case study of asap code repair
play

Case Study of ASAP Code Repair Mathias Payer*, Thomas R. Gross - PowerPoint PPT Presentation

Oct 11, 2023 •40 likes •330 views

Hot-Patching a Web Server: a Case Study of ASAP Code Repair Mathias Payer*, Thomas R. Gross Department of Computer Science ETH Zurich * now at UC Berkeley Security Dilemma Integrity and availability threatened by vulnerabilities Two

  1. Hot-Patching a Web Server: a Case Study of ASAP Code Repair Mathias Payer*, Thomas R. Gross Department of Computer Science ETH Zurich * now at UC Berkeley

  2. Security Dilemma Integrity and availability threatened by vulnerabilities Two remedies: update or sandboxing • Security updates fix known vulnerabilities but require service restart • Sandboxes protect from unknown exploits but stop the service when an attack is detected

  3. DynSec in 1 Minute Key insight: both sandboxes and dynamic update mechanisms rely on some form of virtualization Binary Translation (BT) provides virtualization • Sandbox protects integrity • Dynamic update mechanism protects availability

  4. DynSec in 2 Minutes Application DynSec Patches Binary Translation Loader Kernel Patch extraction and distribution

  5. Hot-Patching a Web Server Analyze all security patches of Apache 2.2 From Dec 1 st 2005 to Feb. 18 th 2013 • • Total of 49 security bugs, most are simple • Many different classes of bugs All vulnerabilities Software patches Sandbox protection

  6. Outline Motivation Patching architecture & distribution Apache case-study Evaluation Conclusion

  7. Code Translation Binary Translator ● Translates individual basic blocks ● Weave patches into translated code ● Protect from security exploits Original Code Translated Code 1' 1 2 2' 3 3' 4 Kernel

  8. Patch Classes Simple patch • Only few instructions change, directly patched Patches building on DSO: • New import patch: additional library function used • New function patch: additional function • Additional call patch: calls to existing functions • New String patch: new static string used Other patches • Type change, code refactoring, heavyweight changes

  9. Patch Distribution Most Linux distributions provide dynamic update service; piggy pack on this distribution service • Automatically generate a dynamic patch when new package is generated • Systems download packages and install dynamic patches to running services • System administrators update binaries during next maintenance window

  10. Implementation DynSec builds on TRuE/libdetox [IEEE S&P’12, ACM VEE’11] • Patching thread injected in BT layer • Implemented in <2000 LoC • 48 LoC changed in TRuE to add DynSec hooks • Supports unmodified, unaware, multi-threaded x86 applications on Linux

  11. Outline Motivation Patching architecture & distribution Apache case-study • Vulnerability classes • Distribution Evaluation Conclusion

  12. Apache: Vulnerability Classes Low 23 Moderate 19 Important 7 DoS XSS IL EXE HBOF lPE AIH lDoS CSRF ACI IOF

  13. DynSec Coverage Most (45/49) vulnerabilities are hot patchable • All 7 important vulnerabilities • 18 (out of 19) moderate vulnerabilities • 20 (out of 23) low vulnerabilities Patch complexity • Important patches: 4 simple, 3 DSO patches • Moderate patches: 6 simple, 12 DSO patches • Low patches: 10 simple, 10 DSO patches

  14. DynSec: Uncovered exploits CVE-2007-3304 (lDoS, mod): signals to arbitrary PIDs • Heavy code refactoring CVE-2008-0005 (XSS, low): missing UTF-7 encoding • Additional types, new functions CVE-2012-0031 (DoS, low): scoreboard parent DoS • Type change, new functions CVE-2012-0883 (DoS, low): insecure variable in script • Not applicable to DynSec (start-up script only)

  15. DynSec: Uncovered exploits CVE-2007-3304 (lDoS, mod): signals to arbitrary PIDs • Heavy code refactoring Possibility for 4 year stride CVE-2008-0005 (XSS, low): missing UTF-7 encoding without restart • Additional types, new functions CVE-2012-0031 (DoS, low): scoreboard parent DoS • Type change, new functions CVE-2012-0883 (DoS, low): insecure variable in script • Not applicable to DynSec (start-up script only)

  16. Sandbox Coverage Protects from all code-based exploits • Code injection • Control-Flow redirection (ROP/partial JOP) • System call policies Unpatched protection for 11 (of 49) bugs • Two important vulnerabilities (out of 7) • 5 moderate vulnerabilities (out of 20) • 4 low vulnerabilities (out of 21)

  17. Outline Motivation Patching architecture & distribution Apache case-study Evaluation • SPEC CPU 2006 performance • Apache performance Conclusion

  18. Evaluation DynSec evaluated using SPEC CPU2006 • CPU: Intel Core2 Quad Q6600 @ 2.64GHz, 8GB RAM • Ubuntu 11.04, Linux 2.6.38 • Used GCC 4.5.1 with – O2 Benchmark configurations • Native • Sandboxing (use TRuE w/ shadow stack and checks) • DynSec (with different patches)

  19. 0.5 1.5 2.5 0 1 2 SPEC CPU2006: Performance 400.perlbench 401.bzip2 403.gcc 429.mcf 445.gobmk 456.hmmer 458.sjeng 462.libquantum 464.h264ref 471.omnetpp Sandbox 473.astar 410.bwaves 416.gamess 433.milc DynSec 434.zeusmp 435.gromacs 436.cactusADM 437.leslie3d 444.namd 450.soplex 453.povray 454.calculix 459.GemsFDTD 465.tonto 470.lbm 482.sphinx3 Mean

  20. 0.5 1.5 2.5 0 1 2 SPEC CPU2006: Performance 400.perlbench 401.bzip2 Low performance overhead 403.gcc 429.mcf 445.gobmk 456.hmmer 458.sjeng 462.libquantum 464.h264ref 471.omnetpp Sandbox (~11%) 473.astar 410.bwaves 416.gamess 433.milc DynSec 434.zeusmp 435.gromacs 436.cactusADM 437.leslie3d 444.namd 450.soplex 453.povray 454.calculix 459.GemsFDTD 465.tonto 470.lbm 482.sphinx3 Mean

  21. Apache: “large” files (~250kb) Performance impact: picture.png 1000 900 800 Throughput [MB/s] 700 600 500 400 300 200 100 0 100 1000 10000 Total connections Native TRUE DynSec DynSec-50 DynSec-100

  22. Apache: “large” files (~250kb) Performance impact: picture.png 1000 900 800 Throughput [MB/s] 700 Less than 7% slowdown 600 500 400 300 200 100 0 100 1000 10000 Total connections Native TRUE DynSec DynSec-50 DynSec-100

  23. Apache: small (tiny) files (~50b) Performance impact: index.html 3.5 3 Throughput [MB/s] 2.5 2 1.5 1 0.5 0 100 1000 10000 Total connections Native TRUE DynSec DynSec-50 DynSec-100

  24. Apache: small (tiny) files (~50b) Performance impact: index.html 3.5 3 Low performance cost for Throughput [MB/s] 2.5 2 large connection counts 1.5 1 0.5 0 100 1000 10000 Total connections Native TRUE DynSec DynSec-50 DynSec-100

  25. Outline Motivation Patching architecture & distribution Apache case-study Evaluation Conclusion

  26. Conclusion Virtualization enables on-the-fly code rewriting and repair for unmodified applications • Sandbox protects integrity • Patches provide availability Study shows that protecting large, long-running, and modular applications like Apache is feasible • High coverage: 45 of 49 Apache bugs patchable • Low performance impact: 7% for Apache 2.2

  27. Patching Architecture DynSec thread waits for incoming patches Patch application happens in 3 steps: • Signal all application threads to stop • Flush all code caches • Restart application threads Patch is applied indirectly when code is retranslated • BT checks for every instruction if a patch is available

  28. Patch Format The focus of DynSec is on security patches • Most security patches are only few lines of code • Type changes and code refactoring out of scope Patches are sets of changed instructions Each patch may specify additional shared library for more heavyweight changes

  29. Patch Extraction Build patched application with current toolchain Extract instruction differences between patched and unpatched version of the binary (per function) • Changed instructions are added to patch • Check differences in static read-only data • Manually ensure integrity of patch (no type changes, no data changes)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Pinellas, Inc. (ASAP) ADD LOGO HERE ASAP Home Office 3050 1 st Ave South, St. Petersburg ASAP

Pinellas, Inc. (ASAP) ADD LOGO HERE ASAP Home Office 3050 1 st Ave South, St. Petersburg ASAP

AIDS Service Association of Pinellas, Inc. (ASAP) ADD LOGO HERE ASAP Home Office 3050 1 st Ave South, St. Petersburg ASAP Programs and Services Medical Case Management Part A, B, D, Project AIDS Care (PAC) Waiver Department of

299 views • 13 slides
Content Before Code A D8 Case Study Session overview + Who We Are + The Content Before

Content Before Code A D8 Case Study Session overview + Who We Are + The Content Before

Content Before Code A D8 Case Study Session overview + Who We Are + The Content Before Code Philosophy + AcademyHealth + Outcomes + Our Approach + GatherContent Michelle Jackson Web Strategist Bec White Development Operations

613 views • 40 slides
Case study 2 Case study 2 Case study 2 Case study 2 Former Industrial Site, London: How has

Case study 2 Case study 2 Case study 2 Case study 2 Former Industrial Site, London: How has

Case study 2 Case study 2 Case study 2 Case study 2 Former Industrial Site, London: How has innovation helped to produce a cost effective remedial design? Challenging contaminant profile Taken a traditional / well understood remedial

910 views • 4 slides
About Us 124445, Russia, Moscow, Smolnaya Street, 24A, 1314 www.asap-sol.com client@asap-sol.com

About Us 124445, Russia, Moscow, Smolnaya Street, 24A, 1314 www.asap-sol.com client@asap-sol.com

www.asap-sol.com client@asap-sol.com +7 (495) 988-35-41 About Us 124445, Russia, Moscow, Smolnaya Street, 24A, 1314 www.asap-sol.com client@asap-sol.com +7 (495) 988-35-41 BRIEF INFO: CREATION DATE: October, 2007 MAJOR OBJECTIVE: Executive

499 views • 11 slides
Offload Mode Case Study James Briggs 1 COSMOS DiRAC April 28, 2015 Case Study: Modal2d

Offload Mode Case Study James Briggs 1 COSMOS DiRAC April 28, 2015 Case Study: Modal2d

Case Study: Modal2d Surveying the Code Making it Offloadable Xeon Phi Performance Offload Mode Case Study James Briggs 1 COSMOS DiRAC April 28, 2015 Case Study: Modal2d Surveying the Code Making it Offloadable Xeon Phi Performance Case

366 views • 12 slides
Code-Red: a case study on the spread and victims of an Internet worm David Moore, Colleen

Code-Red: a case study on the spread and victims of an Internet worm David Moore, Colleen

Code-Red: a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeff Brown November, 2002 IMW {dmoore, cshannon} @ caida.org www.caida.org Outline What is the Code-Red worm? Detection Host

495 views • 35 slides
in the Internet of Things IoT-ASAP @ ICSA 2018 Ronny Seiger, Steffen Huber, Uwe Amann Seattle,

in the Internet of Things IoT-ASAP @ ICSA 2018 Ronny Seiger, Steffen Huber, Uwe Amann Seattle,

Faculty of Computer Science , Software Technology Group A Case Study for Workflow-based Automation in the Internet of Things IoT-ASAP @ ICSA 2018 Ronny Seiger, Steffen Huber, Uwe Amann Seattle, 30.04.2018 Workflows in IoT Workflow Layer

535 views • 17 slides
Running Head: ASAP SERVICE LEARNING CONSULTANT PACKET ASAP Service Learning Consultant Packet

Running Head: ASAP SERVICE LEARNING CONSULTANT PACKET ASAP Service Learning Consultant Packet

Running Head: ASAP SERVICE LEARNING CONSULTANT PACKET ASAP Service Learning Consultant Packet Cassie Chrisman, Kirsten Juntunen, Tony Romano, Manuel Solis Western Washington University Table of Contents ASAP Presentation

391 views • 14 slides
ePublic Health - the 2011 EHEC case ASEF-ASAP workshop on effective risk communication for public

ePublic Health - the 2011 EHEC case ASEF-ASAP workshop on effective risk communication for public

ePublic Health - the 2011 EHEC case ASEF-ASAP workshop on effective risk communication for public health emergencies and the role of social media 3-4 June, Bali, Indonesia Hans C Ossebaard &amp; Lisette van Gemert-Pijnen Dutch National Institute

678 views • 48 slides
Flexor Tendon Repair Remains a Post Operative Range of Motion Challenge 2013 JHS 2011 JHS 2012

Flexor Tendon Repair Remains a Post Operative Range of Motion Challenge 2013 JHS 2011 JHS 2012

5/10/2013 A Knotless Cable-Crimp Flexor Tendon Repair - Disclosure: Biomechanical Comparison to a Four Strand FiberWire Cruciate Repair I have no disclosures PONTiS Orthopaedics provided the materials and devices used for this study UCSF/

60 views • 4 slides
on ACCU Laura Pathak Royal London Hospital Case Study Diagnoses Code Red Polytrauma.

on ACCU Laura Pathak Royal London Hospital Case Study Diagnoses Code Red Polytrauma.

Speech and Language Therapy on ACCU Laura Pathak Royal London Hospital Case Study Diagnoses Code Red Polytrauma. Jump from 5th Floor. GCS 4 on scene Injuries: HEAD: multifocal ICH, SAH, DAI 1, R sided stroke FACE:

226 views • 10 slides
Case Study A Case fo r Use in Addic tio n Re se arc h De re k Quig le y Unive rsity o f Auc

Case Study A Case fo r Use in Addic tio n Re se arc h De re k Quig le y Unive rsity o f Auc

Case Study A Case fo r Use in Addic tio n Re se arc h De re k Quig le y Unive rsity o f Auc kland What We ll Co ve r T o day T he L ig htbulb Mo me nt My Ph.D Case Study Case Study Charac te ristic s Case Study Stre

424 views • 10 slides
Case Study CC BY Charlotte Wickham fivethirtyeight Datasets and code from the fivethirtyeight

Case Study CC BY Charlotte Wickham fivethirtyeight Datasets and code from the fivethirtyeight

Case Study CC BY Charlotte Wickham fivethirtyeight Datasets and code from the fivethirtyeight website. (Not o ff icially published by 'FiveThirtyEight'). # install.packages(&quot;fivethirtyeight&quot;) fivethirtyeight library(fivethiryeight)

714 views • 26 slides
Graph-based, Self-Supervised Program Repair from Diagnostic Feedback ICML 2020 Michihiro

Graph-based, Self-Supervised Program Repair from Diagnostic Feedback ICML 2020 Michihiro

Graph-based, Self-Supervised Program Repair from Diagnostic Feedback ICML 2020 Michihiro Yasunaga, Percy Liang Stanford University Why program repair? Programmers spend 75% of time fixing source code errors Automatic program repair can

1.69k views • 130 slides
Algorithm Engineering (aka. How to Write Fast Code) CS260 Lecture 2 Yan Gu Case Study:

Algorithm Engineering (aka. How to Write Fast Code) CS260 Lecture 2 Yan Gu Case Study:

Algorithm Engineering (aka. How to Write Fast Code) CS260 Lecture 2 Yan Gu Case Study: Matrix Multiplication Many slides in this lecture are borrowed from the first lecture in 6.172 Performance Engineering of Software Systems at MIT. The

833 views • 55 slides
2.7 Case Study: Floorplan Optimization Our second case study is an example of a highly irregular,

2.7 Case Study: Floorplan Optimization Our second case study is an example of a highly irregular,

2.7 Case Study: Floorplan Optimization Page 1 of 7 2.7 Case Study: Floorplan Optimization Our second case study is an example of a highly irregular, symbolic problem. The solution that we develop incorporates a task scheduling algorithm. 2.7.1

259 views • 7 slides
Interim Results 6-month period ended 31 August 2018 Presented by: Norman Celliers Chief

Interim Results 6-month period ended 31 August 2018 Presented by: Norman Celliers Chief

Interim Results 6-month period ended 31 August 2018 Presented by: Norman Celliers Chief Executive Officer Agenda Overview and interim financial results Portfolio review Conclusion Questions and answers 1 An investment holding

330 views • 31 slides
Challenges of Policymaking in Times of Pandemics State of the Bangladesh Economy in FY2020

Challenges of Policymaking in Times of Pandemics State of the Bangladesh Economy in FY2020

Challenges of Policymaking in Times of Pandemics State of the Bangladesh Economy in FY2020 Dhaka: 7 June 2020 www.cpd.org.bd CPD

844 views • 81 slides
Low Carbon Development Bangladesh Perspective Mirza Shawkat Ali Deputy Director (International

Low Carbon Development Bangladesh Perspective Mirza Shawkat Ali Deputy Director (International

Low Carbon Development Bangladesh Perspective Mirza Shawkat Ali Deputy Director (International Convention) Department of Environment Tsukuba, Japan 17 F ebruary 2012 BCCS&amp;AP For Bangladesh Adaptation is the priority; National

886 views • 30 slides
ON ENERGY AUDIT AND EFFICIENCY IN POWER SECTOR MD. GIASH UDDIN MUGAL SENIOR ASSISTANT

ON ENERGY AUDIT AND EFFICIENCY IN POWER SECTOR MD. GIASH UDDIN MUGAL SENIOR ASSISTANT

SAARC TRAINING WORKSHOP ON ENERGY AUDIT AND EFFICIENCY IN POWER SECTOR MD. GIASH UDDIN MUGAL SENIOR ASSISTANT SECRETARY POWER DIVISION &amp; Q.A. SHARHAN SADIQUE DEPUTY DIRECTOR (SUSTAINABLE ENERGY) POWER CELL SAARC MEMBER STATES

947 views • 37 slides
PATCH MANAGER. The Comprehensive Connectivity and Asset Management Software Solution About

PATCH MANAGER. The Comprehensive Connectivity and Asset Management Software Solution About

PATCH MANAGER. The Comprehensive Connectivity and Asset Management Software Solution About Patchmanager B.V. Software technology company Established in 2002 Based out of Amsterdam, the Netherlands Independent, owner

493 views • 20 slides
How to install Patch Manager Plus at AWS Steps to install Patch Manager Plus at AWS 1. Login to

How to install Patch Manager Plus at AWS Steps to install Patch Manager Plus at AWS 1. Login to

How to install Patch Manager Plus at AWS Steps to install Patch Manager Plus at AWS 1. Login to Aws console 2. Select launch instance 3. Select your OS 4. Choose instance type 5. Select VPC 6. Add storage 7. Tag your instance 8. Configure security

185 views • 14 slides
NVIDIA TURF EFFECTS: MASSIVE GRASS RENDERING WITH DYNAMIC SIMULATION EVGENY MAKAROV , DEVTECH

NVIDIA TURF EFFECTS: MASSIVE GRASS RENDERING WITH DYNAMIC SIMULATION EVGENY MAKAROV , DEVTECH

NVIDIA TURF EFFECTS: MASSIVE GRASS RENDERING WITH DYNAMIC SIMULATION EVGENY MAKAROV , DEVTECH NVIDIA OUTLINE Real-time grass rendering Turf Effects: grass rendering Turf Effects: dynamic simulation Grass authoring Q&amp;A REAL-TIME GRASS

854 views • 36 slides
th An rs 4 th Ame Ameri rican Le Legion Riders Annual Sum Summit Merry-Go-Round Round

th An rs 4 th Ame Ameri rican Le Legion Riders Annual Sum Summit Merry-Go-Round Round

th An rs 4 th Ame Ameri rican Le Legion Riders Annual Sum Summit Merry-Go-Round Round Robin Unity Ride District Patch Sonny Decker &amp; Jeff Hawk Merry-Go-Round &amp; The Round Robin These month-long events are intended for our

841 views • 22 slides

More recommend