ConfLLVM: A Compiler for Enforcing Data Confidentiality in Low-Level Code

Brahmakshatriya, Ajay and Kedia, Piyus and Nemati, Hamed and McKee, Derrick and Bhatu, Pratik and Garg, Deepak and Lal, Akash and Rastogi, Aseem
(2019) ConfLLVM: A Compiler for Enforcing Data Confidentiality in Low-Level Code.
In: Proceedings of the Fourteenth EuroSys Conference 2019, March 25-28, 2019, Dresden, Germany.
Conference: EuroSys - Eurosys Conference

This is the latest version of this item.

Full text not available from this repository.
Official URL:


We present a compiler-based scheme for protecting the confidentiality of sensitive data in low-level applications (e.g. those written in C) in the presence of an active adversary. In our scheme, the programmer marks sensitive data by writing lightweight annotations on the top-level definitions in the source code. The compiler then uses a combination of static dataflow analysis and runtime instrumentation to prevent data leaks even in the presence of low-level attacks. To reduce runtime overheads, the compiler uses a novel memory layout and a taint-aware form of control flow integrity. We formalize our scheme and prove its security. We have also implemented our scheme within the LLVM compiler and evaluated it on the CPU-intensive SPEC micro-benchmarks, and on larger, real-world applications, including the NGINX webserver and the OpenLDAP directory server. We find that performance overheads introduced by our instrumentation are moderate (average 12% on SPEC), and the programmer effort to port the applications is minimal.

Available Versions of this Item


Actions (login required)

View Item View Item