1. Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman Objective and Approach Accomplishments Threat of Hardware Memory Errors (DSN’01, DSN’02) Modeling and Analyzing Software Security Vulnerabilities (DSN’03) Identifying New Security Threats (USENIX Security’05) Memory Layout Randomization-based Defense Technique (SRDS’03) Formal Analysis on Security Vulnerabilities (SEC’04) Architectural Supports for Security and Reliability Future Directions Combination of static code analysis and architecture support –To automatically derive predicates to be checked by processor at runtime Reliability and security support for embedded systems –Migrate our current techniques to embedded systems –New topics: cell phone viruses, reduced power consumption, tamper-resistance hardware, crypto and authentication hardware/software Objective –design and validate secure and reliable computing systems to support critical infrastructures. Approach –analyze raw data on security vulnerabilities and attacks –generate stochastic and state machine models depicting security threats –apply formal reasoning to uncover security vulnerabilities due to inconsistencies between system specifications and implementations –implement defensive techniques at compiler, operating system and hardware levels Study impact of hardware errors on system security –IEEE Dependable Systems and Networks (DSN’01 and DSN’02) State machine modeling of realistic security vulnerabilities –DSN’03 Memory layout randomization-based defensive technique –IEEE Reliable Distributed Systems (SRDS’03) Architecture level support for reliability and security –EASY’02, DSN’04 and DSN’05 Formal reasoning on security vulnerabilities –IFIP Information Security (SEC’04) Non-control-data attack: a new security threat –USENIX Security (Security’05) Attacker Target host Firewall (IPChains and Netfilter) Due to hardware memory errors, packets can penetrate firewalls Attacker Network server (FTP and SSH) Due to hardware memory errors, users can log in with arbitrary passwords  Emulate random hardware memory errors Stochastic model: quantitatively assess the threat in real environments WU-FTP Server Format String Attack NULL-HTTP Server Heap Corruption Attack State machine based modeling of buffer overflow, format string, heap corruption, and integer overflow Reliability and Security Engine (RSE) –A reconfigurable processor framework to embed reliability and security checking modules. –Modules perform low-latency detections. –Reliability data range check, instruction sequence check, hang/crash detection and hardware checkpointing –Security: secure return address stack, memory layout randomization and pointer taintedness detection Observation –Success of memory corruption attacks require attacker’s knowledge about the memory layout of the victim process Technique –Modify the loader so that every time when an application process starts, its memory layout is randomized. –Attack attempts crash the process rather than take control over the application. –Randomized memory regions Stack Heap Shared Libraries Global offset table The root cause of many vulnerabilities ( > 66% of CERT advisories): pointer taintedness Pointer taintedness: a pointer value is derived directly or indirectly from user input Formally defined semantics of pointer taintedness enables extracting security preconditions in application source code –Implement a compiler and a theorem prover to analyze C-code to extract conditions of pointer taitnedness. Usefulness of extracted security preconditions –Vulnerability avoidance – removal of vulnerabilities from the source code –Generation of assertions for runtime vulnerability masking Hardware-level checking: enhancing processors to detect pointer taintedness. Most current attacks are control-data attacks –Corrupting function pointers or return addresses to run malicious code. –Many defensive techniques are proposed to defeat control-data attacks, e.g., syscall-based IDS, non-executable memory and control data protection. New threat: non-control-data attacks –User identity data, configuration data, user input data and decision- making Booleans –Non-control-data attacks can obtain the root privilege by exploiting vulnerabilities of FTP, SSH, HTTP and Telnet servers –More comprehensive defensive techniques are needed. (EASY’02, DSN’04, DSN’05)