Tadesse Aga, Austin Harris, Zhixing Xu,
Baris Kasikci, Valeria Bertacco, Sharad Malik, Mohit Tiwari,
Todd Austin
Abstract–Attacks often succeed by abusing the gap between program and
machine-level semantics–for example, by locating a sensitive pointer, exploiting
a bug to overwrite this sensitive data, and hijacking the victim program’s
execution. In this work, we take secure system design on the offensive by
continuously obfuscating information that attackers need but normal programs do
not use, such as representation of code and pointers or the exact location of
code and data. Our secure hardware architecture, Morpheus, combines two powerful
protections: ensembles of moving target defenses and churn. Ensembles of moving
target defenses randomize key program values (e.g., relocating pointers and
encrypting code and pointers) which forces attackers to extensively probe the
system prior to an attack. To ensure attack probes fail, the architecture
incorporates churn to transparently re-randomize program values underneath the
running system. With frequent churn, systems quickly become impractically
difficult to penetrate.
     We demonstrate Morpheus through a RISC-V-based prototype designed to stop
control-flow attacks. Each moving target defense in Morpheus uses hardware
support to individually offer more randomness at a lower cost than previous
techniques. When ensembled with churn, Morpheus defenses offer strong protection
against control-flow attacks, with our security testing and performance studies
revealing: i) high-coverage protection for a broad array of control-flow
attacks, including protections for advanced attacks and an attack disclosed after
the design of Morpheus, and ii) negligible performance impacts (1%) with churn
periods up to 50 ms, which our study estimates to be at least 5000x faster than
the time necessary to possibly penetrate Morpheus.