Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dynamic Program Security Aaron Roth Ali Sinop Gunhee Kim Hyeontaek Lim.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Dynamic Program Security Aaron Roth Ali Sinop Gunhee Kim Hyeontaek Lim."— Presentation transcript:

1 Dynamic Program Security Aaron Roth Ali Sinop Gunhee Kim Hyeontaek Lim

2 Security Attacks Software that deals with input is potentially vulnerable to attacks: Low-level Attacks: –Buffer Overflows: Writing data without bounds checking can corrupt adjacent memory locations. Can overwrite return pointer and hijack control flow…

3 Security Attacks Semantic Attacks: –Everything looks ok at the low-level, but… SELECT Userlist.Username FROM Userlist WHERE Userlist.Username = ‘Username’ AND Userlist.Password = ‘Password’ SELECT Userlist.Username FROM Userlist WHERE Userlist.Username = ‘Username’ AND Userlist.Password = ‘Password’ OR ‘1’=‘1’

4 Solution? Tracking untrusted information –Assign a ‘taint bit’ to every word of memory. Set to 1 if it came from an untrusted source, or if it was derived from an untrusted register. –Throw a security exception if something dangerous is done with a tainted word: Instruction Execution Pointer Dereferencing … DONE!

5 Problems? A Naïve software implementation of this is slow… (up to 37x slowdown) –Remember PIN? A hardware-only implementation risks lots of false negatives/false positives –Doesn’t know about program semantics, or when data has been verified to be safe Solution?

6 Raksha: A Flexible Information Flow Architecture for Software Security Michael Dalton, Hari Kannan and Christos Kozyrakis Computer Systems Laboratory, Stanford University ISCA 2007

7 Prior Work Software-based methods: + Flexible –Either require access to source code [Xu et al’06] or, –Binary instrumentations lead to slowdowns from 3x to 37x [Qin et al’06, Newsome & Song’05] –Not safe with multi-threading [Qin et al’06] Hardware-based methods: + Fast –Hardcoded security policies –Can’t prevent high-level attacks [Dalton et al’06]

8 Basic Approach Taint propagation mechanism as mentioned earlier (dynamic information flow): –Extend all storage by 4-bit tag bits at 32-bit word level. –One bit for each policy –Each instruction is given one or more classes: –Floating Point –Move –Integer Arithmetic –Comparisons –Logical –TPR: Tag Propagation Registers for each active security policy (=4) –Designates how to compute the result tag from source tag(s) –for each instruction class –Certain instructions can untaint data: Example: –Buffer overwrite: Bounds checking by comparison [Chen et al’05]

9 Basic Approach (2) –Checking for security violations: –TCR: Tag Check Registers for each active security policy (=4) –Specifies which operands should be checked for tag exception. –Also handles corner cases (false positives): –Should XOR r1, r1, r1 make r1 untainted?

10 Even more Raksha Trusted processor mode –Access to security policy TPR and TCR registers User-defined security handler –Raised when an unsafe operation is executed on a tainted operand –Should distinguish false-positives –Efficient because no kernel/user mode switch

11 Results ProgramLanguageAttackDetected Vulnerability gzipCDirectory traversal Open file with tainted absolute path ScryPHPCross-site scriptingTainted HTML output includes ProFTPDCSQL injectionUnescaped tainted SQL query polymorphCBuffer overflowTainted code pointer dereference (return address) ProgramRaksha Slowdown bzip21.33x crafty1.00x gap1.12x

12 Flexible Hardware Acceleration for Instruction-Grain Lifeguards Shimin Chen 1, Michael Kozuch 1, Theodoros Strigkos 2, Babak Falsafi 3, Phillip B. Gibbons 1, Todd C. Mowry 1,2, Vijaya Ramachandran 4, Olatunji Ruwase 2, Michael Ryan 1, Evangelos Vlachos 2 1 Intel Research Pittsburgh 2 CMU 3 EPFL 4 UT Austin ISCA 2008

13 Flexible Hardware Acceleration for Instruction-Grain Lifeguards Dynamic Monitoring Tool (during application execution) Ex. Memory access, Data Flow

14 Flexible Hardware Acceleration for Instruction-Grain Lifeguards Dynamic Monitoring Tool (during application execution) Ex. DBI: 10~100 times Slowdown Ex. Memory access, Data Flow

15 Flexible Hardware Acceleration for Instruction-Grain Lifeguards Ex. DBI: 10~100 times Slowdown Applications/bugs, attacks are always changed Ex. Memory access, Data Flow Dynamic Monitoring Tool (during application execution)

16 Summary Fast and Flexible Lifeguard Specific Lifeguard General Purpose: Wide Range of Lifeguards Dynamic binary instrumentation (DBI) 10-100X slowdowns General-Purpose HW improving DBI 3-8X slowdowns Lifeguard-specific hardware This paper Performance Good Poor [Bruening’04] [Luk et al’05] [Nethercote’04] [Crandall & Chong’04], [Dalton et al’07], [Shetty et al’06], [Shi et al’06], [Suh et al’04], [Venkataramani’07], [Venkataramani’08], [Zhou et al’07] [Chen et al’06] [Corliss’03] [Source] http://www.ece.cmu.edu/~tstrigko/papers/LBA-isca08-final.ppt

17 Approach Identify three main sources of lifeguard overhead –Propagation-style metadata updates –Metadata checks –Matadata mapping Propose three hardware acceleration techniques –Inheritance tracking (IT) –Idempotent filters (IF) –Metadata-TLBs (M-TLB) Log-based architecture (LBA)

18 Results AddrCheck TaintCheck TaintCheck w/ detailed tracking LockSet MemCheck 3.23 1.90 1.02 7.80 6.05 3.81 3.27 3.36 2.29 1.36 4.21 2.71 1.51 4.25 3.20 1.40 0.0 1.0 2.0 3.0 4.0 5.0 6.0 7.0 8.0 9.0 10.0 BASE MTLB MTLB+IF BASE MTLB MTLB+IT MTLB+IT+IF BASE MTLB MTLB+IT BASE MTLB MTLB+IT BASE MTLB MTLB+IF average slowdowns [Source] http://www.ece.cmu.edu/~tstrigko/papers/LBA-isca08-final.ppt

19 Discussion Dynamic checking seems to be good… Let’s check dynamic checking!

20 Who Checks? Software only –Adaptable to new types of checking –Very slow Mostly hardware –Low overheads –Specialized & needs more complex hardware HW checks, but SW analyzes ([Dalton et al’07]) SW checks, but HW accelerates ([Chen et al’08]) Other hybrid methods?

21 What Does It Check? Hand-written invariants –Time consuming to write –Error-prone –Can be another source of bug & security problems! Automatically finding invariants?

22 When Does It Check? Immediately checking –Blocks main execution when handling security exception ([Dalton et al’07]) –Stops any error propagation if found –Makes unnecessary latency for false-positives Not immediately checking –Records execution log & check it ([Chen et al’06,’08]) –Can hide latency & utilize idle/multiple cores –May be too late to stop error propagation Some hybrid methods?

23 Conclusion Dynamic checking –Promising solution to detect security attacks –Abundant research opportunities

Download ppt "Dynamic Program Security Aaron Roth Ali Sinop Gunhee Kim Hyeontaek Lim."

Similar presentations

Flexible Hardware Acceleration for Instruction-Grain Program Monitoring Joint work with Michael Kozuch 1, Theodoros Strigkos 2, Babak Falsafi 3, Phillip.

Flexible Hardware Acceleration for Instruction-Grain Program Monitoring Joint work with Michael Kozuch 1, Theodoros Strigkos 2, Babak Falsafi 3, Phillip.
Overcoming an UNTRUSTED COMPUTING BASE: Detecting and Removing Malicious Hardware Automatically Matthew Hicks Murph Finnicum Samuel T. King University.

Overcoming an UNTRUSTED COMPUTING BASE: Detecting and Removing Malicious Hardware Automatically Matthew Hicks Murph Finnicum Samuel T. King University.
IMPACT Second Generation EPIC Architecture Wen-mei Hwu IMPACT Second Generation EPIC Architecture Wen-mei Hwu Department of Electrical and Computer Engineering.

IMPACT Second Generation EPIC Architecture Wen-mei Hwu IMPACT Second Generation EPIC Architecture Wen-mei Hwu Department of Electrical and Computer Engineering.
Compiler Optimized Dynamic Taint Analysis James Kasten Alex Crowell.

Compiler Optimized Dynamic Taint Analysis James Kasten Alex Crowell.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
1/1/ / faculty of Electrical Engineering eindhoven university of technology Architectures of Digital Information Systems Part 1: Interrupts and DMA dr.ir.

1/1/ / faculty of Electrical Engineering eindhoven university of technology Architectures of Digital Information Systems Part 1: Interrupts and DMA dr.ir.
Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.

Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.
ECE 720T5 Fall 2012 Cyber-Physical Systems Rodolfo Pellizzoni.

ECE 720T5 Fall 2012 Cyber-Physical Systems Rodolfo Pellizzoni.
1/1/ / faculty of Electrical Engineering eindhoven university of technology Introduction Part 3: Input/output and co-processors dr.ir. A.C. Verschueren.

1/1/ / faculty of Electrical Engineering eindhoven university of technology Introduction Part 3: Input/output and co-processors dr.ir. A.C. Verschueren.
Practical and Efficient Information Flow Tracking Using Speculative Hardware Haibo Chen, Xi Wu, Liwei Yuan, Binyu Zang Fudan Univ. Pen-chung Yew Univ.

Practical and Efficient Information Flow Tracking Using Speculative Hardware Haibo Chen, Xi Wu, Liwei Yuan, Binyu Zang Fudan Univ. Pen-chung Yew Univ.
Chrysalis Analysis: Incorporating Synchronization Arcs in Dataflow-Analysis-Based Parallel Monitoring Michelle Goodstein*, Shimin Chen †, Phillip B. Gibbons.

Chrysalis Analysis: Incorporating Synchronization Arcs in Dataflow-Analysis-Based Parallel Monitoring Michelle Goodstein*, Shimin Chen †, Phillip B. Gibbons.
LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks - F. Qin, C. Wang, Z. Li, H. Kim, Y. Zhou, Y. Wu (UIUC,

LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks - F. Qin, C. Wang, Z. Li, H. Kim, Y. Zhou, Y. Wu (UIUC,
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
RAKSHA A Flexible Information Flow Architecture for Software Security Michael Dalton Hari Kannan Christos Kozyrakis Computer Systems Laboratory Stanford.

RAKSHA A Flexible Information Flow Architecture for Software Security Michael Dalton Hari Kannan Christos Kozyrakis Computer Systems Laboratory Stanford.
TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.

TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.
Efficient and Flexible Architectural Support for Dynamic Monitoring YUANYUAN ZHOU, PIN ZHOU, FENG QIN, WEI LIU, & JOSEP TORRELLAS UIUC.

Efficient and Flexible Architectural Support for Dynamic Monitoring YUANYUAN ZHOU, PIN ZHOU, FENG QIN, WEI LIU, & JOSEP TORRELLAS UIUC.
Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro, Tim Harris Microsoft Research Cambridge University of Cambridge.

Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro, Tim Harris Microsoft Research Cambridge University of Cambridge.
ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.

ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.
LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.

LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.
1 Achieving Trusted Systems by Providing Security and Reliability (Research Project #22) Project Members: Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun.

1 Achieving Trusted Systems by Providing Security and Reliability (Research Project #22) Project Members: Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun.

Similar presentations

Ads by Google