Presentation is loading. Please wait.

Presentation is loading. Please wait.

Practical and Efficient Information Flow Tracking Using Speculative Hardware Haibo Chen, Xi Wu, Liwei Yuan, Binyu Zang Fudan Univ. Pen-chung Yew Univ.

Similar presentations


Presentation on theme: "Practical and Efficient Information Flow Tracking Using Speculative Hardware Haibo Chen, Xi Wu, Liwei Yuan, Binyu Zang Fudan Univ. Pen-chung Yew Univ."— Presentation transcript:

1 Practical and Efficient Information Flow Tracking Using Speculative Hardware Haibo Chen, Xi Wu, Liwei Yuan, Binyu Zang Fudan Univ. Pen-chung Yew Univ. of Minnesota Frederic T. Chong UCSB May 12, 2015

2 Motivation Vulnerabilities Stats. in CVE 2005 and 2006 Unsafe uses of untrusted data

3 DIFT: dynamic information flow tracking  Mark unsafe data as tainted  Track the propagation of tainted data across program execution  Alert if tainted data used unsafely

4 Buffer Overflow in qwik-smtpd char arg[1024] char clientHELO [32]; char localIP[64] … fscanf (network, “%s”, arg) … strcpy(clientHELO, arg) … if(!strcmp(clientIP, localIP)) { /* Relay the mail */ } When supply a long enough arg … LocalIP clientHELO data section

5 How DIFT defeats the attack ? Tainted Data! Tainted Data! fscanf(network,“%s”,arg) if(!strcmp (clientIP,localIP)){ /* Relay the mail */ } read Tainted Data Cannot compare! localIP clientHELO strcpy Security Policy Tainted data cannot alter control flow of program data section arg Security Alert

6 Previous Systems Software LIFT, Xu et al., TaintTrace TaintCheck, Chen et al Dytan Hardware FlexiTaintRakshaSuh et al., RIFLE, Minos Currently deployable × Best case: LIFT average 4.6X slowdown for SPECINT Fast × Many processor/memory changes × Not ready for production-run deployment

7 Is it possible to have a readily deployable DIFT system with good performance?

8 Contribution: SHIFT  Key Observation  DIFT can be efficiently emulated using DEP (deferred exception propagation) in Control Speculation  Implemented on Itanium Processor using GCC to do instrumentation  Good performance:  No modification to hardware:  Average 2.81X and 2.27X slowdown for byte- and word-level taint tracking  With minimal hardware modification:  Average 2.32X and 1.8X for byte- and word-level

9 Outline SHIFT: From Speculative Execution to DIFT SHIFT Design and Implementation Evaluation Conclusion

10 Control Speculation execute optimistically

11 Deferred Exception Propagation ◦ What happens if an exception occurs in the speculative execution ?  Cannot throw the exception immediately  Should propagate it across program execution speculative load check if exception occurs recovery code r r14 r15 Token

12 Similarity between DEP and DIFT DEPDIFT ld and recovery chk ld and alert chk similar! r r14 r15 Token r r14 r15 Tag

13 From DEP to DIFT  DEP: Accelerate the propagation of taint tags  Minor Enhancement:  Instructions setting/clearing exception token  DEP-aware compare instructions

14 Outline SHIFT: From Speculative Execution to DIFT SHIFT Design and Implementation Evaluation Conclusion

15 General Working Flow of SHIFT Taint Source Network I/O Disk files Keyboard input Specific functions Specific location Taint Policy Taint PropagationViolation Capture Tainted Data Untainted Data op (add,...) Using tainted Data call [Tainted Data] jmp [Tainted Data]... Policy Engine Alert Fault Memory Registers Tag Bitmap Load; set tag bit Store; update bitmap

16 Violation Capture  OS traps  DEP token violation triggers traps  Expensive when many traps  Instrumentation  Add instructions for checking DEP tokens before critical usages  Could cause code expansion  SHIFT supports both

17 Coexisting Control Speculation with DIFT  Revert to non-speculative code upon speculation failure  No matter whether the token is caused by tainted data or deferred exceptions  Performance implication  False positives for control speculation due to DIFT  Effective when little tainted data is involved  In apache 98% safe data transitions (LIFT MICRO’06)

18 Implementation (1/2)  Implemented on Itanium based on GCC  Itanium has good support for control speculation  Each general register has a NaT (Natval) bit  NaT(Natval) is propagated during program execution  Missing features  Instrutions setting/clearing NaT bits  NaT-aware compare instructions

19 Implementation (2/2)  Compiler Instrumentation  C code: Instrumentation on Low-level IR (RTL)  Language-independent  Extract program semantics to filter false alarms  Boundary checked data may be used safely  Assembly code  Use wrapper functions to propagate taint information  memset, strcpy, memcpy, etc.

20 Tag Memory Operation Load Computation Example Instrumentation Simulating NaT generation

21 Outline SHIFT: From Speculative Execution to DIFT SHIFT Design and Implementation Evaluation Security evaluation Performance evaluation Conclusion

22 Experimental Setup  Machine setup:  HP Integrity rx1620  Two 1.6GHz Itanium processors  4GB of memory  Redhat Linux Enterprise 4  GCC with –O3 optimization flag  Security evaluation  Several real-world vulnerabilities from CVE (http://cve.mitre.org)  Performance evaluation  Apache web-server using apache benchmark (ab)  Eight applications from SPECINT-2000  disk input as untrusted source

23 Questions for Evaluation  Can SHIFT defeat real-world security attacks?  Does SHIFT provide reasonable performance?  What contributes to the performance overhead?

24 Security Policies in SHIFT  Default policies  Tainted data cannot be used as load/store address  No modification of critical CPU state (e.g. branch registers)  Application semantic policies (Xu et al. security’06, Raksha isca’07 )  Directory transversal  Tainted data cannot be used as an absolute file path  Cross-site scripting  No tainted script tag ( )  SQL injection attack  Tainted data cannot contain SQL meta chars

25 SHIFT Security Results CVE#Program (Version)Tainted <>Attack Type GNU Tar (1.4)CDirectory Traversal GNU Gzip (1.2.4)CDirectory Traversal Qwikiwiki (1.4.1)PHPDirectory Traversal Scry (1.1)PHPCross Site Scripting php-stats ( )PHPCross Site Scripting phpsysinfo (2.3)PHPCross Site Scripting phpmyfaq (1.6.8)PHP SQL Command Injection N/ABftpd(0.96 prior)CFormat string attack High-level Semantic Attacks Low-level Memory Corruption Attacks

26 Performance Overhead with Apache 4.1% average about 1% overhead 0.5%

27 Relative Perf. of SPEC 4.7X 1.3X average 2.81X at byte-level and 2.27X at word-level

28 Relative Perf. of SPEC-INT (Arch Support) average 2.32X and 1.8X at byte- and word-level 1.29X 3.02X  0.49X and 0.47X improvement over no-arch support for byte- and word-level  With instructions clearing/setting DEP token and DEP-aware compare instructions in Itanium

29 DIFT Costs w/ (w/o) Control Speculation Instruction categories Example Instructions Proportion ( SPECINT-2K ) # DIFT insts w/o control speculation # DIFT insts w/ control speculation Arithmeticadd r7, r8, r945.7%5-60 Control-flowbeq r7,r8, r917.6%2-40 Memoryld r7, 8(r8)36.3%7-86-7

30 SPEC-INT 2000 (Breakdown of Remaining Overhead) Load Computation dominates the performance overhead

31 Related work  Software-based DIFT  TaintCheck (NDSS’05), LIFT (MICRO’06), Xu et al. security’06, Dytan (ISTAA’07)  Hardware-based DIFT  Minos (MICRO’04), Suh et al.(ASPLOS’04), Raksha(ISCA’07), Flexitaint (HPCA’08)

32 Conclusion Practical and efficient DIFT system ◦ Novel use of DEP to accelerate DIFT To-date best performance data for SPECINT-2000 ◦ 2.81X and 2.27X slowdown for byte- and word-level Non-invasive architectural support ◦ Reduce the performance slowdown to 2.32X and 1.8X ◦ Future work ◦ Compiler optimization could reduce overhead

33 Questions?  Thanks

34 Practical and Efficient Information Flow Tracking Using Speculative Hardware Haibo Chen, Xi Wu, Liwei Yuan, Binyu Zang Fudan Univ. Pen-chung Yew Univ. of Minnesota Frederic T. Chong UCSB May 12, 2015

35 Code Size Expansion 1.45X for byte-level And 1.36X for word-level 3.88X for byte-level And 3.23X for word-level Average 2.71X for byte-level And 2.43X for word-level

36 Relative Perf. of SPEC (Coexist DIFT and Control Speculation)  Average 0.05X and 0.06X increase in slowdown for byte- and word-level 4.6X 1.3X average 2.86X at byte-level and 2.34X at word-level

37 Tag Management in Itanium (1/2) Virtual address space in Linux Tag address space

38 Tag Management in Itanium (2/2) Mapping from VA to TA

39 Related work  LIFT (micro’06)  Use binary translation, support unmodified binaries  Only detect low-level memory-corruption attack  Aggressive compiler optimization to reduce tracking code  Average 4.6X performance slowdown for SPECINT-2000

40 Backup slides  Compiler Optimization  Sophisticated optimization is promising  one of our main future work  Use profiling to decide if control speculation is needed  Handling self-modifying code  not often in application code  Multi-threaded applications

41 Discussion and Further Work Compiler Optimization ◦ sophisticated optimization is promising ◦ Multi-threaded applications


Download ppt "Practical and Efficient Information Flow Tracking Using Speculative Hardware Haibo Chen, Xi Wu, Liwei Yuan, Binyu Zang Fudan Univ. Pen-chung Yew Univ."

Similar presentations


Ads by Google