Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec. 5 2007.

Published byCali Scaggs Modified over 9 years ago

Similar presentations

Presentation on theme: "Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec. 5 2007."— Presentation transcript:

1 Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec. 5 2007

2 Dec 5, 2007University of Virginia2 Stack Smashing Format String Cross-site Scripting SQL Injection Integer Overflow Memory Allocator … Common trait: Incorrect use of untrusted resources

3 Dec 5, 2007University of Virginia3 Dynamic Tainting (DT) Keep track of the source for each byte used in the program Shadow Memory Taint Seed Taint Propagation Taint Assert

4 Dec 5, 2007University of Virginia4 Is the content in this location derived from untrusted source? Yes! Then I won’t jump there. I am suspicious I’ve got attacked. Illustration – Buffer Overflow

5 Dec 5, 2007University of Virginia5 So what’s the problem? Dynamic Tainting is also applied to: – Malware detection – Ensuring privacy policies – Software testing

6 Dec 5, 2007University of Virginia6 Way too slow! Better be kept from online usage. Traditional dynamic tainting systems incurs about 20x ~ 50+x overhead than direct execution. Why is it the case?

7 Dec 5, 2007University of Virginia7 add %eax, 4(%ebp) Imagine how we need to instrument this single instruction

8 Dec 5, 2007University of Virginia8 TasksCosts Spill a few registers (may include FLAG registers) for taint computation2~4 Map %eax to its shadow memory location1 Map memory (%ebp) to its shadow memory location2 Map FLAG registers to its shadow memory (optional)1~2 Load the taint status of the two operands2 Compute and store the new taint status in the shadow memory1~3 Restore the spilled registers (may include status registers)2~4 add %eax, 4(%ebp) 1 Tatal12~19

9 Dec 5, 2007University of Virginia9 Some essential facts –the tainting computation and the original computation are highly parallelizable. –taint shepparding itself can also be simpler if it is kept separate from the original computation. Some essential facts –the tainting computation and the original computation are highly parallelizable. –taint shepparding itself can also be simpler if it is kept separate from the original computation. Some essential facts –the tainting computation and the original computation are highly parallelizable. –taint shepparding itself can also be simpler if it is kept separate from the original computation. Our Treatment – Multiple Cores

10 Dec 5, 2007University of Virginia10 The Basic Model Main Proc Environment Variables Various global tables Runtime stack.data section.bss section.text section Heap area Shadow Proc Environment Variables Various global tables Runtime stack.data section.bss section.text section Heap area

11 Dec 5, 2007University of Virginia11 The Basic Model Main ProcShadow Proc add %eax, 4(%ebp) or %eax, 4(%ebp) add %eax, %ebx or %eax, %ebx push %eax Queue_m2s add %eax, 4(%ebx) push %eax call Dequeue mov %eax, %ebx pop %eax or %eax, 4(%ebx) %ebx Queue_s2mQueue_s2m (optional) push %eax mov %ebx, %eax call Enqueue pop %eax add %eax, 4(%ebx)

12 Dec 5, 2007University of Virginia12 Main Proc Environment Variables Various global tables Runtime stack.data section.bss section.text section Heap area Shadow Proc Environment Variables Various global tables Runtime stack.data section.bss section.text section Heap area Queue_m2s Queue_s2m (optional) The Basic Model – Quick Recap We have 2 separate processes/threads (main and shadow) Main only takes care of original computation Shadow only deals with tainting They keep similar memory layout They communicate via one (or two) dedicated queues

13 Dec 5, 2007University of Virginia13 Implementation

14 Dec 5, 2007University of Virginia14 Program Compiling and Execution Diagram source code compiler front end binary code loader process in execution assembly code compiler back end static dynamic

15 Dec 5, 2007University of Virginia15 Source to Source Static Rewriter (SSSR) Advantages High level program objects information available; Less dependent on ISA; No penalty for run-time code generation; Easier to debug; original source code SSSR main proc src codeshadow proc src code processes in execution … Disadvantages Requiring the application’s source code; Hard to deal with low level (hardware related) control performance dependent on the underlying compiler

16 Dec 5, 2007University of Virginia16 Source to Binary Compiler (SBC) original source code SBC main proc bin codeshadow proc bin code processes in execution loader Advantages High level program information available; Full control over the binary generation Easy to do low level optimizations; Able to follow into statically linked libraries. Disadvantages Requiring the application’s source code; ISA dependent implementation; Unable to follow through dynamically linked libraries; Special care needed to protect the shadow memory;

17 Dec 5, 2007University of Virginia17 Binary to Binary Static Rewriter (BBSR) original binary code BBSR main proc bin codeshadow proc bin code processes in execution loader Advantages The rewriting doesn’t incur run-time overhead; Doesn’t require the application’s source code; Easy to do low level optimizations; Able to follow into statically linked libraries ; Disadvantages Lacking high level program information for optimization; Binary static analysis is hard and even infeasible; ISA dependent implementation; Unable to follow through dynamically linked libraries; Special care needed to protect the shadow memory;

18 Dec 5, 2007University of Virginia18 process address space Binary to Binary Dynamic Rewriter original binary code loader main proc bin code shadow proc bin code BBDR Advantages Doesn’t require the source code; Easy shadow memory protection; Able to follow through dynamically linked libraries; Dynamic information available for optimization; System-wide if BBDR is running underlying the OS; Disadvantages Run-time overhead introduced by the dynamic transformer; Lacking high level program information to do optimization;

19 Dec 5, 2007University of Virginia19 Quick recap Optimization Opportunity Static library tracing Dynamic library tracing ISA Independent Shadow memory protection source-to- source √××√hard source-to- binary √√××hard static binary rewriter ×√××hard runtime binary transformer ×√√×intuitive source-to- binary √√××hard runtime binary transformer ×√√×intuitive

20 Dec 5, 2007University of Virginia20 Implementation Source to binary compiler – phoenix – gcc Dynamic binary rewriter – Strata – Pin An assembly to assembly translator could be reused in both approaches

21 Dec 5, 2007University of Virginia21 Optimizations Reducing the number of synchronization points – ignore ‘never-tainted’ memory locations – ignore checking ‘never-tainted’ return addresses Reducing the chance of spinning wait – large queue buffers – do taint checking only in the shadow process – allow the main process to go over less critical points Efficient data communication – put the queue in L2 cache

22 Dec 5, 2007University of Virginia22 Evaluation Functional evaluation – Does it really work correctly? Performance evaluation – Is it efficient enough for online deployment? – Benchmarks – Real programs

23 Dec 5, 2007University of Virginia23 Questions

Download ppt "Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec. 5 2007."

Similar presentations

Operating Systems Components of OS

Operating Systems Components of OS
Programming Technologies, MIPT, April 7th, 2012 Introduction to Binary Translation Technology Roman Sokolov SMWare

Programming Technologies, MIPT, April 7th, 2012 Introduction to Binary Translation Technology Roman Sokolov SMWare
ITEC 352 Lecture 25 Memory(3). Review Questions RAM –What is the difference between register memory, cache memory, and main memory? –What connects the.

ITEC 352 Lecture 25 Memory(3). Review Questions RAM –What is the difference between register memory, cache memory, and main memory? –What connects the.
1 Lecture 4: Procedure Calls Today’s topics:  Procedure calls  Large constants  The compilation process Reminder: Assignment 1 is due on Thursday.

1 Lecture 4: Procedure Calls Today’s topics:  Procedure calls  Large constants  The compilation process Reminder: Assignment 1 is due on Thursday.
Assembler/Linker/Loader Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc11-12.html Chapter 4.3 J. Levine: Linkers & Loaders

Assembler/Linker/Loader Mooly Sagiv html:// Chapter 4.3 J. Levine: Linkers & Loaders
1 Starting a Program The 4 stages that take a C++ program (or any high-level programming language) and execute it in internal memory are: Compiler - C++

1 Starting a Program The 4 stages that take a C++ program (or any high-level programming language) and execute it in internal memory are: Compiler - C++
ITEC 352 Lecture 27 Memory(4). Review Questions? Cache control –L1/L2  Main memory example –Formulas for hits.

ITEC 352 Lecture 27 Memory(4). Review Questions? Cache control –L1/L2  Main memory example –Formulas for hits.
Assembly Code Verification Using Model Checking Hao XIAO Singapore University of Technology and Design.

Assembly Code Verification Using Model Checking Hao XIAO Singapore University of Technology and Design.
Memory Management Questions answered in this lecture: How do processes share memory? What is static relocation? What is dynamic relocation? What is segmentation?

Memory Management Questions answered in this lecture: How do processes share memory? What is static relocation? What is dynamic relocation? What is segmentation?
Procedures and Stacks. Outline Stack organization PUSH and POP instructions Defining and Calling procedures.

Procedures and Stacks. Outline Stack organization PUSH and POP instructions Defining and Calling procedures.
Instruction-Set Randomization “Countering Code-Injection Attacks With Instruction-Set Randomization” G. Kc, A. Keromytis, and V. Prevelakis CCS October.

Instruction-Set Randomization “Countering Code-Injection Attacks With Instruction-Set Randomization” G. Kc, A. Keromytis, and V. Prevelakis CCS October.
CPSC 325 - Compiler Tutorial 8 Code Generator (unoptimized)

CPSC Compiler Tutorial 8 Code Generator (unoptimized)
TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.

TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.
Memory Allocation. Three kinds of memory Fixed memory Stack memory Heap memory.

Memory Allocation. Three kinds of memory Fixed memory Stack memory Heap memory.
Multiprocessing Memory Management

Multiprocessing Memory Management
Memory Management. 2 How to create a process? On Unix systems, executable read by loader Compiler: generates one object file per source file Linker: combines.

Memory Management. 2 How to create a process? On Unix systems, executable read by loader Compiler: generates one object file per source file Linker: combines.
The Procedure Abstraction Part I: Basics Copyright 2003, Keith D. Cooper, Ken Kennedy & Linda Torczon, all rights reserved. Students enrolled in Comp 412.

The Procedure Abstraction Part I: Basics Copyright 2003, Keith D. Cooper, Ken Kennedy & Linda Torczon, all rights reserved. Students enrolled in Comp 412.
Memory Management 2010.

Memory Management 2010.
LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.

LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.
Semantics of Calls and Returns

Semantics of Calls and Returns

Similar presentations

Ads by Google