Sampling Dynamic Dataflow Analyses Joseph L. Greathouse Advanced Computer Architecture Laboratory University of Michigan University of British Columbia June 10, 2011

NIST: SW errors cost U.S. ~$60 billion/year as of 2002 FBI CCS: Security Issues $67 billion/year as of 2005  >⅓ from viruses, network intrusion, etc. Software Errors Abound 2 CERT-Cataloged Vulnerabilities

Simple Buffer Overflow Example 3 void foo() { int local_variables; int buffer[256]; … buffer = read_input(); … return; } Return address Local variables buffer Buffer Fill New Return address Bad Local variables If read_input() reads 200 ints If read_input() reads >256 ints buffer

Concurrency Bugs Also Matter 4 if(ptr == NULL) { len=thread_local->mylen; ptr=malloc(len); memcpy(ptr, data, len); } Thread 2 mylen=large Nov OpenSSL Security Flaw Thread 1 mylen=small

Concurrency Bugs Also Matter 5 if(ptr==NULL) memcpy(ptr, data2, len2) ptr LEAKED TIME Thread 2 mylen=large Thread 1 mylen=small ∅ len2=thread_local->mylen; ptr=malloc(len2); len1=thread_local->mylen; ptr=malloc(len1); memcpy(ptr, data1, len1)

One Layer of a Solution High quality dynamic software analysis  Find difficult bugs that other analyses miss Distribute Tests to Large Populations  Low overhead or users get angry Accomplished by sampling the analyses  Each user only tests part of the program 6

Dynamic Dataflow Analysis Associate meta-data with program values Propagate/Clear meta-data while executing Check meta-data for safety & correctness Forms dataflows of meta/shadow information 7

a += y z = y * 75 y = x * 1024 w = x + 42 Check w Example Dynamic Dataflow Analysis 8 validate(x) x = read_input() Clear a += y z = y * 75 y = x * 1024 x = read_input() Propagate Associate Input Check a Check z Data Meta-data

Distributed Dynamic Dataflow Analysis 9 Split analysis across large populations  Observe more runtime states  Report problems developer never thought to test Instrumented Program Potential problems

Taint Analysis (e.g.TaintCheck) Dynamic Bounds Checking FP Accuracy Verification Symbolic Execution Data Race Detection (e.g. Helgrind) Memory Checking (e.g. Dr. Memory) Problem: DDAs are Slow x 2-200x 10-80x 5-50x x 2-300x

One Solution: Sampling 11 Lower overheads by skipping some analyses Complete Analysis No Analysis No Analysis

Sampling Allows Distribution 12 Developer Beta TestersEnd Users Many users testing at little overhead see more errors than one user at high overhead.

a += y z = y * 75 y = x * 1024 w = x + 42 Cannot Naïvely Sample Code 13 Validate(x) x = read_input() a += y y = x * 1024 False Positive False Negative w = x + 42 validate(x) x = read_input() Skip Instr. Input Check w Check z Skip Instr. Check a

Sampling must be aware of meta-data Remove meta-data from skipped dataflows  Prevents false positives Sample Data, not Code 14

a += y z = y * 75 y = x * 1024 w = x + 42 Dataflow Sampling Example 15 validate(x) x = read_input() a += y y = x * 1024 False Negative x = read_input() Skip Dataflow Input Check w Check z Skip Dataflow Check a

Mechanisms for Dataflow Sampling (1) 16 Start with demand analysis Demand Analysis Tool Native Application Native Application Instrumented Application (e.g. Valgrind) Instrumented Application (e.g. Valgrind) Instrumented Application (e.g. Valgrind) Shadow Value Detector Meta-data No meta-data

Mechanisms for Dataflow Sampling (2) 17 Remove dataflows if execution is too slow Sampling Analysis Tool Instrumented Application Instrumented Application Native Application Instrumented Application Instrumented Application Shadow Value Detector Meta-data Clear meta-data OH Threshold

Prototype Setup Taint analysis sampling system  Network packets untrusted Xen-based demand analysis  Whole-system analysis with modified QEMU Overhead Manager (OHM) is user-controlled 18 Xen Hypervisor OS and Applications App … Linux Shadow Page Table Admin VM Taint Analysis QEMU Net Stack OHM

Benchmarks Performance – Network Throughput  Example: ssh_receive Accuracy of Sampling Analysis  Real-world Security Exploits 19 NameError Description ApacheStack overflow in Apache Tomcat JK Connector EggdropStack overflow in Eggdrop IRC bot LynxStack overflow in Lynx web browser ProFTPDHeap smashing attack on ProFTPD Server SquidHeap smashing attack on Squid proxy server

ssh_receive Performance of Dataflow Sampling (1) 20 Throughput with no analysis

netcat_receive Performance of Dataflow Sampling (2) 21 Throughput with no analysis

ssh_transmit Performance of Dataflow Sampling (3) 22 Throughput with no analysis

Accuracy at Very Low Overhead Max time in analysis: 1% every 10 seconds Always stop analysis after threshold  Lowest probability of detecting exploits 23 NameChance of Detecting Exploit Apache100% Eggdrop100% Lynx100% ProFTPD100% Squid100%

netcat_receive running with benchmark Accuracy with Background Tasks 24

Accuracy with Background Tasks ssh_receive running in background 25

Conclusion & Future Work Dynamic dataflow sampling gives users a knob to control accuracy vs. performance Better methods of sample choices Combine static information New types of sampling analysis 26

BACKUP SLIDES 27

Outline 28 Software Errors and Security Dynamic Dataflow Analysis Sampling and Distributed Analysis Prototype System Performance and Accuracy

Detecting Security Errors Static Analysis  Analyze source, formal reasoning +Find all reachable, defined errors –Intractable, requires expert input, no system state Dynamic Analysis  Observe and test runtime state +Find deep errors as they happen –Only along traversed path, very slow 29

Width Test 30