Martin Rinard, Cristian Cadar, Daniel Dumitran, Daniel Roy,

Slides:



Advertisements
Similar presentations
Topics Introduction Types of Errors Exceptions Exception Handling
Advertisements

Chapter 8 Improving the User Interface
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 20 Slide 1 Critical systems development.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
Chapter 15 : Attacking Compiled Applications Alexis Kirat - International Student.
Memory Allocation. Three kinds of memory Fixed memory Stack memory Heap memory.
Exceptions in Java Fawzi Emad Chau-Wen Tseng Department of Computer Science University of Maryland, College Park.
Developing Dependable Systems CIS 376 Bruce R. Maxim UM-Dearborn.
Software Dependability CIS 376 Bruce R. Maxim UM-Dearborn.
CSCI 5801: Software Engineering
FALL 2005CSI 4118 – UNIVERSITY OF OTTAWA1 Part 4 Web technologies: HTTP, CGI, PHP,Java applets)
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
Chapter 6 Buffer Overflow. Buffer Overflow occurs when the program overwrites data outside the bounds of allocated memory It was one of the first exploited.
Computer Security and Penetration Testing
BLENDED ATTACKS EXPLOITS, VULNERABILITIES AND BUFFER-OVERFLOW TECHNIQUES IN COMPUTER VIRUSES By: Eric Chien and Peter Szor Presented by: Jesus Morales.
Department of Computer Science A Static Program Analyzer to increase software reuse Ramakrishnan Venkitaraman and Gopal Gupta.
9 Chapter Nine Compiled Web Server Programs. 9 Chapter Objectives Learn about Common Gateway Interface (CGI) Create CGI programs that generate dynamic.
Presentation of Failure- Oblivious Computing vs. Rx OS Seminar, winter 2005 by Lauge Wullf and Jacob Munk-Stander January 4 th, 2006.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 20 Slide 1 Critical systems development 3.
Enhancing Availability and Security Through Failure-Oblivious Computing Martin Rinard, Cristian Cadar, Daniel Dumitran, Daniel Roy, and William Beebee,
1 A Secure Access Control Mechanism against Internet Crackers Kenichi Kourai* Shigeru Chiba** *University of Tokyo **University of Tsukuba.
Protecting C Programs from Attacks via Invalid Pointer Dereferences Suan Hsi Yong, Susan Horwitz University of Wisconsin – Madison.
School of Computer Science & Information Technology G6DICP - Lecture 6 Errors, bugs and debugging.
Information Leaks Without Memory Disclosures: Remote Side Channel Attacks on Diversified Code Jeff Seibert, Hamed Okhravi, and Eric Söderström Presented.
Group 9. Exploiting Software The exploitation of software is one of the main ways that a users computer can be broken into. It involves exploiting the.
Announcements You will receive your scores back for Assignment 2 this week. You will have an opportunity to correct your code and resubmit it for partial.
Chapter 11 Software Security. Many vulnerabilities result from poor programming practices Consequence from insufficient checking and validation of data.
FILES AND EXCEPTIONS Topics Introduction to File Input and Output Using Loops to Process Files Processing Records Exceptions.
Eighth Lecture Exception Handling in Java
Secure Coding Rules for C++ Copyright © 2016 Curt Hill
Mitigation against Buffer Overflow Attacks
SE-1021 Software Engineering II
CMSC 345 Defensive Programming Practices from Software Engineering 6th Edition by Ian Sommerville.
Protecting Memory What is there to protect in memory?
Presented by: Daniel Taylor
Types for Programs and Proofs
Protecting Memory What is there to protect in memory?
Module 30 (Unix/Linux Security Issues II)
Protecting Memory What is there to protect in memory?
Compiler Construction (CS-636)
Chapter 2: System Structures
Testing and Debugging.
A Security Review Process for Existing Software Applications
Secure Software Development: Theory and Practice
Introduction to Operating System (OS)
Fault Tolerance In Operating System
CMSC 414 Computer and Network Security Lecture 21
High Coverage Detection of Input-Related Security Faults
Designing and Debugging Batch and Interactive COBOL Programs
CS 465 Buffer Overflow Slides by Kent Seamons and Tim van der Horst
Topics Introduction to File Input and Output
Chapter 2: The Linux System Part 2
Security in Java Real or Decaf? cs205: engineering software
Chapter 2: System Structures
Fault Tolerance Distributed Web-based Systems
Software Security Lesson Introduction
Format String.
Critical Systems Development
Bugs & Debugging - Testing
Chapter 29: Program Security
Topics Introduction to File Input and Output
Understanding and Preventing Buffer Overflow Attacks in Unix
Testing & Security Dr. X.
MapReduce: Simplified Data Processing on Large Clusters
SPL – PS2 C++ Memory Handling.
Presentation transcript:

Enhancing Availability and Security Through Failure-Oblivious Computing Martin Rinard, Cristian Cadar, Daniel Dumitran, Daniel Roy, and William Beebee, Jr.

Introduction Memory errors are a common source of program failures ML and Java use dynamic checks to eliminate such errors Assumption: Invalid memory access  unsafe to continue the execution

Failure-Oblivious Computing Instead of throwing an exception or terminating Ignores any memory access errors and continue Read (an out of bounds array element) Just read a manufactured value Write (an out of bounds array element) Discard the value

Wrong Results? Many programs can continue to run As long as errors do not corrupt the program’s address space or data structures Failure-oblivious computing can improve the availability, robustness, and security of such programs

Shouldn’t We Stop at the First Error? Debugging may not be an option No source code Not enough time Failure-oblivious computing can still provide acceptable service Better than no service

Servers and Buffer-overrun Attacks When a program allocates a fixed-size buffer Then fails to check if input string fits in the buffer A long input string containing executable code can overwrites the stack contents Can coerce the server into running arbitrary code

Servers and Buffer-overrun Attacks Failure-oblivious computing discards the excess characters, preserving the integrity of the stack Server detects invalid request and returns an error Converts a dangerous attack into an invalid input

Multiple Items or Outputs Many programs (e.g. mail readers) process multiple items Some applications generate multiple outputs Some outputs are more important than others Without failure-oblivious computing Failure to process one can prevent the program to process the rest

Benefits and Drawbacks + Increased resilience Graceful degradation and continue to operate successfully on most of its inputs + Increased security Can survive stack overruns + Reduced development costs Pressured to find and eliminate all disruptive bugs + Reduced administration overhead Reduce the success rate of attacks

Benefits and Drawbacks + Safer integration Lowers the risks to use foreign components - May generate unacceptable results Inevitable consequence for better resiliency Need to convert unanticipated states into anticipated error states

Scope Interactive computing environments Mission critical applications Mailers Servers System administration tools Operating systems Document processing systems Mission critical applications Halting is not an option

Scope Less appropriate for programs Safety-critical applications Hard to determine whether the output is correct Safety-critical applications Safer to terminate the computation

Example A Mutt procedure With standard compilers With safe-C compilers Takes an input string Returns an encoded output string Fails to allocate sufficient space With standard compilers Writes succeed, corrupt the address space, and program segfaults With safe-C compilers Mutt exits before presenting the GUI

Example With the failure-oblivious compiler The returned string is incorrect Server responds with an error Failure oblivious approach works Mostly correct programs With subtle errors

Implementation Failure oblivious compiler Generate two kinds of additional code Checking code Discard erroneous writes Manufactures values for erroneous reads Continuation code Executes when checking code detects an attempt to perform illegal access

Checking Code Jones and Kelly’s Scheme Track the locations to structs, arrays, variables Each data item is padded with an extra byte Initialized to ILLEGAL Check the status of each pointer before dereferencing it

Continuation Code Write continuation code Read continuation code Discards the value Read continuation code Redirects the read to a preallocated buffer of values Iterates through all small integers Increasing the chance to exit loops To avoid nontermination Mostly 0s and 1s

Continuation Code Optional logging Failure-oblivious computing Can be used to track down errors Failure-oblivious computing Can also reduce the incentive to eliminate errors

Case Studies Recompiled widely-used open-source programs with known memory errors Pine (mail user agent) Midnight commander (file manager) Sendmail (mail transfer agent) Mutt (mail user agent) Samba (file server) WsMp3 (mp3 server) Apache (http server)

Methodology Compare each program compiled differently Workloads By a standard C compiler By the CRED safe-C compiler By the failure-oblivious compiler Workloads Contain inputs that exploit known security vulnerabilities

Pine 4.44 Fails to parse certain legal From fields Possible to execute arbitrary code Standard version: crashed Safe version: terminated with an error Failure oblivious version: continued to run Was able to forward the read and forward the message with the problematic From field

Midnight Commander Problems with symbolic links in tgz files Standard version: segfaulted Safe version: terminated with an error message Failure-oblivious version: continued to run

Sendmail 8.11.6 Allows root privilege to execute arbitrary code on the machine running the Sendmail server Standard version: vulnerable to an attack to gain the root shell Safe version: exited with an error message Failure-oblivious version: not vulnerable to the attack

Mutt 1.4 Memory error in the conversion from UTF-8 to UTF-7 string formats Standard version: crashed Safe version: exited with an error message Failure oblivious version: continued to run 6x slow down Took about 1 second to load 3,000 messages

Samba 2.2.5 Memory corruption error A remote user can obtain the root shell Standard version: vulnerable to an attack to gain the root shell Safe version: functional until the attack The child process exited Failure oblivious version: continued to run Similar performance compared to the safe version

WsMp3 0.0.5 Memory-error vulnerability Standard version: segfaulted Safe version: crashed the entire server Single threaded Failure-oblivious version: survived the attack

Apache 2.0.47 mod_alias contains a memory-error vulnerability Standard version: child process segfaulted Safe version: child process exited properly Failure-oblivious version: child process redirected the attacking request to a nonexistent URL The child process stayed alive and processed subsequent requests correctly

Gzip 1.2.4a Memory error in its file name processing code An attacker can run arbitrary code Standard version: segfaulted Remaining files were not processed Safe version: exited at the problematic file Failure-oblivious version: prompted an error message for the problematic files Proceeded to process all remaining files 10x slow down (1.2 MB/sec)

Discussion Failure oblivious versions survived all memory-corruption attempts Work well for this class of applications One input has a minimal effect on the next input Unless it corrupts the data structures or address space Little performance degradation for interactive programs Safe versions are prone to DoS attacks Tend to terminate prematurely

Related Work Any safe-C compiler can be modified to implement a failure-oblivious compiler Discard writes Manufacture values for unsafe reads Typically < 2x slow down Occasionally 8x slow down Does not perceptibly degrade the response times of interactive programs Also I/O-bound programs

Safe Languages Java and ML Modify the exception handling code Discard illegal writes Return manufactured values for illegal reads

Traditional Error Recovery Traditional approaches Reboot Checkpointing Partial system restarts Hardware redundancy Failure-oblivious computing reduces down time and vulnerabilities to persistent errors Restarting Pine will not solve the problem

Other Approaches Data structure repair Failure-oblivious approach is preventive Statically detect all buffer-overrun errors May conservatively reject almost working code Buffer-overrun detection tools Detect overwriting the return address Detect overwriting function pointers Failure-oblivious approach prevents the attack from corrupting the address space

Conclusion Failure-oblivious computation enhances availability, resilience, and security Converts dangerous unknown system states to known error cases

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.