Presentation is loading. Please wait.

Presentation is loading. Please wait.

Orchestra: Intrusion Detection Using Parallel Execution and Monitoring of Program Variants in User-Space Babak Salamat, Todd Jackson, Andreas Gal, Michael.

Published byChristopher Garrett Modified over 8 years ago

Similar presentations

Presentation on theme: "Orchestra: Intrusion Detection Using Parallel Execution and Monitoring of Program Variants in User-Space Babak Salamat, Todd Jackson, Andreas Gal, Michael."— Presentation transcript:

1 Orchestra: Intrusion Detection Using Parallel Execution and Monitoring of Program Variants in User-Space Babak Salamat, Todd Jackson, Andreas Gal, Michael Franz Department of Computer Science School of Information and Computer Sciences University of California, Irvine March 2009 1

2 Multi-Variant Execution 2

3 Detection Requirements  Lock-step execution  Feed all variants with identical input  Attack vectors have different effects on different variants 3

4 Reverse Stack Growth Direction  Stack objects are located in opposite positions 4

5 Top 20 Vulnerabilities of All Time 5

6 From Source to Execution 6

7 Orchestra Architecture  The monitor is a user-space application 7

8 Granularity of Monitoring  Granularity of monitoring and Synchronization  Ideally after each instruction  Not always possible  Performance issues  Synchronize and monitor at system calls  No harm is done without calling any system call  All instances must invoke the same syscall with equivalent arguments 8

9 System Call Monitoring  Debugging facility of Linux (ptrace) is used to build the monitor  The monitor is notified twice per system call 9

10 System Call Monitoring (cont.)  Equivalency is checked at the beginning of a system call  The system calls must be the same  Arguments must be equivalent  Pointers (buffers) have the same content  Values are identical  Results of the system call are written back to the variants at the end of the system call if needed 10

11 System Call Execution  Non-state changing system call that produce immutable results are executed by all 11

12 System Call Execution (cont.)  State changing system calls are executed by the monitor 12

13 System Call Execution (cont.)  Non-state changing system call that produce non- immutable results are executed by all, results are copied from the first variant to all 13

14 Skipping a System Call  A system call must be executed when OS is notified  Replace the system call by a non-state changing one to skip it 14

15 Data Transfer  ptrace transfers only 4 bytes at a time  very slow in transferring large buffers 15

16 Data Transfer (cont.)  We tried using named pipes, but they cannot transfer more than 4K bytes at a time  Shared memory is fast and can transfer mega bytes 16

17 Data Transfer Performance Shared memory is about 1000 times faster than ptrace and 20 times faster than FIFO in transferring a 128K buffer 17

18 Removing False Positives False positives are the major practical issue in using multi-variant execution 18

19 Multi-Threaded Variants  Different scheduling of multi-threaded or multi-process applications can cause false positives 19

20 Monitoring multi-threaded variants  Corresponding threads/processes must be synchronized to each other 20

21 Deficiency of ptrace  Only one monitor can attach to a process  If the main monitor detaches from thread 2, thread 2 will continue execution  Many system calls may be executed before the second monitor attaches 21

22 Solution to The ptrace Problem  The main monitor continues monitoring new threads/processes until the first system call invocation  The first system call is replaced by “pause”  The main monitor detaches  The second monitor attaches without missing any system call 22

23 Asynchronous Signals  Signal handlers can cause different sequences of system calls to be executed by the variants 23

24 File Descriptors  The same file descriptor is always reported to all variants when they invoke system calls that return a file descriptor 24

25 Process ID  Monitor reports the process ID of the first variant to all  The PID of the first variant’s child process is reported as the result of fork or clone to all the variants 25

26 Process IDs in Arguments  When variants need to run a system call that receives a PID, appropriate PID is restored before the execution of the system call 26

27 Time and Random Numbers  System calls that read time (e.g., gettimeofday) are executed by one variant and the result is copied to all  By providing identical time and other system information to all variants, they likely use the same seed to generate random numbers  The monitor reads /dev/urandom and copies the result to all variants  Reading CPU time stamp counters (RDTSC) may still cause false positives 27

28 Performance 28

29 Summary  Multi-variant execution is an effective technique in detecting and disrupting attacks  A reverse stack executable can prevent stack-based buffer overflow vulnerabilities in a multi-variant environment  The introduced techniques remove most sources of false positives in multi-variant execution  Running two parallel variants have about 15% overhead on a multi-core processor 29

30 Thank you Questions? 30

31 Performance on a Loaded System 31

32 Reversing the Stack Growth  Most hardware platforms support one stack growth direction  Stack manipulation instructions should be augmented 32

33 CALL and RET instructions  SP adjustment cannot be performed after a CALL or RET  Adjust SP at the prologue of functions for CALL s  Adjust SP after CALL s for RET s 33

34 Arrays and Structures  Order of bytes in large units of data must be the same for all stack growth directions 34

35 Callee Popped Arguments  Some functions remove their own arguments from the stack (e.g., __stdcall)  “RET n” in x86 reads return address then increments SP by n  GCC considers ECX as clobbered after a function call. Using ECX does not need store and restore 35 Normal StackReverse Stack ret $8movl -4(%esp), %ecx leal -12(%esp), %esp jmp *%ecx

36 Effects of Compiler Optimization  Many of the SP adjustment instructions are removed 36 Non-optimizedOptimized addl $8,%esp movl -12(%ebp),%eax movl %eax,-4(%esp) leal 4(%esp),%esp call strlen leal -4(%esp),%esp movl %eax,-8(%esp) movl $.LC0,-4(%esp) leal 4(%esp),%esp call printf leal -4(%esp),%esp addl $12,%esp movl -12(%ebp),%eax movl %eax,-8(%esp) call strlen movl $.LC0,-8(%esp) movl %eax,-12(%esp) call printf subl $4,%esp

37 37 Attacking the Reverse Stack

38 Heap layout randomization  Locations of heap blocks are randomized 38

39 System call number randomization  System calls are not identical in all variants 39

40 Instruction Set Randomization  Instructions have different meanings in different variants 40

41 Reverse Stack Growth Direction  Stack objects are located in opposite positions 41

Download ppt "Orchestra: Intrusion Detection Using Parallel Execution and Monitoring of Program Variants in User-Space Babak Salamat, Todd Jackson, Andreas Gal, Michael."

Similar presentations

3.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Process An operating system executes a variety of programs: Batch system.

3.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Process An operating system executes a variety of programs: Batch system.
More on Processes Chapter 3. Process image _the physical representation of a process in the OS _an address space consisting of code, data and stack segments.

More on Processes Chapter 3. Process image _the physical representation of a process in the OS _an address space consisting of code, data and stack segments.
Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
Exceptional Control Flow Processes Today. Control Flow Processors do only one thing: From startup to shutdown, a CPU simply reads and executes (interprets)

Exceptional Control Flow Processes Today. Control Flow Processors do only one thing: From startup to shutdown, a CPU simply reads and executes (interprets)
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
Architectural Support for OS March 29, 2000 Instructor: Gary Kimura Slides courtesy of Hank Levy.

Architectural Support for OS March 29, 2000 Instructor: Gary Kimura Slides courtesy of Hank Levy.
Processes CSCI 444/544 Operating Systems Fall 2008.

Processes CSCI 444/544 Operating Systems Fall 2008.
1 Function Calls Professor Jennifer Rexford COS 217 Reading: Chapter 4 of “Programming From the Ground Up” (available online from the course Web site)

1 Function Calls Professor Jennifer Rexford COS 217 Reading: Chapter 4 of “Programming From the Ground Up” (available online from the course Web site)
1 Operating Systems and Protection Professor Jennifer Rexford CS 217.

1 Operating Systems and Protection Professor Jennifer Rexford CS 217.
CS 536 Spring 20011 Code generation I Lecture 20.

CS 536 Spring Code generation I Lecture 20.
Accessing parameters from the stack and calling functions.

Accessing parameters from the stack and calling functions.
3.5 Interprocess Communication

3.5 Interprocess Communication
Advanced OS Chapter 3p2 Sections 3.4 / 3.5. Interrupts These enable software to respond to signals from hardware. The set of instructions to be executed.

Advanced OS Chapter 3p2 Sections 3.4 / 3.5. Interrupts These enable software to respond to signals from hardware. The set of instructions to be executed.
Computer System Organization S H Srinivasan

Computer System Organization S H Srinivasan
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 3: Processes.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 3: Processes.
September 22, 2014 Pengju (Jimmy) Jin Section E

September 22, 2014 Pengju (Jimmy) Jin Section E
Threads CS 416: Operating Systems Design, Spring 2001 Department of Computer Science Rutgers University

Threads CS 416: Operating Systems Design, Spring 2001 Department of Computer Science Rutgers University
Stacks and Frames Demystified CSCI 3753 Operating Systems Spring 2005 Prof. Rick Han.

Stacks and Frames Demystified CSCI 3753 Operating Systems Spring 2005 Prof. Rick Han.
CSE 451: Operating Systems Autumn 2013 Module 6 Review of Processes, Kernel Threads, User-Level Threads Ed Lazowska 570 Allen.

CSE 451: Operating Systems Autumn 2013 Module 6 Review of Processes, Kernel Threads, User-Level Threads Ed Lazowska 570 Allen.
1 CS503: Operating Systems Part 1: OS Interface Dongyan Xu Department of Computer Science Purdue University.

1 CS503: Operating Systems Part 1: OS Interface Dongyan Xu Department of Computer Science Purdue University.

Similar presentations

Ads by Google