Presentation is loading. Please wait.

Presentation is loading. Please wait.

Sampling Dynamic Dataflow Analyses

Published byHallvard Simensen Modified over 5 years ago

Similar presentations

Presentation on theme: "Sampling Dynamic Dataflow Analyses"— Presentation transcript:

1 Sampling Dynamic Dataflow Analyses
This talk was given at the University of British Columbia Computer Science department on June 10, (This was hosted by Andrew Warfield. This is basically a combination of the talks I gave at CGO2011 with a few backup slides brought in, and some slides from my ISCA2011 talk. See those slides for detailed notes of what all the animations mean. Joseph L. Greathouse Advanced Computer Architecture Laboratory University of Michigan University of British Columbia June 10, 2011

2 Software Errors Abound
NIST: SW errors cost U.S. ~$60 billion/year as of 2002 FBI CCS: Security Issues $67 billion/year as of 2005 >⅓ from viruses, network intrusion, etc. CERT-Cataloged Vulnerabilities

3 Simple Buffer Overflow Example
Return address New Return address void foo() { int local_variables; int buffer[256]; buffer = read_input(); return; } Local variables Bad Local variables buffer Buffer Fill buffer If read_input() reads >256 ints If read_input() reads 200 ints

4 Concurrency Bugs Also Matter
Thread 1 Thread 2 mylen=small mylen=large Nov OpenSSL Security Flaw if(ptr == NULL) { len=thread_local->mylen; ptr=malloc(len); memcpy(ptr, data, len); }

5 Concurrency Bugs Also Matter
Thread 1 Thread 2 mylen=small mylen=large TIME if(ptr==NULL) if(ptr==NULL) len2=thread_local->mylen; ptr=malloc(len2); len1=thread_local->mylen; ptr=malloc(len1); memcpy(ptr, data1, len1) memcpy(ptr, data2, len2) ptr LEAKED

6 One Layer of a Solution High quality dynamic software analysis
Find difficult bugs that other analyses miss Distribute Tests to Large Populations Low overhead or users get angry Accomplished by sampling the analyses Each user only tests part of the program

7 Dynamic Dataflow Analysis
Associate meta-data with program values Propagate/Clear meta-data while executing Check meta-data for safety & correctness Forms dataflows of meta/shadow information

8 Example Dynamic Dataflow Analysis
Input Meta-data Associate x = read_input() x = read_input() validate(x) Clear Propagate y = x * 1024 y = x * 1024 w = x + 42 Check w Check w a += y z = y * 75 Check z Check z a += y z = y * 75 Check a Check a

9 Distributed Dynamic Dataflow Analysis
Split analysis across large populations Observe more runtime states Report problems developer never thought to test Instrumented Program Potential problems

10 Problem: DDAs are Slow 10-200x 2-200x 2-300x 10-80x 100-500x 5-50x
Symbolic Execution Data Race Detection (e.g. Helgrind) Memory Checking (e.g. Dr. Memory) Taint Analysis (e.g.TaintCheck) Dynamic Bounds Checking FP Accuracy Verification 10-200x 2-200x 2-300x 10-80x x 5-50x

11 One Solution: Sampling
Lower overheads by skipping some analyses No Analysis Complete Analysis

12 Sampling Allows Distribution
End Users Beta Testers Many users testing at little overhead see more errors than one user at high overhead. Developer

13 Cannot Naïvely Sample Code
Input x = read_input() validate(x) x = read_input() Validate(x) Skip Instr. False Positive y = x * 1024 w = x + 42 Check w Check w y = x * 1024 w = x + 42 a += y a += y z = y * 75 Skip Instr. Check z Check z Check a Check a False Negative

14 Sample Data, not Code Sampling must be aware of meta-data
Remove meta-data from skipped dataflows Prevents false positives

15 Dataflow Sampling Example
Input x = read_input() x = read_input() Skip Dataflow validate(x) y = x * 1024 y = x * 1024 w = x + 42 Check w Check w Skip Dataflow a += y a += y z = y * 75 Check z Check z Check a Check a False Negative

16 Mechanisms for Dataflow Sampling (1)
Start with demand analysis Demand Analysis Tool Instrumented Application (e.g. Valgrind) Instrumented Application (e.g. Valgrind) Native Application No meta-data Meta-data Shadow Value Detector

17 Mechanisms for Dataflow Sampling (2)
Remove dataflows if execution is too slow Sampling Analysis Tool Instrumented Application Instrumented Application Native Application OH Threshold Clear meta-data Meta-data Shadow Value Detector

18 Prototype Setup Taint analysis sampling system
Network packets untrusted Xen-based demand analysis Whole-system analysis with modified QEMU Overhead Manager (OHM) is user-controlled Xen Hypervisor Admin VM OS and Applications App Linux ShadowPage Table Net Stack Taint Analysis QEMU OHM

19 Benchmarks Performance – Network Throughput
Example: ssh_receive Accuracy of Sampling Analysis Real-world Security Exploits Name Error Description Apache Stack overflow in Apache Tomcat JK Connector Eggdrop Stack overflow in Eggdrop IRC bot Lynx Stack overflow in Lynx web browser ProFTPD Heap smashing attack on ProFTPD Server Squid Heap smashing attack on Squid proxy server

20 Performance of Dataflow Sampling (1)
ssh_receive Throughput with no analysis

21 Performance of Dataflow Sampling (2)
netcat_receive Throughput with no analysis

22 Performance of Dataflow Sampling (3)
ssh_transmit Throughput with no analysis

23 Accuracy at Very Low Overhead
Max time in analysis: 1% every 10 seconds Always stop analysis after threshold Lowest probability of detecting exploits Name Chance of Detecting Exploit Apache 100% Eggdrop Lynx ProFTPD Squid

24 Accuracy with Background Tasks
netcat_receive running with benchmark

25 Accuracy with Background Tasks
ssh_receive running in background

26 Conclusion & Future Work
Dynamic dataflow sampling gives users a knob to control accuracy vs. performance Better methods of sample choices Combine static information New types of sampling analysis

27 BACKUP SLIDES

28 Outline Software Errors and Security Dynamic Dataflow Analysis
Sampling and Distributed Analysis Prototype System Performance and Accuracy

29 Detecting Security Errors
Static Analysis Analyze source, formal reasoning Find all reachable, defined errors Intractable, requires expert input, no system state Dynamic Analysis Observe and test runtime state Find deep errors as they happen Only along traversed path, very slow

30 Width Test In case the projector is clipping.

Download ppt "Sampling Dynamic Dataflow Analyses"

Similar presentations

Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.

Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Bouncer securing software by blocking bad input Miguel Castro Manuel Costa, Lidong Zhou, Lintao Zhang, and Marcus Peinado Microsoft Research.

Bouncer securing software by blocking bad input Miguel Castro Manuel Costa, Lidong Zhou, Lintao Zhang, and Marcus Peinado Microsoft Research.
Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.

Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.

Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.

TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.
Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro, Tim Harris Microsoft Research Cambridge University of Cambridge.

Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro, Tim Harris Microsoft Research Cambridge University of Cambridge.
Vertically Integrated Analysis and Transformation for Embedded Software John Regehr University of Utah.

Vertically Integrated Analysis and Transformation for Embedded Software John Regehr University of Utah.
LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.

LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.
1 Achieving Trusted Systems by Providing Security and Reliability (Research Project #22) Project Members: Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun.

1 Achieving Trusted Systems by Providing Security and Reliability (Research Project #22) Project Members: Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun.
Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.

Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.
1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.

1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.
Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.

Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.
Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software Authors: James Newsome, James Newsome, David Brumley, David.

Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software Authors: James Newsome, James Newsome, David Brumley, David.
Address Space Layout Permutation

Address Space Layout Permutation
Www.aqualab.cs.northwestern.edu Stamping out worms and other Internet pests Miguel Castro Microsoft Research.

Stamping out worms and other Internet pests Miguel Castro Microsoft Research.
15-740/18-740 Oct. 17, 2012 Stefan Muller.  Problem: Software is buggy!  More specific problem: Want to make sure software doesn’t have bad property.

15-740/ Oct. 17, 2012 Stefan Muller.  Problem: Software is buggy!  More specific problem: Want to make sure software doesn’t have bad property.
Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer.

Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer.
Advanced Computer Architecture Lab University of Michigan USENIX Security ’03 Slide 1 High Coverage Detection of Input-Related Security Faults Eric Larson.

Advanced Computer Architecture Lab University of Michigan USENIX Security ’03 Slide 1 High Coverage Detection of Input-Related Security Faults Eric Larson.
University of Virginia Department of Computer Science1 Applications of Software Dynamic Translation Jack Davidson University of Virginia February 27, 2002.

University of Virginia Department of Computer Science1 Applications of Software Dynamic Translation Jack Davidson University of Virginia February 27, 2002.

Similar presentations

Ads by Google