Taint Tracking is slow! Optimistic Hybrid Analysis with Safe Elisions improves! (PowerPoint PPT Presentation)


SLIDE 1

Data Leaks

In the news…

  • Sep ‘17: 143M 👥
  • Mar ‘18: 1B 👥, exposed user data
  • Nov ‘18: 500M 👥
  • Mar ‘19: 600M 👥, passwords stored in readable format
  • Apr ‘19: 0.5M 👥, shutdown after data leaks

Data Breaches: 1.8B, US, ~500 companies (2018 Cost of a Data Breach Study, www.ibm.com/security/data-breach)

SLIDE 2

Dynamic Taint Tracking tracks information flow

Example on the slide: values such as name and cc# enter the program through scanf( ) and later flow to send( ).

SLIDE 3

Taint Tracking

Sources: program arguments, keyboard, files, network

Propagation:
  • explicit data flows: x = secret + y;
  • implicit control flows: if (secret) x = y;

Sinks: send to network, print to screen, write to file

  • Associate taints with sensitive data
  • Propagate taints to derived values
  • Check that tainted values don’t reach untrusted channels

Dynamic Taint Tracking can prevent information leaks.
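A toy dynamic taint tracker for the three steps above, as an added example (not code from the deck or from Iodine). Label sets attached to values are the shadow metadata; derive() implements explicit flows, the branch()/end_branch() stack implements implicit control flows, and sink() is the check against a policy. The class and function names, the policy, and the inputs (name, cc#, secret) are this example's own constructions.

```python
"""Minimal dynamic taint tracker (added example; not from the slides or Iodine)."""
from dataclasses import dataclass
from typing import FrozenSet


@dataclass(frozen=True)
class Tainted:
    """A value together with its taint labels (the shadow metadata)."""
    value: object
    labels: FrozenSet[str] = frozenset()


class Tracker:
    def __init__(self, policy, track_implicit):
        self.policy = policy              # sink name -> labels that must not reach it
        self.track_implicit = track_implicit
        self.pc = []                      # labels of the enclosing branch conditions
        self.alerts = []                  # (sink, offending labels) found at check time

    def source(self, value, label):
        """Associate a taint label with sensitive input (keyboard, file, network...)."""
        return Tainted(value, frozenset({label}))

    def derive(self, value, *operands):
        """Explicit flow: a derived value inherits its operands' labels.  With
        implicit tracking on it also inherits the labels of every branch
        condition it is control-dependent on."""
        labels = frozenset().union(*(o.labels for o in operands))
        if self.track_implicit:
            labels = labels.union(*self.pc)
        return Tainted(value, labels)

    def branch(self, cond):
        """Enter a conditional; remember the condition's taint for implicit flows."""
        self.pc.append(cond.labels)
        return bool(cond.value)

    def end_branch(self):
        self.pc.pop()

    def sink(self, name, v):
        """Check: tainted data must not reach an untrusted channel.  Returns
        True when the operation is allowed."""
        bad = v.labels & self.policy.get(name, frozenset())
        if bad:
            self.alerts.append((name, bad))
        return not bad


def run_demo(track_implicit):
    """The deck's two propagation cases, x = secret + y and if (secret) x = y,
    plus the scanf/send example.  All inputs are constructed."""
    t = Tracker({"send": {"cc#", "secret"}, "print": {"cc#"}}, track_implicit)
    name = t.source("alice", "name")                    # scanf(name)
    cc = t.source("4111111111111111", "cc#")            # scanf(cc#)
    secret = t.source(1, "secret")
    y = Tainted(7)                                      # public value

    x1 = t.derive(secret.value + y.value, secret, y)    # x = secret + y (explicit)
    last4 = t.derive(cc.value[-4:], cc)                 # derived from cc#: still tainted

    x2 = Tainted(0)
    if t.branch(secret):                                # if (secret) x = y (implicit)
        x2 = t.derive(y.value, y)
    t.end_branch()

    results = {
        "send(name)": t.sink("send", name),     # allowed by the policy
        "send(cc#)": t.sink("send", cc),        # blocked
        "print(last4)": t.sink("print", last4), # blocked: derived from cc#
        "send(x1)": t.sink("send", x1),         # blocked: explicit flow from secret
        "send(x2)": t.sink("send", x2),         # blocked only if implicit flows are tracked
    }
    return results, t.alerts


if __name__ == "__main__":
    for implicit in (False, True):
        print("implicit flows tracked:", implicit, run_demo(implicit)[0])
```

With track_implicit=False the tracker is a pure data-flow tracker: send(x2) passes even though x2 reveals whether secret was non-zero, which is exactly the implicit-flow gap the slide distinguishes from explicit flows.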

SLIDE 4

Dynamic Taint Tracking enables powerful analyses

  • security: overwrite attacks, command injection attacks, XSS attacks
  • software engineering: semantic analysis, testing and debugging
  • privacy: information leakage

SLIDE 5

Problem: Dynamic Taint Tracking is expensive!

SLIDE 6

Dynamic Taint Tracking is expensive: ~6× slowdown [Newsome et al. ‘05]

    main (…) {
      x = c + 3;
      y = secret;
      if (p < 0) {
        z = c * y;
      }
      out = z;
      printf(out);
    }

Every variable (secret, c, p, x, y, z, out, …) carries shadow metadata in memory; every assignment is instrumented to track taint, and the sink printf(out) to check it.

SLIDE 7

Static Analysis can help?

Static analyses (dataflow taint analysis + pointer analysis) on the program of SLIDE 6 remove the monitors they can prove unnecessary: 6× → 3.8×. Not effective enough…

Sound, but imprecise and not scalable.

SLIDE 8

Static Analysis Limitation

P: possible program states. S: sound static analysis’ state space. Exact reachability is undecidable, so S must over-approximate P: sound, but imprecise and not scalable.

SLIDE 9

Solution: Optimistic Hybrid Analysis

SLIDE 10

Optimistic Hybrid Analysis: Predicated Static Analysis

P: possible program states. S: sound static analysis’ state space (sound, imprecise, not scalable). T: tested program states. O: predicated static analysis’ state space, built around T (precise, scalable, unsound: states of P outside O are not covered).

SLIDE 11

Predicated Static Analysis

Assume the likely invariant p ≥ 1 on the program of SLIDE 6. Under it the branch if (p < 0) is never taken, so z = c * y is unreachable and out = z never carries taint.
  • Forward optimization: propagate taint forward from secret under the assumption; monitors whose operands can never be tainted (x = c + 3, out = z) are dropped.
  • Backward optimization: work backward from the sink printf(out); monitors whose taint can never reach a sink (y = secret) are dropped.

Optimistic analyses: dataflow taint analysis + pointer analysis + invariant assumption. Precise, optimized for the common case, scalable.

SLIDE 12

Optimistic Hybrid Analysis workflow [Devecsery et al. ‘18]

inputs → Profiling → likely invariants → Predicated Static Analysis → Optimized Dynamic Analysis

Likely invariants:
  • likely unreachable code
  • likely callee sets
  • likely unrealized call contexts

    main () {
      unsigned c;
      int x, y, z;
      c = secret;
      if (c < 0) x = secret;
      if (c == 1) y = secret;
      z = x + y;
      ⋮
      printf(z);
    }

(c is unsigned, so c < 0 is never true; profiling over the test inputs reports such branch bodies as likely unreachable code.)

SLIDE 13

Optimistic Assumptions (p ≥ 1 assumed)

  1. likely unreachable code
  2. likely callee sets
  3. likely unrealized call contexts

Unsound optimized analysis + invariant violation detection + analysis recovery = sound.

Missed state: when the assumption fails at run time (p < 0), the optimized analysis holds the taint set {secret} where the full analysis holds {secret, y}; the elided monitor on y = secret was never executed, yet z = c * y now needs y’s taint.

SLIDE 14

Recovery in OHA is a serious issue

Workflow as on SLIDE 12 (Profiling → Predicated Static Analysis → Optimized Dynamic Analysis) plus a Recovery Mechanism.

Conservative approach: rollback to the beginning and re-execute with the unoptimized analysis.
  • Sufficient for offline analysis
  • Prohibitive for live executions

SLIDE 15

Rollback Recovery is Problematic!

Unbounded rollbacks; overheads of check-pointing, logging, rollback and replay.

SLIDE 16

Recap

  • Full Dynamic Analysis is prohibitively expensive.
  • Conservative Hybrid Analysis is imprecise and inefficient.
  • Optimistic Hybrid Analysis can improve.
  • But Rollback Recovery is challenging.

SLIDE 17

Rollback-free Optimistic Hybrid Analysis

SLIDE 18

Rollback Recovery rebuilds the metadata by re-executing from a checkpoint. Forward Recovery asks instead: can the analysis continue from the metadata it already has?

SLIDE 19

Safe Elisions ensure metadata equivalence!

Only noop monitors are elided: when the invariant fails, the metadata produced with the monitor ({metadata1}) equals the metadata produced without it ({metadata2}), so the elided analysis keeps the exact semantics of the full one.

Example: y = public; with the taint set {secret}, the taint set after the statement is {secret} whether or not its monitor runs.

SLIDE 20

Safe Elisions of noop monitors (program of SLIDE 6)

  • unsafe: original taint set {secret, y}, elided {secret}; the dropped monitor on y = secret was not a noop
  • safe: original taint set {secret, y}, elided {secret, y}; equal (=)

Predicated forward optimizations are safe: they ensure the exact metadata state!

SLIDE 21

Forward Recovery: switching to conservative analysis

  • Separate control-flow domains: fast-path (optimized) and slow-path (conservative)
  • Switch on invariant failure
  • Switch on call return from slow-path

Call graph on the slide: main(), in(), parse(), lex(), parse_tag(), template()
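The pipeline of SLIDES 11–13 and 19–21 on the deck’s example program, as an added example (not Iodine code): profiling over training inputs yields the likely invariant p ≥ 1 (the branch body is likely unreachable code); the predicated forward analysis finds the monitors that are noops under it (safe elisions); a predicated backward elision set is computed for contrast (unsafe); and the optimized run switches to the slow path on invariant failure (forward recovery). The statement encoding, every function name and the inputs are this example’s own assumptions; values are not modelled, only taint metadata and the branch on p.

```python
"""Predicated static analysis, safe elisions and forward recovery on the
deck's example program.  Added example; not code from the slides or Iodine."""

SOURCES = {"secret"}
ALL_VARS = {"secret", "c", "p", "x", "y", "z", "out"}

# One entry per statement.  'use' -> operands whose taint flows into 'def';
# 'guard' -> enclosing branch condition (None = unconditional).
PROGRAM = [
    {"kind": "assign", "def": "x",   "use": ["c"],      "guard": None},                      # x = c + 3
    {"kind": "assign", "def": "y",   "use": ["secret"], "guard": None},                      # y = secret
    {"kind": "assign", "def": "z",   "use": ["c", "y"], "guard": lambda env: env["p"] < 0},  # if (p < 0) z = c * y
    {"kind": "assign", "def": "out", "use": ["z"],      "guard": None},                      # out = z
    {"kind": "sink",   "def": None,  "use": ["out"],    "guard": None},                      # printf(out)
]


def profile(program, training_inputs):
    """Profiling: guarded statements never executed on the training inputs
    become 'likely unreachable code' (here the invariant p >= 1)."""
    executed = {i for env in training_inputs for i, st in enumerate(program)
                if st["guard"] is None or st["guard"](env)}
    return {i for i, st in enumerate(program) if st["guard"] and i not in executed}


def forward_may_taint(program, dead, sources):
    """Predicated forward data-flow: variables that may carry taint if the
    likely-unreachable statements never run."""
    may = set(sources)
    changed = True
    while changed:
        changed = False
        for i, st in enumerate(program):
            if i not in dead and st["kind"] == "assign" and st["def"] not in may \
                    and any(u in may for u in st["use"]):
                may.add(st["def"])
                changed = True
    return may


def forward_elisions(program, dead, sources):
    """Safe elisions: monitors that are noops under the invariant (no tainted
    operand, untainted destination).  Skipping a noop never changes metadata,
    so the state stays exact even if the invariant later fails."""
    may = forward_may_taint(program, dead, sources)
    return {i for i, st in enumerate(program) if i not in dead
            and not any(u in may for u in st["use"])
            and (st["def"] is None or st["def"] not in may)}


def backward_elisions(program, dead):
    """Unsafe elisions (predicated backward): monitors whose taint never
    reaches a sink under the invariant.  These monitors are not noops."""
    needed = {u for st in program if st["kind"] == "sink" for u in st["use"]}
    changed = True
    while changed:
        changed = False
        for i, st in enumerate(program):
            if i not in dead and st["kind"] == "assign" and st["def"] in needed \
                    and not set(st["use"]) <= needed:
                needed |= set(st["use"])
                changed = True
    return {i for i, st in enumerate(program)
            if i not in dead and st["kind"] == "assign" and st["def"] not in needed}


def run(program, env, elided, dead, sources):
    """Optimized dynamic analysis with forward recovery: elided monitors are
    skipped on the fast path; executing a statement assumed unreachable is an
    invariant failure, after which every monitor runs (slow path).
    Returns (taint map, taint reached the sink, monitors executed, recovered)."""
    taint = {v: v in sources for v in ALL_VARS}
    leaked, monitors, slow_path = False, 0, False
    for i, st in enumerate(program):
        if st["guard"] is not None and not st["guard"](env):
            continue
        if i in dead:
            slow_path = True              # invariant violated: switch to slow path
        if i in elided and not slow_path:
            continue                      # elided monitor: no metadata update
        monitors += 1
        if st["kind"] == "sink":
            leaked = leaked or taint[st["use"][0]]
        else:
            taint[st["def"]] = any(taint[u] for u in st["use"])
    return taint, leaked, monitors, slow_path


def compare(p):
    """Full tracking vs. forward-only (safe) vs. backward (unsafe) elisions for
    one run with input p.  Training inputs are constructed with p >= 1."""
    dead = profile(PROGRAM, [{"p": 1}, {"p": 2}, {"p": 7}])   # -> {2}
    safe = forward_elisions(PROGRAM, dead, SOURCES)           # -> {0, 3, 4}
    unsafe = backward_elisions(PROGRAM, dead)                 # -> {0, 1}
    env = {"p": p}
    return {"dead": dead, "safe": safe, "unsafe": unsafe,
            "full": run(PROGRAM, env, set(), set(), SOURCES),
            "forward": run(PROGRAM, env, safe, dead, SOURCES),
            "backward": run(PROGRAM, env, unsafe, dead, SOURCES)}


if __name__ == "__main__":
    for p in (1, -1):
        r = compare(p)
        for name in ("full", "forward", "backward"):
            taint, leaked, monitors, recovered = r[name]
            print(f"p={p:2d} {name:8s} leak={leaked!s:5} monitors={monitors} "
                  f"recovered={recovered!s:5} exact={taint == r['full'][0]}")
```

On the common-case input p = 1 the forward-elided run executes one monitor instead of four and ends with the same taint map as full tracking. On p = -1 the invariant fails at z = c * y, the run switches to the slow path, and because only noop monitors were elided the taint map is still identical to full tracking and the sink check fires. The backward-elided run dropped the monitor on y = secret, so after the same switch z, out and the sink all see y as untainted: the missed state of SLIDE 13, which no forward recovery can repair.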

SLIDE 22

Evaluation

SLIDE 23

IODINE Implementation

  • LLVM 3.9 compiler infrastructure
  • C programs

Conservative Hybrid
  Conservative Static:
    • Andersen’s pointer analysis (context insensitive)
    • data-flow taint analysis
  Dynamic:
    • taint tracking instrumentation: LLVM Data Flow Sanitizer

Rollback-free Optimistic Hybrid
  Profiling: 3 likely invariant types
  Predicated Static:
    • Andersen’s pointer analysis (context sensitive)
    • taint analysis: predicated forward + conservative backward
  Optimized Dynamic:
    • optimized taint tracking
    • invariant checking + forward recovery

SLIDE 24

IODINE accelerates DIFT applications

Information flow security policies: email integrity and privacy (POSTFIX mail server: smtp, qmqp) and overwrite attack detection (nginx web server).

Dynamic Taint Tracking Overhead (normalized run time, bars in the order listed on the chart):

                        smtp integrity   qmqp integrity   nginx security
  Full Dynamic               7.23             8.14             5.25
  Conservative Hybrid        1.27             1.32             1.52
  Iodine                     1.07             1.07             1.12

IODINE: 4.5× faster than conservative hybrid analysis.

SLIDE 25

Static Analysis Precision improved by 3×

Fraction of static monitors remaining after each optimization, for the eleven benchmark programs in chart order (the chart groups them as mail server (POSTFIX), web server, text editor, compression tool (Gzip), database):

  Conservative        0.550 0.584 0.686 0.729 0.709 0.580 0.611 0.549 0.602 0.684 0.625
  +Unreachable Codes  0.383 0.417 0.422 0.427 0.507 0.464 0.478 0.429 0.416 0.465 0.439
  +Callee Sets        0.383 0.364 0.422 0.388 0.447 0.432 0.432 0.372 0.381 0.395 0.401
  +Call Contexts      0.359 0.342 0.379 0.353 0.407 0.417 0.425 0.322 0.293 0.395 0.367

SLIDE 26

Profiling Effort: regression test suites are adequate!

Charts (SLIDES 26–28 build up the same figure): normalized dynamic analysis time (1.0 to 2.0) against profiling time in seconds for nginx, redis and vim, each with the conservative analysis as a reference line, comparing profiles gathered from Regression Tests and from Beta Tests.

SLIDE 29

Takeaways

SLIDE 30

IODINE Summary: Practical Dynamic Taint Tracking

  • 3.9× lower overhead than conservative hybrid analysis
  • Improves Optimistic Hybrid Analysis: rollback-free using only safe elisions
  • Profiling using test suites is adequate

Slowdown scale on the slide (relative to native): full dynamic ~5×; ~2.6× (shown next to [ShadowReplica ‘13, TaintPipe ‘15, StraightTaint ‘16]); conservative hybrid ~2.3×; IODINE; native.


SLIDE 35

Attacks on Availability

  • New attack vector: violate likely invariants to force the slow path
  • Bounded slowdown: the slow path is the best available conservative analysis
  • Adapting invariants: re-analyze excluding the failed invariant
  • Early detection: forces the attacker to induce unusual behavior