bunshin compositing security mechanisms through
play

Bunshin: Compositing Security Mechanisms through Diversification - PowerPoint PPT Presentation

Jul 02, 2023 •137 likes •698 views

Bunshin: Compositing Security Mechanisms through Diversification Meng Xu, Kangjie Lu, Taesoo Kim, Wenke Lee Georgia Institute of Technology 1 Memory Corruptions Are Costly 2 3 4 Name your phone Nexus 5X %x.%x 5 Battle against

  1. Bunshin: Compositing Security Mechanisms through Diversification Meng Xu, Kangjie Lu, Taesoo Kim, Wenke Lee Georgia Institute of Technology 1

  2. Memory Corruptions Are Costly… 2

  3. 3

  4. 4

  5. Name your phone “Nexus 5X %x.%x” 5

  6. Battle against Memory Errors Existing security mechanisms: W ⊕ R, ASLR, CFI → Not hard to by pass 6

  7. Battle against Memory Errors Existing security mechanisms: W ⊕ R, ASLR, CFI → Not hard to by pass Protect all dangerous operation using sanity checks : → Auto-applied at compile time void foo(T *a) { if(!is_valid_address(a) { void foo(T *a) { Sanitize report_and_abort(); *a = 0x1234; } } *a = 0x1234; } 7

  8. Battle against Memory Errors Memory Error Main Causes Defenses Lack of length check Integer overflow Softbound Out-of-bound read/write AddressSanitizer Format string bug Bad type casting Dangling pointer CETS Use-after-free AddressSanitizer Double free Lack of initialization Data structure alignment MemorySanitizer Uninitialized read Subword copying Divide-by-zero Pointer misalignment UndefinedBehaviorSanitizer Undefined behaviors Null-pointer dereference 8

  9. Comprehensive Protection: Goal and Reality • Accumulated execution slowdown • Example: Softbound + CETS → 110% slowdown • Implementation conflicts • Example: AddressSanitizer and MemorySanitizer 9

  10. Comprehensive Protection with Bunshin • Accumulated execution slowdown • Example: Softbound + CETS → 110% slowdown • Bunshin: Reduce to 60% or 40% (depends on the config) • Implementation conflicts • Example: AddressSanitizer and MemorySanitizer • Bunshin: Seamlessly enforce conflicting sanitizers 10

  11. The N-Version Way Input Program Output 11

  12. The N-Version Way Input Virtualization Input Variant 1 Program Variant 2 Variant 3 Output Synchronize Execution & Consolidate Outputs Output 12

  13. The N-Version Way Input (benign) Virtualization Input Variant 1 Program Variant 2 Variant 3 Output Synchronize Execution & Consolidate Outputs Output (consensus) 13

  14. The N-Version Way Input (malicious) Virtualization Input Variant 1 Program Variant 2 Variant 3 Output Synchronize Execution & Consolidate Outputs Output (divergence) 14

  15. The N-Version Way Input (malicious) Virtualization Input An attacker has to simultaneously compromise all variants in order to to compromise the whole system Variant 1 Program Variant 2 Variant 3 Output Synchronize Execution & Consolidate Outputs Output (divergence) 15

  16. Similar Ideas • Two variants placed in disjoint memory partitions [ N-Variant Systems ] • Two variants with stacks growing in di ff erent directions [ Orchestra ] • Multiple variants with randomized heap object locations [ DieHard ] • Multiple versions of the same program [ Varan, Mx ] 16

  17. Bunshin Overview • Goal: • Reduce slowdown caused by security mechanisms • Enable di ff erent or even conflicting mechanisms 17

  18. Challenges for Bunshin • How to generate these variants? • What properties they should have? • How to make them appear as one to outsiders? • What is a “behavior” and what is a divergence? • What if the sanitizers introduces new behaviors? • Multi-threading support? 18

  19. Variant Generation Intuitions • Scope of protection required → Sanitizers selected Memory Error Defenses Softbound, AddressSanitizer Out-of-bound read/write CETS, AddressSanitizer Use-after-free MemorySanitizer Uninitialized read UndefinedBehaviorSanitizer Undefined behaviors • Instrumented checks by each sanitizer void foo(T *a) { void bar(T *b) { if(!is_valid_address(a) { if(!is_valid_address(b) { report_and_abort(); report_and_abort(); } } *a = 0x1234; *b = 0x5678; } } 19

  20. Variant Generation Principles • Check distribution • Sanitizer distribution 20

  21. Check Distribution Input Virtualization Input Partition 1 Partition 1 Partition 2 Partition 2 Partition 3 Partition 3 Variant 1 Program Variant 2 Variant 3 Output Synchronize Execution & Consolidate Outputs Output 21

  22. Sanitizer Distribution Input Virtualization Input A A M M D U D U E E D N D N M M R D R D O O E E E E R R S F S F Y Y S S Variant 1 Program Variant 2 Variant 3 Output Synchronize Execution & Consolidate Outputs Output 22

  23. Cost Profiling • Calculate the slowdown caused by the sanity checks void foo(T *a) { timing_start(); void foo(T *a) { if(!is_valid_address(a) { timing_start(); report_and_abort(); *a = 0x1234; } timing_end(); *a = 0x1234; } timing_end(); } 23

  24. Cost Distribution • Equally distribute overhead to variants so that they execute at the same speed 17% 17% Foo Foo Variant 1 (52% overhead) 35% Baz 28% Bar 35% Baz 28% Bar Variant 2 (48% overhead) 20% 20% Qux Qux 24

  25. Variant Generation Process Source code Variant generator Costs profiling Security opt. Variants mechanisms Overhead (e.g., ASan, MSan, UBSan) full distribution w/ MSan w/ ASan opt. ... ... Variant compiling w/ UBSan w/ ASan selective 25

  26. Variant Sync Considerations • What is a behavior and what is a divergence? • System call (both order and arguments) • How to hook it? • By patching the system call table with a kernel module • What if di ff erent sanitizers introduce di ff erent system calls? • Sync only when a program is in its main function • Do not check system calls for memory management 26

  27. System Call Synchronization Partition 1 Partition 2 Partition 3 Userspace Leader Follower 1 Follower 2 Kernel Syscall number Arguments Execution result sync slot 27

  28. System Call Synchronization Partition 1 Partition 2 Partition 3 Userspace Leader Follower 1 Follower 2 ① Leader enters syscall Kernel Syscall number Arguments Execution result sync slot 28

  29. System Call Synchronization Partition 1 Partition 2 Partition 3 Userspace Leader Follower 1 Follower 2 Kernel ② Followers enter syscall Syscall number Arguments Execution result sync slot 29

  30. System Call Synchronization Partition 1 Partition 2 Partition 3 Userspace Leader Follower 1 Follower 2 Kernel Syscall number Arguments ③ Kernel execute the syscall only once Execution result sync slot 30

  31. System Call Synchronization Partition 1 Partition 2 Partition 3 Userspace Leader Follower 1 Follower 2 Kernel Syscall number ④ Leader fetches syscall result ④ Followers fetch syscall result Arguments Execution result sync slot 31

  32. Strict and Selective Lockstep Partition 1 Partition 2 Partition 3 Userspace Leader Follower 1 Follower 2 Followers read at Kernel their own speed Leader writes at the next available slot sync ring buffer 32

  33. Strict and Selective Lockstep Partition 1 Partition 2 Partition 3 Userspace Leader Follower 1 Follower 2 Kernel Always strictly synchronized for “write” related system calls sync ring buffer 33

  34. Strict and Selective Lockstep Partition 1 Partition 2 Selective-locksteps mitigates address leaks Partition 3 Address leak involves a "write" Userspace Leader Follower 1 Follower 2 system call and with ASLR enabled, such leak attempt will be captured Kernel Reduce sync. overhead by 3% - 5% Always strictly synchronized for “write” related system calls sync ring buffer 34

  35. Multi-threading Support Before fork Original Execution group After fork New Execution group Leader Follower 1 Follower 2 New ring buffer 35

  36. Multi-threading Support Before fork Works if there is Original Execution group no interleaving between threads After fork New Execution group Leader Follower 1 Follower 2 New ring buffer 36

  37. Multi-threading Support Leader Follower 1 Follower 2 Userspace Record Enforce Enforce Kernel Total order of lock acquisition and releases 37

  38. Multi-threading Support Leader Follower 1 Follower 2 Userspace Works under Record Enforce Enforce weak determinism Kernel (data race-free programs) Implementation specific ( pthread APIs only) Total order of lock acquisition and releases 38

  39. Evaluate Bunshin • Robustness and Security • E ffi ciency and Scalability • Protection Distribution Case Studies 39

  40. Robustness Benchmark Single/Multi-thread Featuer Pass ? Single SPEC CPU2006 Multi CPU Intensive SPLASH-2x Multi 6 out of 13 PARSEC Single lighttpd I/O Intensive Multi nginx Single Interpreter python, php 40

  41. Security • RIPE Benchmark Config Succeed Probabilistic Failed Not possible 114 16 720 2990 Default 8 0 842 2990 AddressSanitizer 8 0 842 2990 Bunshin • Real-world CVEs Config CVE Exploits Sanitizer Detect 2013-2028 Blind ROP AddressSanitizer nginx-1.4.0 2016-5636 Integer overflow AddressSanitizer cpython-2.7.10 2015-4602 Type confusion AddressSanitizer php-5.6.6 2014-0160 Heartbleed AddressSanitizer openssl-1.0.1a 2014-3581 Null dereference UndefinedBehaviorSanitizer httpd-2.4.10 41

  42. Performance Benchmark Items Strict-Lockstep Selective-Lockstep Max 17.5% 14.7% SPEC CPU2006 Min 1.6% 1.0% (19 Programs) Ave 8.6% 5.6% Max 21.4% 18.9% SPLASH-2X / PARSEC Min 10.7% 6.6% (19 Programs) Ave 16.6% 14.5% lighttpd Ave 1.44% 1.21% 1MB File Request nginx Ave 1.71% 1.41% 1MB File Request

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CS4405 Compositing Digital Compositing Digital compositing is the

CS4405 Compositing Digital Compositing Digital compositing is the

CS4405 Compositing Digital Compositing Digital compositing is the digitally manipulated integration of at least two source images to produce a new image The

656 views • 18 slides
FOG; COMPOSITING 1 OUTLINE Fog Compositing Blending Transparency Clipping

FOG; COMPOSITING 1 OUTLINE Fog Compositing Blending Transparency Clipping

FOG; COMPOSITING 1 OUTLINE Fog Compositing Blending Transparency Clipping 3D Textures Noise 2 FOG Atmospheric haze Provides more realism in a scene Also provides more sense of scene depth Simple

967 views • 33 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CSCE Intro to Computer Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies Security

472 views • 20 slides
Local Shape Editing at the Compositing Stage Carlos J. Zubiaga, Gal Guennebaud, Romain Vergne,

Local Shape Editing at the Compositing Stage Carlos J. Zubiaga, Gal Guennebaud, Romain Vergne,

Local Shape Editing at the Compositing Stage Carlos J. Zubiaga, Gal Guennebaud, Romain Vergne, Pascal Barla Compositing Shading Buffers Diffuse Reflection Final Image Transparent Subsurface Emission Compositing Auxiliary Buffers

719 views • 35 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CPSC 410/611 Operating Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies

419 views • 19 slides
Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in distributed systems arises from the desire to share resources Resources must be protected against unauthorized access, as enemies (attackers)

1.16k views • 67 slides
Security Overview Different aspects of security User authentication Protection mechanisms

Security Overview Different aspects of security User authentication Protection mechanisms

CS399 New Beginnings Jonathan Walpole Security Overview Different aspects of security User authentication Protection mechanisms Attacks: - trojan horses, spoofing, logic bombs, trap doors, buffer overflow attacks, viruses, worms, mobile

825 views • 59 slides
Introduction to Security Attacks Services Mechanisms CSS441: Security and Cryptography

Introduction to Security Attacks Services Mechanisms CSS441: Security and Cryptography

CSS441 Introduction Concepts Architecture Introduction to Security Attacks Services Mechanisms CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20

678 views • 23 slides
Survey on Security Threats and Protection Mechanisms in Embedded Automotive Networks Ivan

Survey on Security Threats and Protection Mechanisms in Embedded Automotive Networks Ivan

The Automotive Network Threats Protection mechanisms Conclusion Survey on Security Threats and Protection Mechanisms in Embedded Automotive Networks Ivan Studnia Vincent Nicomette Eric Alata Yves Deswarte Mohamed Ka aniche Renault

752 views • 40 slides
SCADA deep inside: protocols and security mechanisms Aleksandr Timorin

SCADA deep inside: protocols and security mechanisms Aleksandr Timorin

SCADA deep inside: protocols and security mechanisms Aleksandr Timorin 05|06|07 September 2014 # whoami penetration tester at Positive Technologies SCADA security researcher, main specialisation -

1.03k views • 81 slides
Security Assessment of Authentication and Authorization Mechanisms in Ethereum, Quorum,

Security Assessment of Authentication and Authorization Mechanisms in Ethereum, Quorum,

Security Assessment of Authentication and Authorization Mechanisms in Ethereum, Quorum, Hyperledger Fabric and Corda Marie-Jeanne Lagarde, Master's thesis 2018-2019 Agenda Introduction Motivation 1. Scope 2. Research Questions 3.

467 views • 35 slides
Experimentation with network-based security mechanisms GENI Security Workshop UC Davis G.

Experimentation with network-based security mechanisms GENI Security Workshop UC Davis G.

Experimentation with network-based security mechanisms GENI Security Workshop UC Davis G. Kesidis January 22-23, 2009 EE and CSE Depts Penn State kesidis@engr.psu.edu . George Kesidis, Penn State University GENI Security Workshop 01/22/09

277 views • 12 slides
Presentations Evaluating the Effectiveness of Security Mechanisms at Scale David Nicol

Presentations Evaluating the Effectiveness of Security Mechanisms at Scale David Nicol

Trustworthy Cyber Infrastructure for the Power Grid Presentations Evaluating the Effectiveness of Security Mechanisms at Scale David Nicol University of Illinois Dartmouth College Cornell University Washington State

335 views • 7 slides
Security Protocols Security protocols are the intellectual core of security engineering

Security Protocols Security protocols are the intellectual core of security engineering

Security Protocols Security protocols are the intellectual core of security engineering They are where cryptography and system mechanisms meet They allow trust to be taken from where it exists to where it s needed But they are

941 views • 67 slides
Dynamically Scheduled Region-Based Image Compositing A.V.Pascal Grosset, Aaron Knoll, &

Dynamically Scheduled Region-Based Image Compositing A.V.Pascal Grosset, Aaron Knoll, &

Eurographics Symposium on Parallel Graphics and Visualization (2016) W. Bethel, E. Gobbetti (Editors) Dynamically Scheduled Region-Based Image Compositing A.V.Pascal Grosset, Aaron Knoll, & Charles Hansen Scientific Computing and Imaging

296 views • 10 slides
TOD-Tree: Task-Overlapped Direct send Tree Image Compositing for Hybrid MPI Parallelism

TOD-Tree: Task-Overlapped Direct send Tree Image Compositing for Hybrid MPI Parallelism

Eurographics Symposium on Parallel Graphics and Visualization (2015) C. Dachsbacher, P. Navrtil (Editors) TOD-Tree: Task-Overlapped Direct send Tree Image Compositing for Hybrid MPI Parallelism A.V.Pascal Grosset, Manasa Prasad, Cameron

233 views • 10 slides
CAF - The C++ Actor Framework for Scalable and Resource-e ffi cient Applications Dominik

CAF - The C++ Actor Framework for Scalable and Resource-e ffi cient Applications Dominik

CAF - The C++ Actor Framework for Scalable and Resource-e ffi cient Applications Dominik Charousset, Raphael Hiesgen, and Thomas C. Schmidt {dominik.charousset,raphael.hiesgen,t.schmidt}@haw-hamburg.de Dept. Computer Science Hamburg University

520 views • 29 slides
Enterprise Automatons with Agenda useR2006 Background Zubin Dowlaty@ichotelsgroup.com Vice

Enterprise Automatons with Agenda useR2006 Background Zubin Dowlaty@ichotelsgroup.com Vice

Enterprise Automatons with Agenda useR2006 Background Zubin Dowlaty@ichotelsgroup.com Vice President Decision Sciences Business Process Modeling Meets R InterContinental Hotels Group Dean Mao Computing Analyst InterContinental Hotels

318 views • 3 slides
Water Energy Nexus Energy sector Water sector What is energy-water nexus? Milad

Water Energy Nexus Energy sector Water sector What is energy-water nexus? Milad

6/23/2017 Content Water Energy Nexus Energy sector Water sector What is energy-water nexus? Milad Pooladsanj Why is nexus important? S upervisors: Amin Nobakhti Nexus in Iran Mahdi S harifzadeh Quantifying the

694 views • 9 slides
Liquidity at Risk Joint Stress Testing of Liquidity and Solvency Risk Rama Cont & Artur

Liquidity at Risk Joint Stress Testing of Liquidity and Solvency Risk Rama Cont & Artur

Liquidity at Risk Joint Stress Testing of Liquidity and Solvency Risk Rama Cont & Artur Kotlicki University of Oxford Laura Valderrama International Monetary Fund 1 Solvency stress testing 2 Solvency Risk Solvency risk is driven

576 views • 28 slides
Building OSGi projects with Maven Ray Aug (Liferay) Tim Ward (Paremus) The bnd-maven-plugin

Building OSGi projects with Maven Ray Aug (Liferay) Tim Ward (Paremus) The bnd-maven-plugin

Building OSGi projects with Maven Ray Aug (Liferay) Tim Ward (Paremus) The bnd-maven-plugin What? The core bnd plugin for Maven, integrates bnd into the maven lifecycle. Why? Generates a bundle manifest and other OSGi metadata based on

418 views • 24 slides
WECONNEX Development Investment and Sustainable Change in Ethiopia Zrich, 27. November 2015

WECONNEX Development Investment and Sustainable Change in Ethiopia Zrich, 27. November 2015

WECONNEX Development Investment and Sustainable Change in Ethiopia Zrich, 27. November 2015 WECONNEX AG | Bohl 2 | CH-9000 St.Gallen | +41 71 923 88 88 | info@weconnex.org | www.weconnex.org WECONNEX AG | Bohl 2 | CH-9000 St.Gallen | +41 71

1.33k views • 19 slides
Device Creation with Qt Enterprise Embedded Andy Nichols Overview The challenges of device

Device Creation with Qt Enterprise Embedded Andy Nichols Overview The challenges of device

Device Creation with Qt Enterprise Embedded Andy Nichols Overview The challenges of device creation What is Qt Enterprise Embedded Prototyping a device Device creation 2 The Challenges of Device Creation 3 The Application is

611 views • 50 slides
Allowable and Unallowable Costs Audio is only available by conference call Please call:

Allowable and Unallowable Costs Audio is only available by conference call Please call:

Allowable and Unallowable Costs Audio is only available by conference call Please call: 877-692-8953 Participant Access Code: 1514610 to join the conference call portion of the webinar OFFICE OF HOUSING COUNSE July 28, 2020 LING Webinar

879 views • 42 slides

More recommend