Compiler Optimized Dynamic Taint Analysis James Kasten Alex Crowell.

Taint Analysis
▫ Used to track flow of data through program
▫ Security Applications:
   Malware Analysis
   Finding Unknown Vulnerabilities
▫ Static
   Proves whether it is possible for taint to reach
▫ Dynamic
   Track flow dynamically through single execution

Dynamic Taint Analysis
Taint Policies
▫ Taint Rules specify three things
   Sources of taint
   Sinks of taint
   How taint spreads for different instructions
▫ OR based policy is simplest
   C = A, B, …;
   t_C = t_A ∨ t_B ∨ …;

Considerations
Time of Attack vs. Time of Detection
Overtainting
Undertainting
Tainted Addresses
All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution (but might have been afraid to ask), Edward J. Schwartz, Thanassis Avgerinos, David Brumley

Previous Work
Xu et al. (2006)
▫ Proposed source-to-source transformation for performing vulnerability analysis
Newsome and Song (2005)
▫ Performed taint analysis on compiled binaries through Valgrind to detect buffer overflow attacks
Yin and Song (2009)
▫ Performed dynamic taint analysis on VEX/Vine IR

Motivation
Binary Analysis - Drawbacks
▫ Taint Analysis is slow
   Binary analysis can be 1.5X to 40X slower
   Few optimizations
▫ Can be difficult to specify fine-grained policies
   More instruction based
Source Code Analysis – Drawbacks
▫ Need access to the source code
▫ Might be language specific

Dynamic Analysis in LLVM
Add dynamic instrumentation into LLVM IR
Provide configurable policies based on
▫ Functions
▫ Instructions
▫ Variables
Benefit from LLVM optimization passes
Middle ground of LLVM IR

Approach
Enforce instruction policies using LLVM’s InstVisitor
▫ OR based taint policy for majority of instructions
Specify sources and sinks at compile time

Implementation Approach
Used InstVisitor to handle different instructions
Basic Idea: each regular instruction has a parallel taint instruction
Can also copy PHI nodes using taint counterparts
   r1 = r2 * r3
   t_r1 = t_r2 ∨ t_r3

Sources and Sinks
Sources
▫ Functions
▫ Variables
Sinks
▫ Functions
▫ Instructions

Sinks

Memory
Perform basic tracking of simple memory ops
▫ Stores
▫ Loads
   Store(r_addr, r_value)
   t_address = t_value
   r4 = Load(r2)
   t_r4 = t_r2
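As an added example (not the authors' LLVM pass), the OR-based policy from the Taint Policies slide, the parallel taint instructions and PHI copies from the Implementation Approach slide, and the store/load rules above, modelled as a small C++ interpreter over a three-address IR. The shadow memory (one taint bit per cell) and the trackAddr flag for the "Tainted Addresses" consideration are assumptions, not part of the original design.

```cpp
#include <map>
#include <string>
#include <vector>

// Added illustration (not the authors' pass): OR policy, one parallel taint bit per
// register, taint counterparts for phi, and the slides' store/load rules.
struct Inst { std::string op, dst, a, b; int imm; };
struct Taint {
    std::map<std::string, int> val;   // concrete register values (needed for addresses)
    std::map<std::string, bool> t;    // t_r: the parallel taint register
    std::map<int, int> mem;           // concrete memory
    std::map<int, bool> tmem;         // t_addr: taint of each memory cell (assumed shadow memory)
};
// Runs the program and its parallel taint instructions in lock step. pred picks the incoming
// edge of phi (0 = first operand, 1 = second). trackAddr (assumed flag) also ORs the address
// register's taint into loads/stores, i.e. the "Tainted Addresses" case; off = the plain rule.
Taint run(const std::vector<Inst>& prog, int pred, bool trackAddr) {
    Taint s;
    for (const Inst& i : prog) {
        if (i.op == "const")       { s.val[i.dst] = i.imm; s.t[i.dst] = false; } // literal: clean
        else if (i.op == "source") { s.val[i.dst] = i.imm; s.t[i.dst] = true;  } // untrusted input
        else if (i.op == "mul") {                        // C = A, B  =>  t_C = t_A v t_B
            s.val[i.dst] = s.val[i.a] * s.val[i.b];
            s.t[i.dst] = s.t[i.a] || s.t[i.b];
        } else if (i.op == "store") {                    // Store(r_addr, r_value): t_address = t_value
            int addr = s.val[i.a];
            s.mem[addr] = s.val[i.b];
            s.tmem[addr] = s.t[i.b] || (trackAddr && s.t[i.a]);
        } else if (i.op == "load") {                     // r4 = Load(r2): t_r4 = taint of the cell
            int addr = s.val[i.a];
            s.val[i.dst] = s.mem[addr];
            s.t[i.dst] = s.tmem[addr] || (trackAddr && s.t[i.a]);
        } else if (i.op == "phi") {                      // phi copied with its taint counterpart
            const std::string& src = pred == 0 ? i.a : i.b;
            s.val[i.dst] = s.val[src];
            s.t[i.dst] = s.t[src];
        }
    }
    return s;
}
// Constructed sample: tainted r1 flows into r3, which is stored and reloaded (r5); r6 is
// loaded from a clean cell through a tainted index r7; r10 is a phi of r2 (clean) and r6.
std::vector<Inst> sample() {
    return {
        {"source", "r1", "", "", 7},  {"const", "r2", "", "", 4},   {"mul", "r3", "r1", "r2"},
        {"const", "r4", "", "", 100}, {"store", "", "r4", "r3"},    {"load", "r5", "r4", ""},
        {"const", "r8", "", "", 200}, {"const", "r9", "", "", 1},   {"store", "", "r8", "r9"},
        {"source", "r7", "", "", 200}, {"load", "r6", "r7", ""},    {"phi", "r10", "r2", "r6"},
    };
}
```

With the plain rule r6 stays clean even though its index came from untrusted input (undertainting); with trackAddr the taint follows the address into r6 and, on the second phi edge, into r10.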

Parameter Passing
For each function
▫ Allocate 1 byte of memory per operand
▫ Insert instructions to load taint from memory
For each call instruction
▫ Assign bytes to corresponding function’s memory based on current operands’ taint
Downside
▫ Doesn’t handle recursive calls

Evaluation
Compiled bzip2 with taint pass
Achieved 20.37% overhead over compiling without pass
Code expansion
▫ 65% in binary code size
▫ 87% in LLVM LOC

Difficulties
Resolving taint values at PHI nodes
Parameter Passing
Difficult to parallelize work
   %1 = phi %2,… BB2
   %2 = phi %1,… BB3

Future Work
Fine-Grained Memory Tracking
▫ Bitmap of memory’s address space
Better Function Parameter Passing
Implementation of more policies
Further Testing

Conclusion
Implementing dynamic taint analysis in LLVM is difficult
▫ Vine has 7 instructions
Performance overhead is acceptable for most applications
Code expansion is reasonable for lightweight applications
DEMO