ASPLOS XI, October 11, 2004
Secure Program Execution via Dynamic Information Flow Tracking
G. Edward Suh, Jae W. Lee, David Zhang, Srinivas Devadas
Slide 2
Attackers can gain total control of victim processes
Very difficult, if not impossible, to eliminate the bugs
Safe languages: re-programming, performance hit
Fix programs (new libraries, compilers): partial protection, re-compilation
Run-time monitoring: program shepherding
Other hardware solutions: partial protection
Slide 3
Focus on attacks to gain total control (shell)
Should work for legacy code and shared libraries: transparent to applications, run-time checks
Should have low overhead (performance and memory space)
Slide 4
Step 1. Inject malicious data through legitimate channels
Long input for buffer overflows
Step 2. Bugs modify unintended memory locations
The data flows into buf[] and past its end
Step 3. Take over control
Jump to injected target address (return address in the example)
Execute injected code

int func(void) { char buf[256]; while (gets(buf)) { ... } }   /* gets() imposes no length limit, so input longer than 256 bytes overruns buf */

[Figure: stack layout before and after the attack. Normal stack: other variables, buf (256 bytes), return address. Under attack: malicious input data from gets() fills buf and continues over the return address (used for return), and the injected code arrives as part of that input.]
Slide 5
Both OS and applications explicitly manage I/O
Instructions: execute malicious code from I/O
Code pointers: arbitrarily redirect the control flow
Data pointers for stores: overwrite a critical program variable (valid_passwd = 1)
Slide 6
[Figure: overview. I/O and other processes feed data into the program; a program vulnerability leads to unintended uses of that data; the operating system and the processor cooperate to detect them.]
Step 1. OS tags potentially malicious inputs as spurious (security tags: 0 – authentic, 1 – spurious)
Step 2. Processors track the flow of the spurious values (dynamic information flow tracking)
Step 3. Detect attacks: use of spurious values (processor checks + trap handler)
Slide 7
[Figure: architecture. The operating system's execution monitor tags spurious I/O at the I/O interface, loads the security policy into the processor, and runs the trap handler; the processor's information flow tracker tracks the tags and its tag checker raises traps.]
Slide 9
1-bit information to indicate whether a piece of data can be trusted
0 – authentic
1 – spurious
Granularity
One for each general purpose register (GPR)
One for each byte in memory – 12.5% overhead with naïve management
Multi-granularity tags: only 1.4% space overhead, 2.1% bandwidth
At start-up, all instructions and initial data are tagged "authentic"
During execution, the execution monitor sets the tag for each I/O input according to the security policy
[Figure: a GPR (32 or 64 bits) carries one 0/1 tag; each memory byte carries one 0/1 tag.]
Slide 10
Compute a new security tag for each operation
If spurious data controls a result, the result is also spurious
Various types of dependencies exist
Direct copy: load/store spurious data
Computation: compute from spurious data (pointer additions, other computations)
Load address: load from spurious address
Store address: store into spurious address
Propagation Control Register (PCR) determines which dependencies to track
Execution monitor sets the register based on the security policy
Slide 11
[Figure: three propagation examples, each with R1 tagged spurious (1).
Computation R3 = R1 op R2: T[R3] = T[R1] OR T[R2], so R3 is tagged spurious.
Load LD R2, Imm(R1): T[R2] = T[MEM] OR T[R1]; the address R1+Imm is spurious, so R2 is tagged spurious even though the memory word is authentic.
Store ST R1, Imm(R2) (the figure labels the address register R3): T[MEM] = T[R3] OR T[R1]; the stored memory bytes are tagged spurious.]
Slide 12
Instructions
Load addresses
Store addresses
Jump target addresses
Slide 13
1-bit tag for each GPR
Small modification to ALU: tag computation (logical OR)
TLB contains tag types and tag pointers
Separate tag caches: allow parallel accesses to data and tags; exploit multi-granularity tags; tags will often be less than 1/8 of data
[Figure: core with registers; I-TLB and D-TLB hold tag types and pointers; L1 I$/D$ and L2 sit beside the L1/L2 tag caches (T$-L1, T$-L2) that hold the security tags, sized at 1/8 of the data caches; all share the memory bus.]
Slide 15
I/O channels to be tagged
Dependencies to be tracked
Trap conditions
Software checks in the handler
Slide 16
I/O channels to be tagged: ALL
Dependencies to be tracked: ALL
Trap conditions: instruction, jump target address, store address
Software checks in the handler: terminate the process
False alarms from spurious pointers: need to balance security and false positives
Slide 17
[Figure: jump through a table indexed by an offset from I/O. The offset (tag 1, spurious) passes the program's bound check 0 ≤ offset < n, is multiplied by 4 and added to the authentic base pointer (tag 0) through a computation dependency; the resulting load address carries a load-address dependency into the entry PTR_offset fetched from the jump table PTR_1 … PTR_n, so the jump pointer is tagged spurious.]
Slide 18
I/O channels to be tagged: ALL
Dependencies to be tracked: ALL but pointer offsets
Trap conditions: instruction, jump target address, store address
Software checks in the handler: terminate the process
For pointer additions such as [4*r1+r2] in x86 or s4addq r1, r2, r3 (r3 = r2 + 4*r1) in Alpha, the new tag is T[r2], assuming the bound check is done.
Slide 19
[Figure: registers and memory during a return. Memory words written from I/O (data, injected instructions, and the saved return address) all carry tag 1. LD R1, Imm(SP) loads the return address into R1 together with its spurious tag; the tag check on JR R1 (return) raises a trap: spurious jump target address.]
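An added example, not the authors' code: a toy register machine in Python that applies the tag rules of slides 10-11 under a PCR, traps on a spurious jump target (slide 16), and replays the return-address case of slide 19 and the bound-checked jump table of slides 17-18 under both policies. Assumptions: one tag per memory word rather than per byte, direct copies always propagate, only the jump-target check is modelled, and all addresses and values are constructed.

```python
AUTHENTIC, SPURIOUS = 0, 1
ALL = {"ptr_offset", "load_addr"}          # PCR dependency bits modelled here (slide 10)
ALL_BUT_OFFSETS = ALL - {"ptr_offset"}     # the relaxed policy of slide 18

class Trap(Exception): pass   # raised where the processor would trap to the OS handler

class DIFT:
    def __init__(self, pcr):
        self.pcr, self.regs, self.mem = pcr, {}, {}   # untouched state is authentic
    def reg(self, r):
        return self.regs.get(r, (0, AUTHENTIC))
    def io_write(self, addr, words):               # execution monitor tags I/O input
        for i, w in enumerate(words):
            self.mem[addr + i] = (w, SPURIOUS)
    def s4add(self, rd, ridx, rbase):              # Alpha s4addq: rd = rbase + 4*ridx
        (i, ti), (b, tb) = self.reg(ridx), self.reg(rbase)
        self.regs[rd] = (b + 4 * i, tb | (ti if "ptr_offset" in self.pcr else 0))
    def load(self, rd, raddr, imm=0):              # T[rd] = T[MEM] OR T[raddr]
        a, ta = self.reg(raddr)
        v, tv = self.mem.get(a + imm, (0, AUTHENTIC))   # direct copy always tracked
        self.regs[rd] = (v, tv | (ta if "load_addr" in self.pcr else 0))
    def jump(self, r):                             # tag check on the jump target
        v, t = self.reg(r)
        if t: raise Trap("spurious jump target")   # trap condition of slide 16
        return v

def return_attack():                               # slide 19: long gets() input
    m = DIFT(ALL)
    m.regs["SP"] = (0x1000, AUTHENTIC)
    m.mem[0x1100] = (0x4000, AUTHENTIC)            # saved return address past buf[256]
    m.io_write(0x1000, [0x41] * 257)               # 257 words of input overrun into it
    m.load("R1", "SP", 0x100)                      # LD R1, Imm(SP)
    try:
        return m.jump("R1")                        # JR R1 (return)
    except Trap as e:
        return str(e)

def jump_table(pcr):                               # slides 17-18: bound-checked index
    m = DIFT(pcr)
    for k in range(4):
        m.mem[0x2000 + 4 * k] = (0x3000 + k, AUTHENTIC)   # PTR_0 .. PTR_3, authentic
    m.regs["R1"], m.regs["R2"] = (2, SPURIOUS), (0x2000, AUTHENTIC)  # offset from I/O, base
    if not 0 <= m.reg("R1")[0] < 4:                # the program's own bound check
        return "rejected by bound check"
    m.s4add("R3", "R1", "R2")                      # base + 4*offset
    m.load("R4", "R3")                             # R4 = PTR_offset
    try:
        return m.jump("R4")
    except Trap as e:
        return str(e)
```

Under ALL the jump-table call reproduces the false alarm of slide 17, because the pointer-offset and load-address dependencies make the authentic table entry spurious; under ALL_BUT_OFFSETS the entry keeps its tag and the jump proceeds.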
Slide 21
Keyboard and network I/O are tagged spurious
Used to evaluate the effectiveness of our scheme
x86 applications on Debian Linux (3.0r0)
All I/O are tagged spurious
sim-fast: functional evaluations (false alarms, space …)
sim-…: performance evaluations
SPEC CPU2000 benchmarks
Slide 22
Covers all 20 combinations possible in practice
Overwrite technique: direct, pointer redirection
Buffer location: stack, heap/BSS/data
Attack targets: return address, base pointer, function pointer, and longjmp buffers
The best protection scheme in 2003 detected only 50%
Overflow a buffer or use the %n conversion specification
So far, all known attacks directly inject pointers or instructions: lenient tag propagation does not matter
Slide 23
Debian Linux 3.0 (keyboard, network marked spurious)
System commands: ls, cp, vi, ping, etc.
Server/client: a simple http server (TinyHttpd2) – marked spurious
SUN's JAVA SDK 1.3 HotSpot VM with JIT: input files are marked spurious
Slide 24
[Figure: normalized IPC (0.7 to 1.05) for the SPEC CPU2000 benchmarks ammp, applu, apsi, art, crafty, eon, equake, gap, gcc, gzip, mcf, mesa, mgrid, parser, sixtrack, swim, twolf, vortex, vpr, wupwise and their average, at L2 sizes of 512KB, 1MB, 2MB and 4MB.]
Various L2 sizes with 1/8 tag caches – 1.1% degradation on average
Pessimistic overhead: the baseline case gets 12.5% larger caches if it helps
With the same cache sizes, the performance degradation is less than 0.1% in the worst case.
Slide 25
Dynamic information flow tracking provides a powerful tool for system security
Tells whether a value came from untrusted I/O or not
Can restrict the use of potentially malicious input values
Our protection scheme is effective against a large class of attacks
Stops both buffer overflow and format string attacks
No false alarms for real-world applications
The overhead of tagging can be small
1.4% space, 2.1% bandwidth, 1.1% performance overhead
Many extensions are possible
Automatically identify bound checks and strictly follow dependencies
Combine with static analysis
Other applications such as protecting private information or debugging