Presentation is loading. Please wait.

Presentation is loading. Please wait.

Effective and Efficient memory Protection Using Dynamic Tainting

Published bySri Gunawan Modified over 6 years ago

Similar presentations

Presentation on theme: "Effective and Efficient memory Protection Using Dynamic Tainting"— Presentation transcript:

1 Effective and Efficient memory Protection Using Dynamic Tainting
[James Clause,Doudalis And Guru Venkataramani Members,IEEE]

2 OVERVIEW IMA..? An example IMA Technique-A general approach Tainting
Taint propagation checking Limiting the no.of taint marks Implementation

3 IMA?? Illegal memory access(IMA):An important class of memory related faults Currently free area ‘m’, of required size is allocated Starting address of m can be assigned to a pointer ‘p’ Access to m is legal only if it is referenced by p or a pointer derived from p and access occur during the interval when p is valid All other accesses are ‘Illegal Memory Accesses’ or IMAs

4 AN example IMA void prRandStr ( int n) 1. int i, seed;
2. char *buffer; 3. buffer = (char*) malloc (n); 4. if (buffer == NULL) return; 5. getSeedFromUser (&seed); 6. srand (seed); 7. for (i = 0; i <= n; i++) /*fault*/ 8. buffer [i] = rand() %26 + ‘a’ ; /*IMA*/ 9. buffer [n-1] = ‘\0’ ; 10. free(buffer); 11. printf (“Random String: %s \n”, buffer);

5 Technique-A general approach
Dynamic tainting: a technigue for marking and tracking certain data at run time Marking two kinds of data : memory in data space and pointers When m is allocated, it is tainted with t When p is created with m as referent, p is also tainted with t When memory is accessed, taint marks is checked

6 3 PARTS 1)Tainting Static Memory Allocation
Pointers to Statically Allocated Memory Dynamically Allocated Memory Pointers to Dynamically Allocated Memory 2)Taint Propagation Propagation of Memory taints Propagation of Pointer taints 3)Checking

7 Tainting Initializing taint marks 4 cases Static Memory Allocation
Pointer to statically allocated memory Dynamic Memory Allocation Pointer to dynamic allocated memory

8 Tainting of statically allocated memory
Upon program entry/ function entry, memory for each variable is identified and each is tainted with a fresh taint mark Memory area for a variable is identified using starting address and size needed to store the variable

9 Pointer to Statically Allocated Memory
For scalar Variable – ‘Address – of’ or ‘&’ returns starting memory address When ‘&’ operator is used on a variable, pointer is tainted with same taint mark as that of the memory location For Statically allocated arrays – Name of the array is pointer to first location, which get tainted

10 Dynamic Memory Allocations
Occurs as a result of a call to a memory- allocation function. E.g. malloc To taint, when the function is about to return, the memory allocated is identified as [r,r+size) and taints the region with a fresh taint mark r-value returned by m/y allocation function size –amount of m/y requested

11 Pointers to Dynamically allocated Memory
Created either directly (as return value of allocation function) or indirectly (from another pointer) When a memory area is tainted as a result of call to a memory allocation function, the return value, i.e the corresponding pointer is also tainted with the same mark. When other pointers are derived from that pointer, the taint mark is propagated to them.

12 Taint Propagation Detects how taint marks flow along data as program executes. 2 concepts: Propagation of memory taints Propagation of pointer taints

13 Propagation of Memory Taints
Not actually propagated. Taint marks are associated with a memory area when it is allocated and removed when deallocated Pointers remain tainted If such a pointer is used to access memory ,an IMA still detected.

14 Dynamically allocated memory – deallocated and taint mark will be removed by calling a memory deallocation function, e.g.: free Statically allocated memory- deallocated and taint mark is removed when the function returns (local variable) or when program exits (global variables)

15 Propagation of Pointer Taints
Taint marks associated with pointers propagated to derived pointers. The rules models all possible operations on pointers and associate,for each operation an action that assigns to the result of the operation the correct pointer taint mark.

16 Propagation rules Add, Subtract c = a +/- b
a tainted with ta, b tainted with tb Then c will be tainted with ta + tb or ta – tb Multiply, Divide, Modulo, Bitwise OR, XOR Result of these operations are never tainted

17 Bitwise AND c = a & b If a and b both tainted/ untainted, c is not tainted, else it is tainted Bitwise NOT c = ~ a Alternative to subtraction tc = - ta

18 checking For each memory access, taint mark of the pointer and memory is checked. If they are not the same, an IMA is detected

19 Limiting number of taints
Ideal condition – unlimited number of taints Realistically, number of taints should be limited Memory consumption Complexity of hardware While retaining ability to detect maximum IMAs

20 Each taint mark is represented with n bits
Number of taint marks is limited to 2^n Probability of detecting each IMA will be P = 1- (1/ 2^n)

21 Software Implementation
An additional pass is added in compiler (LLVM) to taint all stack and global defined arrays. Taint propagation may be implemented using any dynamic tainting framework

22 Hardware Based Implementation
Taint Processing and Storage 2 options: data widening, decoupling Data widening: extending data with a few bits to represent the taint information Decoupling: Taint information is stored as a packed array in a reserved part of the application’s virtual address space This address space is managed by OS similar to normal data pages

23 Taint Propagation and Access Checking
2 options: hard wiring / programming an accelerator Hardwiring would require modifications in the hard wiring for making changes in future, whereas it would be easier to reprogram the accelerator

24 But for adding different propagation strategies for each pointer operations, exceptions should be made for each operator in case of software accelerator Easier to add a hardwire support for taint operations As a result of all these considerations, a hard wiring approach is opted for taint propagation and access checking

25 In short, Taint processing and Initialization is done using decoupling Taint Propagation and Checking is done using Hard wiring technique

26 Conclusion A dynamic technique for detecting IMAs was studied
With minimum number of taint bits, maximum number of IMAs are detected Only actual IMAs are reported and no false detections are made

27 Future Scope Technique can be improved to use software accelerators instead of hard wiring techniques for taint propagation and checking Can be improved to increase probability of detecting IMAs with reduced resource utilisation

28 References IEEE Transactions on Computers, vol 61, no 1, January 2012, “Effective and Efficient Memory Protection using Dynamic Tainting” by Ioannis Doudalis, James Clause, Guru Venkataramani, Milos Prvulovic,and Alessandro Orso. G. Venkataramani, Doudalis, y.solihin”FlexiTaint :A programmable accelerator for dynamic taint propagation” Doudalis, James Clause,A.orso”Effective memory protection using dynamic tainting”.proc.22nd IEEE 2007.

29 THANK YOU…

30 Questions….

Download ppt "Effective and Efficient memory Protection Using Dynamic Tainting"

Similar presentations

Dynamic Memory Allocation in C.  What is Memory What is Memory  Memory Allocation in C Memory Allocation in C  Difference b\w static memory allocation.

Dynamic Memory Allocation in C.  What is Memory What is Memory  Memory Allocation in C Memory Allocation in C  Difference b\w static memory allocation.
Prof. Necula CS 164 Lecture 141 Run-time Environments Lecture 8.

Prof. Necula CS 164 Lecture 141 Run-time Environments Lecture 8.
Chapter 7: User-Defined Functions II

Chapter 7: User-Defined Functions II
CS1061: C Programming Lecture 21: Dynamic Memory Allocation and Variations on struct A. O’Riordan, 2004, 2007 updated.

CS1061: C Programming Lecture 21: Dynamic Memory Allocation and Variations on struct A. O’Riordan, 2004, 2007 updated.
CS 326 Programming Languages, Concepts and Implementation Instructor: Mircea Nicolescu Lecture 18.

CS 326 Programming Languages, Concepts and Implementation Instructor: Mircea Nicolescu Lecture 18.
CS 536 Spring 20011 Run-time organization Lecture 19.

CS 536 Spring Run-time organization Lecture 19.
Memory Management 1 CS502 Spring 2006 Memory Management CS-502 Spring 2006.

Memory Management 1 CS502 Spring 2006 Memory Management CS-502 Spring 2006.
CS-3013 & CS-502, Summer 2006 Memory Management1 CS-3013 & CS-502 Summer 2006.

CS-3013 & CS-502, Summer 2006 Memory Management1 CS-3013 & CS-502 Summer 2006.
CS 61C L03 C Arrays (1) A Carle, Summer 2005 © UCB inst.eecs.berkeley.edu/~cs61c/su05 CS61C : Machine Structures Lecture #3: C Pointers & Arrays 2005-06-22.

CS 61C L03 C Arrays (1) A Carle, Summer 2005 © UCB inst.eecs.berkeley.edu/~cs61c/su05 CS61C : Machine Structures Lecture #3: C Pointers & Arrays
Run-time Environment and Program Organization

Run-time Environment and Program Organization
WEL COME PRAVEEN M JIGAJINNI PGT (Computer Science) MCA, MSc[IT], MTech[IT], MPhil (Comp. Sci), PGDCA, ADCA, Dc. Sc. & Engg.

WEL COME PRAVEEN M JIGAJINNI PGT (Computer Science) MCA, MSc[IT], MTech[IT], MPhil (Comp. Sci), PGDCA, ADCA, Dc. Sc. & Engg.
1 Pointers, Dynamic Data, and Reference Types Review on Pointers Reference Variables Dynamic Memory Allocation –The new operator –The delete operator –Dynamic.

1 Pointers, Dynamic Data, and Reference Types Review on Pointers Reference Variables Dynamic Memory Allocation –The new operator –The delete operator –Dynamic.
Overview Working directly with memory locations is beneficial. In C, pointers allow you to: change values passed as arguments to functions work directly.

Overview Working directly with memory locations is beneficial. In C, pointers allow you to: change values passed as arguments to functions work directly.
Runtime Environments Compiler Construction Chapter 7.

Runtime Environments Compiler Construction Chapter 7.
IT253: Computer Organization Lecture 3: Memory and Bit Operations Tonga Institute of Higher Education.

IT253: Computer Organization Lecture 3: Memory and Bit Operations Tonga Institute of Higher Education.
Stack and Heap Memory Stack resident variables include:

Stack and Heap Memory Stack resident variables include:
Basic Semantics Associating meaning with language entities.

Basic Semantics Associating meaning with language entities.
Storage Management - Chap 10 MANAGING A STORAGE HIERARCHY on-chip --> main memory --> 750ps - 8ns 10 - 90 ns. 128kb - 16mb 2gb -1 tb. RATIO 1 10 hard disk.

Storage Management - Chap 10 MANAGING A STORAGE HIERARCHY on-chip --> main memory --> 750ps - 8ns ns. 128kb - 16mb 2gb -1 tb. RATIO 1 10 hard disk.
Operating Systems (CS 340 D) Princess Nora University Faculty of Computer & Information Systems Computer science Department.

Operating Systems (CS 340 D) Princess Nora University Faculty of Computer & Information Systems Computer science Department.
1 Homework HW5 due today Review a lot of things about allocation of storage that may not have been clear when we covered them in our initial pass Introduction.

1 Homework HW5 due today Review a lot of things about allocation of storage that may not have been clear when we covered them in our initial pass Introduction.

Similar presentations

Ads by Google