libdft
play

libdft Practical Dynamic Data Flow Tracking for Commodity Systems - PowerPoint PPT Presentation

Nov 04, 2022 •287 likes •649 views

Overview Design & Implementation Results & Discussion libdft Practical Dynamic Data Flow Tracking for Commodity Systems Vasileios P. Kemerlis Georgios Portokalidis Kangkook Jee Angelos D. Keromytis Network Security Lab Department of

  1. Overview Design & Implementation Results & Discussion libdft Practical Dynamic Data Flow Tracking for Commodity Systems Vasileios P. Kemerlis Georgios Portokalidis Kangkook Jee Angelos D. Keromytis Network Security Lab Department of Computer Science Columbia University New York, NY, USA Virtual Execution Environments (VEE), 03/04/2012 vpk@cs.columbia.edu Columbia University - Network Security Lab

  2. Overview Design & Implementation Results & Discussion Outline Overview 1 Problem statement Contribution Design & Implementation 2 Definitions Design overview Implementation Results & Discussion 3 Performance Use cases Summary vpk@cs.columbia.edu Columbia University - Network Security Lab

  3. Overview Problem statement Design & Implementation Contribution Results & Discussion Dynamic data flow tracking (DFT) What is it? Tagging and tracking “interesting” data as they propagate during program execution Extremely popular research topic (also known as information flow tracking) analyzing malware behavior [Portokalidis Eurosys’06] hardening software against zero-day attacks [Bosman RAID’11, Qin MICRO’06, Newsome NDSS’05] detecting and preventing information leaks [Zhu SIGOPS’11, Enck OSDI’10] debugging software misconfigurations [Attariyan OSDI’10] vpk@cs.columbia.edu Columbia University - Network Security Lab

  4. Overview Problem statement Design & Implementation Contribution Results & Discussion Related work Architectural classification Integrated into full system emulators and virtual machine monitors [Ho Eurosys’06, Portokalidis Eurosys’06, Myers POPL ’99] Retrofitted into unmodified binaries using dynamic binary instrumentation (DBI) [Qin MICRO’06] Added to source codebases using source-to-source code transformations [Xu USENIX Sec’06] Implemented in hardware [Venkataramani HPCA’08, Crandall MICRO’04, Suh ASPLOS’04] vpk@cs.columbia.edu Columbia University - Network Security Lab

  5. Overview Problem statement Design & Implementation Contribution Results & Discussion Related work (cont’d) Issues & limitations Ad hoc & problem-specific implementations high overhead, little reusability, limited applicability Attempts for flexible DFT systems Versatility comes at a high price TaintCheck [Newsome NDSS’05] → 20x overhead even for small utilities LIFT [Qin MICRO’06] → no multithreading support Minemu [Bosman RAID’11] → only 32-bit binaries Dytan [Clause ISSTA’07] → attempts to define a generic and reusable DFT framework, but incurs a slowdown of more than 30x vpk@cs.columbia.edu Columbia University - Network Security Lab

  6. Overview Problem statement Design & Implementation Contribution Results & Discussion libdft Brief overview DFT framework in the form of a shared library Features Fast → 1.14x – 10x slowdown Reusable → API for building custom DFT-powered tools Applicable to commodity hardware and software → supports multi- { process, threaded } x86 Linux applications, without requiring any modifications to the binaries or the underlying OS vpk@cs.columbia.edu Columbia University - Network Security Lab

  7. Overview Definitions Design & Implementation Design overview Results & Discussion Implementation DFT Formalisms Many aliases Data flow tracking (DFT) Information flow tracking (IFT) Dynamic taint analysis (DTA) ... Definition The process of accurately tracking the flow of selected data throughout the execution of a program or system vpk@cs.columbia.edu Columbia University - Network Security Lab

  8. Overview Definitions Design & Implementation Design overview Results & Discussion Implementation DFT (cont’d) Basic aspects DFT is characterized by 3 aspects Data sources : program, or memory locations, where data 1 of interest enter the system and subsequently get tagged Data tracking : process of propagating data tags according 2 to program semantics Data sinks : program, or memory locations, where checks 3 for tagged data can be made Note We strictly deal with explicit data flows vpk@cs.columbia.edu Columbia University - Network Security Lab

  9. Overview Definitions Design & Implementation Design overview Results & Discussion Implementation Design goal Shared library for customized DFT Allow the creation of “meta-tools” that transparently employ DFT PROCESS Pin Code cache Pintool libdft T agmap Process binary MEMORY Other library Instructions ... ... Function calls mov ebx, 0x0a mov eax, [esp+0x10] Other call eax library ... System calls USER SPACE (I/O) KERNEL SPACE Figure: Putting it altogether: Pin, libdft, process vpk@cs.columbia.edu Columbia University - Network Security Lab

  10. Overview Definitions Design & Implementation Design overview Results & Discussion Implementation Usage libdft in a nutshell Pin loads itself, libdft, and a libdft-enabled tool into the 1 same address space with a process (Figure 1) Before commencing or resuming execution, the libdft-tool 2 defines the data sources and sinks by tapping arbitrary points of interest User-defined callbacks drive the DFT process by tagging 3 and untagging data, or checking and enforcing data use vpk@cs.columbia.edu Columbia University - Network Security Lab

  11. Overview Definitions Design & Implementation Design overview Results & Discussion Implementation Challenges Achieving low overhead is hard Size & structure of the analysis routines ( i.e., DFT logic) matters Complex analysis code → excessive register spilling Certain types of instructions should be avoided altogether ( e.g., test-and-branch, EFLAGS modifiers) vpk@cs.columbia.edu Columbia University - Network Security Lab

  12. Overview Definitions Design & Implementation Design overview Results & Discussion Implementation libdft Prototype implementation libdft has been implemented using Pin v2.9 Currently supports only x86 Linux binaries Consists of three main components (Figure 2) Tagmap 1 Tracker 2 I/O interface 3 ∼ 5000 LOC in C/C++ vpk@cs.columbia.edu Columbia University - Network Security Lab

  13. Overview Definitions Design & Implementation Design overview Results & Discussion Implementation libdft Architecture libdft API Pin API libdft backend Tagmap Tracker Instrumentation engine mem_bitmap vcpu handle_add handle_cmov R1: handle_sub handle_lods handle_and handle_pop R2: handle_or handle_push ... ... handle_xor handle_cpuid Rn: Analysis routines I/O Interface STAB tseg r2r_alu_opl() r2r_alu_opw() syscall_desc[] r2r_alu_opb_l() pre_syscall tseg r2m_xfer_opl() r2m_xfer_opw() ... post_syscall m2r_alu_opb_h() Figure: The architecture of libdft vpk@cs.columbia.edu Columbia University - Network Security Lab

  14. Overview Definitions Design & Implementation Design overview Results & Discussion Implementation libdft Tagmap Stores the tags for every process Major impact on the overall performance → DFT logic constantly operates on data tags Tag format Tagging granularity → byte Tag size → { 1,8 } -bit Register tags Per thread vcpu structure 8 general purpose registers (GPRs) Memory tags Per process mem bitmap , or STAB and tseg structures 1 bit/byte for every byte of addressable memory vpk@cs.columbia.edu Columbia University - Network Security Lab

  15. Overview Definitions Design & Implementation Design overview Results & Discussion Implementation libdft Tracker Instruments a program for retrofitting the DFT logic Instrumentation Engine Invoked once for each sequence of instructions Handles the elaborate logic of discovering data dependencies → allows for compact and fast analysis code Inspects the instructions of a program Determines the analysis routines that should be injected before each instruction Allows for customization (libdft API) Analysis Routines Invoked every time a specific instruction is executed Contain code that implements the DFT logic Clear, assert, and propagate tags vpk@cs.columbia.edu Columbia University - Network Security Lab

  16. Overview Definitions Design & Implementation Design overview Results & Discussion Implementation libdft I/O Interface Handles the kernel ↔ process data pre syscall / post syscall → instrumentation stubs syscall desc[] → syscall meta-information table The stubs are invoked upon every system call entry/exit Allows the user to register callback functions (libdft API) The default behavior of the post syscall stub is to untag the data being written/returned by the system call Advantages Enables the customization of libdft by using I/O system calls as data sources and sinks arbitrarily Eliminates tag leaks by considering that some system calls write specific data to user-provided buffers vpk@cs.columbia.edu Columbia University - Network Security Lab

  17. Overview Definitions Design & Implementation Design overview Results & Discussion Implementation libdft Optimizations fast vcpu Uses a scratch-register to store a pointer to the vcpu structure of each thread fast rep Avoids recomputing the effective address (EA) on each repetition in REP -prefixed instructions huge tlb Uses huge pages for mem bitmap and STAB to minimize TLB poisoning tagmap col Collapses tseg structures that correspond to write-protected memory regions to a single constant segment vpk@cs.columbia.edu Columbia University - Network Security Lab

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Streaming Massive Environments From Zero to 200MPH Chris Tector (Software Architect Turn 10

Streaming Massive Environments From Zero to 200MPH Chris Tector (Software Architect Turn 10

FORZA MOTORSPORT Streaming Massive Environments From Zero to 200MPH Chris Tector (Software Architect Turn 10 Studios) Turn 10 Internal studio at Microsoft Game Studios - we make Forza Motorsport Around 70 full time staff Streaming

880 views • 50 slides
FAST & FURIOUS REVERSE ENGINEERING WITH TITANENGINE Agenda Obligatory Scare Talk Why

FAST & FURIOUS REVERSE ENGINEERING WITH TITANENGINE Agenda Obligatory Scare Talk Why

Mario Vuksan, Tomislav Periin & Vojislav Milunovic, ReversingLabsCorporation FAST & FURIOUS REVERSE ENGINEERING WITH TITANENGINE Agenda Obligatory Scare Talk Why should you care? What is the problem? How can

1.47k views • 83 slides
arXiv:1209.2137v6 [cs.IR] 15 May 2014 SUMMARY In many important applicationssuch as search

arXiv:1209.2137v6 [cs.IR] 15 May 2014 SUMMARY In many important applicationssuch as search

Decoding billions of integers per second through vectorization D. Lemire 1 , L. Boytsov 2 1 LICEF Research Center, TELUQ, Montreal, QC, Canada 2 Carnegie Mellon University, Pittsburgh, Pennsylvania, USA arXiv:1209.2137v6 [cs.IR] 15 May 2014

488 views • 30 slides
CS4617 Computer Architecture Lecture 7: Instruction Set Architectures Dr J Vaughan October 1,

CS4617 Computer Architecture Lecture 7: Instruction Set Architectures Dr J Vaughan October 1,

CS4617 Computer Architecture Lecture 7: Instruction Set Architectures Dr J Vaughan October 1, 2014 1/27 ISA Classification Stack architecture: operands on top of stack Accumulator architecture: 1 operand in ACC, implicitly

643 views • 27 slides
Robust PCA Yingjun Wu Preliminary: vector projection Scalar projection of a onto b: a1 could be

Robust PCA Yingjun Wu Preliminary: vector projection Scalar projection of a onto b: a1 could be

Robust PCA Yingjun Wu Preliminary: vector projection Scalar projection of a onto b: a1 could be expressed as: Example b=(10,4) w=(1,0) Preliminary: understanding PCA Preliminary: methodology in PCA Purpose: project a high-dimensional

500 views • 24 slides
Exploring Qualcomm Baseband via ModKit Tencent Blade Team Tencent Security Platform Department

Exploring Qualcomm Baseband via ModKit Tencent Blade Team Tencent Security Platform Department

Exploring Qualcomm Baseband via ModKit Tencent Blade Team Tencent Security Platform Department About Us - Tencent Blade Team A security research team from Tencent Security Platform Department Focus security research on AI, IoT and

388 views • 34 slides
Compression and Decompression in Cognition Vertolli, M. O., Kelly, M., & Davies, J.

Compression and Decompression in Cognition Vertolli, M. O., Kelly, M., & Davies, J.

Compression and Decompression in Cognition Vertolli, M. O., Kelly, M., & Davies, J. Introduction Compression of signals from the environment is critical to an organisms success Decompression plays an equally critical role We

434 views • 4 slides
DECOMPRESSION ON HETEROGENEOUS MULTICORE ARCHITECTURES Wasuwee Sodsong 1 , Jingun Hong 1 ,

DECOMPRESSION ON HETEROGENEOUS MULTICORE ARCHITECTURES Wasuwee Sodsong 1 , Jingun Hong 1 ,

DYNAMIC PARTITIONING-BASED JPEG DECOMPRESSION ON HETEROGENEOUS MULTICORE ARCHITECTURES Wasuwee Sodsong 1 , Jingun Hong 1 , Seongwook Chung 1 , Yeongkyu Lim 2 , Shin-Dug Kim 1 and Bernd Burgstaller 1 1 Yonsei University 2 LG Electronics JPEG

1.34k views • 35 slides
GPU-Acceleration of In-Memory Data Analytics Evangelia Sitaridi AWS Redshift GPUs for Telcos

GPU-Acceleration of In-Memory Data Analytics Evangelia Sitaridi AWS Redshift GPUs for Telcos

GPU-Acceleration of In-Memory Data Analytics Evangelia Sitaridi AWS Redshift GPUs for Telcos Fast query-time Quickly identify network problems No time to index data Respond fast to customers Geospatial visualization Take

828 views • 37 slides
Opening Exercise Suppose that you are given three integers in int variables. Describe a way to

Opening Exercise Suppose that you are given three integers in int variables. Describe a way to

Opening Exercise Suppose that you are given three integers in int variables. Describe a way to encode their values into a single int value. Now suppose that all three integers have values 256. How can you encode their values into a single int

352 views • 14 slides
Uncovering SAP vulnerabilities: Reversing and breaking the Diag protocol Martin Gallo Core

Uncovering SAP vulnerabilities: Reversing and breaking the Diag protocol Martin Gallo Core

Uncovering SAP vulnerabilities: Reversing and breaking the Diag protocol Martin Gallo Core Security Defcon 20 July 2012 P A G E Agenda Introduction Motivation and related work SAP Netweaver architecture and protocols layout

785 views • 41 slides
F F Fast Transforms using the Cell/B.E. Processor Fast Transforms using the Cell/B.E. Processor

F F Fast Transforms using the Cell/B.E. Processor Fast Transforms using the Cell/B.E. Processor

F F Fast Transforms using the Cell/B.E. Processor Fast Transforms using the Cell/B.E. Processor t T t T f f i g th C ll/B E P i g th C ll/B E P David A. Bader joint work with Seunghwa Kang and Virat Agarwal Sony-Toshiba-IBM Center of

612 views • 47 slides
Memory-Optimized Distributed Graph Processing through Novel Compression Techniques Katia

Memory-Optimized Distributed Graph Processing through Novel Compression Techniques Katia

Memory-Optimized Distributed Graph Processing through Novel Compression Techniques Katia Papakonstantinopoulou Joint work with Panagiotis Liakos and Alex Delis University of Athens Athens Colloquium in Algorithms and Complexity UoA, August 26

772 views • 19 slides
Re-think Data Management Software Design Upon the Arrival of Storage Hardware with Built-in

Re-think Data Management Software Design Upon the Arrival of Storage Hardware with Built-in

Re-think Data Management Software Design Upon the Arrival of Storage Hardware with Built-in Transparent Compression 07/2020 1 The Rise of Computational Storage Homogeneous Computing Heterogenous Computing Compute Networking Storage

163 views • 12 slides
Application compartmentalization Conventional gunzip Compartmentalized gunzip UNIX process UNIX

Application compartmentalization Conventional gunzip Compartmentalized gunzip UNIX process UNIX

CHERI A Hybrid Capability-System Architecture for Scalable Software Compartmentalization Robert N.M. Watson * , Jonathan Woodruff * , Peter G. Neumann , Simon W. Moore * , Jonathan Anderson , David Chisnall * , Nirav Dave , Brooks

267 views • 13 slides
Exact JPEG recompression and forensics using interval arithmetic Andrew B. Lewis and Markus G.

Exact JPEG recompression and forensics using interval arithmetic Andrew B. Lewis and Markus G.

Exact JPEG recompression and forensics using interval arithmetic Andrew B. Lewis and Markus G. Kuhn Computer Laboratory Security Group MM&Sec08 rump session What is recompression? Exact recompression is useful because it allows us to

369 views • 12 slides
p(E|H p(E|H p ) p ) p(E|H p(E|H d ) d ) Need for testing In forensic voice comparison,

p(E|H p(E|H p ) p ) p(E|H p(E|H d ) d ) Need for testing In forensic voice comparison,

Multi-laboratory evaluation of forensic voice comparison systems under conditions reflecting those of a real forensic case forensic_eval_01 Geoffrey Stewart Morrison Ewald Enzinger p(E|H p(E|H p ) p ) p(E|H p(E|H d ) d ) Need for testing

337 views • 21 slides
Trip Report FINAL MEETING AND SUMMER SCHOOL OF DFG PRIORITY PROGRAM ALGORITHM ENGINEERING DFG

Trip Report FINAL MEETING AND SUMMER SCHOOL OF DFG PRIORITY PROGRAM ALGORITHM ENGINEERING DFG

Trip Report FINAL MEETING AND SUMMER SCHOOL OF DFG PRIORITY PROGRAM ALGORITHM ENGINEERING DFG PP 1307: Algorithm Engineering DFG Priority Program: nationwide funding program over 6 years for up to 30 individual projects PP 1307: Algorithm

243 views • 21 slides
Ascent timescales at the Onset of the Oruanui, NZ Supereruption Madison Myers University of

Ascent timescales at the Onset of the Oruanui, NZ Supereruption Madison Myers University of

Ascent timescales at the Onset of the Oruanui, NZ Supereruption Madison Myers University of Oregon In collaboration with: Paul J. Wallace, Colin J.N. Wilson, Jim Watkins and Yang Liu How are large volume eruptions triggered? Chamber Triggered

212 views • 18 slides
When Malware is Packin Heat; Limits of Machine Learning Classifiers Based on Static Analysis

When Malware is Packin Heat; Limits of Machine Learning Classifiers Based on Static Analysis

When Malware is Packin Heat; Limits of Machine Learning Classifiers Based on Static Analysis Features Hojjat Aghakhani , Fabio Gri*, Francesco Mecca, Mar0na Lindorfer, Stefano Ortolani, Davide Balzaro*, Giovanni Vigna, Christopher Kruegel

1.01k views • 53 slides
Modeling Analytics for Computational Storage Veronica Lagrange, Harry Li, Anahita Shayesteh

Modeling Analytics for Computational Storage Veronica Lagrange, Harry Li, Anahita Shayesteh

Modeling Analytics for Computational Storage Veronica Lagrange, Harry Li, Anahita Shayesteh Memory Solutions Lab 07 April 2020 Version 1.2 Samsung Semiconductor, Inc. ICPE 2020 Agenda Modeling Analytics for Computational Storage

848 views • 21 slides
Fronthaul Compression for Cloud Radio Access Networks O. Simeone New Jersey Institute of

Fronthaul Compression for Cloud Radio Access Networks O. Simeone New Jersey Institute of

Fronthaul Compression for Cloud Radio Access Networks O. Simeone New Jersey Institute of Technology (NJIT) Joint work with S.-H. Park 1 , O. Sahin 2 and S. Shamai 3 3 1 2 Cloud Radio Access Networks Base stations operate as radio units

1.09k views • 57 slides
Detect New Physics with Deep Learning Trigger at the LHC Zhenbin Wu (UIC) Thong Nguyen

Detect New Physics with Deep Learning Trigger at the LHC Zhenbin Wu (UIC) Thong Nguyen

Detect New Physics with Deep Learning Trigger at the LHC Zhenbin Wu (UIC) Thong Nguyen (Caltech), Maurizio Pierini(CERN) --on behalf of the CMS collaboration CPAD Instrumentation Frontier Workshop December 8-10, 2019 The LHC Big Data Problem

750 views • 20 slides
Efficient compression of SIDH public keys Craig Costello 1 David Jao 2 Patrick Longa 1 Michael

Efficient compression of SIDH public keys Craig Costello 1 David Jao 2 Patrick Longa 1 Michael

Efficient compression of SIDH public keys Craig Costello 1 David Jao 2 Patrick Longa 1 Michael Naehrig 1 Joost Renes 3 David Urbanik 2 1 Microsoft Research, Redmond, USA 2 University of Waterloo, Ontario, Canada 3 Radboud University, Nijmegen, The

835 views • 44 slides

More recommend