Practical and Efficient Information Flow Tracking Using Speculative Hardware Haibo Chen, Xi Wu, Liwei Yuan, Binyu Zang Fudan Univ. Pen-chung Yew Univ. of Minnesota Frederic T. Chong UCSB May 12, 2015
Motivation: vulnerability statistics in CVE 2005 and 2006 show that a large share of vulnerabilities comes from unsafe uses of untrusted data.
DIFT: dynamic information flow tracking ◦ Mark unsafe data as tainted ◦ Track the propagation of tainted data across program execution ◦ Alert if tainted data is used unsafely
Buffer Overflow in qwik-smtpd
    char arg[1024];
    char clientHELO[32];
    char localIP[64];
    …
    fscanf(network, "%s", arg);
    …
    strcpy(clientHELO, arg);
    …
    if (!strcmp(clientIP, localIP)) { /* Relay the mail */ }
When a long enough arg is supplied, strcpy writes past clientHELO into localIP, which sits next to it in the data section.
How DIFT defeats the attack: fscanf(network, "%s", arg) marks arg as tainted data; strcpy(clientHELO, arg) propagates the taint into clientHELO and, through the overflow, into localIP in the data section; when if (!strcmp(clientIP, localIP)) { /* Relay the mail */ } reads localIP, the compare operates on tainted data and is not allowed to proceed. Security policy: tainted data cannot alter the control flow of the program. Result: security alert.
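A byte-level emulation of the flow on this slide, written as an added example (not the paper's code and not qwik-smtpd's): a tag bitmap shadows a simulated data section laid out as arg, clientHELO and localIP; the network read marks bytes tainted, a strcpy wrapper copies tags alongside bytes, and a check before the strcmp that decides whether to relay raises the alert. The bitmap also stands in for the tag bitmap of the working-flow slide; the buffer offsets, helper names and the simulated arena are assumptions.

```c
#include <stdint.h>
#include <string.h>
/* Simulated data section laid out like the qwik-smtpd buffers (arg, clientHELO,
 * localIP) plus a tag bitmap with one taint bit per byte (byte-level DIFT). */
#define ARENA_SIZE (1024 + 32 + 64)
static char    arena[ARENA_SIZE];
static uint8_t tagmap[(ARENA_SIZE + 7) / 8];
#define ARG        (arena)
#define CLIENTHELO (arena + 1024)
#define LOCALIP    (arena + 1024 + 32)

/* Tag lookup: arena byte i maps to bit (i & 7) of tagmap[i >> 3]. */
static int  idx(const char *p) { return (int)(p - arena); }
static int  get_tag(const char *p) { int i = idx(p); return (tagmap[i >> 3] >> (i & 7)) & 1; }
static void set_tag(const char *p, int t) {
    int i = idx(p);
    if (t) tagmap[i >> 3] |= (uint8_t)(1u << (i & 7)); else tagmap[i >> 3] &= (uint8_t)~(1u << (i & 7));
}

/* Taint source: every byte arriving from the network is marked tainted. */
static void taint_read(char *dst, const char *net) {
    size_t n = strlen(net), room = ARENA_SIZE - 1 - idx(dst);
    if (n > room) n = room;                        /* keep the simulation itself in bounds */
    memcpy(dst, net, n); dst[n] = '\0';
    for (size_t i = 0; i <= n; i++) set_tag(dst + i, 1);
}

/* strcpy wrapper: copies each byte with its tag. Like the real strcpy it does not
 * know the destination size, so a long arg runs past clientHELO into localIP. */
static void taint_strcpy(char *dst, const char *src) {
    for (size_t i = 0; idx(dst + i) < ARENA_SIZE; i++) {
        dst[i] = src[i]; set_tag(dst + i, get_tag(src + i));
        if (src[i] == '\0') break;
    }
}

/* Check before a control-flow compare: 1 if the whole string (NUL included) is untainted. */
static int check_untainted(const char *p) {
    for (size_t i = 0; ; i++) { if (get_tag(p + i)) return 0; if (p[i] == '\0') return 1; }
}

/* Runs one session; returns 1 if DIFT raises a security alert, 0 otherwise. */
int run_session(const char *network_input) {
    memset(arena, 0, sizeof arena); memset(tagmap, 0, sizeof tagmap);
    strcpy(LOCALIP, "127.0.0.1");          /* trusted configuration value, untainted */
    taint_read(ARG, network_input);        /* fscanf(network, "%s", arg) */
    taint_strcpy(CLIENTHELO, ARG);         /* strcpy(clientHELO, arg) */
    return !check_untainted(LOCALIP);      /* policy check before strcmp(clientIP, localIP) */
}
```

A HELO argument that fits in clientHELO leaves localIP untainted and the session proceeds; one longer than 31 bytes carries tainted bytes into localIP and the check fires before the compare.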
Previous Systems ◦ Software: LIFT, Xu et al., TaintTrace, TaintCheck, Chen et al., Dytan. Currently deployable, but not fast: the best case is LIFT with an average 4.6X slowdown for SPECINT ◦ Hardware: FlexiTaint, Raksha, Suh et al., RIFLE, Minos. Fast, but require many processor/memory changes and are not ready for production-run deployment
Is it possible to have a readily deployable DIFT system with good performance?
Contribution: SHIFT ◦ Key observation: DIFT can be efficiently emulated using DEP (deferred exception propagation) in control speculation ◦ Implemented on the Itanium processor, using GCC to do the instrumentation ◦ Good performance: with no modification to hardware, average 2.81X and 2.27X slowdown for byte- and word-level taint tracking; with minimal hardware modification, average 2.32X and 1.8X for byte- and word-level
Outline ◦ SHIFT: From Speculative Execution to DIFT ◦ SHIFT Design and Implementation ◦ Evaluation ◦ Conclusion
Control Speculation: execute optimistically
Deferred Exception Propagation ◦ What happens if an exception occurs during speculative execution? The exception cannot be thrown immediately; it should instead be propagated across program execution. The speculative load attaches a token to its destination register (r14, r15 in the figure), a later check instruction tests whether an exception occurred, and if so control goes to recovery code.
Similarity between DEP and DIFT: in DEP, a speculative ld sets a token that a later chk tests, branching to recovery code if it is set; in DIFT, a ld of tainted data sets a tag that a later chk tests, raising an alert if it is set. In both cases the token or tag propagates through the registers (r14, r15) in the same way, so the two are very similar.
From DEP to DIFT ◦ DEP accelerates the propagation of taint tags ◦ Minor enhancements: instructions for setting/clearing the exception token, and DEP-aware compare instructions
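An added example, not the paper's implementation, that emulates the register-level mechanism described on the last three slides: ld_s, add and chk_s mimic how a NaT-style deferred-exception token is reused as a taint tag, cmp_lt plays the proposed DEP-aware compare, and set_token/clr_token stand in for the proposed token set/clear instructions. The scenarios, values and function names are constructed for illustration.

```c
#include <stdint.h>
/* A register holds a value plus a one-bit deferred-exception token, modelled on
 * the Itanium NaT bit. SHIFT reuses that token as the taint tag. */
typedef struct { uint64_t val; int nat; } reg_t;
typedef struct { uint64_t val; int tag; } word_t;   /* memory word + its taint bit */

/* Speculative load (ld.s-like): the token is set when the loaded word is tainted. */
static reg_t ld_s(const word_t *m) { reg_t r = { m->val, m->tag }; return r; }

/* Ordinary arithmetic: the hardware ORs the source tokens into the result, so the
 * taint propagates with no extra instrumentation (the DEP acceleration point). */
static reg_t add(reg_t a, reg_t b) { reg_t r = { a.val + b.val, a.nat | b.nat }; return r; }

/* DEP-aware compare (one of the two enhancements SHIFT proposes): computes a < b
 * and reports whether either operand carried a token. */
static int cmp_lt(reg_t a, reg_t b, int *tainted) { *tainted = a.nat | b.nat; return a.val < b.val; }

/* Explicit token set/clear, the other proposed enhancement. */
static reg_t set_token(reg_t a) { a.nat = 1; return a; }
static reg_t clr_token(reg_t a) { a.nat = 0; return a; }

/* chk.s-like check before a sensitive use: 1 means the policy engine alerts. */
static int chk_s(reg_t a) { return a.nat; }

/* Default policy: tainted data cannot be used as a load/store address. */
int tainted_index_is_caught(void) {
    word_t len_from_net = { 40, 1 };     /* constructed: length read from the network */
    word_t base = { 0x1000, 0 };
    reg_t addr = add(ld_s(&len_from_net), ld_s(&base));   /* addr inherits the token */
    return chk_s(addr);
}

/* Taint source that carries no memory tag: data handed back by an untrusted source
 * gets its token set explicitly, and the token survives later arithmetic. */
int explicit_source_is_tracked(void) {
    word_t w = { 7, 0 };
    reg_t r = set_token(ld_s(&w));
    return chk_s(add(r, r));
}

/* Compiler-recognised bounds check: once the tainted length is proven below the
 * buffer size, the instrumentation clears the token so the address use is no false alarm. */
int bounds_checked_index_is_safe(void) {
    word_t len_from_net = { 10, 1 }, base = { 0x1000, 0 }, limit = { 32, 0 };
    reg_t len = ld_s(&len_from_net);
    int tainted;
    if (!cmp_lt(len, ld_s(&limit), &tainted)) return 1;   /* out of range: keep the alert */
    len = clr_token(len);
    return chk_s(add(len, ld_s(&base)));
}
```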
Outline ◦ SHIFT: From Speculative Execution to DIFT ◦ SHIFT Design and Implementation ◦ Evaluation ◦ Conclusion
General Working Flow of SHIFT ◦ Taint source: network I/O, disk files, keyboard input, specific functions, specific locations ◦ Taint policy: decides what counts as tainted ◦ Taint propagation: an operation (add, ...) on tainted data and untainted data yields tainted data; tags are kept in registers and in a tag bitmap for memory; a load sets the tag bit of the destination, a store updates the bitmap ◦ Violation capture: uses of tainted data such as call [tainted data], jmp [tainted data], ... are reported to the policy engine, which raises an alert or a fault
Violation Capture ◦ OS traps: a DEP token violation triggers a trap; expensive when there are many traps ◦ Instrumentation: add instructions that check DEP tokens before critical usages; could cause code expansion ◦ SHIFT supports both
Coexisting Control Speculation with DIFT ◦ Revert to non-speculative code upon speculation failure, no matter whether the token was caused by tainted data or by a deferred exception ◦ Performance implication: false positives for control speculation due to DIFT ◦ Effective when little tainted data is involved: in Apache, 98% of data transitions are safe (LIFT, MICRO’06)
Implementation (1/2) ◦ Implemented on Itanium based on GCC ◦ Itanium has good support for control speculation: each general register has a NaT (Natval) bit, and the NaT bit is propagated during program execution ◦ Missing features: instructions for setting/clearing NaT bits, and NaT-aware compare instructions
Implementation (2/2) ◦ Compiler instrumentation for C code: instrumentation on the low-level IR (RTL), which is language-independent; program semantics are extracted to filter false alarms, e.g. boundary-checked data may be used safely ◦ Assembly code: wrapper functions propagate taint information for memset, strcpy, memcpy, etc.
Tag Memory Operation ◦ Load computation ◦ Example instrumentation: simulating NaT generation
Outline ◦ SHIFT: From Speculative Execution to DIFT ◦ SHIFT Design and Implementation ◦ Evaluation: security evaluation, performance evaluation ◦ Conclusion
Experimental Setup ◦ Machine: HP Integrity rx1620 with two 1.6GHz Itanium processors and 4GB of memory, Redhat Linux Enterprise 4, GCC with the -O3 optimization flag ◦ Security evaluation: several real-world vulnerabilities from CVE ◦ Performance evaluation: the Apache web server using the Apache benchmark (ab), and eight applications from SPECINT-2000 with disk input as the untrusted source
Questions for Evaluation ◦ Can SHIFT defeat real-world security attacks? ◦ Does SHIFT provide reasonable performance? ◦ What contributes to the performance overhead?
Security Policies in SHIFT ◦ Default policies: tainted data cannot be used as a load/store address; no modification of critical CPU state (e.g. branch registers) ◦ Application semantic policies (Xu et al. Security’06, Raksha ISCA’07): directory traversal, tainted data cannot be used as an absolute file path; cross-site scripting, no tainted script tag; SQL injection, tainted data cannot contain SQL meta characters
SHIFT Security Results
High-level semantic attacks:
    GNU Tar (1.4), C: directory traversal
    GNU Gzip (1.2.4), C: directory traversal
    Qwikiwiki (1.4.1), PHP: directory traversal
    Scry (1.1), PHP: cross-site scripting
    php-stats ( ), PHP: cross-site scripting
    phpsysinfo (2.3), PHP: cross-site scripting
    phpmyfaq (1.6.8), PHP: SQL command injection
Low-level memory corruption attacks:
    Bftpd (0.96 and prior), C: format string attack (CVE# N/A)
Performance Overhead with Apache: about 1% overhead on average (individual measurements from 0.5% to 4.1%)
Relative Performance of SPEC-INT: average 2.81X slowdown at byte-level and 2.27X at word-level (individual benchmarks from 1.3X to 4.7X)
Relative Performance of SPEC-INT (Architectural Support): with instructions for clearing/setting the DEP token and DEP-aware compare instructions in Itanium, average 2.32X and 1.8X slowdown at byte- and word-level (individual benchmarks from 1.29X to 3.02X), a 0.49X and 0.47X improvement over no architectural support for byte- and word-level
DIFT Costs w/ (w/o) Control Speculation
Instruction category | Example instruction | Proportion (SPECINT-2K) | # DIFT insts w/o control speculation | # DIFT insts w/ control speculation
Arithmetic           | add r7, r8, r9      | 45.7%                   | 5-6                                  | 0
Control-flow         | beq r7, r8, r9      | 17.6%                   | 2-4                                  | 0
Memory               | ld r7, 8(r8)        | 36.3%                   | 7-8                                  | 6-7
SPEC-INT 2000 (Breakdown of Remaining Overhead): load computation dominates the performance overhead
Related work ◦ Software-based DIFT: TaintCheck (NDSS’05), LIFT (MICRO’06), Xu et al. (Security’06), Dytan (ISSTA’07) ◦ Hardware-based DIFT: Minos (MICRO’04), Suh et al. (ASPLOS’04), Raksha (ISCA’07), FlexiTaint (HPCA’08)
Conclusion ◦ A practical and efficient DIFT system: novel use of DEP to accelerate DIFT ◦ Best performance data to date for SPECINT-2000: 2.81X and 2.27X slowdown for byte- and word-level ◦ Non-invasive architectural support reduces the slowdown to 2.32X and 1.8X ◦ Future work: compiler optimization could reduce the overhead
Questions? Thanks
Code Size Expansion: from 1.45X (byte-level) and 1.36X (word-level) at the low end up to 3.88X (byte-level) and 3.23X (word-level) at the high end; average 2.71X for byte-level and 2.43X for word-level
Relative Performance of SPEC-INT (DIFT coexisting with Control Speculation): average 2.86X slowdown at byte-level and 2.34X at word-level (individual benchmarks from 1.3X to 4.6X), an average increase in slowdown of 0.05X and 0.06X for byte- and word-level over DIFT without control speculation
Tag Management in Itanium (1/2): figure of the virtual address space in Linux and the corresponding tag address space
Tag Management in Itanium (2/2): figure of the mapping from a virtual address (VA) to its tag address (TA)
Related work: LIFT (MICRO’06) ◦ Uses binary translation and supports unmodified binaries ◦ Only detects low-level memory-corruption attacks ◦ Aggressive compiler optimization to reduce tracking code ◦ Average 4.6X performance slowdown for SPECINT-2000
Backup slides: Compiler Optimization ◦ Sophisticated optimization is promising and is one of our main directions of future work ◦ Use profiling to decide whether control speculation is needed ◦ Handling self-modifying code (not common in application code) ◦ Multi-threaded applications
Discussion and Further Work ◦ Compiler optimization: sophisticated optimization is promising ◦ Multi-threaded applications