Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer

Computer Science Emre Can Sezer

Computer Science Emre Can Sezer Outline Quick wrap-up of last semester’s presentation Basic design Problems and Solutions –Pointers –Structure types Discussion –Performance considerations –Applications

Computer Science Emre Can Sezer Wrap-up of last semester’s talk C is not type safe, and continue to have vulnerabilities Worm outbreaks –NIDS’s can only detect random scanning worms –NIDS’s accept a certain number of casualties Data attacks evade most HIDS’s We need a good host-based framework to detect a broad range of memory corruption attacks

Computer Science Emre Can Sezer Main Observation with an Illustrative Example Line 11 can overflow buffer. Line 11 should only be writing to buffer. 1 void func () { 2 int isAdmin; 3 char buffer[255]; 4 isAdmin = 0; 5 if ( check_pssw(buffer) ) { 6 isAdmin = 1; 7 } else { 8 isAdmin = 0; 9 } 10 … 11 scanf (“%s”, buffer); 12 … 13 if (isAdmin) {…} else {…} 14 … 15 return; 16 } Overflow Ret. address Buffer[255] isAdmin Activation Record of func() on stack

Computer Science Emre Can Sezer Basic Design Observation: A memory location is only modified by a small number of instructions. Idea: –Select a list of memory locations to monitor –For every location determine the list of instructions that can modify it, called the memory location’s write set (WS). –At runtime perform checks to ensure monitored memory locations are only modified by instructions in their WS. Implementation has two parts: –Static analysis –Dynamic monitoring

Computer Science Emre Can Sezer Static Analysis Use source code analysis For every variable, determine the variable’s WS. –Assignment instructions where the variable is on the LHS. –Library function calls in which the variable is used as an argument that the function can modify (i.e. memcpy()) Current implementation uses Code Surfer A script automatically extracts all the information required

Computer Science Emre Can Sezer Dynamic Monitoring Terminology –Monitoring agent is called “agent” for short –The list of memory locations that are being monitored is M. Illegal write checking –Capturing of memory writes and set membership checks State maintenance –Capturing function calls and returns –Capturing malloc family of function calls –“Points to” tracking for pointers* We have written a skin for Valgrind, an open source x86 emulator, for dynamic monitoring

Computer Science Emre Can Sezer System Overview

Computer Science Emre Can Sezer Problems and Solutions Static AnalysisDynamic Monitoring Variable namesMemory addresses Line numbersProgram counter (PC) If code is compiled with debug flags, a PC can be translated into a file name and line number. ? Static Analysis and Dynamic Monitoring don’t talk the same language

Computer Science Emre Can Sezer Finding variables on memory Global variables –Reside in the data segment –Have fixed addresses Local variables –Their addresses depend on the function call stack –They are defined as offsets from the beginning of the function’s activation record –Function calls must be monitored at runtime

Computer Science Emre Can Sezer Problem: Good old pointers Line 4 is writing to a heap location How do we monitor and associate with line 4? Solution: –For a pointer p, keep two separate WS’s One for the pointer variable itself WS(p) Another for the memory region it points to WS(ref(p)) –At runtime determine ref(p) and add WS(ref(p)) to ref(p)’s WS. 1 void main () { 2 int * array; 3 array = (int *) malloc (10*sizeof(int)); 4 array[5] = 42; 5 }

Computer Science Emre Can Sezer Problem: Good old pointers Side benefits –Inter-procedural static analysis is not required. –Pointer aliasing and arithmetic can be handled.

Computer Science Emre Can Sezer Problem: Good old pointers If a function has pointer type formal arguments, we check where they point to at function call time In this example, line 2 is added to a’s WS. 1 int square (int * num) { 2 *num = (*num) * (*num); 3 } 4 void main () { 5 int a; 6 scanf (“%d”, &a); 7 square (&a); 8 printf (“%d\n”, a); 9 }

Computer Science Emre Can Sezer Problem: Chained Dereferences Our current approach cannot handle this situation Relation between line 4 and var z is lost Solution: –Use source code rewriting –Replace all complex dereferences with simple dereferences by introducing temporary variables 1 int z; 2 int * y = &z; 3 int ** x = &y; 4 **x = 5; 1 int z; 2 int * y = &z; 3 int ** x = &y; 4a int * temp1 = *x; 4b *temp1 = 5;

Computer Science Emre Can Sezer Problem: Structures Not handled in our current implementation Solution: –Treat every field of a structure as a separate variable with its own WS –Instructions operating on a structure variable is added to each field’s WS seperately struct { int num; char str[4]; } entry; 1 int main () { 2 struct entry var; 3 strcpy(var.str, "Hello"); 4 return 0; 5 } struct { int num; char str[4]; } entry; 1int main() { 2 struct entry base; 3 struct entry * var = &base; 4 strcpy(var->str, "Hello"); 5 }

Computer Science Emre Can Sezer Discussion: Capabilities Detects memory corruption errors at the time of write Can provide information about: –Instruction causing the error –Variable that was illegitimately written to –Current user stack –The error type (buffer overflow, double free etc.)

Computer Science Emre Can Sezer Discussion: Performance No real performance results yet Expecting to see 20x slow down We keep data structures for each variable, so memory requirement may be high Implications? –How much CPU/RAM does a web server use? –How bad is bad? 1% increase 1000% increase? –How does application runtime overhead influence service?

Computer Science Emre Can Sezer Discussion: Applications Attack identification –Use light-weight IPS –Replay attack on instrumented version to identify attack Debugging tool –Testing and debugging usually don’t have lower performance demands

Computer Science Memory Level Monitoring for Detecting Illegal Writes Ongoing Research by Emre Can Sezer