Effective and Efficient memory Protection Using Dynamic Tainting

Slides:



Advertisements
Similar presentations
Dynamic Memory Allocation in C.  What is Memory What is Memory  Memory Allocation in C Memory Allocation in C  Difference b\w static memory allocation.
Advertisements

Prof. Necula CS 164 Lecture 141 Run-time Environments Lecture 8.
Chapter 7: User-Defined Functions II
CS1061: C Programming Lecture 21: Dynamic Memory Allocation and Variations on struct A. O’Riordan, 2004, 2007 updated.
CS 326 Programming Languages, Concepts and Implementation Instructor: Mircea Nicolescu Lecture 18.
CS 536 Spring Run-time organization Lecture 19.
Memory Management 1 CS502 Spring 2006 Memory Management CS-502 Spring 2006.
CS-3013 & CS-502, Summer 2006 Memory Management1 CS-3013 & CS-502 Summer 2006.
CS 61C L03 C Arrays (1) A Carle, Summer 2005 © UCB inst.eecs.berkeley.edu/~cs61c/su05 CS61C : Machine Structures Lecture #3: C Pointers & Arrays
Run-time Environment and Program Organization
WEL COME PRAVEEN M JIGAJINNI PGT (Computer Science) MCA, MSc[IT], MTech[IT], MPhil (Comp. Sci), PGDCA, ADCA, Dc. Sc. & Engg.
1 Pointers, Dynamic Data, and Reference Types Review on Pointers Reference Variables Dynamic Memory Allocation –The new operator –The delete operator –Dynamic.
Overview Working directly with memory locations is beneficial. In C, pointers allow you to: change values passed as arguments to functions work directly.
Runtime Environments Compiler Construction Chapter 7.
IT253: Computer Organization Lecture 3: Memory and Bit Operations Tonga Institute of Higher Education.
Stack and Heap Memory Stack resident variables include:
Basic Semantics Associating meaning with language entities.
Storage Management - Chap 10 MANAGING A STORAGE HIERARCHY on-chip --> main memory --> 750ps - 8ns ns. 128kb - 16mb 2gb -1 tb. RATIO 1 10 hard disk.
Operating Systems (CS 340 D) Princess Nora University Faculty of Computer & Information Systems Computer science Department.
1 Homework HW5 due today Review a lot of things about allocation of storage that may not have been clear when we covered them in our initial pass Introduction.
Pointers in C Computer Organization I 1 August 2009 © McQuain, Feng & Ribbens Memory and Addresses Memory is just a sequence of byte-sized.
Swap Space and Other Memory Management Issues Operating Systems: Internals and Design Principles.
1 Lecture07: Memory Model 5/2/2012 Slides modified from Yin Lou, Cornell CS2022: Introduction to C.
Pointers in C++. Topics Covered  Introduction to Pointers  Pointers and arrays  Character Pointers, Arrays and Strings  Examples.
By Anand George SourceLens.org Copyright. All rights reserved. Content Owner - Meera R (meera at sourcelens.org)
Design issues for Object-Oriented Languages
Overview Working directly with memory locations is beneficial. In C, pointers allow you to: change values passed as arguments to functions work directly.
Mitigation against Buffer Overflow Attacks
Dynamic Storage Allocation
Virtual memory.
Virtualization Virtualize hardware resources through abstraction CPU
Chapter 2 Memory and process management
CS 326 Programming Languages, Concepts and Implementation
Chapter 13: Pointers, Classes, Virtual Functions, and Abstract Classes
Andy Wang Object Oriented Programming in C++ COP 3330
Understand Computer Storage and Data Types
Run-time organization
Checking Memory Management
CSCI206 - Computer Organization & Programming
This pointer, Dynamic memory allocation, Constructors and Destructor
C++ for Engineers and Scientists Second Edition
Chapter 8: Main Memory.
Clear1 and Clear2 clear1(int array[], int size) { int i; for (i = 0; i < size; i += 1) array[i] = 0; } clear2(int *array, int size) {
Chapter 12: Pointers, Classes, Virtual Functions, and Abstract Classes
Chapter 9 :: Subroutines and Control Abstraction
O.S Lecture 13 Virtual Memory.
CS Introduction to Operating Systems
Chap. 8 :: Subroutines and Control Abstraction
Chap. 8 :: Subroutines and Control Abstraction
Pointers, Dynamic Data, and Reference Types
Memory Allocation CS 217.
Given the code to the left:
Lecture 3: Main Memory.
Dynamic Memory A whole heap of fun….
Pointers The C programming language gives us the ability to directly manipulate the contents of memory addresses via pointers. Unfortunately, this power.
Programming Languages
Dynamic Memory A whole heap of fun….
Data Structures & Algorithms
Chapter 9: Pointers and String
Virtual Memory: Policies (Part II)
Programming Languages and Paradigms
RUN-TIME STORAGE Chuen-Liang Chen Department of Computer Science
COMP755 Advanced Operating Systems
Pointers, Dynamic Data, and Reference Types
Classes and Objects Object Creation
Run-time environments
CMSC 202 Constructors Version 9/10.
Software Testing and QA Theory and Practice (Chapter 5: Data Flow Testing) © Naik & Tripathy 1 Software Testing and Quality Assurance Theory and Practice.
Chapter 12 Variables and Operators
Presentation transcript:

Effective and Efficient memory Protection Using Dynamic Tainting [James Clause,Doudalis And Guru Venkataramani Members,IEEE]

OVERVIEW IMA..? An example IMA Technique-A general approach Tainting Taint propagation checking Limiting the no.of taint marks Implementation

IMA?? Illegal memory access(IMA):An important class of memory related faults Currently free area ‘m’, of required size is allocated Starting address of m can be assigned to a pointer ‘p’ Access to m is legal only if it is referenced by p or a pointer derived from p and access occur during the interval when p is valid All other accesses are ‘Illegal Memory Accesses’ or IMAs

AN example IMA void prRandStr ( int n) 1. int i, seed; 2. char *buffer; 3. buffer = (char*) malloc (n); 4. if (buffer == NULL) return; 5. getSeedFromUser (&seed); 6. srand (seed); 7. for (i = 0; i <= n; i++) /*fault*/ 8. buffer [i] = rand() %26 + ‘a’ ; /*IMA*/ 9. buffer [n-1] = ‘\0’ ; 10. free(buffer); 11. printf (“Random String: %s \n”, buffer);

Technique-A general approach Dynamic tainting: a technigue for marking and tracking certain data at run time Marking two kinds of data : memory in data space and pointers When m is allocated, it is tainted with t When p is created with m as referent, p is also tainted with t When memory is accessed, taint marks is checked

3 PARTS 1)Tainting Static Memory Allocation Pointers to Statically Allocated Memory Dynamically Allocated Memory Pointers to Dynamically Allocated Memory 2)Taint Propagation Propagation of Memory taints Propagation of Pointer taints 3)Checking

Tainting Initializing taint marks 4 cases Static Memory Allocation Pointer to statically allocated memory Dynamic Memory Allocation Pointer to dynamic allocated memory

Tainting of statically allocated memory Upon program entry/ function entry, memory for each variable is identified and each is tainted with a fresh taint mark Memory area for a variable is identified using starting address and size needed to store the variable

Pointer to Statically Allocated Memory For scalar Variable – ‘Address – of’ or ‘&’ returns starting memory address When ‘&’ operator is used on a variable, pointer is tainted with same taint mark as that of the memory location For Statically allocated arrays – Name of the array is pointer to first location, which get tainted

Dynamic Memory Allocations Occurs as a result of a call to a memory- allocation function. E.g. malloc To taint, when the function is about to return, the memory allocated is identified as [r,r+size) and taints the region with a fresh taint mark r-value returned by m/y allocation function size –amount of m/y requested

Pointers to Dynamically allocated Memory Created either directly (as return value of allocation function) or indirectly (from another pointer) When a memory area is tainted as a result of call to a memory allocation function, the return value, i.e the corresponding pointer is also tainted with the same mark. When other pointers are derived from that pointer, the taint mark is propagated to them.

Taint Propagation Detects how taint marks flow along data as program executes. 2 concepts: Propagation of memory taints Propagation of pointer taints

Propagation of Memory Taints Not actually propagated. Taint marks are associated with a memory area when it is allocated and removed when deallocated Pointers remain tainted If such a pointer is used to access memory ,an IMA still detected.

Dynamically allocated memory – deallocated and taint mark will be removed by calling a memory deallocation function, e.g.: free Statically allocated memory- deallocated and taint mark is removed when the function returns (local variable) or when program exits (global variables)

Propagation of Pointer Taints Taint marks associated with pointers propagated to derived pointers. The rules models all possible operations on pointers and associate,for each operation an action that assigns to the result of the operation the correct pointer taint mark.

Propagation rules Add, Subtract c = a +/- b a tainted with ta, b tainted with tb Then c will be tainted with ta + tb or ta – tb Multiply, Divide, Modulo, Bitwise OR, XOR Result of these operations are never tainted

Bitwise AND c = a & b If a and b both tainted/ untainted, c is not tainted, else it is tainted Bitwise NOT c = ~ a Alternative to subtraction tc = - ta

checking For each memory access, taint mark of the pointer and memory is checked. If they are not the same, an IMA is detected

Limiting number of taints Ideal condition – unlimited number of taints Realistically, number of taints should be limited Memory consumption Complexity of hardware While retaining ability to detect maximum IMAs

Each taint mark is represented with n bits Number of taint marks is limited to 2^n Probability of detecting each IMA will be P = 1- (1/ 2^n)

Software Implementation An additional pass is added in compiler (LLVM) to taint all stack and global defined arrays. Taint propagation may be implemented using any dynamic tainting framework

Hardware Based Implementation Taint Processing and Storage 2 options: data widening, decoupling Data widening: extending data with a few bits to represent the taint information Decoupling: Taint information is stored as a packed array in a reserved part of the application’s virtual address space This address space is managed by OS similar to normal data pages

Taint Propagation and Access Checking 2 options: hard wiring / programming an accelerator Hardwiring would require modifications in the hard wiring for making changes in future, whereas it would be easier to reprogram the accelerator

But for adding different propagation strategies for each pointer operations, exceptions should be made for each operator in case of software accelerator Easier to add a hardwire support for taint operations As a result of all these considerations, a hard wiring approach is opted for taint propagation and access checking

In short, Taint processing and Initialization is done using decoupling Taint Propagation and Checking is done using Hard wiring technique

Conclusion A dynamic technique for detecting IMAs was studied With minimum number of taint bits, maximum number of IMAs are detected Only actual IMAs are reported and no false detections are made

Future Scope Technique can be improved to use software accelerators instead of hard wiring techniques for taint propagation and checking Can be improved to increase probability of detecting IMAs with reduced resource utilisation

References IEEE Transactions on Computers, vol 61, no 1, January 2012, “Effective and Efficient Memory Protection using Dynamic Tainting” by Ioannis Doudalis, James Clause, Guru Venkataramani, Milos Prvulovic,and Alessandro Orso. G. Venkataramani, Doudalis, y.solihin”FlexiTaint :A programmable accelerator for dynamic taint propagation” Doudalis, James Clause,A.orso”Effective memory protection using dynamic tainting”.proc.22nd IEEE 2007.

THANK YOU…

Questions….

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.