Effective Memory Protection Using Dynamic Tainting (ASE 2007)

1. College of Computing Georgia Institute of Technology Supported in part by: NSF awards CCF-0541080 and CCR-0205422 to Georgia Tech, DHS and US Air Force Contract No. FA8750-05-2-0214 Effective Memory Protection Using Dynamic Tainting Ioannis Doudalis Milos Prvulovic (hardware) James Clause Alessandro Orso (software) and

2. void main() { 1. int *np, n, i, *buf; 2. np = &n; 3. printf(“Enter size: “); 4. scanf(“%d”, np); 5. buf = malloc(n * sizeof(int)); 6. for(i = 0; i <= n; i++) 7. *(buf + i) = rand()%10; ... } Illegal memory accesses (IMA) Memory

5. void main() { 1. int *np, n, i, *buf; 2. np = &n; 3. printf(“Enter size: “); 4. scanf(“%d”, np); 5. buf = malloc(n * sizeof(int)); 6. for(i = 0; i <= n; i++) 7. *(buf + i) = rand()%10; ... } Illegal memory accesses (IMA) Memory buf: np: i: n:

9. void main() { 1. int *np, n, i, *buf; 2. np = &n; 3. printf(“Enter size: “); 4. scanf(“%d”, np); 5. buf = malloc(n * sizeof(int)); 6. for(i = 0; i <= n; i++) 7. *(buf + i) = rand()%10; ... } Illegal memory accesses (IMA) Memory buf: np: i: n: 3

13. void main() { 1. int *np, n, i, *buf; 2. np = &n; 3. printf(“Enter size: “); 4. scanf(“%d”, np); 5. buf = malloc(n * sizeof(int)); 6. for(i = 0; i <= n; i++) 7. *(buf + i) = rand()%10; ... } Illegal memory accesses (IMA) Memory buf: np: i: n: 9 3 0

14. void main() { 1. int *np, n, i, *buf; 2. np = &n; 3. printf(“Enter size: “); 4. scanf(“%d”, np); 5. buf = malloc(n * sizeof(int)); 6. for(i = 0; i <= n; i++) 7. *(buf + i) = rand()%10; ... } Illegal memory accesses (IMA) Memory buf: np: i: n: 9 8 2 3 2

15. void main() { 1. int *np, n, i, *buf; 2. np = &n; 3. printf(“Enter size: “); 4. scanf(“%d”, np); 5. buf = malloc(n * sizeof(int)); 6. for(i = 0; i <= n; i++) 7. *(buf + i) = rand()%10; ... } Illegal memory accesses (IMA) Memory i <= n ➜ i < n buf: np: i: n: 9 8 2 3 2

18. void main() { 1. int *np, n, i, *buf; 2. np = &n; 3. printf(“Enter size: “); 4. scanf(“%d”, np); 5. buf = malloc(n * sizeof(int)); 6. for(i = 0; i <= n; i++) 7. *(buf + i) = rand()%10; ... } Illegal memory accesses (IMA) Memory buf: np: i: n: 9 8 2 3 3 7

19. void main() { 1. int *np, n, i, *buf; 2. np = &n; 3. printf(“Enter size: “); 4. scanf(“%d”, np); 5. buf = malloc(n * sizeof(int)); 6. for(i = 0; i <= n; i++) 7. *(buf + i) = rand()%10; ... } Illegal memory accesses (IMA) Memory buf: np: i: n: 9 8 2 3 3 7

20. void main() { 1. int *np, n, i, *buf; 2. np = &n; 3. printf(“Enter size: “); 4. scanf(“%d”, np); 5. buf = malloc(n * sizeof(int)); 6. for(i = 0; i <= n; i++) 7. *(buf + i) = rand()%10; ... } Illegal memory accesses (IMA) Memory buf: np: i: n: 9 8 2 3 3 7 Illegal memory accesses • Caused by common programming mistakes • Cause non-deterministic failures • Cause security vulnerabilities

21. Previous work Static techniques •Language based e.g., Jim et al. 02, Necula et al. 05 •Analysis based e.g., Dor et al. 03, Hallem et al. 02, Heine and Lam 03, Xie et al. 03 Dynamic techniques •Analysis based e.g., Dhurjati and Adve 06, Ruwase and Lam 04, Xu et al. 04, Hastings and Joyce 92, Seward and Nethercote 05 •Hardware based e.g., Qin et al. 05,Venkataramani et al. 07, Crandall and Chong 04, Dalton et al. 07,Vachharajani et al. 04

22. Previous work Static techniques •Language based e.g., Jim et al. 02, Necula et al. 05 •Analysis based e.g., Dor et al. 03, Hallem et al. 02, Heine and Lam 03, Xie et al. 03 Dynamic techniques •Analysis based e.g., Dhurjati and Adve 06, Ruwase and Lam 04, Xu et al. 04, Hastings and Joyce 92, Seward and Nethercote 05 •Hardware based e.g., Qin et al. 05,Venkataramani et al. 07, Crandall and Chong 04, Dalton et al. 07,Vachharajani et al. 04 }Require source code

23. Previous work Static techniques •Language based e.g., Jim et al. 02, Necula et al. 05 •Analysis based e.g., Dor et al. 03, Hallem et al. 02, Heine and Lam 03, Xie et al. 03 Dynamic techniques •Analysis based e.g., Dhurjati and Adve 06, Ruwase and Lam 04, Xu et al. 04, Hastings and Joyce 92, Seward and Nethercote 05 •Hardware based e.g., Qin et al. 05,Venkataramani et al. 07, Crandall and Chong 04, Dalton et al. 07,Vachharajani et al. 04 } } Require source code Unacceptable overhead

24. Previous work Static techniques •Language based e.g., Jim et al. 02, Necula et al. 05 •Analysis based e.g., Dor et al. 03, Hallem et al. 02, Heine and Lam 03, Xie et al. 03 Dynamic techniques •Analysis based e.g., Dhurjati and Adve 06, Ruwase and Lam 04, Xu et al. 04, Hastings and Joyce 92, Seward and Nethercote 05 •Hardware based e.g., Qin et al. 05,Venkataramani et al. 07, Crandall and Chong 04, Dalton et al. 07,Vachharajani et al. 04 } } Require source code Unacceptable overhead } Extensive modiﬁcation

25. Previous work Static techniques •Language based e.g., Jim et al. 02, Necula et al. 05 •Analysis based e.g., Dor et al. 03, Hallem et al. 02, Heine and Lam 03, Xie et al. 03 Dynamic techniques •Analysis based e.g., Dhurjati and Adve 06, Ruwase and Lam 04, Xu et al. 04, Hastings and Joyce 92, Seward and Nethercote 05 •Hardware based e.g., Qin et al. 05,Venkataramani et al. 07, Crandall and Chong 04, Dalton et al. 07,Vachharajani et al. 04 } } Require source code Unacceptable overhead We define our approach to overcome these limitations • Operate at the binary level • Use hardware to reduce overhead • Minimal, practical modifications } Extensive modification

26. Approach overview

27. 1 Assign taint marks Approach overview

28. 1 Assign taint marks Approach overview P1 A

29. P1 1 A 1 1 Assign taint marks Approach overview

30. 1 Assign taint marks Approach overview P1 P2 1 2 AB 12

31. 1 Assign taint marks Approach overview P3 P1 P2 3 1 2 AC B 123

32. 1 Assign taint marks Approach overview P3 P1 P2 3 1 2 P5 AC B 123 P4

33. 1 Assign taint marks Approach overview 2 Propagate taint marks P3 P1 P2 3 1 2 P5 AC B 123 P4

34. 1 Assign taint marks Approach overview 2 Propagate taint marks P3 P1 P2 3 1 2 P5 AC B 123 P4

35. 1 Assign taint marks Approach overview 2 Propagate taint marks P3 P1 P2 3 1 2 P5 3 AC B 123 P4 1

36. 1 Assign taint marks Approach overview 3 Check taint marks 2 Propagate taint marks P3 P1 P2 3 1 2 P5 3 AC B 123 P4 1

39. 1 Assign taint marks Approach overview 3 Check taint marks 2 Propagate taint marks P3 P1 P2 3 1 2 P5 3 AC B 123 P4 1 ✔

40. 1 Assign taint marks Approach overview 3 Check taint marks 2 Propagate taint marks P3 P1 P2 3 1 2 AC B 123 P4 P5 3 1

41. 1 Assign taint marks Approach overview 3 Check taint marks 2 Propagate taint marks P3 P1 P2 3 1 2 AC B 123 P4 P5 3 1

42. 1 Assign taint marks Approach overview 3 Check taint marks 2 Propagate taint marks P3 P1 P2 3 1 2 AC B 123 P4 ✘ P5 3 1

43. Outline • Our approach 1. Assigning taint marks 2. Propagating taint marks 3. Checking taint marks • Empirical evaluation • Conclusions

44. Memory Pointers 1 Assigning taint marksStaticDynamic void main() { int *np, n, i, *buf; np = &n; printf(“Enter size: “); scanf(“%d”, np); buf = malloc(n * sizeof(int)); for(i = 0; i <= n; i++) *(buf + i) = rand()%10; ... } Static memory allocations 1 Identify the ranges of allocated memory 2 Assign a unique taint mark to each range buf: np: i: n: 4321 void main() { int *np, n, i, *buf; np = &n; printf(“Enter size: “); scanf(“%d”, np); buf = malloc(n * sizeof(int)); for(i = 0; i <= n; i++) *(buf + i) = rand()%10; ... } Pointers to statically allocated memory 1 Identify pointer creation sites 2 Assign the pointer the same taint mark as the memory it points to 1 Identify the ranges of allocated memory 2 Assign a unique taint mark to each range buf: np: i: n: 4 2 321 3 void main() { int *np, n, i, *buf; np = &n; printf(“Enter size: “); scanf(“%d”, np); buf = malloc(n * sizeof(int)); for(i = 0; i <= n; i++) *(buf + i) = rand()%10; ... } Dynamic memory allocations 1 Identify pointer creation sites 2 Assign the pointer the same taint mark as the memory it points to buf: np: i: n: 4 2 321555 3 void main() { int *np, n, i, *buf; np = &n; printf(“Enter size: “); scanf(“%d”, np); buf = malloc(n * sizeof(int)); for(i = 0; i <= n; i++) *(buf + i) = rand()%10; ... } Pointers to dynamically allocated memory void main() { int *np, n, i, *buf; np = &n; printf(“Enter size: “); scanf(“%d”, np); buf = malloc(n * sizeof(int)); for(i = 0; i <= n; i++) *(buf + i) = rand()%10; ... } Static memory allocations 1 Identify the ranges of allocated memory 2 Assign a unique taint mark to each range buf: np: i: n: 4321 void main() { int *np, n, i, *buf; np = &n; printf(“Enter size: “); scanf(“%d”, np); buf = malloc(n * sizeof(int)); for(i = 0; i <= n; i++) *(buf + i) = rand()%10; ... } Pointers to statically allocated memory 1 Identify pointer creation sites 2 Assign the pointer the same taint mark as the memory it points to 1 Identify the ranges of allocated memory 2 Assign a unique taint mark to each range buf: np: i: n: 4 2 321 3 void main() { int *np, n, i, *buf; np = &n; printf(“Enter size: “); scanf(“%d”, np); buf = malloc(n * sizeof(int)); for(i = 0; i <= n; i++) *(buf + i) = rand()%10; ... } Dynamic memory allocations 1 Identify pointer creation sites 2 Assign the pointer the same taint mark as the memory it points to buf: np: i: n: 4 2 321555 3 void main() { int *np, n, i, *buf; np = &n; printf(“Enter size: “); scanf(“%d”, np); buf = malloc(n * sizeof(int)); for(i = 0; i <= n; i++) *(buf + i) = rand()%10; ... } Pointers to dynamically allocated memory

45. Memory Pointers 1 Assigning taint marksStaticDynamic void main() { int *np, n, i, *buf; np = &n; printf(“Enter size: “); scanf(“%d”, np); buf = malloc(n * sizeof(int)); for(i = 0; i <= n; i++) *(buf + i) = rand()%10; ... } Static memory allocations 1 Identify the ranges of allocated memory 2 Assign a unique taint mark to each range void main() { int *np, n, i, *buf; np = &n; printf(“Enter size: “); scanf(“%d”, np); buf = malloc(n * sizeof(int)); for(i = 0; i <= n; i++) *(buf + i) = rand()%10; ... } Static memory allocations 1 Identify the ranges of allocated memory 2 Assign a unique taint mark to each range

46. Memory Pointers 1 Assigning taint marksStaticDynamic void main() { int *np, n, i, *buf; np = &n; printf(“Enter size: “); scanf(“%d”, np); buf = malloc(n * sizeof(int)); for(i = 0; i <= n; i++) *(buf + i) = rand()%10; ... } Static memory allocations 1 Identify the ranges of allocated memory 2 Assign a unique taint mark to each range void main() { int *np, n, i, *buf; np = &n; printf(“Enter size: “); scanf(“%d”, np); buf = malloc(n * sizeof(int)); for(i = 0; i <= n; i++) *(buf + i) = rand()%10; ... } Static memory allocations 1 Identify the ranges of allocated memory 2 Assign a unique taint mark to each range buf: np: i: n:

47. Memory Pointers 1 Assigning taint marksStaticDynamic void main() { int *np, n, i, *buf; np = &n; printf(“Enter size: “); scanf(“%d”, np); buf = malloc(n * sizeof(int)); for(i = 0; i <= n; i++) *(buf + i) = rand()%10; ... } Static memory allocations 1 Identify the ranges of allocated memory 2 Assign a unique taint mark to each range void main() { int *np, n, i, *buf; np = &n; printf(“Enter size: “); scanf(“%d”, np); buf = malloc(n * sizeof(int)); for(i = 0; i <= n; i++) *(buf + i) = rand()%10; ... } Static memory allocations 1 Identify the ranges of allocated memory 2 Assign a unique taint mark to each range buf: np: i: n: { [&np, &np + sizeof(int *))

48. Memory Pointers 1 Assigning taint marksStaticDynamic void main() { int *np, n, i, *buf; np = &n; printf(“Enter size: “); scanf(“%d”, np); buf = malloc(n * sizeof(int)); for(i = 0; i <= n; i++) *(buf + i) = rand()%10; ... } Static memory allocations 1 Identify the ranges of allocated memory 2 Assign a unique taint mark to each range void main() { int *np, n, i, *buf; np = &n; printf(“Enter size: “); scanf(“%d”, np); buf = malloc(n * sizeof(int)); for(i = 0; i <= n; i++) *(buf + i) = rand()%10; ... } Static memory allocations 1 Identify the ranges of allocated memory 2 Assign a unique taint mark to each range buf: np: i: n:

49. Memory Pointers 1 Assigning taint marksStaticDynamic void main() { int *np, n, i, *buf; np = &n; printf(“Enter size: “); scanf(“%d”, np); buf = malloc(n * sizeof(int)); for(i = 0; i <= n; i++) *(buf + i) = rand()%10; ... } Static memory allocations 1 Identify the ranges of allocated memory 2 Assign a unique taint mark to each range void main() { int *np, n, i, *buf; np = &n; printf(“Enter size: “); scanf(“%d”, np); buf = malloc(n * sizeof(int)); for(i = 0; i <= n; i++) *(buf + i) = rand()%10; ... } Static memory allocations 1 Identify the ranges of allocated memory 2 Assign a unique taint mark to each range buf: np: i: n: 4321

51. Memory Pointers 1 Assigning taint marksStaticDynamic buf: np: i: n: 4321 void main() { int *np, n, i, *buf; np = &n; printf(“Enter size: “); scanf(“%d”, np); buf = malloc(n * sizeof(int)); for(i = 0; i <= n; i++) *(buf + i) = rand()%10; ... } Pointers to statically allocated memory 1 Identify pointer creation sites 2 Assign the pointer the same taint mark as the memory it points to buf: np: i: n: 4321 void main() { int *np, n, i, *buf; np = &n; printf(“Enter size: “); scanf(“%d”, np); buf = malloc(n * sizeof(int)); for(i = 0; i <= n; i++) *(buf + i) = rand()%10; ... } Pointers to statically allocated memory 1 Identify pointer creation sites 2 Assign the pointer the same taint mark as the memory it points to

52. Memory Pointers 1 Assigning taint marksStaticDynamic buf: np: i: n: 4321 void main() { int *np, n, i, *buf; np = &n; printf(“Enter size: “); scanf(“%d”, np); buf = malloc(n * sizeof(int)); for(i = 0; i <= n; i++) *(buf + i) = rand()%10; ... } Pointers to statically allocated memory 1 Identify pointer creation sites 2 Assign the pointer the same taint mark as the memory it points to buf: np: i: n: 4321 void main() { int *np, n, i, *buf; np = &n; printf(“Enter size: “); scanf(“%d”, np); buf = malloc(n * sizeof(int)); for(i = 0; i <= n; i++) *(buf + i) = rand()%10; ... } Pointers to statically allocated memory 1 Identify pointer creation sites 2 Assign the pointer the same taint mark as the memory it points to address-of operator (&)

54. Memory Pointers 1 Assigning taint marksStaticDynamic buf: np: i: n: 4321 void main() { int *np, n, i, *buf; np = &n; printf(“Enter size: “); scanf(“%d”, np); buf = malloc(n * sizeof(int)); for(i = 0; i <= n; i++) *(buf + i) = rand()%10; ... } Pointers to statically allocated memory 1 Identify pointer creation sites 2 Assign the pointer the same taint mark as the memory it points to buf: np: i: n: 4321 void main() { int *np, n, i, *buf; np = &n; printf(“Enter size: “); scanf(“%d”, np); buf = malloc(n * sizeof(int)); for(i = 0; i <= n; i++) *(buf + i) = rand()%10; ... } Pointers to statically allocated memory 1 Identify pointer creation sites 2 Assign the pointer the same taint mark as the memory it points to buf: np: i: n: 4321

57. Memory Pointers 1 Assigning taint marksStaticDynamic 1 Identify the ranges of allocated memory 2 Assign a unique taint mark to each range buf: np: i: n: 4 2 321 3 void main() { int *np, n, i, *buf; np = &n; printf(“Enter size: “); scanf(“%d”, np); buf = malloc(n * sizeof(int)); for(i = 0; i <= n; i++) *(buf + i) = rand()%10; ... } Dynamic memory allocations 1 Identify the ranges of allocated memory 2 Assign a unique taint mark to each range buf: np: i: n: 4 2 321 3 void main() { int *np, n, i, *buf; np = &n; printf(“Enter size: “); scanf(“%d”, np); buf = malloc(n * sizeof(int)); for(i = 0; i <= n; i++) *(buf + i) = rand()%10; ... } Dynamic memory allocations

58. Memory Pointers 1 Assigning taint marksStaticDynamic 1 Identify the ranges of allocated memory 2 Assign a unique taint mark to each range buf: np: i: n: 4 2 321 3 void main() { int *np, n, i, *buf; np = &n; printf(“Enter size: “); scanf(“%d”, np); buf = malloc(n * sizeof(int)); for(i = 0; i <= n; i++) *(buf + i) = rand()%10; ... } Dynamic memory allocations 1 Identify the ranges of allocated memory 2 Assign a unique taint mark to each range buf: np: i: n: 4 2 321 3 void main() { int *np, n, i, *buf; np = &n; printf(“Enter size: “); scanf(“%d”, np); buf = malloc(n * sizeof(int)); for(i = 0; i <= n; i++) *(buf + i) = rand()%10; ... } Dynamic memory allocations buf: np: i: n: 4 2 321 3

59. Memory Pointers 1 Assigning taint marksStaticDynamic 1 Identify the ranges of allocated memory 2 Assign a unique taint mark to each range buf: np: i: n: 4 2 321 3 void main() { int *np, n, i, *buf; np = &n; printf(“Enter size: “); scanf(“%d”, np); buf = malloc(n * sizeof(int)); for(i = 0; i <= n; i++) *(buf + i) = rand()%10; ... } Dynamic memory allocations 1 Identify the ranges of allocated memory 2 Assign a unique taint mark to each range buf: np: i: n: 4 2 321 3 void main() { int *np, n, i, *buf; np = &n; printf(“Enter size: “); scanf(“%d”, np); buf = malloc(n * sizeof(int)); for(i = 0; i <= n; i++) *(buf + i) = rand()%10; ... } Dynamic memory allocations buf: np: i: n: 4 2 321 3 [ret, ret + arg0) {

63. Memory Pointers 1 Assigning taint marksStaticDynamic 1 Identify pointer creation sites 2 Assign the pointer the same taint mark as the memory it points to buf: np: i: n: 4 2 321555 3 void main() { int *np, n, i, *buf; np = &n; printf(“Enter size: “); scanf(“%d”, np); buf = malloc(n * sizeof(int)); for(i = 0; i <= n; i++) *(buf + i) = rand()%10; ... } Pointers to dynamically allocated memory 1 Identify pointer creation sites 2 Assign the pointer the same taint mark as the memory it points to buf: np: i: n: 4 2 321555 3 void main() { int *np, n, i, *buf; np = &n; printf(“Enter size: “); scanf(“%d”, np); buf = malloc(n * sizeof(int)); for(i = 0; i <= n; i++) *(buf + i) = rand()%10; ... } Pointers to dynamically allocated memory

64. Memory Pointers 1 Assigning taint marksStaticDynamic 1 Identify pointer creation sites 2 Assign the pointer the same taint mark as the memory it points to buf: np: i: n: 4 2 321555 3 void main() { int *np, n, i, *buf; np = &n; printf(“Enter size: “); scanf(“%d”, np); buf = malloc(n * sizeof(int)); for(i = 0; i <= n; i++) *(buf + i) = rand()%10; ... } Pointers to dynamically allocated memory 1 Identify pointer creation sites 2 Assign the pointer the same taint mark as the memory it points to buf: np: i: n: 4 2 321555 3 void main() { int *np, n, i, *buf; np = &n; printf(“Enter size: “); scanf(“%d”, np); buf = malloc(n * sizeof(int)); for(i = 0; i <= n; i++) *(buf + i) = rand()%10; ... } Pointers to dynamically allocated memory return value of malloc

66. Memory Pointers 1 Assigning taint marksStaticDynamic 1 Identify pointer creation sites 2 Assign the pointer the same taint mark as the memory it points to buf: np: i: n: 4 2 321555 3 void main() { int *np, n, i, *buf; np = &n; printf(“Enter size: “); scanf(“%d”, np); buf = malloc(n * sizeof(int)); for(i = 0; i <= n; i++) *(buf + i) = rand()%10; ... } Pointers to dynamically allocated memory 1 Identify pointer creation sites 2 Assign the pointer the same taint mark as the memory it points to buf: np: i: n: 4 2 321555 3 void main() { int *np, n, i, *buf; np = &n; printf(“Enter size: “); scanf(“%d”, np); buf = malloc(n * sizeof(int)); for(i = 0; i <= n; i++) *(buf + i) = rand()%10; ... } Pointers to dynamically allocated memory buf: np: i: n: 4 2 321555 3

69. AND Addition, Subtraction Overview Propagating taint marks2 Multiplication, Division, OR, XOR Overview P1 1 P2

70. AND Addition, Subtraction Overview Propagating taint marks2 Multiplication, Division, OR, XOR Overview +, −, ×, ÷, and, or, xor, ... P1 1 P2

71. AND Addition, Subtraction Overview Propagating taint marks2 Multiplication, Division, OR, XOR Overview +, −, ×, ÷, and, or, xor, ... P1 1 P2 Should the result be tainted? If so, how?

72. AND Addition, Subtraction Overview Propagating taint marks2 Multiplication, Division, OR, XOR Overview • Propagation must take into account both operation semantics and programmer intent +, −, ×, ÷, and, or, xor, ... P1 1 P2 Should the result be tainted? If so, how?

73. AND Addition, Subtraction Overview Propagating taint marks2 Multiplication, Division, OR, XOR Overview • Propagation must take into account both operation semantics and programmer intent • Our policy is based on knowledge of C/C++/assembly and patterns observed in real software +, −, ×, ÷, and, or, xor, ... P1 1 P2 Should the result be tainted? If so, how?

74. AND Addition, Subtraction Overview Propagating taint marks2 Multiplication, Division, OR, XOR Addition, Subtraction A +/− B = C A B C Most common use of addition and subtraction is to add or subtract a pointer and an offset 1 1 1 /1 no taint ...

75. AND Addition, Subtraction Overview Propagating taint marks2 Multiplication, Division, OR, XOR AND The result of anding a pointer and a mask should be treated differently depending on the value of the mask c = a & 0xffffff00 - base address c = a & 0x000000ff - offset A & B = C A B C 1 or1 no taint ...

76. AND Addition, Subtraction Overview Propagating taint marks2 Multiplication, Division, OR, XOR Multiplication, Division, OR, XOR We found zero cases where the result of any of these operations was a pointer

77. Checking taint marks When memory is accessed through a pointer: compare the memory taint mark and the pointer taint mark 3 Pointer Memory IMA? no yes yes yes yes 1 2 2 2 3 3

78. Preventing IMAs void main() { 1. int *np, n, i, *buf; 2. np = &n; 3. printf(“Enter size: “); 4. scanf(“%d”, np); 5. buf = malloc(n * sizeof(int)); 6. for(i = 0; i <= n; i++) 7. *(buf + i) = rand()%10; ... }

81. Preventing IMAs void main() { 1. int *np, n, i, *buf; 2. np = &n; 3. printf(“Enter size: “); 4. scanf(“%d”, np); 5. buf = malloc(n * sizeof(int)); 6. for(i = 0; i <= n; i++) 7. *(buf + i) = rand()%10; ... } buf: np: i: n: 4321

82. Preventing IMAs void main() { 1. int *np, n, i, *buf; 2. np = &n; 3. printf(“Enter size: “); 4. scanf(“%d”, np); 5. buf = malloc(n * sizeof(int)); 6. for(i = 0; i <= n; i++) 7. *(buf + i) = rand()%10; ... } buf: np: i: n: 4321

83. Preventing IMAs void main() { 1. int *np, n, i, *buf; 2. np = &n; 3. printf(“Enter size: “); 4. scanf(“%d”, np); 5. buf = malloc(n * sizeof(int)); 6. for(i = 0; i <= n; i++) 7. *(buf + i) = rand()%10; ... } buf: np: i: n: 4 2321

86. Preventing IMAs void main() { 1. int *np, n, i, *buf; 2. np = &n; 3. printf(“Enter size: “); 4. scanf(“%d”, np); 5. buf = malloc(n * sizeof(int)); 6. for(i = 0; i <= n; i++) 7. *(buf + i) = rand()%10; ... } buf: np: i: n: 4 2321 ✔

88. Preventing IMAs void main() { 1. int *np, n, i, *buf; 2. np = &n; 3. printf(“Enter size: “); 4. scanf(“%d”, np); 5. buf = malloc(n * sizeof(int)); 6. for(i = 0; i <= n; i++) 7. *(buf + i) = rand()%10; ... } buf: np: i: n: 4 2321 3

89. Preventing IMAs void main() { 1. int *np, n, i, *buf; 2. np = &n; 3. printf(“Enter size: “); 4. scanf(“%d”, np); 5. buf = malloc(n * sizeof(int)); 6. for(i = 0; i <= n; i++) 7. *(buf + i) = rand()%10; ... } buf: np: i: n: 4 2321 3

90. Preventing IMAs void main() { 1. int *np, n, i, *buf; 2. np = &n; 3. printf(“Enter size: “); 4. scanf(“%d”, np); 5. buf = malloc(n * sizeof(int)); 6. for(i = 0; i <= n; i++) 7. *(buf + i) = rand()%10; ... } buf: np: 5 i: n: 4 2321555 3

91. Preventing IMAs void main() { 1. int *np, n, i, *buf; 2. np = &n; 3. printf(“Enter size: “); 4. scanf(“%d”, np); 5. buf = malloc(n * sizeof(int)); 6. for(i = 0; i <= n; i++) 7. *(buf + i) = rand()%10; ... } buf: np: 5 i: n: 4 2321555 3

92. Preventing IMAs void main() { 1. int *np, n, i, *buf; 2. np = &n; 3. printf(“Enter size: “); 4. scanf(“%d”, np); 5. buf = malloc(n * sizeof(int)); 6. for(i = 0; i <= n; i++) 7. *(buf + i) = rand()%10; ... } buf: np: 5 i: n: 4 2321555 3 0

93. Preventing IMAs void main() { 1. int *np, n, i, *buf; 2. np = &n; 3. printf(“Enter size: “); 4. scanf(“%d”, np); 5. buf = malloc(n * sizeof(int)); 6. for(i = 0; i <= n; i++) 7. *(buf + i) = rand()%10; ... } + =5 5 buf: np: 5 i: n: 4 2321555 3 0

94. Preventing IMAs void main() { 1. int *np, n, i, *buf; 2. np = &n; 3. printf(“Enter size: “); 4. scanf(“%d”, np); 5. buf = malloc(n * sizeof(int)); 6. for(i = 0; i <= n; i++) 7. *(buf + i) = rand()%10; ... } + =5 5 buf: np: 5 i: n: 4 2321555 3 0 ✔

95. Preventing IMAs void main() { 1. int *np, n, i, *buf; 2. np = &n; 3. printf(“Enter size: “); 4. scanf(“%d”, np); 5. buf = malloc(n * sizeof(int)); 6. for(i = 0; i <= n; i++) 7. *(buf + i) = rand()%10; ... } buf: np: 5 i: n: 4 2321555 3 0

96. Preventing IMAs void main() { 1. int *np, n, i, *buf; 2. np = &n; 3. printf(“Enter size: “); 4. scanf(“%d”, np); 5. buf = malloc(n * sizeof(int)); 6. for(i = 0; i <= n; i++) 7. *(buf + i) = rand()%10; ... } buf: np: 5 i: n: 4 2321555 9 3 0

97. Preventing IMAs void main() { 1. int *np, n, i, *buf; 2. np = &n; 3. printf(“Enter size: “); 4. scanf(“%d”, np); 5. buf = malloc(n * sizeof(int)); 6. for(i = 0; i <= n; i++) 7. *(buf + i) = rand()%10; ... } buf: np: 5 i: n: 4 2321555 9 8 2 3 2

98. Preventing IMAs void main() { 1. int *np, n, i, *buf; 2. np = &n; 3. printf(“Enter size: “); 4. scanf(“%d”, np); 5. buf = malloc(n * sizeof(int)); 6. for(i = 0; i <= n; i++) 7. *(buf + i) = rand()%10; ... } buf: np: 5 i: n: 4 2321555 9 8 2 3 2

99. Preventing IMAs void main() { 1. int *np, n, i, *buf; 2. np = &n; 3. printf(“Enter size: “); 4. scanf(“%d”, np); 5. buf = malloc(n * sizeof(int)); 6. for(i = 0; i <= n; i++) 7. *(buf + i) = rand()%10; ... } buf: np: 5 i: n: 4 2321555 9 8 2 3 3 + =5 5

100. Preventing IMAs void main() { 1. int *np, n, i, *buf; 2. np = &n; 3. printf(“Enter size: “); 4. scanf(“%d”, np); 5. buf = malloc(n * sizeof(int)); 6. for(i = 0; i <= n; i++) 7. *(buf + i) = rand()%10; ... } buf: np: 5 i: n: 4 2321555 9 8 2 3 3 + =5 5 ✘

101. Limiting the number of taint marks An unlimited number of taint marks makes a hardware implementation infeasible • increases the overhead (time and space) • complicates the design

102. Limiting the number of taint marks An unlimited number of taint marks makes a hardware implementation infeasible • increases the overhead (time and space) • complicates the design ➡ Assign taint marks from a limited, reusable pool

103. Effects on the approach With an random assignment of n taint marks the detection probability is: IMAs are detected probabilistically p = 1 1 n

104. Effects on the approach With an random assignment of n taint marks the detection probability is: IMAs are detected probabilistically 2 marks = 50%, 4 marks = 75%, 16 marks = 93.75%, 256 marks = 99.6% p = 1 1 n

105. Effects on the approach With an random assignment of n taint marks the detection probability is: 1. The technique can be tuned by increasing or decreasing the number of taint marks IMAs are detected probabilistically 2 marks = 50%, 4 marks = 75%, 16 marks = 93.75%, 256 marks = 99.6% p = 1 1 n

106. Effects on the approach With an random assignment of n taint marks the detection probability is: 1. The technique can be tuned by increasing or decreasing the number of taint marks 2. In practice the approach is successful with only a small number (2) of taint marks IMAs are detected probabilistically 2 marks = 50%, 4 marks = 75%, 16 marks = 93.75%, 256 marks = 99.6% p = 1 1 n

107. Empirical evaluation RQ1: Is the efﬁciency of our approach sufﬁcient for it to be applied to deployed software? RQ2:What is the effectiveness of our technique when using limited number of taint marks?

108. RQ1: experimental method • Hardware implementation • Cycle accurate simuator (SESC) • Treat taint marks as ﬁrst class citizens • Subjects • SPEC CPU2000 benchmark (12 applications) • Calculate the overhead imposed by our approach for each subject application

109. RQ1: experimental method • Hardware implementation • Cycle accurate simuator (SESC) • Treat taint marks as ﬁrst class citizens • Subjects • SPEC CPU2000 benchmark (12 applications) • Calculate the overhead imposed by our approach for each subject application Current implementation assigns taint marks only to dynamically allocated memory, but propagation and checking are fully implemented

110. RQ1: results 0 5 10 15 20 25 30 bzip2 crafty eon gap gcc gzip m cf parser perlbm k twolf vortex vpr average %overhead(time) 2 marks 8 marks 16 marks 256 marks

111. RQ1: results 0 5 10 15 20 25 30 bzip2 crafty eon gap gcc gzip m cf parser perlbm k twolf vortex vpr average %overhead(time) 2 marks 8 marks 16 marks 256 marks • Even with 256 marks, the average overhead is in the single digits

112. RQ1: results 0 5 10 15 20 25 30 bzip2 crafty eon gap gcc gzip m cf parser perlbm k twolf vortex vpr average %overhead(time) 2 marks 8 marks 16 marks 256 marks • All attacks were detected with two taint marks • Even with 256 marks, the average overhead is in the single digits

113. RQ1: results 0 5 10 15 20 25 30 bzip2 crafty eon gap gcc gzip m cf parser perlbm k twolf vortex vpr average %overhead(time) 2 marks 8 marks 16 marks 256 marks • All attacks were detected with two taint marks • Software-only implementations impose two orders of magnitude more overhead • Even with 256 marks, the average overhead is in the single digits

114. RQ2: experimental method • Software implementation • Binary instrumenter (Pin) • Use instrumentation to assign, propagate, and check taint marks • Subjects • SPEC CPU2000 benchmark (12 applications) • 5 applications with 7 known IMAs • Run both each applications protected by our software implementation and check that only the known illegal memory accesses are detected (5 times)

115. RQ2: results Application IMA location Type Detected bc-1.06 more_arrays: 177 buffer overflow ✔ (5/5) bc-1.06 lookup: 577 buffer overflow ✔ (5/5) gnupg-1.4.4 parse_comment: 2095 integer overflow ✔ (5/5) mutt-1.4.2.li utf8_to_utf7: 199 buffer overflow ✔ (5/5) php-5.2.0 php_char_to_str_ex: 3152 integer overflow ✔ (5/5) pine-4.44 rfc882_cat: 260 buffer overflow ✔ (5/5) squid-2.3 ftpBuildTitleUrl: 1024 buffer overflow ✔ (5/5) Applications with known IMAs

116. RQ2: results Application IMA location Type Detected bc-1.06 more_arrays: 177 buffer overflow ✔ (5/5) bc-1.06 lookup: 577 buffer overflow ✔ (5/5) gnupg-1.4.4 parse_comment: 2095 integer overflow ✔ (5/5) mutt-1.4.2.li utf8_to_utf7: 199 buffer overflow ✔ (5/5) php-5.2.0 php_char_to_str_ex: 3152 integer overflow ✔ (5/5) pine-4.44 rfc882_cat: 260 buffer overflow ✔ (5/5) squid-2.3 ftpBuildTitleUrl: 1024 buffer overflow ✔ (5/5) Applications with known IMAs All attacks were detected with two taint marks

117. RQ2: results Application IMA location Type Detected bc-1.06 more_arrays: 177 buffer overflow ✔ (5/5) bc-1.06 lookup: 577 buffer overflow ✔ (5/5) gnupg-1.4.4 parse_comment: 2095 integer overflow ✔ (5/5) mutt-1.4.2.li utf8_to_utf7: 199 buffer overflow ✔ (5/5) php-5.2.0 php_char_to_str_ex: 3152 integer overflow ✔ (5/5) pine-4.44 rfc882_cat: 260 buffer overflow ✔ (5/5) squid-2.3 ftpBuildTitleUrl: 1024 buffer overflow ✔ (5/5) Application IMA location Type Detected vortex SendMsg: 279 null-pointer dereference ✔ (5/5) Applications with known IMAs SPEC Benchmarks (“IMA free”) All attacks were detected with two taint marks

118. Future work • Complete implementation that handles static memory • Additional experiments with a wider range of IMAs • Further optimization of the hardware implementation

119. Conclusions • Deﬁnition of an approach for preventing illegal memory accesses in deployed software • uses dynamic taint analysis to protect memory • uses probabilistic detection to achieve acceptable overhead • Empirical evaluation showing that the approach • is effective at detecting IMA in real applications • can be implemented efﬁciently in hardware

Effective Memory Protection Using Dynamic Tainting (ASE 2007)

More Related Content

Similar to Effective Memory Protection Using Dynamic Tainting (ASE 2007) (20)

More from James Clause (12)

Recently uploaded (20)

Effective Memory Protection Using Dynamic Tainting (ASE 2007)