In the news … Data Leaks Mar ‘19 Apr ‘19 Mar ‘18 shutdown after data leaks exposed user data passwords stored in readable format 1B 👥 600M 👥 0.5M 👥 Data Breaches Cost of a Data Breach Study www.ibm.com/security/data-breach Nov ’18 500M 👥 Sep ‘17 143M 👥 1.8B US ~ 500 companies 2018 1
Dynamic Taint Tacking tracks information flow name cc# scanf( ); send( ); Taint Tracking is slow ! Optimistic Hybrid Analysis with Safe Elisions improves ! 2
Dynamic Taint Tacking can prevent information leak Associate taints with sensitive data Propagate taints to derived values Check tainted values don’t reach untrusted channels Sources Sinks Propagation program arguments send to network x = secret + y; if (secret) keyboard print to screen x = y; network write to file files implicit explicit control flows data flows Taint Tracking is slow ! Optimistic Hybrid Analysis with Safe Elisions improves ! 3
Dynamic Taint Tacking enables powerful analyses overwrite attacks security command injection attacks XSS attacks privacy information leakage testing and debugging software semantic analysis engineering Taint Tracking is slow ! Optimistic Hybrid Analysis with Safe Elisions improves ! 4
P r o b l e m Dynamic Taint Tracking is expensive ! Taint Tracking is slow ! Optimistic Hybrid Analysis with Safe Elisions improves !
is expensive ! Dynamic Taint Tacking main (…) { x = c + 3; M EMORY } secret y = secret; } c if (p < 0) { p track z = c * y; x } } y out = z; z } check } out printf(out); } ⋮ ⋮ ~𝟔× slowdown [Newsome et al. ‘05] Taint Tracking is slow ! Optimistic Hybrid Analysis with Safe Elisions improves ! 5
Static Analysis can help ? Static analyses— main (…) { dataflow taint analysis x = c + 3; + pointer analysis y = secret; if (p < 0) { sound z = c * y; imprecise } out = z; not scalable printf(out); } 𝟔× → 𝟑.𝟖× ∴ not effective enough … Taint Tracking is slow ! Optimistic Hybrid Analysis with Safe Elisions improves ! 6
Static Analysis Limitation P : Possible program states S : Sound Static analysis’ state space S P sound ? undecidable imprecise not scalable Taint Tracking is slow ! Optimistic Hybrid Analysis with Safe Elisions improves ! 7
S o l u t i o n Optimistic Hybrid Analysis Taint Tracking is slow ! Optimistic Hybrid Analysis with Safe Elisions improves !
Predicated Static Analysis P : Possible program states S : Sound Static analysis’ state space S O T : Tested program states T P O : Predicated Static analysis’ state space sound unsound precise imprecise scalable not scalable Taint Tracking is slow ! Optimistic Hybrid Analysis with Safe Elisions improves ! 8
Predicated Static Analysis Optimistic analyses— main (…) { dataflow taint analysis x = c + 3; + pointer analysis y = secret; Backward (Assume) optimization + invariant assumption if (p < 0) { p ≥𝟏 z = c * y; precise } out = z; optimized for Forward optimization common case printf(out); } scalable Taint Tracking is slow ! Optimistic Hybrid Analysis with Safe Elisions improves ! 9
Optimistic Hybrid Analysis workflow [Devecsery et al. ‘18] inputs main () { unsigned c; Predicated Static Optimized Dynamic c = secret; Profiling int x, y, z; if (c < 0) x = secret; Analysis Analysis if (c == 1) y = secret; z = x + y; ⋮ printf(z); } likely invariants main () { unsigned c; int x, y, z; • likely unreachable code c = secret; if (c < 0) • likely callee sets x = secret; • likely unrealized call contexts if (c == 1) y = secret; z = x + y; ⋮ printf(z); } Taint Tracking is slow ! Optimistic Hybrid Analysis with Safe Elisions improves ! 10
→ missed state ? Optimistic Assumptions Taint set main (…) { x = c + 3; 1. likely Unreachable Code { secret } y = secret; (Assume) { secret,y } 2. likely Callee Sets if (p < 0) { p ≥𝟏 detection z = c * y; recovery 3. likely Unrealized Call Contexts } out = z; sound unsound printf(out); } invariant violation detection + analysis recovery Taint Tracking is slow ! Optimistic Hybrid Analysis with Safe Elisions improves ! 11
Recovery in OHA is a serious Optimistic Hybrid Analysis issue inputs main () { unsigned c; Predicated Static Optimized Dynamic c = secret; Profiling int x, y, z; if (c < 0) x = secret; Analysis Analysis if (c == 1) y = secret; z = x + y; ⋮ printf(z); } likely invariants main () { unsigned c; Recovery Conservative approach: Rollback to the beginning int x, y, z; c = secret; Mechanism + Sufficient for offline analysis and re-execute with unoptimized analysis if (c < 0) x = secret; if (c == 1) y = secret; z = x + y; ⋮ Prohibitive for live executions printf(z); } Taint Tracking is slow ! Optimistic Hybrid Analysis with Safe Elisions improves ! 12
Rollback Recovery is Problematic ! check-pointing rollback -replay logging Unbounded Rollbacks Overheads ! Taint Tracking is slow ! Optimistic Hybrid Analysis with Safe Elisions improves ! 13
R EC AP • Full Dynamic Analysis is prohibitively expensive. • Conservative Hybrid Analysis is imprecise and inefficient. • Optimisti c Hybrid Analysis can improve. • But Rollback Recovery is challenging. Taint Tracking is slow ! Optimistic Hybrid Analysis with Safe Elisions improves ! 14
R o l l b a c k - f r e e Optimistic Hybrid Analysis Taint Tracking is slow ! Optimistic Hybrid Analysis with Safe Elisions improves !
Rollback Forwar Recover Recovery y d metadata ? metadata Taint Tracking is slow ! Optimistic Hybrid Analysis with Safe Elisions improves ! 15
Safe of noop monitors Elisions Taint set { metadata 1 } { secret } y = public; monitor noop = { secret } { metadata 2 } Invariant fails ensures metadata equivalence ! exact semantics Taint Tracking is slow ! Optimistic Hybrid Analysis with Safe Elisions improves ! 16
Safe of noop monitors Elisions main (…) { x = c + 3; y = secret; unsafe if (p < 0) { { secret , y } { secret } ≠ original elided z = c * y; } { secret , y } = { secret , y } out = z; original elided safe Predicated forward optimizations are safe ensure exact metadata state ! printf(out); } Taint Tracking is slow ! Optimistic Hybrid Analysis with Safe Elisions improves ! 17
Forward Switching to conservative Recovery : analysis • Separate control flow domains fast-path and slow-path • Switch on invariant failure fast-path slow-path in() lex() main() • Switch on call return from slow-path parse() parse_tag() template() call graph Taint Tracking is slow ! Optimistic Hybrid Analysis with Safe Elisions improves ! 18
E v a l u a t i o n Taint Tracking is slow ! Optimistic Hybrid Analysis with Safe Elisions improves !
Implementation I ODINE • LLVM 3.9 compiler infrastructure • C programs Conservative Hybrid Rollback-free Optimistic Hybrid Profiling : 3 likely invariant types Conservative Static : Predicated Static : • Andersen’s pointer analysis • Andersen’s pointer analysis (context insensitive) (context sensitive) • taint analysis: predicated forward + • data-flow taint analysis conservative backward Dynamic : Optimized Dynamic : • taint tracking instrumentation- • optimized taint tracking LLVM Data Flow Sanitizer • invariant checking + forward recovery Taint Tracking is slow ! Optimistic Hybrid Analysis with S afe Elisions improves ! 19
I ODINE accelerates DIFT applications Information flow security policies — Full Dynamic Conservative Hybrid Iodine 9 8.14 Dynamic Taint Tracking Overhead 8 Email integrity and privacy 7.23 POSTFIX 7 Mail server 6 Overwrite attack detection 5.25 Web server 5 4 3 4.𝟓× faster than 1.52 1.32 1.27 2 1.12 1.07 1.07 conservative 1 smtp integrity qmqp integrity nginx security Taint Tracking is slow ! Optimistic Hybrid Analysis with Safe Elisions improves ! 20
Static Analysis Precision improved by 𝟑× Conservative +Unreachable Codes +Callee Sets +Call Contexts 1.0 0.9 Fraction of static monitors 0.729 0.709 0.8 0.686 0.684 0.625 0.611 0.602 0.7 0.584 0.580 Gzip 0.550 0.549 POSTFIX 0.507 0.6 0.478 Mail server Web server Text editor Database 0.464 Compression tool 0.465 0.447 0.439 0.432 0.432 0.429 0.427 0.422 0.422 0.425 0.417 0.417 0.416 0.407 0.401 0.395 0.395 0.388 0.5 0.383 0.383 0.381 0.379 0.372 0.367 0.364 0.359 0.353 0.342 0.322 0.293 0.4 0.3 0.2 0.1 0.0 Taint Tracking is slow ! Optimistic Hybrid Analysis with Safe Elisions improves ! 21
: regression test suites are adequate ! Profiling Effort conservative Normalized dynamic analysis time 2.0 2.0 2.0 1.8 1.8 1.8 1.6 conservative 1.6 1.6 conservative 1.4 1.4 1.4 1.2 1.2 1.2 1.0 1.0 1.0 0 20 40 60 80 100 120 140 160 0 500 1000 1500 2000 2500 0 100 200 300 400 500 600 700 800 nginx redis vim Profiling time (s) Taint Tracking is slow ! Optimistic Hybrid Analysis with Safe Elisions improves ! 22
Recommend
More recommend
