Presentation is loading. Please wait.

Presentation is loading. Please wait.

Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer.

Published byNora Cummings Modified over 8 years ago

Similar presentations

Presentation on theme: "Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer."— Presentation transcript:

1 Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer

2 Computer Science Emre Can Sezer

3 Computer Science Emre Can Sezer Outline Quick wrap-up of last semester’s presentation Basic design Problems and Solutions –Pointers –Structure types Discussion –Performance considerations –Applications

4 Computer Science Emre Can Sezer Wrap-up of last semester’s talk C is not type safe, and continue to have vulnerabilities Worm outbreaks –NIDS’s can only detect random scanning worms –NIDS’s accept a certain number of casualties Data attacks evade most HIDS’s We need a good host-based framework to detect a broad range of memory corruption attacks

5 Computer Science Emre Can Sezer Main Observation with an Illustrative Example Line 11 can overflow buffer. Line 11 should only be writing to buffer. 1 void func () { 2 int isAdmin; 3 char buffer[255]; 4 isAdmin = 0; 5 if ( check_pssw(buffer) ) { 6 isAdmin = 1; 7 } else { 8 isAdmin = 0; 9 } 10 … 11 scanf (“%s”, buffer); 12 … 13 if (isAdmin) {…} else {…} 14 … 15 return; 16 } Overflow Ret. address Buffer[255] isAdmin Activation Record of func() on stack

6 Computer Science Emre Can Sezer Basic Design Observation: A memory location is only modified by a small number of instructions. Idea: –Select a list of memory locations to monitor –For every location determine the list of instructions that can modify it, called the memory location’s write set (WS). –At runtime perform checks to ensure monitored memory locations are only modified by instructions in their WS. Implementation has two parts: –Static analysis –Dynamic monitoring

7 Computer Science Emre Can Sezer Static Analysis Use source code analysis For every variable, determine the variable’s WS. –Assignment instructions where the variable is on the LHS. –Library function calls in which the variable is used as an argument that the function can modify (i.e. memcpy()) Current implementation uses Code Surfer A script automatically extracts all the information required

8 Computer Science Emre Can Sezer Dynamic Monitoring Terminology –Monitoring agent is called “agent” for short –The list of memory locations that are being monitored is M. Illegal write checking –Capturing of memory writes and set membership checks State maintenance –Capturing function calls and returns –Capturing malloc family of function calls –“Points to” tracking for pointers* We have written a skin for Valgrind, an open source x86 emulator, for dynamic monitoring

9 Computer Science Emre Can Sezer System Overview

10 Computer Science Emre Can Sezer Problems and Solutions Static AnalysisDynamic Monitoring Variable namesMemory addresses Line numbersProgram counter (PC) If code is compiled with debug flags, a PC can be translated into a file name and line number. ? Static Analysis and Dynamic Monitoring don’t talk the same language

11 Computer Science Emre Can Sezer Finding variables on memory Global variables –Reside in the data segment –Have fixed addresses Local variables –Their addresses depend on the function call stack –They are defined as offsets from the beginning of the function’s activation record –Function calls must be monitored at runtime

12 Computer Science Emre Can Sezer Problem: Good old pointers Line 4 is writing to a heap location How do we monitor and associate with line 4? Solution: –For a pointer p, keep two separate WS’s One for the pointer variable itself WS(p) Another for the memory region it points to WS(ref(p)) –At runtime determine ref(p) and add WS(ref(p)) to ref(p)’s WS. 1 void main () { 2 int * array; 3 array = (int *) malloc (10*sizeof(int)); 4 array[5] = 42; 5 }

13 Computer Science Emre Can Sezer Problem: Good old pointers Side benefits –Inter-procedural static analysis is not required. –Pointer aliasing and arithmetic can be handled.

14 Computer Science Emre Can Sezer Problem: Good old pointers If a function has pointer type formal arguments, we check where they point to at function call time In this example, line 2 is added to a’s WS. 1 int square (int * num) { 2 *num = (*num) * (*num); 3 } 4 void main () { 5 int a; 6 scanf (“%d”, &a); 7 square (&a); 8 printf (“%d\n”, a); 9 }

15 Computer Science Emre Can Sezer Problem: Chained Dereferences Our current approach cannot handle this situation Relation between line 4 and var z is lost Solution: –Use source code rewriting –Replace all complex dereferences with simple dereferences by introducing temporary variables 1 int z; 2 int * y = &z; 3 int ** x = &y; 4 **x = 5; 1 int z; 2 int * y = &z; 3 int ** x = &y; 4a int * temp1 = *x; 4b *temp1 = 5;

16 Computer Science Emre Can Sezer Problem: Structures Not handled in our current implementation Solution: –Treat every field of a structure as a separate variable with its own WS –Instructions operating on a structure variable is added to each field’s WS seperately struct { int num; char str[4]; } entry; 1 int main () { 2 struct entry var; 3 strcpy(var.str, "Hello"); 4 return 0; 5 } struct { int num; char str[4]; } entry; 1int main() { 2 struct entry base; 3 struct entry * var = &base; 4 strcpy(var->str, "Hello"); 5 }

17 Computer Science Emre Can Sezer Discussion: Capabilities Detects memory corruption errors at the time of write Can provide information about: –Instruction causing the error –Variable that was illegitimately written to –Current user stack –The error type (buffer overflow, double free etc.)

18 Computer Science Emre Can Sezer Discussion: Performance No real performance results yet Expecting to see 20x slow down We keep data structures for each variable, so memory requirement may be high Implications? –How much CPU/RAM does a web server use? –How bad is bad? 1% increase 1000% increase? –How does application runtime overhead influence service?

19 Computer Science Emre Can Sezer Discussion: Applications Attack identification –Use light-weight IPS –Replay attack on instrumented version to identify attack Debugging tool –Testing and debugging usually don’t have lower performance demands

20 Computer Science Memory Level Monitoring for Detecting Illegal Writes Ongoing Research by Emre Can Sezer

Download ppt "Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer."

Similar presentations

Dynamic Memory Allocation in C.  What is Memory What is Memory  Memory Allocation in C Memory Allocation in C  Difference b\w static memory allocation.

Dynamic Memory Allocation in C.  What is Memory What is Memory  Memory Allocation in C Memory Allocation in C  Difference b\w static memory allocation.
Introduction to Memory Management. 2 General Structure of Run-Time Memory.

Introduction to Memory Management. 2 General Structure of Run-Time Memory.
SPLINT STATIC CHECKING TOOL Sripriya Subramanian 10/29/2002.

SPLINT STATIC CHECKING TOOL Sripriya Subramanian 10/29/2002.
Kernighan/Ritchie: Kelley/Pohl:

Kernighan/Ritchie: Kelley/Pohl:
(1) ICS 313: Programming Language Theory Chapter 10: Implementing Subprograms.

(1) ICS 313: Programming Language Theory Chapter 10: Implementing Subprograms.
Informática II Prof. Dr. Gustavo Patiño MJ 16- 18 24-09-2013.

Informática II Prof. Dr. Gustavo Patiño MJ
Dynamic Memory Allocation in C++. Memory Segments in C++ Memory is divided in certain segments – Code Segment Stores application code – Data Segment Holds.

Dynamic Memory Allocation in C++. Memory Segments in C++ Memory is divided in certain segments – Code Segment Stores application code – Data Segment Holds.
Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro, Tim Harris Microsoft Research Cambridge University of Cambridge.

Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro, Tim Harris Microsoft Research Cambridge University of Cambridge.
1 Chapter 7: Runtime Environments. int * larger (int a, int b) { if (a > b) return &a; //wrong else return &b; //wrong } int * larger (int *a, int *b)

1 Chapter 7: Runtime Environments. int * larger (int a, int b) { if (a > b) return &a; //wrong else return &b; //wrong } int * larger (int *a, int *b)
Memory Arrangement Memory is arrange in a sequence of addressable units (usually bytes) –sizeof( ) return the number of units it takes to store a type.

Memory Arrangement Memory is arrange in a sequence of addressable units (usually bytes) –sizeof( ) return the number of units it takes to store a type.
Run-time Environment and Program Organization

Run-time Environment and Program Organization
1 Pointers, Dynamic Data, and Reference Types Review on Pointers Reference Variables Dynamic Memory Allocation –The new operator –The delete operator –Dynamic.

1 Pointers, Dynamic Data, and Reference Types Review on Pointers Reference Variables Dynamic Memory Allocation –The new operator –The delete operator –Dynamic.
1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)

1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)
1 Procedural Concept The main program coordinates calls to procedures and hands over appropriate data as parameters.

1 Procedural Concept The main program coordinates calls to procedures and hands over appropriate data as parameters.
Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.

Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.
Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.

Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.
Runtime Environments What is in the memory?. 2301373 Runtime Environment2 Outline Memory organization during program execution Static runtime environments.

Runtime Environments What is in the memory? Runtime Environment2 Outline Memory organization during program execution Static runtime environments.
CS 11 C track: lecture 5 Last week: pointers This week: Pointer arithmetic Arrays and pointers Dynamic memory allocation The stack and the heap.

CS 11 C track: lecture 5 Last week: pointers This week: Pointer arithmetic Arrays and pointers Dynamic memory allocation The stack and the heap.
Outline Midterm results Static variables Memory model

Outline Midterm results Static variables Memory model
Runtime Environments Compiler Construction Chapter 7.

Runtime Environments Compiler Construction Chapter 7.

Similar presentations

Ads by Google